Privacy Policy

Effective Date: June 23, 2025

1. INTRODUCTION

SpiniX ("we," "us," "our," or the "Company") respects your privacy and is committed to protecting your personal data. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website spinix.so (the "Website") and use our review management and revenue optimization services (the "Services").

This Privacy Policy applies to all users of our Website and Services, including business clients, reviewers, and website visitors. By accessing or using our Services, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy.

2. INFORMATION WE COLLECT

2.1 Personal Information You Provide

  • Account registration information (name, email address, phone number, company name, business address)
  • Payment and billing information (credit card details, billing address, tax identification numbers)
  • Business profile information (website URL, industry type, company size, business description)
  • Communication preferences and marketing consent
  • Support ticket information and correspondence
  • Profile photos and company logos
  • Review responses and content you submit

2.2 Information Collected from Your Customers (Reviewers)

When you use our Services to collect reviews, we may collect:

  • Customer names and email addresses (provided by you or your customers)
  • Review content, ratings, and feedback
  • Customer verification information (when customers verify their reviews)
  • Social media profile information (if customers choose to verify through social media)
  • Photos and videos submitted with reviews
  • IP addresses and location data of reviewers
  • Device information and browser data
  • Newsletter subscription preferences and consent status
  • Prize/reward claim information and preferences

2.2A Information Collected via WhatsApp

When customers opt to receive communications via WhatsApp:

  • Phone numbers provided voluntarily by customers
  • WhatsApp message delivery and read status
  • Communication preferences (WhatsApp vs email)
  • Message interaction timestamps

2.3 Newsletter Subscription and Email Sharing Process

When reviewers complete a review and claim a reward/prize:

  • We collect explicit consent for newsletter subscriptions to your business
  • Email addresses are only shared with you after explicit subscriber consent
  • We track subscription status and consent timestamps
  • Opt-in confirmation data and double opt-in verification
  • Subscription source attribution (review-to-subscription tracking)

2.4 Automatically Collected Information

  • IP addresses and geolocation data
  • Browser type, version, and language settings
  • Operating system and device information
  • Website usage patterns and analytics data
  • Cookies and similar tracking technologies
  • Session recordings and heatmap data
  • Search queries and interaction data
  • Referral sources and campaign attribution data

2.5 Third-Party Information

  • Information from integrated platforms (Google, Facebook, Shopify, etc.)
  • Google Business Profile data accessed via OAuth, including business reviews (reviewer display name, star rating, review text, review date), location information, and account metadata
  • Public business information from directories and databases
  • Social media profile information (when you connect social accounts)
  • Payment processor information
  • Email service provider data

2.6 Information Processed by AI Services

When you use our Review Manager feature, the following data may be sent to third-party AI providers (Anthropic Claude, OpenAI) for processing:

  • Review text content and star ratings (no personally identifiable reviewer information is sent)
  • Your business name and type (for context-appropriate response generation)
  • Language of the review (for multilingual response generation)

AI-generated review responses are always presented as drafts for your review and approval before publication. No review responses are published automatically without explicit business owner action, unless the business owner has enabled auto-reply for positive reviews in their settings. We do not use your data to train AI models. Our AI providers process data under strict data processing agreements.

3. HOW WE USE YOUR INFORMATION

3.1 Service Provision

  • Providing and maintaining our review management Services
  • Processing and displaying customer reviews
  • Generating review invitations and follow-up communications
  • Managing prize/reward distribution after review completion
  • Processing newsletter subscription requests from reviewers
  • Facilitating email list building with proper consent management
  • Creating analytics reports and dashboards
  • Facilitating review syndication across platforms
  • Generating AI-assisted draft responses to Google Business Profile reviews on your behalf
  • Analyzing review content for potential Google policy violations and generating appeal drafts
  • Publishing approved review responses to your Google Business Profile via API
  • Managing your account and providing customer support

3.2 Newsletter and Email Marketing Management

  • Collecting and verifying newsletter subscription consent from reviewers
  • Transferring email addresses to business clients only after confirmed opt-in
  • Providing subscription management tools for businesses
  • Tracking subscription attribution and conversion rates
  • Managing unsubscribe requests and consent withdrawal

We store timestamped consent records linked to the review flow and source. Where double opt-in is enabled, confirmation is required before sharing an email with a business. Consent can be withdrawn at any time via unsubscribe links or by contacting us.

