Privacy Policy

Effective Date: August 22, 2025 · Version 1.0

This Privacy Policy ("Policy") describes how Julien Pinto, doing business as Spill ("Company," "we," "us," or "our"), collects, uses, discloses and safeguards information when you use the Spill mobile application and any related services (collectively, the "App").

By accessing or using the App, you agree to the practices described in this Policy. If you do not agree, please do not use the App.

🛡️ Our Privacy Principles

Privacy by Design — We collect only the minimum data necessary to provide our services

Transparency — We clearly explain what data we collect and why

User Control — You have full control over your content and privacy settings

Security First — Your videos and personal data are encrypted and protected

No Ads — We do not sell your personal information or use it for advertising

1. Information We Collect

1.1 Information You Provide

Account Information

Examples: Email address via Apple Sign-In, display name, optional profile photo
Purpose: Create and maintain your account, authentication
Legal Basis: Contract performance (GDPR Art. 6(1)(b))

Content Data

Examples: Videos ("Spills"), captions, comments, reactions
Purpose: Provide core video journaling and sharing features
Legal Basis: Contract performance (GDPR Art. 6(1)(b))

Communication Data

Examples: Messages to support, feedback
Purpose: Respond to support requests, improve services
Legal Basis: Legitimate interests (GDPR Art. 6(1)(f))

Subscription Data

Examples: Subscription status, purchase history (via RevenueCat)
Purpose: Process payments, manage subscriptions
Legal Basis: Contract performance (GDPR Art. 6(1)(b))

1.2 Information Collected Automatically

Usage Analytics

Examples: Screens viewed, features used, session duration (via Firebase Analytics)
Purpose: Improve app performance, understand feature engagement
Legal Basis: Legitimate interests (GDPR Art. 6(1)(f))

Technical Data

Examples: Device model, iOS version, app version, crash logs
Purpose: Debug issues, ensure compatibility
Legal Basis: Legitimate interests (GDPR Art. 6(1)(f))

Security Data

Examples: Authentication tokens, device identifiers
Purpose: Maintain session security, prevent fraud
Legal Basis: Legitimate interests (GDPR Art. 6(1)(f))

1.3 Information from Third Parties

We may receive information from:

Apple: Email address, name (via Sign In with Apple)
App Store: Purchase verification data
Firebase: Analytics and crash reporting data

2. How We Use Information

2.1 Primary Purposes

🎥 Provide Core Services

Host, sync and stream your Spills
Enable private journaling and friend sharing
Process in-app purchases and manage subscriptions

🔧 Improve & Maintain Services

Analyze usage patterns to improve features (aggregated data only)
Debug crashes and performance issues
Ensure app security and prevent fraud

📞 Communication

Send essential service notifications (security alerts, feature updates)
Respond to support inquiries
Process feedback and feature requests

⚖️ Legal Compliance

Comply with applicable laws and regulations
Respond to valid legal requests
Enforce our Terms of Service

2.2 We Do NOT Use Your Data For

❌ Advertising or marketing to third parties
❌ Selling or renting personal information
❌ Cross-app tracking or profiling
❌ Analyzing video content without explicit consent

3. How We Share Information

3.1 Limited Sharing Scenarios

Friends You Invite

What We Share: Spills you explicitly share, associated reactions/comments
Why: Deliver core social features
Safeguards: User-controlled sharing settings

Service Providers

What We Share: Encrypted data necessary for service provision
Why: Cloud hosting, payments, analytics
Safeguards: Data processing agreements, encryption

Legal Authorities

What We Share: Data required by valid legal process
Why: Comply with legal obligations
Safeguards: Challenge overbroad requests, minimal disclosure

Business Transactions

What We Share: Account data in case of merger/acquisition
Why: Business continuity
Safeguards: User notification, data protection commitments

3.2 Service Providers

Supabase

Service: Database & file storage
Data Shared: Encrypted Spills, account data
Location: US/EU (user region)
Safeguards: SOC 2 certified, encryption at rest

RevenueCat

Service: Subscription management
Data Shared: User ID, subscription status, purchase data
Location: United States
Privacy Policy: revenuecat.com/privacy

Firebase

Service: Analytics & notifications
Data Shared: Pseudonymous usage data, device tokens
Location: United States
Privacy Policy: policies.google.com/privacy

Cloudflare

Service: Content delivery
Data Shared: IP address, cached video data
Location: Global CDN
Privacy Policy: cloudflare.com/privacypolicy

Apple

Service: Authentication & payments
Data Shared: Sign-in data, purchase receipts
Location: United States
Privacy Policy: apple.com/privacy

⚠️ Important: All service providers are bound by data processing agreements and must use your data solely to provide services to us.

4. Your Rights & Choices

4.1 Content Control

Privacy Settings: Choose whether Spills are private or shared with friends
Delete Content: Remove individual Spills or comments at any time
Friend Management: Add or remove friends from your sharing circles
Account Deletion: Delete your entire account and all associated data

4.2 Data Protection Rights

🇪🇺 EU/EEA/UK Residents (GDPR Rights)

Access: Request a copy of your personal data
Rectification: Correct inaccurate or incomplete data
Erasure: Request deletion of your personal data ("right to be forgotten")
Portability: Receive your data in a machine-readable format
Restriction: Limit how we process your data
Objection: Object to processing based on legitimate interests
Withdraw Consent: Revoke consent for any consent-based processing

🇺🇸 US Residents (State Privacy Laws)

California (CCPA/CPRA): Right to know, delete, correct, and opt-out of sale (we don't sell data)
Virginia (VCDPA): Access, correction, deletion, and portability rights
Colorado (CPA): Similar rights to Virginia residents

🌏 Other Jurisdictions
We comply with applicable data protection laws in your jurisdiction. Contact us for specific rights information.

