Privacy Policy

1. What We Store

Sprime stores the following in Google Cloud Firestore:

• Account data: Your email address, API key (hashed), plan type, and account creation date. For paid plan subscribers: your Stripe customer ID. We never see or store your credit card details.
• Usage data: Daily request counts per API key, used for rate limiting and billing.
• Webhook data (Pro plan): Webhook URLs, trigger conditions, HMAC secrets, delivery timestamps, and failure counts.
• Offer Monitor data: URLs you register, their labels, SHA-256 hashes of fetched content, short text extracts (up to 2,000 characters per snapshot), and change records. The full page content is never stored.

2. How We Handle IP Addresses

• Signup rate limiting: Your IP is held temporarily in server memory to prevent abuse. It is not written to any database or log file by our application.
• Auto-location weather (/v1/weather/auto): Your IP is sent to ipapi.co to determine your approximate location. We do not store the IP or the result.
• IP Lookup (/v1/ip-lookup): If you query this endpoint, the target IP is sent to ipwho.is for geolocation. Results are cached in server memory for 24 hours, then discarded.
• Platform logs: Google Cloud Run may log request metadata including IP addresses in its infrastructure logs. We do not actively collect or analyze these logs.

3. Third-Party Processors

Your requests may cause data to be sent to these third-party services:

• Stripe: Payment processing and subscription management. You pay through Stripe's hosted checkout; we never see your card details. Stripe provides us with your subscription status and customer ID only.
• SendGrid: Transactional email (API key delivery, service notices).
• Google Cloud: Hosting (Cloud Run), database (Firestore), and secret storage (Secret Manager).
• Redis / Upstash: Ephemeral cache for API responses. Cache entries expire and are not used for analytics.

When you make API calls, your request parameters (not your identity) may be forwarded to upstream data providers: Open-Meteo, CoinGecko, NewsAPI, Frankfurter (ECB), World Time API, ipwho.is, Nager.Date, ipapi.co, and public WHOIS registries and DNS resolvers (for Sprime Verify).

4. Sprime Verify Submissions

• Unauthenticated checks: The URL is probed and results are cached in server memory for 60 seconds, then discarded. We do not log the URL or associate it with any identity.
• Authenticated checks: The URL and a result summary are written to Firestore, associated with your API key, for your own record-keeping. Cache duration depends on your plan.
• Upstream lookups: Verification triggers outbound requests from our server to the submitted URL (HTTPS probe), WHOIS registries, and DNS resolvers. The submitted URL is never shared with any third-party analytics or advertising service.

5. Verify Suite Tool Submissions

• Payment Safety Checker: Your input is normalized and looked up in a local built-in dataset. Nothing is sent to any third party. Results are cached in server memory by method key for 24 hours. We don't log individual queries or tie them to your identity for unauthenticated requests.
• Contract Clause Translator: Your contract text is processed by a local pattern-matching engine running on our server. No text is forwarded to any third-party AI or analytics service. A SHA-256 hash of the text is used as a cache key; the full text is held in server memory for up to 24 hours, then discarded. The text is never written to our database.
• Offer Monitor: URLs you register are stored in Firestore linked to your API key. When a check runs, our server fetches the target URL and stores a SHA-256 hash, a short text extract, and change metadata. The full page content is not persisted. Monitor data is retained until you delete the monitor or close your account.

6. Browser Storage

The Sprime dashboard and Offer Monitor store your API key in your browser's localStorage so you don't have to re-enter it on each visit. This data never leaves your device unless you make an API call. Clear it at any time through your browser settings.

7. Data Retention

• Account data: Retained while your account is active. Deleted within 30 days of a deletion request.
• Usage counts: Retained for billing accuracy. Purged 90 days after account deletion.
• Webhook and monitor data: Retained until you delete the item or your account.
• Contract clause analysis: Processed in server memory only. Never persisted to any database.
• IP addresses: Not persisted beyond the request (rate-limit checks only).

8. We Do Not Sell Your Data

Sprime does not sell, rent, or share your personal information with advertisers or data brokers. We do not use your data for targeted advertising. The only third parties who receive your data are the processors listed in Section 3, and only to the extent required to run the service.

9. Your Rights

You may request access to, correction of, or deletion of your personal data by emailing support@sprime.us. Upon a verified deletion request, we will revoke your API key and remove your account data, usage records, webhook configurations, and monitor records from Firestore. If you have an active paid subscription, cancel it through Stripe before requesting deletion. We'll respond within 30 days.

10. EEA Users: GDPR Rights

If you are in the European Economic Area, you have the right to:

• Access: Request a copy of the personal data we hold about you.
• Correction: Ask us to fix inaccurate or incomplete data.
• Deletion: Ask us to delete your data (subject to legal retention obligations).
• Portability: Receive your data in a machine-readable format.
• Object or restrict: Object to processing or ask us to limit how we use your data.

To exercise any of these rights, email support@sprime.us. We process your data to provide the service you signed up for and to fulfill your subscription contract. We do not use your data for automated profiling or marketing. If you believe we have violated your GDPR rights, you have the right to lodge a complaint with your local data protection authority.

11. California Residents: CCPA Rights

If you are a California resident, you have the right to:

• Know: Request disclosure of the categories and specific pieces of personal information we collect about you.
• Delete: Request that we delete your personal information (subject to certain exceptions).
• Opt out of sale: We do not sell your personal information, so there is nothing to opt out of.
• Non-discrimination: We will not treat you differently for exercising your CCPA rights.

To submit a request, email support@sprime.us with the subject "CCPA Request."

12. Changes to This Policy

We may update this policy from time to time. We'll post the new version here with an updated effective date. For material changes, we'll notify registered users by email at least 7 days before the change takes effect.

Questions? Email support@sprime.us.