1. Introduction
This Privacy Notice (the "Notice") explains how DSPT Finder LLC ("DSPT Finder", "we", "us", or "our") collects, uses, shares, and otherwise processes personal data in connection with our sales-intelligence service for international investment dispute monitoring (the "Service"), our website at https://dsptfinder.com (the "Website"), and our other business activities.
We take privacy seriously. This Notice is written to be readable. If anything is unclear, please contact us using the details in Section 14.
2. Who This Notice Applies To
This Notice applies to three groups of individuals, and our role and obligations differ for each group:
| Group | Who you are | Our role |
|---|---|---|
| Authorised users | Lawyers, business-development professionals, and other personnel of organisations that subscribe to the Service. | Processor on behalf of your organisation (the Controller). See Section 3. |
| Website visitors and prospects | Anyone who visits our Website, attends our marketing events, or contacts us about the Service. | Independent Controller. |
| Individuals identified in public source material | Parties, counsel, arbitrators, experts, and other individuals named in publicly available materials concerning international investment disputes that the Service monitors. | Independent Controller. |
3. Our Two Roles
3.1 Where we act on behalf of subscriber organisations (Processor)
Where authorised users access the Service through a subscription paid for by their organisation (for example, a law firm), we Process certain data — such as account details, usage logs, and content the user creates within the Service — on behalf of that organisation. In that case, the user's organisation is the Controller and we are the Processor. The organisation's own privacy notice and policies govern that processing, and individuals exercising data-subject rights in respect of that data should contact their organisation in the first instance. We will support our customers in responding to such requests as required by our Data Processing Agreement.
3.2 Where we act on our own behalf (Independent Controller)
We act as an independent Controller in respect of:
- our Website, marketing, and prospect activities;
- information we collect from publicly available source material to build the substantive content of the Service (see Section 5.3); and
- our own employees, contractors, suppliers, and similar relationships (which are governed by separate notices not addressed here).
4. Information We Collect
4.1 Information you provide directly
You may provide us with personal data when you sign up for an account, request a demo, contact us, or use the Service. Categories include:
- Identity and contact data: name, business email address, business phone number, employer, job title, professional credentials.
- Account and authentication data: username, hashed password (where SSO is not used), single sign-on identifiers, multi-factor authentication metadata.
- Marketing data: communications preferences, event attendance, survey responses.
- Communications data: the content of correspondence with us, including support and sales enquiries.
- User-generated content: notes, tags, watchlists, comments, and other content you submit through the Service.
4.2 Information we collect automatically
When you use the Service or the Website, we automatically collect:
- Usage data: pages and items viewed, queries submitted, alerts subscribed to, time stamps, and similar interaction data.
- Device and connection data: IP address, browser type and version, operating system, device identifiers, and approximate location derived from IP address.
- Cookies and similar technologies: see Section 10.
4.3 Information we obtain from publicly available source material
A core function of the Service is to monitor, organise, and surface information about international investment disputes from publicly available source material. That source material may include personal data — typically names and professional roles of:
- parties to disputes (including individual claimants);
- legal counsel acting in disputes;
- arbitrators, tribunal secretaries, and other tribunal members;
- expert witnesses; and
- other individuals named in tribunal documents, registry records, official publications, news reports, and similar public materials.
We Process this information for the legitimate-interest purposes set out in Section 6.3. We do not seek out non-public information about these individuals, and we do not knowingly Process special category data about them within the meaning of Article 9 GDPR.
4.4 Information we obtain from other third parties
We may obtain limited information about you from:
- your organisation (e.g., when it provisions your access to the Service);
- your organisation's identity provider (e.g., when SSO is used);
- our service providers and sub-processors, who provide hosting, authentication, analytics, and similar services; and
- publicly available business sources, where we use them for marketing or business-development purposes (such as professional networks).
5. How We Use Your Information
We use the information described above for the following purposes:
| Purpose | What this involves |
|---|---|
| Providing the Service | Authenticating users, delivering monitoring and alerting, supporting customer use of the Service, and providing related services. |
| Improving the Service | Aggregated and de-identified analysis of how the Service is used, in order to improve features, performance, and reliability. We do not use Customer Personal Data to train, fine-tune, or otherwise improve our own AI/ML models or those of any third-party provider. |
| Building and maintaining the public-source content of the Service | Collecting, organising, classifying, summarising, and presenting publicly available material concerning international investment disputes, so that the Service's users can monitor and analyse this domain effectively. |
| Service-related communications | Sending operational messages, security and incident notifications, billing and contractual communications, and similar non-marketing communications. |
| Marketing and business development | Sending marketing communications about the Service to business contacts and prospects, in accordance with applicable law and your preferences. |
| Security, fraud prevention, and abuse detection | Monitoring access and use of the Service to detect and prevent unauthorised activity, abuse, and security incidents. |
| Compliance and legal claims | Complying with our legal, regulatory, and contractual obligations, and establishing, exercising, or defending legal claims. |
| Corporate transactions | In connection with a contemplated or actual financing, merger, acquisition, sale of assets, or similar transaction, with appropriate confidentiality protections. |
6. Legal Bases (GDPR / UK GDPR)
Where the EU GDPR or UK GDPR applies, we rely on the following legal bases for our Processing:
6.1 Performance of a contract
To provide the Service to authorised users, we rely on the performance of our contract with their organisation (or, where the user contracts directly, with the user). Where the contract is between us and the user's organisation, our role in respect of personal data of authorised users is typically that of a Processor.
