# Privacy Policy for SpnLabs

**Effective Date: November 19, 2025**

SpnLabs ("we," "us," or "our") operates the SpnLabs service (the "Service"), accessible via spnlabs.com (the "Site"). We are committed to protecting your privacy and handling your personal information responsibly. This Privacy Policy explains how we collect, use, disclose, and safeguard information when you access or use the Service, including any mobile applications.

This Privacy Policy is incorporated into and forms part of our [Terms of Service](tos.md) ("Terms"). By using the Service, you consent to the practices described here. If you do not agree, please do not use the Service.

We are based in Montana, USA, and operate under Montana and applicable U.S. laws. For users outside the U.S., your information may be transferred to and processed in the U.S., where privacy protections may differ from your home country.

## 1. Information We Collect

We collect information to provide, improve, and secure the Service. This includes:

### Personal Information
- **Account Information**: When you create an account, we collect your email address and any other details you provide (e.g., name, if optional). For OAuth sign-ins (e.g., Google as our current provider, with Apple or similar providers planned for future mobile support), we receive and store limited profile information such as your email, user ID, and profile picture (as permitted by the provider's terms). We do not store full OAuth credentials (e.g., passwords); instead, we use secure tokens for authentication.
- **Payment Information**: When you purchase tokens, we collect billing details (e.g., credit card info) via our third-party processor, Stripe. We do not store full payment card details on our servers—Stripe handles this securely and complies with PCI DSS standards.
- **Communications**: If you contact us (e.g., via support email at slockhartbiz@gmail.com or the /contact endpoint), we collect your email, message content, and any attached files.

### Usage and Technical Information
- **Log Data**: Automatically collected details about your interactions, including IP address, browser type, device information, operating system, session duration, pages viewed, and timestamps. This helps with functionality, analytics, and fraud detection.
- **Token and Activity Logs**: Records of your token purchases, usage (e.g., generations, API calls, storage), and feature interactions to manage your account balance and prevent abuse.
- **Cookies and Similar Technologies**: See Section 7 for details. We use only first-party cookies for essential functions and user preferences.

### Content and Generated Data
- **User Content**: Prompts, uploaded files (e.g., for processing), and metadata about generated outputs (e.g., image/video descriptions, timestamps). You own this content, but we process and store it temporarily for service delivery (e.g., generation, storage features).
- **AI-Generated Outputs**: Files you generate (e.g., images/videos) are stored in your account until you download or delete them. We may retain anonymized metadata (e.g., prompt types, success rates) for improving the Service.

We do not collect sensitive personal information (e.g., health data, political views) unless you voluntarily provide it in communications, in which case we treat it with extra care.

## 2. How We Use Your Information

We use collected information for:
- **Providing the Service**: Authenticating accounts (via email/OAuth), processing token purchases (via Stripe), generating content, handling API requests, and managing storage.
- **Improving and Personalizing**: Analyzing usage patterns to enhance features (e.g., better AI models), troubleshoot issues, and develop new functionalities. This includes using anonymized user content and metadata for training and improving AI models, as described in our Terms. Future internal analytics will be handled solely by SpnLabs.
- **Communications**: Sending transactional emails (e.g., purchase confirmations, refund notifications) or responses to your support inquiries. We may send occasional service updates or policy changes if you have an account.
- **Security and Fraud Prevention**: Monitoring for suspicious activity (e.g., via IP logs, token usage patterns), scanning uploads/outputs for malware (e.g., using ClamAV), and complying with legal obligations.
- **Analytics and Business Purposes**: Aggregating anonymized data for internal metrics (e.g., usage trends) to operate and grow the business. We do not sell your personal information.

## 3. Sharing and Disclosure of Information

We do not sell, rent, or trade your personal information. We may share it in limited circumstances:
- **Service Providers**: With trusted third parties who help operate the Service, such as:
  - Stripe for payments.
  - OAuth providers (e.g., Google, Apple) for authentication—limited to what's necessary.
  - AI and media processing providers (e.g., for generation or FFmpeg features) to deliver outputs; they may process your prompts/content but are bound by data processing agreements.
  - Hosting/cloud services (e.g., for storage).
  These parties are contractually required to use your information only for the specified purposes and protect it. We make no automated transfers to non-EU countries without appropriate safeguards.
- **Legal and Safety**: If required by law, subpoena, or government request; to enforce our Terms; to protect rights, property, or safety (e.g., reporting illegal content); or in connection with a merger, acquisition, or sale of assets.
- **With Your Consent**: If you explicitly agree (e.g., sharing features in future updates).

