Privacy Policy

Last updated: June 12, 2026

1. Introduction

Welcome to Spiryted. Spiryted is operated by Abdullah Shabbir, an individual based in Pakistan, who acts as the data controller responsible for your personal data. This policy explains what we collect, how we use and share it, and how to delete it. You can reach the data controller at support.reflekt@gmail.com.

2. Data We Collect

  • Account Data: Email address and password (securely stored via Supabase Authentication).
  • Profile Data: Username, display name, avatar emoji, timezone, whether your profile is public or private, verified status, and your streak history.
  • Photos & Captions: The daily “win” photo and optional caption you post to your board, stored in an access-controlled storage bucket.
  • Direct Messages: Messages you send and receive with friends — text, shared photos, photo captions, custom stickers you upload, timestamps, and read receipts. Messages are stored on our servers and protected by access controls so only the two participants can read them; they are not end-to-end encrypted.
  • Social Data: Your friend connections, follow relationships (who you follow and who follows you), reactions you leave on friends’ photos, and records of “streak saves” (when you or a friend cover a missed day).
  • Device Information: Push notification subscriptions (one per device where you enable reminders) and timezone, used to send daily reminders. You can turn notifications off in Settings at any time.
  • Subscription Data: Your Spiryted Pro subscription status and past trial usage, used to determine which features are unlocked. Payment details (card numbers, billing address) are handled by Lemon Squeezy, our merchant of record — we never receive them.
  • Cookies & Local Storage: Essential cookies and local storage for authentication, your cookie-banner choice, and app preferences. We use Vercel Analytics, which is cookieless and does not track you across sites. We do not use advertising or tracking cookies.

3. Who Can See Your Content

Private accounts (the default): your board photos, captions, current streak, and reactions are visible only to you and your accepted friends. Your profile can be found by username search, and follow requests require your approval.

Public accounts (opt-in): if you switch your profile to public in Settings, your profile and board become visible to any signed-in Spiryted user, and anyone can follow you without approval. Switching back to private re-restricts visibility.

Messages are visible only to you and the other participant, regardless of profile visibility. Donated photos (streak saves) appear on the recipient’s board and are visible to whoever can see that board. Remember that people who can see your content can save or screenshot it — content shared with another user may remain with them (e.g. in their export) even after you delete it.

4. How We Use Data & Legal Bases

We process your data only to operate the service: authenticating you, storing and showing content to the people described above, computing streaks, sending reminders and message notifications you’ve opted into, and managing subscriptions (performance of contract); securing the service and preventing abuse (legitimate interests); and sending push notifications (consent, withdrawable in Settings). We do not sell your data, show ads, or use your content to train AI models.

5. Third-Party Providers & International Transfers

Your account, profile, photo, message, and social data are stored with our database and storage provider, Supabase. We rely on Vercel for application hosting and privacy-friendly, cookieless analytics, and on Lemon Squeezy for payment processing of Spiryted Pro subscriptions. Our web fonts are served via Google Fonts. International transfers: these providers operate servers that may be located outside your country, including in the United States, so your data may be transferred to and processed in other countries. Where required by law, these transfers are covered by the providers’ Standard Contractual Clauses or equivalent safeguards.

6. Retention & Deletion

We retain your data for as long as your account is active. Free accounts can browse the most recent 90 days of board history in the app; Spiryted Pro unlocks unlimited history — in both cases photos remain stored until you delete them or your account. We may delete accounts that have been inactive for 24 consecutive months, after attempting to notify the account email.

Account deletion is available instantly from the Settings page. It permanently removes your profile, your board photos (including the stored files), friendships, follows, reactions, streak-save records, direct messages (entire conversations disappear for both participants, including media you sent), your stickers, push subscriptions, settings, and login credentials. One exception: if you previously donated a photo to cover a friend’s missed day, that photo remains on the friend’s board as part of their data, since it documents their streak. Residual copies in encrypted backups are removed within 30 days.

7. Your Rights & Data Export

If you are an EU/UK resident, you have the right to access, rectify, or erase your personal data, to restrict or object to its processing, and to data portability; you can exercise the main ones directly in the app — deletion from Settings (above), and a full machine-readable export. The Export button on the Settings page downloads a JSON file containing your account info, profile, settings, photos, friendships, follows, messages, stickers, reactions, streak saves, and push subscriptions. We do not carry out automated decision-making that produces legal effects about you. You also have the right to lodge a complaint with your local data protection supervisory authority. For anything you can’t do in-app, email support.reflekt@gmail.com and we will respond within 30 days.

8. Children

Spiryted is not intended for children under 16, and we do not knowingly collect their data. If you believe a child under 16 has an account, contact us and we will delete it.

9. Security

Your data is protected with Row-Level Security (RLS) in our PostgreSQL database and access-controlled storage, so content is only readable by the people described in Section 3. All traffic is encrypted in transit (HTTPS). No system is 100% secure, and we cannot guarantee absolute security; if a breach affecting your personal data occurs, we will notify affected users and authorities as required by law.

10. Changes to This Policy

We may update this policy as the service evolves. For material changes we will give notice in the app or by email before the changes take effect. The “Last updated” date above always reflects the current version.

11. Contact Us

If you have any questions about this Privacy Policy, please contact us at: support.reflekt@gmail.com