Spot — Privacy Policy
Last updated: 2026-06-14. Version: 1.0.0.
This document describes what personal data Spot collects, how it uses that data, who it shares it with, and the rights you have over it. It is written to satisfy the disclosure requirements of the EU General Data Protection Regulation (GDPR), the UK GDPR + Data Protection Act 2018, the California Consumer Privacy Act / California Privacy Rights Act (CCPA / CPRA), and Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA).
Note. Spot is operated under the trading name Spot App. We use email (privacy@spotgrocery.com) as our contact and do not publish a postal address.
1. Who we are (Controller)
- Service name: Spot — a shared, real-time grocery / to-do list app for two partners with a Manual Veto photo confirmation flow.
- Controller (the entity that decides why and how your data is processed): Spot App (a trading name). We do not publish a postal address; contact us by email for all matters, including any request that legally requires a postal response.
- Privacy contact: privacy@spotgrocery.com. We have not appointed a Data Protection Officer (our processing scale does not trigger GDPR Art. 37(1)).
2. What data we collect
| Category | Why we collect it | Where it lives | When we delete it |
|---|---|---|---|
| Account credentials — your email, a password hash (we never see your plaintext password). | To create your account, sign you in, and let your partner invite you by email. | Supabase Auth (our backend processor; see § 5). | When you delete your account (§ 7), or after 36 months of inactivity. |
| Grocery list contents — list names, item names, scratched/done state, who created each list. | Core service: storing and syncing the lists you create. | Supabase Postgres. | 1 day after the list expires, plus a 1-day grace window; then permanently deleted. |
| Verification photos — the photos you take through the Manual Veto flow. | To show your partner the item you’re verifying. | Supabase Storage (S3-backed). | Within 5 minutes of an item or list being deleted. |
| Invitation records — your email when someone invites you, and their email when you invite someone. | To deliver invites between partners. | Supabase Postgres. | When the invite is accepted, declined, or your account is deleted. |
| Tier metadata — which tier you’re on (free / premium once monetization ships). | To enforce per-tier limits. | Supabase Postgres. | When your account is deleted. |
| Push token — a device identifier from Google Firebase Cloud Messaging (FCM) when you enable notifications. | To wake your device when your partner acts. The payload is opaque metadata (event type + record ids); names, list contents, and photos never transit Google — your device fetches details and composes the notification locally. | Supabase Postgres + Google FCM (transport). | When you sign out, delete your account, or the token goes stale (~9 months unused). |
| Consent record — timestamp and version of this policy you agreed to. | To prove you consented at sign-up (GDPR Art. 7(1)). | Supabase Auth user metadata. | When your account is deleted. |
| Diagnostic logs — error logs may include your user id. We do not log message bodies. | To diagnose bugs. | Server logs (Supabase-managed). | Typically ≤ 30 days. |
What we do NOT collect:
- Plaintext passwords (Supabase Auth hashes before storage).
- Location data (we do not request location permission).
- Device identifiers / IDFA / advertising IDs (Spot ships no advertising SDKs).
- Contact lists or phonebook data.
- Browsing history outside the app.
- Biometric data.
3. How we use your data
| Purpose | Lawful basis |
|---|---|
| Run the service (sign-in, sync lists, deliver invites, show your partner’s photos) | Contract (Art. 6(1)(b)). |
| Enforce tier caps | Contract. |
| Diagnose bugs and abuse | Legitimate interests (Art. 6(1)(f)). |
| Respond to your privacy requests (access, erasure, portability) | Legal obligation (Art. 6(1)(c)). |
| Send transactional emails (invitation, password reset) via Supabase Auth | Contract. |
| Comply with mandatory CSAM-reporting obligations (§ 9) | Legal obligation — 18 U.S.C. § 2258A where it applies; equivalent national law elsewhere. |
We do not use your data for advertising or sell it to third parties. We do not profile you for automated decisions that produce legal effects.
4. Who can see your data
| Recipient | What they see | Why |
|---|---|---|
| Your partner(s) on a shared list | List name, item names, scratched/done state, photos you take for verification on that list. | This is the service. |
| Supabase Inc. (backend processor) | All data in the table above. They host the database, storage, and auth under a Data Processing Agreement, only on our instructions. | Infrastructure provider. |
| Google LLC (FCM push transport) | Your device’s push token and opaque event metadata. Never names, emails, list contents, or photos. | Push-notification delivery. |
| Law enforcement / regulators | Specific records when legally compelled. For CSAM (§ 9), we report proactively. | Legal obligation. |
| Successor entity (hypothetical merger / acquisition) | Same data scope, bound by the same commitments. | Business continuity. |
We do not share your data with advertising networks, data brokers, cross-service analytics platforms, or other third parties not listed above.
5. International transfers
Our backend is hosted by Supabase in the European Union (AWS Frankfurt, region eu-central-1). Your account data, lists, and verification photos are stored and processed there.
If you use Spot from inside the EU/EEA or the UK, your data stays in the EEA and no international transfer is involved. If you use Spot from outside the EEA — for example, from the US or Canada — your data is processed in the EU; that inbound transfer does not weaken the protections this policy describes.
For any onward transfer of EU/UK personal data to a country outside the EEA — for instance, a sub-processor engaged by Supabase — our data-processing agreement with Supabase relies on Standard Contractual Clauses (the EU Commission’s 2021 SCCs), supplemented by Supabase’s documented security posture (encryption in transit + at rest, access controls). You may request a copy of the SCCs from us by email.
