1. What We Store
Sprime stores the following in Google Cloud Firestore:
- Account data: Your email address, API key (hashed), plan type, and account creation date. For paid plan subscribers: your Stripe customer ID. We never see or store your credit card details.
- Usage data: Daily request counts per API key, used for rate limiting and billing.
- Webhook data (Pro plan): Webhook URLs, trigger conditions, HMAC secrets, delivery timestamps, and failure counts.
- Offer Monitor data: URLs you register, their labels, SHA-256 hashes of fetched content, short text extracts (up to 2,000 characters per snapshot), and change records. The full page content is never stored.
- Homepage scenario suggestions: If you submit a "Suggest a scenario" entry, we store the text you send, submission timestamp, and a SHA-256 hash of your IP address for abuse prevention and roadmap triage.
- Conversion telemetry events: We store selected interaction events from the public site (for example, contract scan starts, triage selection, verify starts, checkout starts) with a timestamp, limited event context, and a SHA-256 hash of your IP address for abuse prevention and product analytics.
2. How We Handle IP Addresses
- Signup rate limiting: Your IP is held temporarily in server memory to prevent abuse and is not written to our database by the signup flow.
- Homepage scenario suggestions: To prevent abuse, we store a one-way SHA-256 hash of the submitting IP with the suggestion. We do not store the raw IP in Firestore for this flow.
- Conversion telemetry: We store a one-way SHA-256 hash of the submitting IP with tracked events. We do not store the raw IP in Firestore for this flow.
- Auto-location weather (/v1/weather/auto): Your IP is sent to ipapi.co to determine your approximate location. We do not store the IP or the result.
- IP Lookup (/v1/ip-lookup): If you query this endpoint, the target IP is sent to ipwho.is for geolocation. Results are cached in server memory for 24 hours, then discarded.
- Platform logs: Google Cloud Run may log request metadata including IP addresses in its infrastructure logs. We do not actively collect or analyze these logs.
3. Third-Party Processors
Your requests may cause data to be sent to these third-party services:
- Stripe: Payment processing and subscription management. You pay through Stripe's hosted checkout; we never see your card details. Stripe provides us with your subscription status and customer ID only.
- SendGrid: Transactional email (API key delivery, service notices).
- Google Cloud: Hosting (Cloud Run), database (Firestore), and secret storage (Secret Manager).
- Redis / Upstash: Ephemeral cache for API responses. Cache entries expire and are not used for analytics.
When you make API calls, your request parameters (not your identity) may be forwarded to upstream data providers: Open-Meteo, CoinGecko, NewsAPI, Frankfurter (ECB), World Time API, ipwho.is, Nager.Date, ipapi.co, and public WHOIS registries and DNS resolvers (for Sprime Verify).
4. Sprime Verify Submissions
- Unauthenticated checks: The URL is probed and results are cached in server memory for 60 seconds, then discarded. We do not log the URL or associate it with any identity.
- Authenticated checks: The URL and a result summary are written to Firestore, associated with your API key, for your own record-keeping. Cache duration depends on your plan.
- Upstream lookups: Verification triggers outbound requests from our server to the submitted URL (HTTPS probe), WHOIS registries, and DNS resolvers. The submitted URL is never shared with any third-party analytics or advertising service.
5. Verify Suite Tool Submissions
- Payment Safety Checker: Your input is normalized and looked up in a local built-in dataset. Nothing is sent to any third party. Results are cached in server memory by method key for 24 hours. We don't log individual queries or tie them to your identity for unauthenticated requests.
- Contract Clause Translator: Your contract text is processed by a local pattern-matching engine running on our server. No text is forwarded to any third-party model service or analytics provider. A SHA-256 hash of the text is used as a cache key; the full text is held in server memory for up to 24 hours, then discarded. The text is never written to our database. When you use the ToS Library panel, clause patterns are loaded from a static file served to your browser — no server request occurs until you click "Load & Scan" or "Analyze", at which point the text is handled identically to any manually pasted input.
- Offer Monitor: URLs you register are stored in Firestore linked to your API key. When a check runs, our server fetches the target URL and stores a SHA-256 hash, a short text extract, and change metadata. The full page content is not persisted. Monitor data is retained until you delete the monitor or close your account.
6. Homepage Suggestions and Conversion Telemetry
When you submit a scenario suggestion from the homepage, we use it to prioritize future tool and workflow improvements.
We also collect a small set of conversion telemetry events on public pages (for example: contract clause scan started, triage scenario selected, triage CTA clicked, verify check started, checkout started). This helps us measure where users get stuck and improve the safety workflow. We do not use these records for ad targeting.
7. Browser Storage
The Sprime dashboard and Offer Monitor store your API key in your browser's localStorage so you don't have to re-enter it on each visit. This data never leaves your device unless you make an API call. Clear it at any time through your browser settings.
The homepage mission progress board uses localStorage to store your earned points and completed mission IDs (sprime_hero_progress_v1) and the panel's expanded/collapsed state (spm_expanded). These values never leave your device — no server request is involved in reading or writing them. You can clear them at any time through your browser's developer tools or storage settings.
8. Data Retention
- Account data: Retained while your account is active. Deleted within 30 days of a deletion request.
- Usage counts: Retained for billing accuracy. Purged 90 days after account deletion.
- Webhook and monitor data: Retained until you delete the item or your account.
- Contract clause analysis: Processed in server memory only. Never persisted to any database.
- IP addresses: Not persisted beyond the request (rate-limit checks only).
- Homepage scenario suggestions: Retained for up to 180 days, then deleted unless required for abuse investigation.
- Conversion telemetry events: Retained for up to 120 days, then deleted unless needed for abuse investigation.
9. We Do Not Sell Your Data
Sprime does not sell, rent, or share your personal information with advertisers or data brokers. We do not use your data for targeted advertising. The only third parties who receive your data are the processors listed in Section 3, and only to the extent required to run the service.
10. Your Rights
You may request access to, correction of, or deletion of your personal data by emailing support@sprime.us. Upon a verified deletion request, we will revoke your API key and remove your account data, usage records, webhook configurations, and monitor records from Firestore. If you have an active paid subscription, cancel it through Stripe before requesting deletion. We'll respond within 30 days.
11. EEA Users: GDPR Rights
If you are in the European Economic Area, you have the right to:
- Access: Request a copy of the personal data we hold about you.
- Correction: Ask us to fix inaccurate or incomplete data.
- Deletion: Ask us to delete your data (subject to legal retention obligations).
- Portability: Receive your data in a machine-readable format.
- Object or restrict: Object to processing or ask us to limit how we use your data.
To exercise any of these rights, email support@sprime.us. We process your data to provide the service you signed up for and to fulfill your subscription contract. We do not use your data for automated profiling or marketing. If you believe we have violated your GDPR rights, you have the right to lodge a complaint with your local data protection authority.
12. California Residents: CCPA Rights
If you are a California resident, you have the right to:
- Know: Request disclosure of the categories and specific pieces of personal information we collect about you.
- Delete: Request that we delete your personal information (subject to certain exceptions).
- Opt out of sale: We do not sell your personal information, so there is nothing to opt out of.
- Non-discrimination: We will not treat you differently for exercising your CCPA rights.
To submit a request, email support@sprime.us with the subject "CCPA Request."
13. Changes to This Policy
We may update this policy from time to time. We'll post the new version here with an updated effective date. For material changes, we'll notify registered users by email at least 7 days before the change takes effect.
Questions? Email support@sprime.us.