3.2B WhatsApp Communications

  • Sending prize notifications via WhatsApp when customers opt for this channel
  • Delivering review reminders and expiry notifications
  • Processing message delivery status for service improvement
  • Managing communication channel preferences

3.3 Business Operations

  • Processing payments and managing billing
  • Detecting and preventing fraud and abuse
  • Enforcing our Terms & Conditions
  • Complying with legal obligations and regulatory requirements
  • Conducting internal research and product development
  • Maintaining security and preventing unauthorized access

3.4 Marketing and Communications

  • Sending service-related notifications and updates
  • Providing customer support and responding to inquiries
  • Sending marketing communications (with your consent)
  • Personalizing your experience and recommendations
  • Conducting surveys and collecting feedback

3.5 Legal Bases (GDPR)

Where the GDPR applies, our processing relies on the following legal bases:

  • Contract (Art. 6(1)(b)): Providing, maintaining and supporting the Services you requested.
  • Legitimate interests (Art. 6(1)(f)): Security, fraud prevention, service improvement and proportionate analytics.
  • Consent (Art. 6(1)(a)): Newsletter subscriptions and marketing communications, which you can withdraw at any time.
  • Legal obligation (Art. 6(1)(c)): Accounting, tax and regulatory compliance.

4. INFORMATION SHARING AND DISCLOSURE

4.1 Email Sharing with Business Clients

IMPORTANT: Customer email addresses are only shared with our business clients under the following strict conditions:

  • The customer has completed a genuine review
  • The customer has claimed a prize/reward
  • The customer has explicitly consented to join the business's newsletter/mailing list
  • The customer has confirmed their subscription through our verification process
  • All applicable privacy laws and consent requirements are met

4.2 With Your Consent

We may share your information with third parties when you provide explicit consent or direct us to do so.

4.3 Service Providers

We share information with trusted third-party service providers who assist us in operating our business:

  • Cloud hosting and infrastructure providers
  • Payment processors and billing services
  • Email and communication service providers
  • WhatsApp Business API and messaging services (Meta/Twilio)
  • Analytics and marketing platforms
  • Customer support tools
  • Google Business Profile API (review data access and response publishing, authorized via OAuth by the business owner)
  • AI language model providers (Anthropic, OpenAI) for review response generation and content analysis
  • Security and fraud prevention services

4.4 Business Partners

  • Integration partners (e.g., e-commerce platforms, CRM systems)
  • Review syndication partners (Google, Facebook, industry-specific platforms)
  • Marketing and advertising partners (with your consent)

4.5 Legal Requirements

We may disclose information when required by law or when we believe disclosure is necessary to:

  • Comply with legal obligations or court orders
  • Protect our rights, property, or safety
  • Investigate potential violations of our Terms
  • Prevent fraud or other illegal activities

4.6 Business Transfers

In the event of a merger, acquisition, or sale of assets, your information may be transferred as part of the transaction.

5. REVIEWER RIGHTS AND NEWSLETTER SUBSCRIPTIONS

5.1 Subscription Control

Reviewers have the right to:

  • Choose whether to subscribe to business newsletters after leaving a review
  • Receive clear information about what they're subscribing to
  • Unsubscribe from business newsletters at any time
  • Request deletion of their email from business mailing lists
  • Withdraw consent for email sharing

5.2 Email Protection

  • We do not share reviewer email addresses without explicit consent
  • Businesses cannot access reviewer emails unless subscription consent is given
  • All email transfers are logged and tracked for compliance
  • Reviewers can request information about which businesses have their email

6. DATA CONTROLLER VS. DATA PROCESSOR

6.1 When We Are the Data Controller

We act as the Data Controller for:

  • Account holder information
  • Website visitor data
  • Marketing and communication preferences
  • Published reviews and associated reviewer information
  • Analytics and usage data
  • Newsletter subscription consent management

6.2 When We Are the Data Processor

We act as a Data Processor when:

  • Processing customer data on behalf of our business clients
  • Managing review invitations sent by our clients
  • Handling customer information before reviews are submitted
  • Managing newsletter subscriptions on behalf of business clients

7. INTERNATIONAL DATA TRANSFERS

7.1 Data Hosting on Supabase

We host our application data on Supabase-managed infrastructure. Business customers may request an EU region for core datasets (e.g., reviewer emails, consent logs, rewards and related analytics). Unless you select an EU region in your account or via support, data may be processed in other regions supported by Supabase. We apply consistent baseline security controls across regions and maintain appropriate transfer safeguards where required by law.

