Privacy Policy

1. Information We Collect

a) Information you provide directly

• Account registration data: name and email address.
• Billing details processed on your behalf by our payment processor (Stripe). We do not store card numbers.
• Content you create: scripts, templates, credentials (stored encrypted), and execution context data.

b) Information collected automatically

• Log data: IP address, browser type and version, pages visited, timestamps, and referrer URLs.
• Session cookies and authentication tokens required to keep you signed in.
• Usage metrics: feature interactions used to improve the Service (never sold).

c) Information from Google Sign-In (OAuth 2.0)

When you choose to sign in with Google, we request only the scopes necessary to authenticate you:

• openid — verifies your identity.
• email — your primary Google account email address.
• profile — your name and profile picture.

We do not request access to your Gmail, Google Drive, Calendar, or any other Google service data through this OAuth flow. If in the future we add optional Google Sheets integration, we will request only the minimum additional scopes required and will ask for explicit consent at that time.

SpreadIt's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

2. How We Use Your Information

• To create and manage your account and authenticate you securely.
• To deliver, operate, and improve the Service.
• To send transactional emails (account confirmation, password reset, billing receipts).
• To respond to support requests.
• To detect, investigate, and prevent fraud or abuse.
• To comply with legal obligations.

We will not use your Google user data for any purpose other than providing or improving user-facing features of the Service. We do not use Google user data for advertising, profiling, or selling to third parties.

3. Data Sharing and Disclosure

We do not sell, rent, or trade your personal information. We may share data with:

• Service providers who act on our behalf (e.g., cloud hosting, payment processing, email delivery). These parties are contractually bound to protect your data and may not use it for their own purposes.
• Identity provider: We use Zitadel to manage authentication. When you sign in, Zitadel processes your authentication credentials. See Zitadel's Privacy Policy.
• Legal authorities: if required by law, court order, or to protect the rights and safety of SpreadIt or others.
• Business transfers: in connection with a merger, acquisition, or sale of assets, with notice to you.

4. Data Storage and Security

Your data is stored on servers in the United States. API credentials and secrets you store in the Service are encrypted at rest using AES-256-GCM and are never transmitted to the browser in plaintext.

We apply industry-standard technical and organizational measures to protect your information, including TLS in transit, encrypted storage, and access controls. No method of transmission over the internet is 100% secure; we cannot guarantee absolute security but we will notify you of any breach that affects your data as required by applicable law.

5. Data Retention

We retain your personal data for as long as your account is active or as needed to provide the Service. If you close your account, we will delete or anonymize your personal data within 30 days, except where we are required by law to retain it longer (e.g., tax records).

6. Cookies

We use strictly necessary cookies to maintain your authenticated session. We do not use tracking cookies or third-party advertising cookies. You may configure your browser to reject cookies, but this will prevent you from signing in.

7. Your Rights

Depending on your location you may have the right to:

• Access the personal data we hold about you.
• Correct inaccurate personal data.
• Request deletion of your personal data (see the "Delete My Account" page).
• Object to or restrict certain processing.
• Data portability — receive your data in a structured, machine-readable format.
• Withdraw consent at any time (where processing is based on consent).

To exercise these rights, contact us at privacy@spreadit.app. We will respond within 30 days.

8. Children's Privacy

The Service is not directed to children under 13. We do not knowingly collect personal information from children. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.

9. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email or by posting a notice on the Service before the changes take effect. Continued use of the Service after the effective date constitutes acceptance of the updated policy.

10. Contact Us

If you have questions or concerns about this Privacy Policy or our data practices, please contact us: