Privacy Policy
Last Updated: 2025-08-07
This Privacy Policy (“Policy”) describes how Spiffing, a company incorporated under the laws of Malta and having its registered office at 4, Kent Street, Sliema, Malta (“we”, “us”, or “our”), collects, uses, stores, and discloses personal data when individuals (“you”, “your”, or “User”) access or use the Performance Guardian platform, available at https://performanceguardian.ai (the “Platform”).
This Policy is issued in accordance with applicable data protection legislation, including Regulation (EU) 2016/679 (General Data Protection Regulation, “GDPR”).
Data Protection Officer
Mr. Kevin Farrugia (Data Protection Officer)
4, Kent Street, Sliema, SLM2182, Malta
Email: info@spiffing.io
Phone: +356 99218499
Categories of Personal Data Collected
We collect and process the following categories of personal data:
- Account and Registration Data. Upon account creation and payment processing, we may collect full name, email address, company name (if applicable), and payment and billing details (processed by third-party payment processors).
- Website Testing and Credential Data. To facilitate authenticated performance testing of user websites, Users may voluntarily provide login credentials. These credentials are securely encrypted and stored and are used solely for the purpose of executing the requested tests. They are not accessed, used, or disclosed for any other purpose and are deleted upon request or account termination. We do not collect or process any user content or data beyond what is publicly accessible or voluntarily provided via the Platform.
- Technical and Usage Data. We may automatically collect non-personal data when you access the Platform, including browser type and version, operating system, device information, IP address, timestamps, and activity logs. This data is used for Platform diagnostics, performance optimization, and security monitoring.
- Customer Data. We do not collect, access, or store any personal data belonging to your end users, unless you or your team manually input test data for testing purposes. In such cases, you remain fully responsible for that data and how it is used, and you are considered the data controller under applicable privacy laws.
Legal Basis for Processing
We process personal data based on the following legal grounds under the GDPR:
- Performance of a contract (Article 6(1)(b)): To provide access to and operation of the Platform and related services.
- Legitimate interests (Article 6(1)(f)): To maintain and improve service quality, security, and user support.
- Consent (Article 6(1)(a)): For storing login credentials to enable authenticated monitoring (consent may be withdrawn at any time).
Use of Personal Data
Personal data is processed for the following purposes:
- Account setup, administration, and user authentication
- Payment processing via third-party providers
- Execution of website performance monitoring
- Performance testing of authenticated journeys (where applicable)
- Platform maintenance and security
- Customer service and technical support
Data Sharing and Third-Party Access
We understand the importance of maintaining the confidentiality and integrity of personal data. Data sharing practices are strictly governed by legal requirements and contractual obligations to ensure consistent data protection standards.
We engage trusted third-party service providers, acting as Processors, to assist in operating Performance Guardian and providing related services. These may include, but are not limited to, cloud hosting providers for data storage and computing infrastructure, analytics providers for understanding service usage, and payment processors for handling subscriptions and payments. These third parties process personal data strictly on our behalf and according to documented instructions.
To formalize these commitments, we enter into legally binding Data Processing Agreements (DPAs) with all processors, as required by GDPR Article 28(3).
Data Retention
Personal data is retained only as long as necessary to fulfill the purposes for which it was collected, or as required by applicable law. Credential data provided for authenticated testing is retained securely for the duration of active use and deleted upon request or account termination.
Data Security
We are deeply committed to ensuring the integrity and confidentiality of personal data. Robust “appropriate technical or organisational measures” are implemented to protect against unauthorised or unlawful processing and against accidental loss, destruction, or damage.
These measures include:
Physical Security
- Spiffing Ltd maintains physical access controls to its office premises to prevent unauthorized access to personal data. This includes the following security measures and infrastructure:
- The premises are always locked when employees are not present;
- The use of security cameras to monitor entrances and emergency exits;
- No guest access unless accompanied by an employee at all times.
- The internal office network is protected against unauthorized access using a firewall.
- Personal data is stored in secure areas. Documentation is stored in locked cabinets and equipment or backup media is kept inside the office.
System and Network Security
- Access to personal data is granted on a need-to-know basis, with unique user accounts assigned to each employee. User access rights are regularly reviewed and revoked when no longer required.
- Strong authentication mechanisms, such as complex passwords and two-factor authentication, are enforced for system and network access. Role-based access control (RBAC) is implemented to ensure users only have access to necessary data and functionality.
- Spiffing Ltd has established procedures for promptly applying security patches and updates to systems and software to mitigate vulnerabilities and ensure they are up to date.
Data Handling and Processing
- Spiffing Ltd ensures that only the minimum necessary personal data is collected and processed to fulfill the purposes specified by the data controllers.
- Personal data is retained only for as long as necessary to fulfill the purposes for which it was collected, and securely disposed of when no longer required or upon request of the data controller.
- When transferring personal data to countries outside the European Economic Area (EEA), Spiffing Ltd ensures compliance with applicable data protection laws and implements appropriate safeguards, such as the use of EU-approved Standard Contractual Clauses or other approved transfer mechanisms.
Employee Training and Awareness
- Spiffing Ltd provides documentation and training to employees to ensure they understand the importance of data protection, and are aware of the company’s policies and procedures.
- All employees are bound by confidentiality agreements that require them to maintain the confidentiality and security of personal data they have access to during the course of their work.
Incident Response
- Spiffing Ltd maintains an incident response plan to promptly detect, respond to, and mitigate any security incidents or data breaches. In the event of a personal data breach, Spiffing Ltd will follow the GDPR requirements and notify the relevant data controller(s) without undue delay.
International Data Transfers
All personal data is stored and processed within the European Economic Area (EEA). If data is transferred outside the EEA in the future, such transfers will comply with GDPR requirements, including appropriate safeguards such as Standard Contractual Clauses (SCCs).
Your Data Subject Rights
As a data subject, you have the following rights under the GDPR:
- Right of access to your personal data
- Right to rectification or erasure of your data
- Right to restrict or object to processing
- Right to data portability
- Right to withdraw consent (where applicable)
- Right to lodge a complaint with the Office of the Information and Data Protection Commissioner (IDPC) in Malta
Cookies
The Platform may use essential cookies necessary for core functionality. No non-essential cookies are currently used. A separate Cookie Policy will be published if this changes in the future.
Use by Children
We do not offer our Platform for use by children and, therefore, we do not knowingly collect Personal Data from, and/or about children under the age of eighteen (18). If you are under 18, you may not use the Platform or provide any information to the Platform without involvement of a parent or a guardian. In the event that we become aware that you provide Personal Data in violation of applicable laws, we reserve the right to delete it.
Changes to this Privacy Policy
We may update this Privacy Policy periodically to reflect changes in our data processing practices, service functionalities, or evolving legal requirements. Any changes will be effective immediately upon posting the revised Privacy Policy on the Performance Guardian website. For significant changes, we will provide prominent notice through the website or, where appropriate, directly communicate with users via email. The “Last Updated” date at the top of the policy will always indicate when the latest revisions were made.
Contact Information
If you have any questions or concerns regarding this Privacy Policy or our data processing practices, please contact the Data Protection Officer.
For terms governing the use of the Platform, please refer to our Terms & Conditions.
