Privacy
What we collect, why, and your rights.
This page covers personal data processing on asperityhq.app, the marketing site for the Asperity product. The product itself (the platform you sign into) is covered by a separate, contract-level Data Processing Agreement and is not in scope here.
1. Who runs this site
SPES SIA, the legal entity behind the Asperity product, is the data controller for this site.
- Company: SPES SIA — see spes.lv for company details
- Contact: [email protected]
- DPO: not required at this scale; the email above reaches the responsible person directly.
2. What we collect on this website
The short version: as little as possible. The marketing site is a static page — there are no accounts, no cookies, no analytics scripts, no tracking pixels.
- Server logs. When you load a page, the server temporarily records your IP address, user-agent, and the URL fetched. Used to keep the service up, detect abuse, and nothing else. Rotated and deleted within 14 days.
- Email you send us. If you click any "Request access", "Forgot?", or "[email protected]" link, your mail client opens a draft to [email protected]. We receive only what you choose to write. Stored as long as the conversation is operationally useful.
- Contact form. The Contact us section on the home page posts to /api/contact, a Cloudflare Worker on our domain. The Worker validates the input, verifies a Cloudflare Turnstile token (bot protection), and emails the message to [email protected] via Cloudflare Email Routing. Nothing is written to disk. No database, no logs of submission contents. We receive only what you type (name, email, company, role, message). Kept as long as the conversation is operationally useful; deleted on request.
- Demo login (interactive). The /login.html page is an unauthenticated demo. Anything you type into the email / password / OTP fields stays in your browser tab — nothing is transmitted off-device.
3. Third-party requests this page makes
Loading the home and login pages makes no third-party requests. Typography (Geist + Geist Mono, OFL-licensed) is self-hosted on our own servers — no Google Fonts, no remote CDN for fonts. The only external request happens when you reach the contact form:
- challenges.cloudflare.com — Cloudflare Turnstile widget script and verification endpoint. Loads only when the contact section enters the viewport or when you focus a form field; sees your IP and browser characteristics to score your traffic as human vs. bot. No tracking, no analytics.
No other third-party requests are made. There is no Google Analytics, no Facebook Pixel, no Hotjar, no LinkedIn Insight Tag.
4. Cookies
None set by this site. No banner needed because there is nothing to consent to.
5. Legal basis (Art. 6 GDPR)
- Server logs: legitimate interest (Art. 6(1)(f)) in keeping the site running and detecting abuse.
- Email you send us: performance of pre-contractual measures at your request (Art. 6(1)(b)).
6. Recipients
- Our hosting provider: Hetzner Online GmbH (Germany, EU).
- Our edge network: Cloudflare, Inc. (US) — routes traffic through their tunnel; sees IP and TLS metadata.
We do not sell or share personal data with any other party. We use no marketing automation, ad networks, or data brokers.
7. International transfers
Cloudflare is US-based. Transfers rely on Standard Contractual Clauses and, where applicable, the EU-US Data Privacy Framework. Hetzner data stays in the EU.
8. Retention
- Server logs: ≤ 14 days, then automatically deleted.
- Emails you send us: kept as long as we have an open conversation with you, plus 12 months for record-keeping. Removed on request.
9. Your rights (Art. 15–22 GDPR)
You can ask us to:
- tell you what we hold about you (access);
- correct it if it's wrong (rectification);
- delete it (erasure);
- restrict or object to processing;
- send you a portable copy.
Email [email protected]. We respond within 30 days.
You also have the right to lodge a complaint with the data protection supervisory authority in your EU/EEA country of residence, place of work, or where the alleged infringement took place. You can find the authority for your country in the European Data Protection Board's list of national supervisory authorities.
10. Automated decision-making
None on this site.
11. Children
This site addresses business audiences. We do not knowingly process the personal data of children under 16.
12. Changes
If we materially change this policy, we update the date below. There is no version history yet because this is the first publication.