Privacy Policy

Last updated: February 9, 2026

1. Data Controller

The controller responsible for data processing on this website within the meaning of the General Data Protection Regulation (GDPR) is:

Nikolas Burk
Erich-Nehlhans-Str. 29
10247 Berlin, Germany
Email: nikolas@spherica.ai
Phone: +49 176 546 57 147

2. Overview of Data Processing

Spherica is an organizational survey platform for culture surveys, 360-degree feedback, and pulse checks. We process personal data only to the extent necessary to provide our services and as permitted by law.

3. Hosting

This website is hosted by Railway (Railway Corporation, USA). When you visit our website, the hosting provider automatically collects and stores information in server log files that your browser transmits, including:

  • IP address
  • Date and time of the request
  • Browser type and version
  • Operating system
  • Referrer URL

This data is processed on the basis of Art. 6(1)(f) GDPR (legitimate interest in the secure and efficient provision of our website).

4. Account Registration & Authentication

To use Spherica, you must create an account. Depending on your role, we offer the following authentication methods:

a) Google OAuth (Administrators)

You can sign in using your Google account. When you do, Google shares your name, email address, and profile picture with us. We do not receive your Google password. Google's privacy policy applies to its processing of your data: https://policies.google.com/privacy

b) Magic Link (Employees)

Employees sign in via a one-time link sent to their email address. We store your email address to authenticate you. Magic links expire after 5 minutes.

Legal basis: Art. 6(1)(b) GDPR (performance of a contract — providing the service you signed up for).

Data stored: Name, email address, role, organization membership, account creation date.

5. Cookies & Local Storage

a) Essential Cookies

We use a session cookie to keep you signed in. This cookie is HTTP-only, signed, and expires after 7 days. It is strictly necessary for the service to function and does not require consent (Art. 6(1)(b) GDPR).

b) Analytics Consent

We store your analytics consent decision in your browser's local storage (key: spherica_analytics_consent). This is used solely to remember whether you accepted or declined analytics cookies.

6. Analytics (PostHog)

Only with your consent. If you accept analytics via our cookie banner, we use PostHog to understand how the platform is used and to improve it. PostHog collects:

  • Page views and navigation patterns
  • Click interactions (autocapture)
  • Session recordings (with password fields masked)
  • Device type, browser, and screen size
  • A pseudonymous user identifier

PostHog is operated by PostHog, Inc. (USA). Data may be transferred to the United States. PostHog processes data under the EU-U.S. Data Privacy Framework.

Legal basis: Art. 6(1)(a) GDPR (your consent). You can withdraw consent at any time by clicking “Cookie Settings” in the website footer.

PostHog's privacy policy: https://posthog.com/privacy

7. Transactional Emails (Resend)

We use Resend to send transactional emails such as magic link sign-in emails, password reset links, team invitations, and welcome messages. Resend processes your email address to deliver these messages.

Legal basis: Art. 6(1)(b) GDPR (necessary for contract performance).

Resend's privacy policy: https://resend.com/legal/privacy-policy

8. AI-Powered Analysis (OpenAI)

Spherica offers optional AI-powered survey analysis features. When administrators use these features, aggregated and anonymized survey data (not individual responses with personal identifiers) may be sent to OpenAI for processing.

Legal basis: Art. 6(1)(b) GDPR (providing the contracted feature) and Art. 6(1)(f) GDPR (legitimate interest in improving survey insights).

OpenAI's privacy policy: https://openai.com/policies/privacy-policy

9. Survey Response Data

When employees complete surveys, we collect their responses. Depending on the survey configuration, responses may be anonymous or associated with demographic attributes (such as department, site, or role) provided by the employer. Survey responses are stored in our PostgreSQL database hosted by Railway.

Legal basis: Art. 6(1)(b) GDPR (performance of a contract) and Art. 6(1)(f) GDPR (legitimate interest of the employer in organizational development).

10. Data Retention

  • Account data: Retained as long as your account is active. Deleted upon request or account closure.
  • Survey responses: Retained according to the client organization's subscription plan (1–5 years).
  • Session cookies: Expire after 7 days.
  • Analytics data (PostHog): Subject to PostHog's retention policies. Collection stops if you withdraw consent.
  • Server logs: 30 days.

11. Your Rights Under GDPR

You have the following rights regarding your personal data:

  • Access (Art. 15 GDPR) — Request a copy of the personal data we hold about you.
  • Rectification (Art. 16 GDPR) — Request correction of inaccurate data.
  • Erasure (Art. 17 GDPR) — Request deletion of your personal data (“right to be forgotten”).
  • Restriction (Art. 18 GDPR) — Request restriction of processing.
  • Data portability (Art. 20 GDPR) — Receive your data in a structured, machine-readable format.
  • Objection (Art. 21 GDPR) — Object to processing based on legitimate interests.
  • Withdraw consent (Art. 7(3) GDPR) — Withdraw consent at any time (e.g., for analytics) by clicking “Cookie Settings” in the website footer.

To exercise any of these rights, contact us at datenschutz@spherica.ai.

12. Right to Complain

You have the right to lodge a complaint with a data protection supervisory authority (Art. 77 GDPR). The competent authority is:

Berliner Beauftragte für Datenschutz und Informationsfreiheit
Friedrichstr. 219
10969 Berlin
www.datenschutz-berlin.de

13. Data Transfers to Third Countries

Some of our service providers are based in the United States (PostHog, OpenAI, Google, Resend). These transfers are safeguarded by the EU-U.S. Data Privacy Framework and/or Standard Contractual Clauses (Art. 46(2)(c) GDPR).

14. Changes to This Policy

We may update this privacy policy from time to time. The updated version will be indicated by the “Last updated” date at the top of this page.