6. How long we keep your data
- Account data: until you delete your account, or 36 months of inactivity.
- Lists + items: ~2 days after the list’s TTL elapses (1-day TTL + 1-day grace), with automatic hard-deletion.
- Photos: within 5 minutes of the parent item or list being deleted.
- Logs: ≤ 30 days, per Supabase’s rotation.
- Reported CSAM (§ 9): preserved for 90 days per 18 U.S.C. § 2258A(h) or its equivalent, or longer under a law-enforcement preservation order.
7. Your rights
These rights apply to all users; the strictest wording (GDPR) is used. CCPA / PIPEDA equivalents are bundled into the same request paths.
| Right | How to invoke | We respond in |
|---|---|---|
| Access (GDPR Art. 15 / CCPA / PIPEDA Principle 9) | Email privacy@spotgrocery.com from your account email. | 30 days (extendable by 60 if complex, with notice). |
| Erasure (GDPR Art. 17 / CCPA / PIPEDA Principle 5) | In-app: ⋮ menu → Delete my account → Delete forever. Uninstalled the app? See the account-deletion page or email privacy@spotgrocery.com. | “Without undue delay” — immediate in-app, ≤ 30 days for emailed requests. |
| Rectification (GDPR Art. 16) | Account fields are editable in-app; otherwise email privacy@spotgrocery.com. | 30 days. |
| Portability (GDPR Art. 20 / CCPA) | Email privacy@spotgrocery.com. Format: JSON. | 30 days. |
| Restriction (GDPR Art. 18) | Email privacy@spotgrocery.com. | Within reasonable time. |
| Objection (GDPR Art. 21) | Email privacy@spotgrocery.com. | We will stop unless we have an overriding legitimate basis. |
| Withdraw consent (GDPR Art. 7(3)) | Email privacy@spotgrocery.com. | Effective from the date of withdrawal. |
| Complain to a regulator | EU users: national DPA. UK: ICO. California: CPPA. Canada: OPC. | Their process. |
| Non-discrimination (CCPA §1798.125) | Automatic. | N/A. |
8. Security
Spot uses Supabase’s security posture as its baseline: encryption in transit (TLS 1.2+) and at rest (AES-256). Database access is gated by Row-Level Security (RLS) policies enforced server-side. Server-side state-machine transitions flow through SECURITY DEFINER Postgres functions so a malicious or buggy client cannot bypass enforcement.
For Phase 1, Spot ships no device-local persistence — if your device is lost, an attacker who unlocks it cannot extract your lists or photos from local storage (they don’t exist there).
In the event of a personal-data breach, we will notify the supervisory authority within 72 hours per GDPR Art. 33, and you directly per GDPR Art. 34 if the breach is likely to result in high risk to your rights.
9. Mandatory CSAM reporting
If we discover child sexual abuse material (CSAM) on the service — through a user report (§ 10) or operator review — we will report to the designated authority in the applicable jurisdiction:
- United States: NCMEC’s CyberTipline, per 18 U.S.C. § 2258A.
- United Kingdom: Internet Watch Foundation + National Crime Agency.
- European Union: the relevant member-state hotline within the INHOPE network, and Europol’s European Cybercrime Centre (EC3).
- Canada: Cybertip.ca (Canadian Centre for Child Protection).
We will preserve the reported content for 90 days from the report (or longer under a law-enforcement preservation order) so investigators can secure legal process before evidence is destroyed.
We do not notify the uploader that they have been reported; the relevant statutes impose a non-disclosure obligation that overrides this policy’s transparency commitments for this specific class of report.
We do not actively scan all uploaded content with perceptual-hash tools (e.g. PhotoDNA) at this stage. § 2258A(f) expressly states providers are not required to monitor their service for such content; we rely on user reports and operator review. See our child-safety standards.
10. Reporting other unlawful or objectionable content
For non-CSAM content that you believe violates our Terms or applicable law (harassment, hate speech, IP infringement, etc.), use the in-app Report affordance on the affected item. EU users may also exercise their rights under Article 16 of the Digital Services Act (Regulation (EU) 2022/2065) — we treat the in-app report as a DSA notice.
We will act on substantiated reports within 7 days. Where we remove content, the uploader receives a statement of reasons per DSA Art. 17 (EU users) unless legally prohibited from disclosure.
11. Children
Spot is not intended for users under 13 (US: COPPA threshold) or under 16 in EU member states that set a higher digital-consent age. We do not knowingly collect data from children under those ages. If you become aware that a child has created a Spot account, please email privacy@spotgrocery.com and we will delete the account.
12. Changes to this policy
We will update this policy as the service evolves. Material changes are signaled by incrementing the version number at the top + a re-consent prompt in the app on the next launch. Non-material changes are reflected by updating the “Last updated” date.
Your continued use of Spot after a re-consent prompt confirms acceptance of the new version. If you do not consent, you may delete your account before the prompt expires (§ 7).
13. Contact
- Email: privacy@spotgrocery.com — our primary contact for all privacy matters. We do not maintain a public postal address; if a request legally requires a postal reply, email us and we will arrange it.
This document is informational and reflects best-effort drafting based on the regimes named. It is not legal advice.