At SpotLite, your trust is the foundation of everything. This Privacy Policy explains clearly and comprehensively what data we collect, why we process it, with whom it is shared, how we secure it, how long we keep it and how you stay in control. It applies to the SpotLite mobile app, the spotlite-app.com website and all of our services. It complies with the General Data Protection Regulation (GDPR), the Google API Services User Data Policy and the requirements of the App Store and Google Play.
1. Data controller
The data controller is PEREZ LAVADIE JAVIER, registered under number 513648568, whose registered office is located at 6 rue Joséphine Baker 69007, France. For any question about your data or to exercise your rights, contact our Data Protection contact at contact-us@spotlite-app.com, or by mail at the address above.
2. Data we collect
We apply the principle of minimization: we only collect data that is necessary for the purposes described below.
- Account and authentication data: email address, password (stored by our authentication provider in an encrypted, irreversible form, never in clear text), and, if you choose to sign in via a third-party provider, the basic information transmitted by Google or Apple (see section 3). Phone number when you verify your account (in particular to access free features subject to anti-abuse measures).
- Professional profile data: first and last name, profile picture, job titles, skills, experience, CVs (imported or generated), presentation videos and audio content, company reviews, and any information you choose to add to your profile.
- Proof Vault (originals not retained): when you import a diploma, license or certification, the original image or PDF file is processed in memory by our certification Artificial Intelligence, then immediately and permanently deleted from our servers. We only keep in the database the metadata extracted as text (document type, date, institution, confidence score). We will therefore never be able to return the original file to you after analysis.
- Usage and Journal data: your browsing history (jobs and videos viewed) is stored locally on your device. This Journal is only transferred to our servers if you explicitly enable synchronization, in order to feed the contextual semantic intelligence of your career assistant. We also collect aggregated and statistical usage data to improve the service.
- Technical data and device identifiers: device model and operating system, device identifier, IP address, push notification tokens, technical logs, account creation and last login dates, and the list of your connected devices. The device identifier is used for security purposes and to combat fraud and abuse (including enforcing bans).
- Transaction data: purchase, credit and subscription history. We never store your full banking details: payments are processed by Apple, Google or our payment provider (see section 7).
3. Sign-in via third-party accounts — Google and Apple user data
This section describes precisely how SpotLite accesses, uses, stores and shares Google user data, in accordance with the Google API Services User Data Policy (including its Limited Use requirements). The same principles apply to Apple sign-in (Sign in with Apple).
Google data accessed. When you choose "Continue with Google", SpotLite requests only the following permissions (scopes): openid, your email address (email) and your basic profile (profile: name and profile picture), as well as your Google account identifier. SpotLite does NOT request or access ANY sensitive or restricted-scope Google data: we never access your Gmail, Google Drive, Contacts, Calendar, photos or any other Google service.
Use of Google data. This data is used exclusively to: (1) create and secure your SpotLite account and authenticate you; (2) pre-fill your profile (name, email, photo) to save you from re-entering it; (3) send you essential service communications (security, support, billing). We do not use Google data for advertising purposes.
Sharing of Google data. We do not sell or rent Google user data. It is only shared with our technical subcontractors strictly necessary for the operation of authentication and hosting (in particular Google Firebase Authentication and Google Cloud Platform), acting on our instructions and subject to contractual confidentiality obligations (see section 7). No Google data is transferred to third parties for commercial purposes.
Storage and protection of Google data. Data from your Google account is stored within the Google Cloud / Firebase infrastructure (europe-west6 region, Switzerland). It is encrypted in transit (TLS) and at rest, protected by strict access controls, strong administrator authentication and access logging (see section 9).
Retention and deletion of Google data. Google data is kept as long as your SpotLite account is active. You can revoke SpotLite's access at any time from your Google Account (myaccount.google.com, "Security" then "Third-party apps"), and you can permanently delete your account and associated data directly in the app (see section 11) or by writing to contact-us@spotlite-app.com. Deletion is handled as described in section 11.
