Spinative — Privacy Policy
Effective date: 2026-05-10
Last updated: 2026-05-10
This Privacy Policy explains how Ediciones Candel SL ("Spinative", "we", "us") collects, uses, shares and protects personal data in connection with the Spinative platform and the website at spinative.com.
We act as data controller for personal data we collect from visitors and from individual users of our platform. When our customers (slot studios) upload personal data of their team members or collaborators, we act as data processor on their behalf — the customer remains the data controller and our role is governed by the Data Processing Agreement at dpa.md.
1. Who we are and how to contact us
| Field | Value |
|---|---|
| Data controller | Ediciones Candel SL |
| Registered office | Paseo Martiricos 30, 29009 Málaga, Spain |
| Tax ID (CIF / NIF) | B23914054 |
| Privacy email | hello@spinative.com |
| Data Protection Officer | hello@spinative.com (if appointed) |
| Supervisory authority | Agencia Española de Protección de Datos (AEPD), www.aepd.es |
You have the right to lodge a complaint with the AEPD at any time.
2. What data we collect
2.1 Data you provide directly
- Account data: name, email address, password (hashed via Clerk; we never see plaintext), profile picture, job title, studio name.
- Billing data: company name, billing address, VAT ID, payment method (handled by Stripe; we never see full card numbers).
- Project content: text, images, design files, math models, comments, prompts and other materials you upload or generate inside the platform.
- Communications: support tickets, demo requests, feedback, responses to surveys.
2.2 Data collected automatically
- Usage data: pages visited, features used, generation events, IP address, user-agent, timestamps, error logs.
- Device data: browser type and version, operating system, screen size, language preference, timezone.
- Cookies and similar technologies: see the Cookie Policy.
2.3 Data from third parties
- Authentication providers (Clerk): when you sign up via Google / GitHub / etc., we receive the basic profile information those providers share.
- Payment processor (Stripe): we receive subscription status and limited payment metadata, never full card details.
3. How we use your data and the legal basis
| Purpose | Legal basis (GDPR Art. 6) |
|---|---|
| Provide the Spinative platform under our Terms of Service | Performance of a contract |
| Authenticate you and secure your account | Performance of a contract; legitimate interests (security) |
| Process payments and manage subscriptions | Performance of a contract; legal obligation (tax / accounting) |
| Send transactional notifications (member invites, comment replies, billing alerts) | Performance of a contract; legitimate interests |
| Improve the platform and understand product usage | Legitimate interests (product improvement) |
| Send marketing emails about new features, blog posts, events | Consent (you can opt out anytime) |
| Comply with legal obligations | Legal obligation |
| Respond to your support requests | Performance of a contract; legitimate interests |
| Detect and prevent fraud, abuse, or violations of our Terms | Legitimate interests |
We do not engage in automated decision-making with legal effects on you, and we do not profile you for advertising.
4. AI generation and your prompts
When you use the AI generation features of Spinative, the prompts you write and the assets we generate from them are processed by third-party AI providers (currently OpenAI's image API and Replicate's hosted models — see sub-processors.md for the full list).
- Prompt content is sent to the AI provider for the duration of the generation request and is governed by that provider's own data-handling terms (we use enterprise / no-training tiers where available so your prompts and outputs are not used to train third-party models).
- Generated outputs are stored in our infrastructure (Supabase Storage) under your project.
- We retain prompt history server-side to enable the "review every prompt" feature and rerun history. You can delete prompts and generated assets from your project at any time.
5. Who we share data with
We share personal data only with:
1. Sub-processors — service providers that help us run the platform (Clerk, Supabase, Vercel, Stripe, OpenAI, Replicate, Resend, Upstash). The full list is at sub-processors.md. Each is bound by a data-processing agreement and (where applicable) Standard Contractual Clauses for international transfers.
2. Other members of your studio — when you collaborate inside a studio, your name, email and contributions are visible to other members.
3. Recipients of share links — when you generate a project share link, anyone who has the link can view the project according to the role the link grants. We do not show your personal email to share-link visitors.
4. Legal and regulatory authorities — when we are required to disclose by law, court order, or legitimate request from a public authority.
5. In connection with a merger, acquisition or sale — successor entities who agree to honour this Privacy Policy.
We do not sell your personal data, and we do not share it with advertisers.
6. International data transfers
Most of our sub-processors are based in the United States. When we transfer personal data outside the European Economic Area, we rely on one or more of the following safeguards:
- Standard Contractual Clauses (SCCs) approved by the European Commission, supplemented where necessary with technical and organisational measures.
- Adequacy decisions of the European Commission for the destination country, where available.
- Your explicit consent, in narrow circumstances where it applies.
Detailed transfer information for each sub-processor is in sub-processors.md.
7. How long we keep data
| Data type | Retention period |
|---|---|
| Account data | Until you delete your account, then 30 days for backups |
| Project content | Until you delete the project, then 30 days |
| Billing records | 6 years (Spanish Commercial Code Article 30) |
| Generated assets and prompt history | Until you delete them or your account |
| Server logs | 90 days |
| Marketing-email subscription | Until you unsubscribe |
| Support tickets | 3 years from resolution |
When the retention period expires, we delete or anonymise the data.
8. Your rights
Under GDPR you have the right to:
- Access the personal data we hold about you and receive a copy
- Rectify inaccurate or incomplete data
- Erase your data ("right to be forgotten") subject to legal retention obligations
- Restrict how we process your data
- Object to processing based on legitimate interests
- Portability — receive your data in a machine-readable format and transmit it to another controller
- Withdraw consent at any time, where processing is based on consent
- Not be subject to a decision based solely on automated processing that has legal or similarly significant effects
To exercise any of these rights, email hello@spinative.com. We respond within one month (extendable by two further months for complex requests, with notice). Identity verification may be required.
9. Security
We use industry-standard technical and organisational measures to protect your data, including:
- TLS encryption in transit
- Encryption at rest for stored data and backups
- Access controls (role-based access, least privilege)
- Automated security advisors on our database and infrastructure
- Logging and monitoring of access to production systems
- Regular security review of dependencies and sub-processors
No system is perfectly secure. If we become aware of a breach affecting your personal data, we will notify the AEPD and (where the breach is likely to result in a high risk) affected users within 72 hours, in accordance with GDPR Articles 33 and 34.
10. Children
Spinative is a B2B platform intended for professional use by adults working in slot game studios. The platform is not directed to children under 18. We do not knowingly collect personal data from children under 18. If you believe a child has provided us with personal data, contact hello@spinative.com and we will delete it.
11. Changes to this policy
We may update this Privacy Policy from time to time. When we make material changes, we will:
- Update the "Last updated" date at the top
- Notify registered users by email at least 30 days before the effective date of material changes
- Where required by law, request your renewed consent
12. Contact
For any privacy-related question or to exercise your rights, contact hello@spinative.com or write to Ediciones Candel SL, Paseo Martiricos 30, 29009 Málaga, Spain.
You can also lodge a complaint with the Spanish Data Protection Agency (AEPD) at www.aepd.es.