For transfers to countries without an adequacy decision, we use the European Commission's Standard Contractual Clauses (SCCs). Depending on the relationship, Module 2 (Controller→Processor) or Module 3 (Processor→Processor) applies, supplemented by technical and organizational measures such as strong encryption and access controls. Our Data Processing Addendum (including SCCs) is available here: /dpa.

8. DATA RETENTION

8.1 General Retention Periods

  • Account information: Retained for the duration of your account plus 7 years for legal compliance
  • Review data: Retained indefinitely as published content (unless deletion is requested)
  • Newsletter subscription data: Retained until consent is withdrawn or 3 years of inactivity
  • Email sharing consent records: Retained for 7 years for compliance purposes
  • WhatsApp message logs: Retained for 2 years for billing and compliance purposes
  • Phone numbers: Retained until customer requests deletion or 3 years of inactivity
  • Marketing data: Retained until you withdraw consent or 3 years of inactivity
  • Analytics data: Retained for 26 months
  • Support communications: Retained for 7 years

9. YOUR RIGHTS AND CHOICES

9.1 Access and Portability

  • Request access to your personal data
  • Obtain a copy of your data in a structured format
  • Request data portability to another service

9.2 Correction and Deletion

  • Correct inaccurate or incomplete information
  • Request deletion of your personal data (subject to legal requirements)
  • Request restriction of processing

9.3 Newsletter and Email Rights

  • Unsubscribe from business newsletters at any time
  • Request removal of your email from specific business mailing lists
  • Withdraw consent for email sharing with businesses
  • Request information about which businesses have received your email

9.4 Marketing Communications

  • Opt out of marketing emails via unsubscribe links
  • Update communication preferences in your account settings
  • Contact us to withdraw consent

10. COOKIES AND TRACKING TECHNOLOGIES

10.1 Types of Cookies We Use

  • Essential cookies for website functionality
  • Analytics cookies for usage statistics
  • Marketing cookies for advertising and personalization
  • Preference cookies for user settings

10.2 Cookie Management

You can control cookies through:

  • Your browser settings
  • Our cookie preference center
  • Third-party opt-out tools

EU/EEA visitors will see a consent banner with options to enable/disable analytics and marketing cookies. You can change your choices at any time in our Cookie Preferences center. Essential cookies are always on to provide core functionality.

11. SECURITY MEASURES

We implement appropriate technical and organizational security measures to protect your personal data:

  • TLS encryption in transit; encryption at rest for personal data
  • Role-based access control, least-privilege, and MFA for administrators
  • Server-side validation of spins and single-use reward codes to prevent abuse
  • Rate-limiting, bot and anomaly detection (device/IP signals)
  • Audit logs for administrative and sensitive actions
  • Regular backups; target RPO ≤ 24h and RTO ≤ 24h for core services
  • Periodic security reviews and penetration testing of critical components

11.1 Security Incidents & Notifications

If we become aware of a personal data breach impacting you, we will notify you without undue delay and, where the GDPR applies, within 72 hours of becoming aware, providing details of the nature of the breach, affected data categories, likely consequences and measures taken or proposed. You can reach our incident team at hello@spinix.so.

12. CHILDREN'S PRIVACY

Our Services are not intended for individuals under 18 years of age. We do not knowingly collect personal information from children. If we become aware that we have collected information from a child, we will take steps to delete such information promptly.

Where EU/EEA laws apply, if we ever process marketing consent for individuals under the relevant age of consent for information society services, we will seek verifiable parental consent as required by law.

13. CALIFORNIA PRIVACY RIGHTS

California residents have additional rights under the California Consumer Privacy Act (CCPA):

  • Right to know what personal information is collected
  • Right to delete personal information
  • Right to opt-out of the sale of personal information
  • Right to non-discrimination for exercising privacy rights

14. EUROPEAN PRIVACY RIGHTS

Under the General Data Protection Regulation (GDPR), European residents have rights including:

  • Right of access and data portability
  • Right to rectification and erasure
  • Right to restrict processing
  • Right to object to processing
  • Right to withdraw consent
  • Right to lodge a complaint with supervisory authorities

15. CONTACT INFORMATION

For privacy-related questions or to exercise your rights, contact us:

16. UPDATES TO THIS POLICY

We may update this Privacy Policy periodically. We will notify you of material changes by:

  • Posting the updated policy on our website
  • Sending email notifications to account holders
  • Displaying prominent notices on our platform