Limited Use. SpotLite's use of information received from Google APIs complies with the Google API Services User Data Policy, including its Limited Use requirements. In particular: Google user data is used only to provide and improve user-facing features; it is never sold; it is not transferred to third parties except as necessary to provide the service, for security reasons, or to comply with the law; and Google user data is never used to develop, train or improve generalized or foundation AI models. The training of our AI models (section 5) relies exclusively on the content you publish on SpotLite, and never on data from your Google or Apple account.
4. Purposes and legal bases of processing (GDPR)
We process your data on the following legal bases:
- Performance of a contract: create and manage your account, provide the features (CV, videos, matching, payments, credits).
- Consent: Journal synchronization, public visibility / "Headhunter" mode (B2B sourcing), use of your content to train AI (section 5), optional marketing communications. You can withdraw your consent at any time.
- Legitimate interest: platform security, prevention of fraud and abuse, automated content moderation, statistical improvement of the service.
- Legal obligation: retention of accounting records and response to requests from competent authorities.
5. Artificial Intelligence, automated processing and model training
SpotLite uses artificial intelligence to: generate and contextualize CVs (Dalia assistant), assess the consistency of applications, analyze and certify Vault documents, recommend content and audio atmospheres, and automatically moderate content (videos, images, text, profiles) to protect the community.
Training of proprietary models. SpotLite develops its own artificial intelligence models. To this end, and subject to your consent where required by law, we may use, in raw, transformed or anonymized form, the content you create and publish on the platform (CVs, videos, audio content, reviews, synchronized journals, content from the Musicians and Journalists programs) to train, evaluate and improve these models. This use is subject to the following safeguards:
- We never use, for AI training purposes, data from your third-party Google or Apple accounts (see section 3).
- We do not process special categories of data (so-called "sensitive" data) for training purposes without your explicit consent, and we apply pseudonymization or anonymization measures whenever possible.
- You can object to the use of your content for AI training, or withdraw your consent, at any time from your settings (Cockpit) or by writing to us. This withdrawal applies for the future and does not affect the lawfulness of processing already carried out nor the models already trained, whose learning is by nature irreversible.
Automated decisions. Certain moderation decisions may be made automatically. You have the right to obtain human intervention, to express your point of view and to contest these decisions with our support team. AI-generated CVs and analyses may contain inaccuracies: it is your responsibility to check them before any use.
6. Sharing of information and professional access (B2B)
We do not sell your personal data to advertising third parties. SpotLite offers a suite of tools and APIs intended for recruiters and companies. If — and only if — you enable the public visibility option or "Headhunter" mode in your settings, your unified skills, your AI-generated CV and your certified diploma proofs (without your direct contact details) become viewable and extractable by our certified professional partners. You can disable this sharing or revoke this access at any time from your Cockpit. We may also disclose data if required by law, to protect the rights, safety or property of SpotLite and its users, or in connection with a corporate transaction (merger, sale), in which case you would be informed.
Developer API (B2B). Authorized recruiters and companies may access certain features via our professional APIs, using a personal API key and after approval. This access is limited to the data you have chosen to make accessible (public / sourcing mode) and is governed by terms that require API clients to maintain confidentiality, security and GDPR compliance, and that prohibit resale. Details are set out in our API & Extensions Terms.
Browser extensions. We offer two optional browser extensions. In both cases, the extension only acts when you trigger it yourself on the page you are viewing: it never tracks your browsing, does not read pages in the background, does not collect your history and does not sell any data. These extensions comply with the Limited Use requirement of the Chrome Web Store program. Their detailed operation is set out in our API & Extensions Terms.
- SpotLite Copilot (job seekers). When you click "Save" on a job posting page, the extension sends the displayed content of that page to SpotLite in order to save the job to your account. It authenticates via a personal key linked to your account, stored hashed, with a limited number of simultaneous devices.
