Privacy policy
Last updated: March 2026
1. Data controller
SPARRING LABS, S.L. is committed to the protection of its users' personal data. We process personal information with the highest guarantees of security and confidentiality, in strict compliance with Regulation (EU) 2016/679 (GDPR) and Spanish Organic Law 3/2018 on the protection of personal data and the guarantee of digital rights (LOPDGDD). The identification details of the data controller are as follows:
| Detail | Value |
|---|---|
| Company name | SPARRING LABS, S.L. |
| Tax ID (CIF) | B75876110 |
| Registered address | Calle Chile 54, 26007 Logroño, La Rioja, Spain |
| Contact email | legal@emethra.com |
2. Personal data we collect
We collect and process the following categories of personal data. In all cases, we apply the principle of data minimisation, collecting only the information strictly necessary for each purpose:
2.1. Registration data
To create and manage the user's account on the Platform, we need to collect basic identification and access data. This data is essential to provide the contracted service:
- Full name.
- Email address.
- Company or organisation name (optional).
- Password (stored only as a secure hash, as described in section 8, never in plain text).
2.2. Platform usage data
To ensure account security, provide technical support and improve service quality, we record certain information about the user's activity on the Platform:
- Scan records (date, project, aggregated results).
- Access IP address and session metadata.
- Activity log (audit log) for sensitive account operations.
2.3. Source code
Users may upload source code or connect Git repositories for analysis. This code is processed automatically for the sole purpose of performing the requested cyber resilience analysis.
Deletion guarantee: source code is automatically and irrecoverably deleted from our servers once the analysis is complete. No copies, backups or fragments of the original source code are retained. Only the analysis results (SBOM, vulnerability reports, compliance reports) are kept.
2.4. Payment data
Payment data (card numbers, bank details) is processed directly by our payment provider, Stripe, Inc. SPARRING LABS, S.L. does not store or have access to full payment card data. We only receive a transaction identifier and the payment status.
3. Purposes of processing
In accordance with the principle of data minimisation (Article 5(1)(c) GDPR), personal data is collected exclusively for specific, explicit and legitimate purposes, and is not processed in a manner incompatible with those purposes. Each piece of data collected corresponds to a specific service requirement:
| Purpose | Description |
|---|---|
| Registration and authentication | Management of user registration and authentication on the Platform, including identity verification and access control. |
| Service provision | Execution of the contracted cyber resilience analysis, including source code processing and results generation. |
| Report generation | Creation of SBOMs, vulnerability reports and regulatory compliance documentation (CRA, NIS2). |
| Transactional communications | Sending scan confirmations, security alerts, account notifications and service-related communications. |
| Billing | Payment management, invoicing and user subscription administration. |
| Legal obligations | Compliance with tax, accounting and regulatory obligations applicable to the company's activity. |
| Service improvement | Aggregated and anonymised analysis of Platform usage to improve performance, features and user experience. |
4. Legal basis for processing
All processing of personal data requires a legal basis to legitimise it. The following table details the applicable basis for each type of processing, together with the corresponding GDPR article:
| Legal basis | GDPR article | Application |
|---|---|---|
| Performance of contract | Art. 6(1)(b) | Processing necessary for the provision of the service contracted by the user (registration, analysis, report generation). |
| Consent | Art. 6(1)(a) | Sending of commercial communications, where applicable. Consent may be withdrawn at any time. |
| Legitimate interest | Art. 6(1)(f) | Service improvement, fraud prevention, Platform security and aggregated usage analysis. |
| Legal obligation | Art. 6(1)(c) | Compliance with tax, accounting and document retention obligations required by applicable legislation. |
5. Retention periods
Personal data is retained only for as long as necessary to fulfil the purpose for which it was collected. Once this period has elapsed, data is securely deleted or anonymised. The following table details the retention periods applicable to each type of data:
| Data type | Retention period | Justification |
|---|---|---|
| Account data | Contract duration + 5 years | Duration of the contractual relationship and legally required periods for tax data. |
| Source code | Immediate deletion | Automatically deleted once the analysis is complete. No copies are retained. |
| Analysis results | Active account (on demand) | While the user maintains an active account. The user may request deletion at any time. |
| Activity logs | 2 years | In accordance with security best practices and applicable traceability regulations. |
| Billing data | 5 years | In accordance with current tax legislation (Spanish General Tax Law). |
6. Data recipients
Personal data may be disclosed to third parties only when strictly necessary for service provision or for compliance with legal obligations. In all cases, we require our providers to offer adequate data protection guarantees.
