Privacy Policy
This Privacy Policy ("Policy") describes how Julien Pinto, doing business as Spill ("Company," "we," "us," or "our"), collects, uses, discloses and safeguards information when you use the Spill mobile application and any related services (collectively, the "App").
π‘οΈ Our Privacy Principles
1. Information We Collect
1.1 Information You Provide
Account Information
- Examples: Email address via Apple Sign-In, display name, optional profile photo
- Purpose: Create and maintain your account, authentication
- Legal Basis: Contract performance (GDPR Art. 6(1)(b))
Content Data
- Examples: Videos ("Spills"), captions, comments, reactions
- Purpose: Provide core video journaling and sharing features
- Legal Basis: Contract performance (GDPR Art. 6(1)(b))
Communication Data
- Examples: Messages to support, feedback
- Purpose: Respond to support requests, improve services
- Legal Basis: Legitimate interests (GDPR Art. 6(1)(f))
Subscription Data
- Examples: Subscription status, purchase history (via RevenueCat)
- Purpose: Process payments, manage subscriptions
- Legal Basis: Contract performance (GDPR Art. 6(1)(b))
1.2 Information Collected Automatically
Usage Analytics
- Examples: Screens viewed, features used, session duration (via Firebase Analytics)
- Purpose: Improve app performance, understand feature engagement
- Legal Basis: Legitimate interests (GDPR Art. 6(1)(f))
Technical Data
- Examples: Device model, iOS version, app version, crash logs
- Purpose: Debug issues, ensure compatibility
- Legal Basis: Legitimate interests (GDPR Art. 6(1)(f))
Security Data
- Examples: Authentication tokens, device identifiers
- Purpose: Maintain session security, prevent fraud
- Legal Basis: Legitimate interests (GDPR Art. 6(1)(f))
1.3 Information from Third Parties
We may receive information from:
- Apple: Email address, name (via Sign In with Apple)
- App Store: Purchase verification data
- Firebase: Analytics and crash reporting data
2. How We Use Information
2.1 Primary Purposes
π₯ Provide Core Services
- Host, sync and stream your Spills
- Enable private journaling and friend sharing
- Process in-app purchases and manage subscriptions
π§ Improve & Maintain Services
- Analyze usage patterns to improve features (aggregated data only)
- Debug crashes and performance issues
- Ensure app security and prevent fraud
π Communication
- Send essential service notifications (security alerts, feature updates)
- Respond to support inquiries
- Process feedback and feature requests
βοΈ Legal Compliance
- Comply with applicable laws and regulations
- Respond to valid legal requests
- Enforce our Terms of Service
2.2 We Do NOT Use Your Data For
- β Advertising or marketing to third parties
- β Selling or renting personal information
- β Cross-app tracking or profiling
- β Analyzing video content without explicit consent
3. How We Share Information
3.1 Limited Sharing Scenarios
Friends You Invite
- What We Share: Spills you explicitly share, associated reactions/comments
- Why: Deliver core social features
- Safeguards: User-controlled sharing settings
Service Providers
- What We Share: Encrypted data necessary for service provision
- Why: Cloud hosting, payments, analytics
- Safeguards: Data processing agreements, encryption
Legal Authorities
- What We Share: Data required by valid legal process
- Why: Comply with legal obligations
- Safeguards: Challenge overbroad requests, minimal disclosure
Business Transactions
- What We Share: Account data in case of merger/acquisition
- Why: Business continuity
- Safeguards: User notification, data protection commitments
3.2 Service Providers
Supabase
- Service: Database & file storage
- Data Shared: Encrypted Spills, account data
- Location: US/EU (user region)
- Safeguards: SOC 2 certified, encryption at rest
RevenueCat
- Service: Subscription management
- Data Shared: User ID, subscription status, purchase data
- Location: United States
- Privacy Policy: revenuecat.com/privacy
Firebase
- Service: Analytics & notifications
- Data Shared: Pseudonymous usage data, device tokens
- Location: United States
- Privacy Policy: policies.google.com/privacy
Cloudflare
- Service: Content delivery
- Data Shared: IP address, cached video data
- Location: Global CDN
- Privacy Policy: cloudflare.com/privacypolicy
Apple
- Service: Authentication & payments
- Data Shared: Sign-in data, purchase receipts
- Location: United States
- Privacy Policy: apple.com/privacy
β οΈ Important: All service providers are bound by data processing agreements and must use your data solely to provide services to us.
4. Your Rights & Choices
4.1 Content Control
- Privacy Settings: Choose whether Spills are private or shared with friends
- Delete Content: Remove individual Spills or comments at any time
- Friend Management: Add or remove friends from your sharing circles
- Account Deletion: Delete your entire account and all associated data
4.2 Data Protection Rights
πͺπΊ EU/EEA/UK Residents (GDPR Rights)
- Access: Request a copy of your personal data
- Rectification: Correct inaccurate or incomplete data
- Erasure: Request deletion of your personal data ("right to be forgotten")
- Portability: Receive your data in a machine-readable format
- Restriction: Limit how we process your data
- Objection: Object to processing based on legitimate interests
- Withdraw Consent: Revoke consent for any consent-based processing
πΊπΈ US Residents (State Privacy Laws)
- California (CCPA/CPRA): Right to know, delete, correct, and opt-out of sale (we don't sell data)
- Virginia (VCDPA): Access, correction, deletion, and portability rights
- Colorado (CPA): Similar rights to Virginia residents
π Other Jurisdictions
We comply with applicable data protection laws in your jurisdiction. Contact us for specific rights information.