- SpotLite Talent · Prospect (recruiters and companies). When you click "Analyze" on a company page, the extension sends the displayed content of that page to SpotLite, which identifies the company, searches its public news and, using AI, infers signals and hiring needs, then saves the result to your "Clients" records. It authenticates via your professional API key (stored hashed); the AI analysis is charged to your AI balance. It only processes public professional information relating to the company being viewed.
7. Subcontractors and recipients
We use carefully selected subcontractors, acting on our instructions and bound by confidentiality and security commitments:
- Google Firebase / Google Cloud Platform: authentication, database, hosting, server functions, storage and notifications (europe-west6 region).
- Google / Vertex AI (Gemini models): artificial intelligence processing (generation, analysis, moderation). This processing is governed by terms that prohibit the reuse of your data to train the provider's models.
- Apple App Store and Google Play: processing of in-app purchases and subscriptions.
- Payment provider (e.g., Stripe): secure processing of card payments outside the app stores.
- Email provider: sending of transactional and service emails.
An up-to-date list of subcontractors can be obtained on request at contact-us@spotlite-app.com.
8. International data transfers
Your data is hosted primarily in Europe (Switzerland, europe-west6 region, a country benefiting from an adequacy decision by the European Commission). When a subcontractor processes data outside the European Economic Area, this transfer is governed by appropriate safeguards (European Commission standard contractual clauses or an adequacy mechanism), a copy of which can be requested at contact-us@spotlite-app.com.
9. Data security
We implement appropriate technical and organizational measures: encryption in transit (TLS) and at rest, access control and the principle of least privilege, strong authentication and facial verification for sensitive administration access, application integrity attestation (App Check) on our server functions, access logging and monitoring, and immediate deletion of original Vault files after processing. As no method of transmission or storage is 100% infallible, we cannot guarantee absolute security, but we are committed to protecting your data and notifying you of any breach in accordance with the law.
10. Retention period
We keep your data only for as long as necessary for the intended purposes:
- Account and profile data: for the entire lifetime of the account, then deleted or anonymized after its deletion (subject to legal retention periods).
- Original Vault files: deleted immediately after analysis; only metadata is kept with the account.
- Transaction data and accounting records: kept for up to 10 years to meet our legal and tax obligations.
- Technical and security data (logs, device identifiers linked to abuse): kept for as long as necessary to prevent fraud and enforce sanctions.
- Content already published and distributed (videos using music, derivative content): may persist in accordance with the licenses accepted upon publication.
11. Your rights and how to exercise them
In accordance with the GDPR, you have the following rights: right of access, rectification, erasure ("right to be forgotten"), restriction and objection to processing, portability of your data, withdrawal of your consent at any time, and the right to set directives concerning the fate of your data after your death.
Account deletion. You can delete your account and associated data directly in the app (Settings then "Delete my account"), or by writing to contact-us@spotlite-app.com. Upon receipt, we delete or anonymize your data within a reasonable period not exceeding 30 days, except for data that the law requires us to keep (section 10). Due to our automatic erasure policy, original Vault files cannot be restored. Any remaining credit balance is permanently lost upon account deletion.
To exercise your rights, contact contact-us@spotlite-app.com. We may ask you to verify your identity. You also have the right to lodge a complaint with the CNIL (www.cnil.fr) or your data protection authority.
12. Protection of minors
SpotLite is a professional platform reserved for persons aged at least 16. We do not knowingly collect data concerning younger persons. If you believe a minor has provided us with data, contact us so that we can delete it.
13. Changes to this policy
We may update this Privacy Policy. Any significant change is signaled in the app with a new version and, where applicable, a request for re-acceptance. The date of the last update and the version number appear at the top of the document. Translated versions are provided for convenience; in the event of discrepancy, the French version prevails.
14. Contact
For any question relating to this policy or your personal data: contact-us@spotlite-app.com, or by mail at SpotLite, 6 rue Joséphine Baker 69007, France.