| Recipient | Purpose | Guarantees |
|---|---|---|
| Infrastructure providers | Data hosting and processing | Data centres located entirely within the European Union, subject to EU legislation. |
| Stripe, Inc. | Payment processing | Acts as a data processor. Complies with the European Commission's standard contractual clauses for international transfers. |
| Resend | Transactional email delivery | Limited access to email addresses. Data processing agreement in place. |
| Public authorities | Legal obligation compliance | Disclosure only when there is a legal obligation or court order. |
SPARRING LABS, S.L. does not sell, rent or share personal data with third parties for commercial, advertising or profiling purposes. Our business model is based exclusively on the provision of the contracted service, not on the commercialisation of our users' data.
7. International transfers
All EMETHRA processing infrastructure is located within the European Union. Where an ancillary service provider operates outside the European Economic Area (such as Stripe for payments), transfers are carried out under the standard contractual clauses approved by the European Commission (Decision 2021/914), in accordance with Chapter V of the GDPR.
8. Security measures
Security is a fundamental pillar of EMETHRA. Given that the Platform processes source code and security data from our users, we have adopted a security-by-design approach that permeates every layer of our architecture. The technical and organisational measures implemented are reviewed and updated periodically to adapt to emerging threats.
Encryption
- Data encryption in transit using TLS 1.3 for all communications.
- Data encryption at rest across all databases and storage systems.
- Encrypted backups with periodic integrity verification.
Authentication and access control
- Passwords stored using secure hash functions (bcrypt/argon2).
- Session-based authentication with secure cookies (HttpOnly, SameSite).
- Support for two-factor authentication (2FA).
Isolation and multitenancy
- Per-tenant data isolation (secure multitenancy) to prevent cross-access.
- Audit logging of all sensitive operations.
- Automatic deletion of source code after analysis.
Infrastructure
- Infrastructure hosted entirely within the European Union.
- Continuous infrastructure monitoring and real-time security alerts.
9. Data subject rights
In accordance with the GDPR, you may exercise the following rights in relation to your personal data:
| Right | Description |
|---|---|
| Access | Obtain confirmation of whether your data is being processed and access it, including a copy of the personal data being processed. |
| Rectification | Request the correction of inaccurate data or the completion of incomplete data. |
| Erasure | Request the deletion of your data when it is no longer necessary for the purpose for which it was collected. |
| Restriction | Request the restriction of processing in the circumstances provided by Article 18 of the GDPR. |
| Portability | Receive your data in a structured, commonly used and machine-readable format, and transmit it to another controller. |
| Objection | Object to the processing of your data in certain circumstances, particularly when based on legitimate interest. |
| Withdrawal of consent | Withdraw consent at any time, without affecting the lawfulness of prior processing. |
To exercise any of these rights, send an email to legal@emethra.com stating your identity and the right you wish to exercise. We will respond within a maximum period of 30 days.
You also have the right to lodge a complaint with the Spanish Data Protection Agency (AEPD) at www.aepd.es.
10. Security incident notification
In the event of a personal data breach, SPARRING LABS, S.L. shall act in accordance with Article 33 of the GDPR:
- Notification to the competent supervisory authority (AEPD) within a maximum period of 72 hours from becoming aware of the breach.
- Notification to affected data subjects without undue delay when the breach is likely to result in a high risk to their rights and freedoms.
- Internal documentation of all security incidents, including the facts, effects and corrective measures adopted.
Additionally, in line with the NIS2 Directive requirements for relevant entities, EMETHRA maintains internal incident notification procedures with the following timelines:
| Phase | Deadline |
|---|---|
| Early warning | 24 hours from incident detection |
| Intermediate notification | 72 hours with initial impact and severity assessment |
| Final report | 1 month with detailed description, root cause and corrective measures |
11. Changes to this policy
SPARRING LABS, S.L. reserves the right to modify this privacy policy to adapt it to legislative changes, case law developments or changes in our practices. Any modification will be published on this page indicating the date of the last update. In the event of substantial changes, registered users will be notified by email.