4.3 How to Exercise Your Rights
- In-App: Use privacy settings in the app for most requests
- Email: Contact hello@joinspill.com for complex requests
- Response Time: We respond within 30 days (or as required by local law)
- Verification: We may request identity verification to protect your privacy
4.4 Marketing & Communications
- No Marketing: We don't send marketing emails by default
- Service Notifications: Essential notifications can't be disabled but are minimal
- Push Notifications: Manage in your device settings
5. Data Retention
5.1 Retention Periods
Spills & Account Data
- Retention Period: Until you delete the Spill/account
- Rationale: User control, service provision
Deleted Data Backups
- Retention Period: Maximum 30 days after deletion
- Rationale: Technical necessity, disaster recovery
Analytics Data
- Retention Period: 26 months, then aggregated/anonymized
- Rationale: Service improvement, compliance
Support Communications
- Retention Period: 3 years after last interaction
- Rationale: Customer service, dispute resolution
Financial Records
- Retention Period: 7 years
- Rationale: Tax obligations, financial regulations
5.2 Automated Deletion
- Inactive Accounts: After 3 years of inactivity, we'll email you before deletion
- Temporary Data: Crash logs and error reports deleted after 90 days
- Cache Data: Video cache cleared based on device storage needs
6. Security Measures
6.1 Technical Safeguards
- π Encryption in Transit: TLS 1.3 for all data transmission
- π Encryption at Rest: AES-256 encryption for stored data
- π Access Controls: Role-based access with multi-factor authentication
- π Security Monitoring: Continuous monitoring for threats and breaches
- π‘οΈ Regular Audits: Annual security assessments and penetration testing
6.2 Organizational Measures
- Staff Training: Regular privacy and security training
- Data Minimization: Collect only necessary data
- Incident Response: 72-hour breach notification procedures (GDPR compliant)
- Vendor Management: Due diligence on all service providers
6.3 Your Security Responsibilities
- Keep your device and Apple ID secure
- Report suspected unauthorized access immediately
- Use strong device passcodes/biometric locks
- Don't share account credentials
7. International Data Transfers
7.1 Transfer Mechanisms
Your data may be processed in countries outside your residence, including the United States. We ensure adequate protection through:
- πͺπΊ EU Standard Contractual Clauses (SCCs): For EU data transfers
- ποΈ Adequacy Decisions: Where available (e.g., EU-US Data Privacy Framework)
- π Additional Safeguards: Encryption, access controls, audit rights
7.2 Data Localization
- EU Users: Where possible, data is processed within the EU
- US Users: Primary processing in the United States
- Other Regions: Processed in nearest secure data center
7.3 Legal Basis for Transfers
- Necessary for contract performance (providing Spill services)
- Legitimate interests (service improvement, security)
- Your explicit consent (where required)
8. Children's Privacy
8.1 Age Requirements
πΊπΈ United States: Minimum age 13 with parental consent
πͺπΊ EU/EEA: Minimum age 16 (or lower as set by member state, but not below 13)
π¬π§ United Kingdom: Minimum age 13 with parental consent
π Other Countries: As required by local law
8.2 Parental Controls
If we learn we've collected data from a child without proper consent:
- We'll delete the account and all associated data within 24 hours
- We'll notify the child (if possible) and request they seek parental permission
- Parents can contact us to review, modify, or delete their child's information
8.3 Special Protections for Minors
- Enhanced privacy settings by default
- Limited data collection and sharing
- No behavioral advertising or profiling
- Priority customer support for safety concerns
9. Health & Wellness Disclaimer
π¨ Important Mental Health Notice
Spill is designed for personal expression and social connection. It is NOT a substitute for professional mental health care, therapy, or crisis intervention.
If you are experiencing:
- Suicidal thoughts or self-harm ideation
- Severe depression, anxiety, or mental health crisis
- Thoughts of harming others
- Substance abuse or addiction issues
π Please seek immediate professional help:
πΊπΈ United States β Crisis Hotline: 988 (Suicide & Crisis Lifeline) Β· Text "HELLO" to 741741
π«π· France β Crisis Hotline: 3114 (National suicide prevention) Β· sos-amitie.com
π¬π§ United Kingdom β Crisis Hotline: 116 123 (Samaritans) Β· samaritans.org
π©πͺ Germany β Crisis Hotline: 0800 111 0 111 (Telefonseelsorge) Β· telefonseelsorge.de
π International β findahelpline.com Β· befrienders.org
AI Features Disclaimer
Any AI-powered features (if available) are for entertainment and reflection purposes only. They do not provide medical, psychological, or therapeutic advice.
10. Regional Compliance
10.1 GDPR Representative (EU/EEA/UK)
EU Representative: [To be designated]
UK Representative: [To be designated]
10.2 Complaints & Regulatory Contacts
- EU: Contact your local Data Protection Authority
- UK: Information Commissioner's Office (ico.org.uk)
- US: Contact us directly at hello@joinspill.com
11. Changes to This Policy
11.1 Notification Process
- Material Changes: 30-day advance notice via email and in-app notification
- Minor Updates: Notice in app and on website
- Emergency Changes: Immediate notice if required for legal/security reasons
11.2 Continued Use
Your continued use of Spill after changes take effect constitutes acceptance of the updated Policy.
12. Contact Us
12.1 Privacy Inquiries
- Email: hello@joinspill.com
- Subject Line: "Privacy Policy Question"
- Response Time: Within 5 business days
12.2 Data Protection Officer
For GDPR-related inquiries: hello@joinspill.com
12.3 Emergency Contact
For urgent security or safety concerns: hello@joinspill.com
Β© 2025 Julien Pinto. All rights reserved.