Customer data protection — FAQ
Audience: prospects, customers, and partners who ask "where does my data live and who can see it?"
Maintained by: Ediciones Candel SL — hello@spinative.com
Last updated: 2026-05-17
This document is a plain-English digest of the controls described in trust-and-security.md and the legal commitments in privacy-policy.md and dpa.md. Use it verbatim in sales replies, drop it on a public trust page, or expand it for an RFP response.
TL;DR (the answer in 90 seconds)
- Where your data lives: EU only. Postgres database in Supabase EU-North (Stockholm). Generated assets in Supabase Storage, same region. Files never leave the EU unless OpenAI/Replicate processes a generation request (transient, see §4).
- Who can access it: only people you've invited to your studio. Spinative staff have no routine production access; data-recovery access is gated by Supabase 2FA + service-role keys held in Vercel env (no employee laptops).
- Encryption: TLS 1.2+ in transit, AES-256 at rest on both database and Storage. Auth tokens never persisted on our infra (Clerk).
- Your IP: you own the generated assets (ToS §7). Spinative claims no rights to your slot designs, prompts, art, or math.
- Provenance: every PNG we generate carries an EXIF stamp identifying it as Spinative-origin (v246h) so you can prove ownership of derivative outputs later.
- Deletion: delete a project → it's gone within 24h including all generated assets. Delete your studio → cascade to everything.
1. Where is my data hosted?
| Data class | Location | Provider |
|---|---|---|
| Project payloads, math models, game settings | Postgres (Stockholm, EU-North-1) | Supabase |
| Generated PNG assets, marketing renders, exports | Object storage (Stockholm) | Supabase Storage |
| User accounts, auth sessions | Frankfurt, EU | Clerk |
| Subscription + invoice data | Ireland (EU) | Stripe |
| Transactional email | Ireland (EU) | Resend |
| Application code + deploys | EU region | Vercel |
| Error tracking (Spinative team only) | Frankfurt (EU) | Sentry |
No data is replicated to US infrastructure for ongoing storage. The only US round-trip is a transient API call to OpenAI or Replicate during the seconds it takes to generate an image — see §4.
2. Who can access my data?
Inside your studio:
- Owner — full access to projects, billing, member management.
- Admin — projects + member management, no billing.
- Finance — billing only, no project access.
- Member — only the projects they've been added to.
- Reviewer (share-token) — single project, read-only or comment-only, scoped by token + expiry.
Cross-studio access is impossible by construction. Every server action that takes a project ID runs through assertProjectAccess which verifies the caller is a member of the studio that owns the project. The same check runs on every API route, every export, every asset upload.
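As an added illustration (not Spinative's actual assertProjectAccess, whose source is not on this page), the following TypeScript shows the shape of the check described above: resolve the project to its owning studio, look up the caller's membership in that studio, apply the role rules from the list above, and treat share-tokens as project-scoped with an expiry. Table names, sample IDs and the function signature are assumptions.

```typescript
type Role = "owner" | "admin" | "finance" | "member";
type Access = "full" | "read" | "comment";
type Caller = { userId: string } | { shareToken: string };

interface Project { id: string; studioId: string }
// projectIds is only meaningful for role "member" (access limited to listed projects)
interface Membership { userId: string; studioId: string; role: Role; projectIds?: string[] }
interface ShareToken { token: string; projectId: string; mode: "read" | "comment"; expiresAt: number }

// Constructed sample rows standing in for the projects / studio_members tables.
const projects: Project[] = [
  { id: "p-1111", studioId: "s-aaaa" },
  { id: "p-2222", studioId: "s-bbbb" },
];
const memberships: Membership[] = [
  { userId: "u-alice", studioId: "s-aaaa", role: "owner" },
  { userId: "u-bob",   studioId: "s-aaaa", role: "finance" },
  { userId: "u-carol", studioId: "s-aaaa", role: "member", projectIds: ["p-1111"] },
  { userId: "u-dave",  studioId: "s-bbbb", role: "admin" },
];
const shareTokens: ShareToken[] = [
  { token: "tok-ok",  projectId: "p-1111", mode: "read", expiresAt: Date.UTC(2099, 0, 1) },
  { token: "tok-old", projectId: "p-1111", mode: "read", expiresAt: Date.UTC(2020, 0, 1) },
];

// One uniform failure for every denial path, so a caller from another studio
// cannot tell "exists elsewhere" from "does not exist".
function denied(): Error { return new Error("project not found or access denied"); }

// Returns the access level the caller holds on projectId, or throws.
function assertProjectAccess(caller: Caller, projectId: string, now: number = Date.now()): Access {
  const project = projects.find((p) => p.id === projectId);
  if (!project) throw denied();

  if ("shareToken" in caller) {
    // Reviewer: the token must name exactly this project and still be unexpired.
    const t = shareTokens.find((s) => s.token === caller.shareToken);
    if (!t || t.projectId !== projectId || t.expiresAt <= now) throw denied();
    return t.mode;
  }

  // Membership is looked up in the studio that OWNS the project, never by project alone.
  const m = memberships.find((r) => r.userId === caller.userId && r.studioId === project.studioId);
  if (!m) throw denied();                    // cross-studio caller or stranger
  if (m.role === "finance") throw denied();  // billing only, no project access
  if (m.role === "member" && !(m.projectIds ?? []).includes(projectId)) throw denied();
  return "full";                             // owner, admin, or a member added to this project
}
```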
Spinative staff:
- No routine production access. Our codebase doesn't have any "admin god-mode" UI. Customer support requests are answered using whatever you've shared with us (a screenshot, a share-link, etc.).
- Break-glass debugging requires the Supabase service-role key, which lives only in Vercel's encrypted env vars — never on a laptop, never in git. Two engineers have access. Every break-glass query is logged in Supabase's audit log.
- No customer impersonation. We can't log in "as you" — Clerk's user sessions are bound to the original device's tokens.
3. How is my data protected on the wire and at rest?
- In transit: HTTPS-only. HSTS enabled on spinative.com. TLS 1.2+ enforced at the Vercel edge and at every sub-processor's ingress.
- At rest:
  - Database: Postgres tablespace encrypted with AES-256 (Supabase managed).
  - Storage: AES-256 on every object (S3-compatible).
  - Backups: encrypted with the same key material.
- Secrets: Stripe / OpenAI / Resend / Clerk credentials live in Vercel encrypted env vars. Rotated annually or on any team change.
- Multi-tenant isolation: every row in every multi-tenant table (projects, studio_members, generated_assets, …) carries a studio_id foreign key. Application-layer authorisation enforces the boundary; Postgres RLS is enabled and locked to the service role (we explicitly chose app-layer auth over RLS-only because of the cross-table joins our editor needs — full rationale in trust-and-security.md §3).
4. What about the AI providers? Don't OpenAI / Replicate get my prompts?
Yes, transient processing of your prompts is unavoidable — that's how AI generation works. What we've done to limit exposure:
- OpenAI (image generation + chat):
  - Spinative is on the API plan, not the consumer ChatGPT plan.
  - OpenAI's API terms (March 2024+) state that API inputs and outputs are NOT used to train OpenAI models.
  - OpenAI retains API request bodies for 30 days for abuse monitoring, after which they're deleted. We do not opt into longer retention.
- Replicate (background-removal for character cutouts):
  - Used only for the rembg model. No training; outputs deleted within 24h per Replicate's terms.
- Anthropic (referenced in some docs as an experimental chat path, not yet wired in production) — when/if enabled, same posture: API terms, no training, short retention.
What we DON'T send to AI providers:
- Your studio name, member emails, billing data, or any auth secrets.
- Other users' prompts or assets.
- Project IDs only travel inside generation request metadata; they're UUIDs and not linkable back to your studio name from the AI provider side.
5. Who owns the assets I generate?
You do. Spinative claims no rights to the AI-generated assets, the prompts you write, the math models you build, the marketing creatives you compose, or any other Customer Content. See Terms of Service §7.
Important caveats every AI tool customer should understand (these are not Spinative-specific, they're universal to the current state of generative AI):
- AI outputs are statistical reconstructions of training data. There is a small but non-zero risk that a generated image will resemble a copyrighted work or registered trademark. Spinative does not warrant that outputs are clear of third-party rights — you should run a trademark search on any logo or named character you intend to ship commercially.
- For provenance, every PNG we generate carries an EXIF stamp since v246h (May 2026) identifying it as Spinative-origin with a project ID + prompt hash. If an asset shows up in a dispute later, the EXIF proves it came from your project.
6. How do you handle deletion?
- Per-project delete: removes the project row + all generated_assets rows + cascade-deletes the corresponding files in Storage. Operation completes within seconds; storage cleanup runs within 24h.
- Studio delete: cascades through every project, every member row, every audit log entry, every generated asset. Stripe customer record is retained for accounting (Spanish Commercial Code Art. 30 — 6 years).
- Account delete: the user record (via Clerk) is removed; studio memberships are revoked. Studios the user owned must be transferred to another owner or deleted first.
- What we keep after delete (and why):
  - Audit log entries for billing-affecting actions (subscription changes, refunds) — 6 years (Spanish Commercial Code).
  - Stripe invoices — 6 years (same).
  - Aggregate, anonymous metrics — indefinitely, never linkable back.
GDPR data-export + bulk delete via a self-serve UI is on our Q3 2026 roadmap. Today, request export or full deletion by emailing hello@spinative.com.
7. What about backups? Disaster recovery?
- Supabase runs Point-in-Time Recovery (PITR) on the database with 7-day retention.
- Storage has built-in S3-style durability (11 nines).
- Off-Supabase backups are on our roadmap (the audit flagged this as a gap) — we'll add weekly pg_dump snapshots to a separate cloud in Q3 2026 so we're not single-vendor for disaster recovery.
If you have a contractual disaster-recovery requirement (RPO/RTO), mention it during the sales conversation — we can scope a custom backup arrangement on an Enterprise plan.
8. Compliance posture
| Standard | Status |
|---|---|
| GDPR (controller + processor) | ✅ Compliant. Privacy Policy + DPA published. AEPD is supervisory authority. |
| ePrivacy / Cookie consent | Cookie banner shipping pre-launch. Cookie Policy published. |
| EU AI Act (Art. 50 transparency) | Watching — phase-in obligations coming 2026-27. We will publish a transparency notice before any deployer-class obligation applies. |
| SOC 2 Type I | Planned Q1 2027. Not certified today. |
| SOC 2 Type II | Planned Q4 2027 |
| ISO 27001 | Planned Q2 2027 |
| PCI DSS | Out of scope — we never touch card data (Stripe handles payment forms). |
| Spanish iGaming licensing | Not applicable — Spinative is a design tool, not a gambling operator. |
We're honest about what we don't yet have. If you need a SOC 2 Type II report today, we are not the right fit — but if you can wait until Q4 2027, we'll be there.
9. The honest gaps
In the spirit of transparency, here's what's not perfect today:
- project-assets storage bucket is currently public-readable (URLs are UUID-prefixed so they're unguessable, but the access-control story is "obscurity + your URLs aren't shared"). The migration to private bucket + signed URLs is documented in our codebase (lib/storage/signed-urls.ts) and will land before public launch.
- No formal SLA today. Best-effort availability. Enterprise contracts can add one on request.
- Workspace-level bulk export doesn't ship until Q3 2026. Per-project export is available today.
- No third-party penetration test has been performed. Planned Q4 2026.
- No 24/7 on-call. Issues raised outside European business hours get a response the next morning.
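The first gap above, as an added self-contained illustration of the "private bucket + signed URLs" pattern (not the project's lib/storage/signed-urls.ts and not Supabase's own signed-URL implementation): a URL is honoured only when its HMAC over path and expiry verifies and the expiry has not passed, so an unguessable UUID path by itself grants nothing. Key, host and path layout are constructed for the example.

```typescript
import { createHmac, timingSafeEqual } from "node:crypto";

// Assumed demo key; in a real deployment this comes from an encrypted env var, never from code.
const SIGNING_KEY = Buffer.from("constructed-demo-key-not-a-real-secret");
const BASE = "https://storage.example.invalid/project-assets/"; // constructed host

// HMAC binds the object path AND the expiry, so neither can be changed independently.
function sign(path: string, expiresAt: number): string {
  return createHmac("sha256", SIGNING_KEY).update(`${path}\n${expiresAt}`).digest("hex");
}

// Mint a time-limited URL for one object in the (private) bucket.
function mintSignedUrl(path: string, ttlSeconds: number, now: number = Date.now()): string {
  const expiresAt = Math.floor(now / 1000) + ttlSeconds;
  return `${BASE}${path}?exp=${expiresAt}&sig=${sign(path, expiresAt)}`;
}

// What the storage edge checks before serving the object.
function verifySignedUrl(url: string, now: number = Date.now()): { ok: boolean; reason: string } {
  const u = new URL(url);
  const path = u.pathname.replace(/^\/project-assets\//, "");
  const expRaw = u.searchParams.get("exp");
  const sig = u.searchParams.get("sig") ?? "";
  if (expRaw === null || !/^\d+$/.test(expRaw)) return { ok: false, reason: "malformed expiry" };
  const exp = Number(expRaw);
  // Compare signatures in constant time; a length mismatch is simply a bad signature.
  const expected = Buffer.from(sign(path, exp), "hex");
  const given = Buffer.from(sig, "hex");
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) {
    return { ok: false, reason: "bad signature" };
  }
  if (exp <= Math.floor(now / 1000)) return { ok: false, reason: "expired" };
  return { ok: true, reason: "" };
}
```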
If any of these are blockers, please tell us — we'd rather hear it during the sales conversation than after you've signed.
10. Where to get more detail
| Question | Where to look |
|---|---|
| Technical control inventory | docs/legal/trust-and-security.md |
| GDPR contractual terms | docs/legal/dpa.md |
| Privacy rights and retention periods | docs/legal/privacy-policy.md |
| Acceptable-use boundaries | docs/legal/acceptable-use.md |
| Sub-processor list (with current regions) | docs/legal/sub-processors.md |
| LSSI-CE operator identification (Spain) | docs/legal/legal-notice.md |
For anything else: hello@spinative.com. We answer within one EU business day.