We do not share user content or generated outputs with third parties except as needed for service delivery (e.g., to AI providers) or as described above. Anonymized, aggregated data may be shared for research or marketing (e.g., "X% of users generate images").

## 4. GDPR Compliance for EU/EEA Users

If you are in the EU/EEA, we process your personal data in accordance with GDPR. Our lawful bases for processing include:
- **Contract**: For providing the Service (e.g., account management, token processing).
- **Legitimate Interests**: For security, fraud prevention, and internal analytics (balanced against your rights).
- **Consent**: For non-essential communications (e.g., updates); you can withdraw via email.

We do not rely on consent for core functions. For AI training, we use only anonymized data under legitimate interests. EU users have enhanced rights (see Section 9). Data is processed in the U.S.; we use Standard Contractual Clauses (SCCs) approved by the European Commission for transfers, ensuring equivalent protection.

## 5. International Transfers

If you are outside the U.S., your information may be transferred to Montana or other U.S. locations for processing. We ensure appropriate safeguards (e.g., standard contractual clauses for EU data where applicable), but note that U.S. privacy laws may offer different protections.

## 6. Data Security

We implement reasonable administrative, technical, and physical safeguards to protect your information (e.g., encryption for data in transit, access controls, regular security audits). However, no system is completely secure—we cannot guarantee absolute protection against breaches, and you use the Service at your own risk. In the event of a data incident, we will notify affected users and authorities as required by law.

For stored files (uploaded or generated), we use secure storage but may delete them at any time for operational reasons (e.g., storage limits), as noted in our Terms. Malware scanning is performed where feasible, but we make no guarantees.

## 7. Cookies and Tracking Technologies

We use only first-party cookies (set by our domain) and similar technologies (e.g., local storage) for essential functions and user preferences. These include:
- **Essential Cookies**: For core functions like login, session management, and authentication.
- **Preferences Cookies**: To remember settings (e.g., language, theme).

We do not use third-party cookies or external analytics tools. All analytics, when implemented, will be handled internally by SpnLabs using anonymized data. You can manage cookies via your browser settings (e.g., clear or block them). Disabling essential cookies may limit Service functionality. We do not respond to "Do Not Track" signals yet but respect opt-outs where available. For more, contact us.

## 8. Data Retention and Deletion

- **Personal Information**: Retained as long as needed for the purposes above (e.g., account data while active; payment logs for 7 years for tax/compliance).
- **Usage Logs**: Kept for up to 2 years for security/analytics, then anonymized or deleted.
- **User Content**: Stored until you delete it or your account is terminated; backups may persist for a short period. Upon request, we will delete your account and associated data (subject to legal holds).
- **AI Training Data**: Anonymized data used for model improvements may be retained indefinitely, but identifiable info is not.

To request deletion, email slockhartbiz@gmail.com. We comply with applicable laws (e.g., no "right to be forgotten" under Montana law, but we'll honor reasonable requests).

## 9. Your Rights and Choices

Depending on your location, including enhanced GDPR rights for EU/EEA users:
- **Access/Update**: Log in to view/edit your account info (e.g., email, token balance). For other data, contact us.
- **Opt-Out**: Unsubscribe from non-essential emails via links. For OAuth, disconnect via the provider's settings.
- **Objection/Deletion**: Request access, correction, or deletion of your data (we'll respond within 30 days, subject to exemptions). EU/EEA users have additional rights: portability (structured data export), erasure ("right to be forgotten," subject to legal obligations), objection to processing (e.g., analytics—we'll cease unless compelling reasons), and withdrawal of consent.
- No automated decision-making (e.g., profiling) that significantly affects you.

For California residents: We do not sell data, so no CCPA "Do Not Sell" rights apply. See our Terms for more.

## 10. Children's Privacy

The Service is intended for adults only and requires users to be at least 18 years old, as stated in our Terms of Service. We do not knowingly collect personal information from minors under 18. If we learn that we have collected data from a minor, we will delete it promptly. Parents or guardians who believe their child under 18 has provided us with information should contact us at slockhartbiz@gmail.com.

## 11. Changes to This Privacy Policy

We may update this Policy to reflect changes in our practices or laws. We'll notify you via the Site, email, or in-app notice for material changes. Continued use after updates constitutes acceptance. Check this page periodically.

## 12. Contact Us

Questions about this Policy? Email slockhartbiz@gmail.com. For EU/UK users, our data protection representative can be reached at the same address.

By using the Service, you acknowledge this Policy.
