Privacy Policy

1. Scope

This Privacy Policy explains how we collect, use, retain, and disclose personal data when you use Sprime websites, APIs, dashboards, hosted tools, and checkout flows on sprime.us, sprime.io, and related service domains.

2. Data We Collect

• Account and key data: email, hashed API keys, plan metadata, and account timestamps.
• Checkout and billing metadata: Stripe customer and session identifiers, plan and product metadata, billing status, and transaction references. We do not store full card numbers.
• Usage and security data: endpoint usage counts, request timing, abuse-prevention counters, and service reliability metrics.
• Webhook and monitor data: webhook URLs and trigger settings, monitor URLs and labels, snapshot hashes, short extracts, and change logs.
• Public-form submissions: scenario suggestions, interest forms, and conversion telemetry events, each with timestamp and abuse-prevention metadata.
• Tool input data: URLs, payment-method queries, and contract text that you submit for analysis.

3. How We Use Data

• Provide and secure service access, plan enforcement, and support workflows.
• Process billing events and provision paid entitlements.
• Detect abuse, enforce limits, and protect service integrity.
• Improve product quality through operational analytics and conversion telemetry.
• Send transactional notices, including account and service communications.

4. Legal Bases for Processing

Where required by law, we process personal data under one or more of these legal bases: contract performance, legitimate interests (security, abuse prevention, product operations), legal obligations, and consent where applicable.

5. Tool-Specific Privacy Handling

• Sprime Verify: submitted URLs are processed to produce risk signals. Unauthenticated flows are cached briefly in memory. Authenticated flows may be associated with your account for product functionality.
• Payment Safety: method lookups are local and do not require outbound third-party enrichment.
• Contract Clause Translator: submitted text is processed in memory. We do not store full submitted contract text in Firestore.
• ToS Library: library content is static reference material. Requests are only sent when you initiate scans or related actions.
• Offer Monitor: stored monitor records include URL metadata, hashes, and short extracts for change detection. Full page bodies are not persisted as account records.

6. IP Address Handling

• Raw IP information may be processed at request time for routing, security, and rate-limit enforcement.
• For selected public forms and telemetry events, we store one-way hashed IP metadata for abuse defense.
• Infrastructure providers may keep standard request logs under their own retention and compliance rules.

7. Third-Party Processors and Infrastructure

We use service providers for hosting, database, caching, payments, and transactional email. These include Google Cloud, Stripe, and email infrastructure providers. We also call upstream data providers when endpoint functionality requires it.

8. Cookies and Local Storage

We use local browser storage for operational features such as theme preference and signed-in key state. You can clear local storage through your browser settings at any time.

9. Data Retention

• Account records: retained while active, then deleted or de-identified after verified closure workflows.
• Usage records: retained for security, operations, and billing integrity, then purged under retention schedules.
• Webhook and monitor records: retained until deleted by you, removed through account closure, or removed for policy reasons.
• Contract text submissions: processed in memory and not stored as long-term database content.
• Suggestion and conversion telemetry: retained up to 120 days unless extended for abuse or legal hold needs.

10. Security Controls

We use layered technical and organizational safeguards, including key hashing, secret-management workflows, abuse-rate controls, transport security, and environment-level access controls. No system is perfectly secure, so we cannot guarantee absolute security.

11. International Transfers

Your data may be processed in countries outside your own. Where required, we use lawful transfer mechanisms and contractual controls designed to protect personal data.

12. Children's Privacy

The service is not directed to children under 13. We do not knowingly collect personal data from children under 13. If you believe a child has submitted personal data, contact us for deletion review.

13. No Sale of Personal Data

We do not sell personal data for money. We do not share personal data for third-party cross-context behavioral advertising.

14. Your Rights

Depending on your jurisdiction, you may have rights to access, correct, delete, or export personal data, and to object to or restrict certain processing. California residents may exercise CCPA and CPRA rights. EEA and UK users may exercise GDPR rights.

15. Rights Requests

Send requests to support@sprime.io with enough detail for verification. We may request additional information to confirm identity and prevent unauthorized disclosure. We respond within timelines required by applicable law.

16. AI and Model Training

We do not use your private account content, API payloads, or tool submissions to train third-party foundation models without explicit written authorization.

17. Changes to this Policy

We may update this Privacy Policy. The latest version and effective date are posted on this page. Material changes may be communicated through service channels.

18. Contact

Privacy questions, rights requests, and legal notices can be sent to support@sprime.io.