SPIRALSIDE

Privacy Policy

Effective Date: March 20, 2026

1. What We Collect

We collect the minimum data necessary to run Spiralside:

Account dataYour email address and authentication credentials, managed through Supabase Auth.

Usage dataCredits balance, daily message count, daily image count, and reset dates. Used solely to enforce usage limits.

Payment dataPayPal order IDs and credit amounts. We do not store full payment card details — all processing is handled by PayPal.

Vault filesFiles you upload, stored by filename, size, and type under your user ID.

Gift codesCode, credit value, creation date, and redemption status if you purchase or redeem a gift code.

We do not collect your real name, phone number, location, browsing history, or any data beyond what is listed above.

2. How We Use Your Data

We use your data only to operate Spiralside:

Authenticate your account and keep your session secure
Track and enforce credit and usage limits
Process and verify PayPal purchases
Store and retrieve your vault files
Prevent fraud and abuse

We do not use your data for advertising. We do not sell your data.

3. Third-Party Services

Spiralside uses the following services to operate:

Supabase — database and file storage
Vercel — frontend hosting
Railway — backend infrastructure
PayPal — payment processing
Anthropic API — AI language model processing
Hugging Face — AI image generation

Each of these services has its own privacy policy. Your data is processed by these services only as necessary to deliver Spiralside functionality.

4. Your Content

Files and content you upload or generate are stored under your user ID. They are not accessible to other users. We do not review, analyze, or use your content for any purpose other than delivering it back to you.

5. Data Retention

We retain your account data for as long as your account is active. Usage and transaction data is retained for up to 12 months for fraud prevention. Vault files are retained until you delete them or close your account.

Upon account deletion, we will remove your personal data within 30 days, except where longer retention is required by law.

6. Your Rights

You have the right to access, correct, or delete your personal data, and to export your vault files at any time. To exercise these rights, contact us at [email protected].

7. Security

We use Row Level Security (RLS) on all database tables, meaning your data is only accessible by your own authenticated session. We use HTTPS for all data in transit.

If you believe there has been a security incident, contact us immediately at [email protected].

8. Children's Privacy

Spiralside is not directed at children under 13. We do not knowingly collect data from children under 13.

9. Changes to This Policy

We will notify you of material changes via email or platform notice before they take effect.

10. Contact

Privacy: [email protected]

Complaints: [email protected]

Security: [email protected]