Privacy Policy

Last Updated: 2026-05-07

This Privacy Policy (“Policy”) describes how Spiffing, a company incorporated under the laws of Malta and having its registered office at 4, Kent Street, Sliema, Malta (“we”, “us”, or “our”), collects, uses, stores, and discloses personal data when individuals (“you”, “your”, or “User”) access or use the PerformanceGuardian platform, available at https://performanceguardian.ai (the “Platform”).

This Policy is issued in accordance with applicable data protection legislation, including Regulation (EU) 2016/679 (General Data Protection Regulation, “GDPR”).

1. Data Protection Officer

Mr. Kevin Farrugia (Data Protection Officer)
4, Kent Street, Sliema, SLM2182, Malta
Email: info@spiffing.io
Phone: +356 99218499

2. Categories of Personal Data Collected

We collect and process the following categories of personal data:

  • Account and Registration Data. Upon account creation and payment processing, we may collect full name, email address, company name (if applicable), and payment and billing details (processed by third-party payment processors).
  • Website Testing and Credential Data. To facilitate authenticated performance testing of user websites, Users may voluntarily provide login credentials. These credentials are securely encrypted and stored and are used solely for the purpose of executing the requested tests. They are not accessed, used, or disclosed for any other purpose and are deleted upon request or account termination. We do not collect or process any user content or data beyond what is publicly accessible or voluntarily provided via the Platform.
  • Technical and Usage Data. We may automatically collect non-personal data when you access the Platform, including browser type and version, operating system, device information, IP address, timestamps, and activity logs. This data is used for Platform diagnostics, performance optimization, and security monitoring.
  • Customer Data. We do not collect, access, or store any personal data belonging to your end users, unless you or your team manually input test data for testing purposes. In such cases, you remain fully responsible for that data and how it is used, and you are considered the data controller under applicable privacy laws.

3. Legal Basis for Processing

We process personal data based on the following legal grounds under the GDPR:

  • Performance of a contract (Article 6(1)(b)): To provide access to and operation of the Platform and related services.
  • Legitimate interests (Article 6(1)(f)): To maintain and improve service quality, security, and user support.
  • Consent (Article 6(1)(a)): For storing login credentials to enable authenticated monitoring (consent may be withdrawn at any time).

4. Use of Personal Data

Personal data is processed for the following purposes:

  • Account setup, administration, and user authentication
  • Payment processing via third-party providers
  • Execution of website performance monitoring
  • Performance testing of authenticated journeys (where applicable)
  • Platform maintenance and security
  • Customer service and technical support

5. Data Sharing, Storage and Third-Party Access

We understand the importance of maintaining the confidentiality and integrity of personal data. Data sharing practices are strictly governed by legal requirements and contractual obligations to ensure consistent data protection standards.

Data Storage and Hosting

All personal data is stored and processed using Amazon Web Services (AWS) S3 infrastructure. To ensure compliance with EU data protection standards, all data is hosted on servers located in the Europe (Frankfurt) Region.

Third-Party Processors

We engage trusted third-party service providers, acting as Processors, to assist in operating PerformanceGuardian and providing related services. These may include cloud hosting providers, analytics providers, and payment processors. These third parties process personal data strictly on our behalf and according to documented instructions via Data Processing Agreements (DPAs).

Third-Party Integrations

The Platform may allow you to connect or add integrations to third-party services. If a User adds an integration to a third party, that third party’s own privacy policies and terms apply to the data shared with or processed by them. Spiffing is not responsible for the privacy practices or security of these third-party services.

6. Data Retention

Personal data is retained only as long as necessary to fulfill the purposes for which it was collected, or as required by applicable law. Credential data provided for authenticated testing is retained securely for the duration of active use and deleted upon request or account termination.

7. Data Security

We are deeply committed to ensuring the integrity and confidentiality of personal data. Robust “appropriate technical or organisational measures” are implemented to protect against unauthorised or unlawful processing and against accidental loss, destruction, or damage.

Physical Security

  • Spiffing maintains physical access controls to its office premises.
  • The premises are always locked when employees are not present.
  • Security cameras are used to monitor entrances and emergency exits.
  • No guest access unless accompanied by an employee at all times.
  • Personal data is stored in secure areas, with documentation in locked cabinets.

System and Network Security

  • Access to personal data is granted on a need-to-know basis with unique user accounts.
  • Strong authentication mechanisms (complex passwords and two-factor authentication) are enforced.
  • Role-based access control (RBAC) is implemented.
  • Procedures are in place for promptly applying security patches and updates.

Data Handling and Processing

  • We ensure only the minimum necessary personal data is collected and processed.
  • Personal data is retained only for as long as necessary to fulfill the purposes for which it was collected, and securely disposed of when no longer required or upon request of the data controller.
  • When transferring personal data to countries outside the European Economic Area (EEA), Spiffing ensures compliance with applicable data protection laws and implements appropriate safeguards, such as the use of EU-approved Standard Contractual Clauses or other approved transfer mechanisms.

Employee Training and Awareness

  • Employees receive documentation and training on data protection policies.
  • All employees are bound by confidentiality agreements that require them to maintain the confidentiality and security of personal data they have access to during the course of their work.

Incident Response

  • Spiffing maintains an incident response plan to promptly detect, respond to, and mitigate any security incidents or data breaches. In the event of a personal data breach, Spiffing will follow the GDPR requirements and notify the relevant data controller(s) without undue delay.

8. International Data Transfers

As stated in Section 5, primary data storage is maintained within the European Economic Area (EEA) in Frankfurt, Germany. If data is transferred outside the EEA for secondary processing, such transfers will comply with GDPR requirements via Standard Contractual Clauses (SCCs).

9. Your Data Subject Rights

As a data subject, you have the following rights under the GDPR:

  • Right of access to your personal data
  • Right to rectification or erasure of your data
  • Right to restrict or object to processing
  • Right to data portability
  • Right to withdraw consent (where applicable)
  • Right to lodge a complaint with the Office of the Information and Data Protection Commissioner (IDPC) in Malta

10. Cookies

The Platform may use essential cookies necessary for core functionality. No non-essential cookies are currently in use. A separate Cookie Policy will be published if this changes in the future.

11. Use by Children

We do not offer our Platform for use by children and do not knowingly collect Personal Data from and/or about individuals under the age of eighteen (18).

12. Changes to this Privacy Policy

We may update this Privacy Policy periodically. Any changes will be effective immediately upon posting. For significant changes, we will provide prominent notice through the website or email.

13. Contact Information

If you have any questions or concerns regarding this Privacy Policy, please contact the Data Protection Officer.

For terms governing the use of the Platform, please refer to our Terms & Conditions.