4.3 How to Exercise Your Rights

In-App: Use privacy settings in the app for most requests
Email: Contact hello@joinspill.com for complex requests
Response Time: We respond within 30 days (or as required by local law)
Verification: We may request identity verification to protect your privacy

4.4 Marketing & Communications

No Marketing: We don't send marketing emails by default
Service Notifications: Essential notifications can't be disabled but are minimal
Push Notifications: Manage in your device settings

5. Data Retention

5.1 Retention Periods

Spills & Account Data

Retention Period: Until you delete the Spill/account
Rationale: User control, service provision

Deleted Data Backups

Retention Period: Maximum 30 days after deletion
Rationale: Technical necessity, disaster recovery

Analytics Data

Retention Period: 26 months, then aggregated/anonymized
Rationale: Service improvement, compliance

Support Communications

Retention Period: 3 years after last interaction
Rationale: Customer service, dispute resolution

Financial Records

Retention Period: 7 years
Rationale: Tax obligations, financial regulations

5.2 Automated Deletion

Inactive Accounts: After 3 years of inactivity, we'll email you before deletion
Temporary Data: Crash logs and error reports deleted after 90 days
Cache Data: Video cache cleared based on device storage needs

6. Security Measures

6.1 Technical Safeguards

🔒 Encryption in Transit: TLS 1.3 for all data transmission
🔒 Encryption at Rest: AES-256 encryption for stored data
🔑 Access Controls: Role-based access with multi-factor authentication
📊 Security Monitoring: Continuous monitoring for threats and breaches
🛡️ Regular Audits: Annual security assessments and penetration testing

6.2 Organizational Measures

Staff Training: Regular privacy and security training
Data Minimization: Collect only necessary data
Incident Response: 72-hour breach notification procedures (GDPR compliant)
Vendor Management: Due diligence on all service providers

6.3 Your Security Responsibilities

Keep your device and Apple ID secure
Report suspected unauthorized access immediately
Use strong device passcodes/biometric locks
Don't share account credentials

7. International Data Transfers

7.1 Transfer Mechanisms

Your data may be processed in countries outside your residence, including the United States. We ensure adequate protection through:

🇪🇺 EU Standard Contractual Clauses (SCCs): For EU data transfers
🏛️ Adequacy Decisions: Where available (e.g., EU-US Data Privacy Framework)
🔒 Additional Safeguards: Encryption, access controls, audit rights

7.2 Data Localization

EU Users: Where possible, data is processed within the EU
US Users: Primary processing in the United States
Other Regions: Processed in nearest secure data center

7.3 Legal Basis for Transfers

Necessary for contract performance (providing Spill services)
Legitimate interests (service improvement, security)
Your explicit consent (where required)

8. Children's Privacy

8.1 Age Requirements

🇺🇸 United States: Minimum age 13 with parental consent
🇪🇺 EU/EEA: Minimum age 16 (or lower as set by member state, but not below 13)
🇬🇧 United Kingdom: Minimum age 13 with parental consent
🌏 Other Countries: As required by local law

8.2 Parental Controls

If we learn we've collected data from a child without proper consent:

We'll delete the account and all associated data within 24 hours
We'll notify the child (if possible) and request they seek parental permission
Parents can contact us to review, modify, or delete their child's information

8.3 Special Protections for Minors

Enhanced privacy settings by default
Limited data collection and sharing
No behavioral advertising or profiling
Priority customer support for safety concerns

9. Health & Wellness Disclaimer

🚨 Important Mental Health Notice

Spill is designed for personal expression and social connection. It is NOT a substitute for professional mental health care, therapy, or crisis intervention.

If you are experiencing:

Suicidal thoughts or self-harm ideation
Severe depression, anxiety, or mental health crisis
Thoughts of harming others
Substance abuse or addiction issues

🆘 Please seek immediate professional help:

🇺🇸 United States — Crisis Hotline: 988 (Suicide & Crisis Lifeline) · Text "HELLO" to 741741

🇫🇷 France — Crisis Hotline: 3114 (National suicide prevention) · sos-amitie.com

🇬🇧 United Kingdom — Crisis Hotline: 116 123 (Samaritans) · samaritans.org

🇩🇪 Germany — Crisis Hotline: 0800 111 0 111 (Telefonseelsorge) · telefonseelsorge.de

🌍 International — findahelpline.com · befrienders.org

AI Features Disclaimer

Any AI-powered features (if available) are for entertainment and reflection purposes only. They do not provide medical, psychological, or therapeutic advice.

10. Regional Compliance

10.1 GDPR Representative (EU/EEA/UK)

EU Representative: [To be designated]
UK Representative: [To be designated]

10.2 Complaints & Regulatory Contacts

EU: Contact your local Data Protection Authority
UK: Information Commissioner's Office (ico.org.uk)
US: Contact us directly at hello@joinspill.com

11. Changes to This Policy

11.1 Notification Process

Material Changes: 30-day advance notice via email and in-app notification
Minor Updates: Notice in app and on website
Emergency Changes: Immediate notice if required for legal/security reasons

11.2 Continued Use

Your continued use of Spill after changes take effect constitutes acceptance of the updated Policy.

12. Contact Us

12.1 Privacy Inquiries

Email: hello@joinspill.com
Subject Line: "Privacy Policy Question"
Response Time: Within 5 business days

12.2 Data Protection Officer

For GDPR-related inquiries: hello@joinspill.com

12.3 Emergency Contact

For urgent security or safety concerns: hello@joinspill.com

Last Updated: August 22, 2025 · Version: 1.0