6.2 Legitimate interests
We rely on our legitimate interests, balanced against the rights and freedoms of data subjects, for:
- improving and securing the Service;
- marketing the Service to business contacts and prospects (and to other businesses), where lawful and consistent with their reasonable expectations;
- detecting fraud, abuse, and security incidents; and
- the Processing of personal data appearing in public source material described in Sections 4.3 and 5. Our legitimate interest is the lawful operation of a sales-intelligence service that organises and surfaces publicly available business and professional information about international investment disputes, for the benefit of our customers (typically law firms) and the broader market for legal and dispute-resolution services. We have considered the interests, rights, and freedoms of the individuals whose information is included, and we believe that our Processing is proportionate and within their reasonable expectations, given that (a) the information concerns their professional activities; (b) it is already publicly available; and (c) we provide a clear mechanism to exercise data-subject rights, including objection (see Section 9).
6.3 Consent
Where required by law, we rely on consent — for example, for certain cookies and tracking technologies (see Section 10) and for certain marketing communications. You can withdraw consent at any time without affecting the lawfulness of Processing carried out before withdrawal.
6.4 Legal obligation
We may Process personal data where necessary to comply with legal obligations, for example tax, accounting, anti-money-laundering, or court orders.
7. How We Share Your Information
We share personal data only as necessary for the purposes described in this Notice, and with the following categories of recipients:
- Sub-processors and service providers such as cloud hosting (Microsoft Azure), authentication and identity management, transactional email and messaging, product analytics and error monitoring, and customer support tooling. A current list of sub-processors is available at [URL] and is provided to customers under our standard Data Processing Agreement.
- Subscribing organisations and their administrators. Where you access the Service through a subscription provided by your employer or another organisation, that organisation will have access to the data you Process through the Service, including usage information, in accordance with its own policies.
- Professional advisers such as lawyers, auditors, and insurers, where required for the legitimate operation of our business and subject to confidentiality obligations.
- Authorities and courts, where required to comply with applicable law, valid legal process, or to protect the rights, property, or safety of any person. Where lawful, we will notify the relevant Customer (in the case of Customer Personal Data) before disclosure and produce only what is legally required.
- Acquirers and successors, in the context of a contemplated or completed corporate transaction.
We do not sell or share personal data within the meaning of the CCPA and equivalent U.S. state laws. We do not provide personal data to third parties for their own independent marketing purposes.
8. International Transfers
We are based in the Netherlands and the United States. Our service providers and sub-processors may be located in other jurisdictions. As a result, personal data may be transferred to, and Processed in, countries other than the country in which it was originally collected.
Where we transfer personal data subject to the EU GDPR, UK GDPR, or Swiss FADP outside of the EEA, the United Kingdom, or Switzerland to a country that is not subject to an adequacy decision, we put in place appropriate safeguards, including:
- the European Commission Standard Contractual Clauses (Decision (EU) 2021/914);
- the UK International Data Transfer Agreement / UK Addendum to the Standard Contractual Clauses; and
- supplementary technical, contractual, and organisational measures where necessary.
Copies of the relevant transfer mechanisms are available on request via the contact details in Section 14.
9. Your Rights
Depending on the jurisdiction in which you are located, you have certain rights in respect of your personal data. We honour these rights in accordance with applicable law.
9.1 Rights under the EU GDPR / UK GDPR
Subject to the conditions in the GDPR, you have the right to:
- request access to your personal data;
- request rectification of inaccurate or incomplete personal data;
- request erasure of your personal data ("right to be forgotten");
- request restriction of Processing of your personal data;
- object to Processing carried out on the basis of legitimate interests, including for direct marketing;
- request portability of personal data you have provided to us;
- withdraw consent (where Processing is based on consent) without affecting the lawfulness of prior Processing; and
- lodge a complaint with a supervisory authority (see Section 14.4).
9.2 Rights under the California CCPA / CPRA
California residents have the right to:
- know what categories of personal information we collect, the sources, the purposes for collection, and the categories of third parties with whom we share personal information;
- access the specific pieces of personal information we have collected about them;
- request correction of inaccurate personal information;
- request deletion of personal information;
- opt out of the sale or sharing of personal information (we do not sell or share personal information as those terms are defined in the CCPA);
- limit the use and disclosure of sensitive personal information (we do not use sensitive personal information for purposes that would trigger this right); and
- not be discriminated against for exercising any of these rights.
9.3 Rights under other U.S. state laws
Residents of Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, and other states with comprehensive privacy laws have rights similar to those described in Section 9.2, including rights of access, correction, deletion, portability, and opt-out of targeted advertising and sale of personal information. We honour these rights as required by applicable law.
9.4 How to exercise your rights
To exercise any of these rights, contact us using the details in Section 14. We will respond within the time limits required by applicable law (typically one month under the GDPR, or 45 days under most U.S. state laws). We may need to verify your identity before responding to your request.
If we Process your personal data on behalf of a subscribing organisation (i.e., we act as Processor), we will direct your request to that organisation, who is the Controller of the relevant data.
You will not be charged for exercising your rights, unless your request is manifestly unfounded, excessive, or repetitive, in which case we may charge a reasonable fee or refuse the request, as permitted by law.
9.5 Individuals identified in public source material
If you appear in publicly available source material that we Process for the Service (see Sections 4.3 and 6.3) and you wish to exercise rights in respect of that Processing, please contact us using the details in Section 14. We will consider each request on its merits, taking into account the nature of the source material, the public-interest considerations involved, and applicable law. We will not refuse a valid request without explanation.
Where the source material is in the public domain (for example, a published tribunal award or news article), the right of erasure may not require us to remove the information from our system if we have an overriding legitimate interest in continuing to Process it. We will, however, restrict or correct Processing where required by law.
10. Cookies and Similar Technologies
We use cookies and similar technologies on the Website and in the Service for the following purposes:
- Strictly necessary: to authenticate users and operate the core functions of the Service.
- Functional: to remember your preferences (e.g., language, display settings).
- Analytics: to understand how visitors and users interact with the Website and the Service so we can improve them. We use [analytics provider] for this purpose.
- Marketing: only on the Website, and only with your consent where required.
You can manage cookie preferences using the cookie banner on first visit to the Website and at any time via the cookie preference link in the Website footer. Most browsers also allow you to block or delete cookies through their settings; doing so may affect the functioning of the Service.
11. How Long We Keep Your Information
We retain personal data only for as long as is necessary for the purposes for which it was collected, including any legal, accounting, or reporting requirements, and to establish, exercise, or defend legal claims. In particular:
- Account data is retained for the duration of the customer relationship and for a reasonable period afterwards (typically not exceeding 12 months) to support reactivation, service queries, and dispute resolution.
- Usage and log data is typically retained for up to 12 months.
- User-generated content is retained for the duration of the customer relationship and is returned or deleted on termination in accordance with our Data Processing Agreement (subject to a maximum 90-day backup overwrite cycle).
- Marketing data is retained until you opt out, plus a reasonable suppression-list retention period.
- Data drawn from publicly available source material is retained while the source remains relevant to the Service's purpose, and thereafter as needed for historical analysis.
- Records required by tax, accounting, anti-money-laundering, or other laws are retained for the periods required by those laws.
12. Security
We implement and maintain technical and organisational measures designed to protect personal data against unauthorised or unlawful Processing and against accidental loss, destruction, or damage. These measures are described in our Information Security Programme summary, available on request, and include encryption in transit and at rest, role-based access control with multi-factor authentication, network segmentation, vulnerability management, logging and monitoring, personnel training, and incident response. No system is perfectly secure; we work continuously to improve our security posture and respond to emerging threats.
13. Children
The Service is intended for use by professionals in a business context. It is not directed at children, and we do not knowingly collect personal data from individuals under 16 (or 13 in the United States, or such higher age as required by applicable law). If you believe that we have inadvertently collected personal data of a child, please contact us and we will take prompt steps to delete it.
14. Contact and Complaints
14.1 General contact
Questions about this Notice or our privacy practices, or requests to exercise your rights, may be sent to:
- Email: security@dsptfinder.com
14.2 EU representative
Where the EU GDPR applies and we do not have a Union establishment, our representative under Article 27 GDPR is [name and address of EU representative, if applicable, e.g., a representative service]. Individuals in the EU may contact our representative directly with respect to issues relating to the Processing of their personal data.
14.3 UK representative
Where the UK GDPR applies and we do not have a UK establishment, our representative under Article 27 UK GDPR is [name and address of UK representative, if applicable].
14.4 Lodging a complaint
If you are not satisfied with our response, you have the right to lodge a complaint with a competent supervisory authority. In the EU, you may complain to the supervisory authority in the Member State of your habitual residence, place of work, or place of the alleged infringement (a list is published by the European Data Protection Board). In the United Kingdom, you may complain to the Information Commissioner's Office. In Switzerland, you may complain to the Federal Data Protection and Information Commissioner.
In the United States, you may contact your state attorney general or, in California, the California Privacy Protection Agency.
15. Changes to This Notice
We may update this Notice from time to time. The "Last updated" date at the top reflects the most recent revision. Where changes are material, we will notify customers and authorised users by email or through the Service before the changes take effect. Previous versions of this Notice are available on request.