Privacy Policy

What we collect, why we collect it, and the controls you have over it. Written for humans, not lawyers — but legally binding.

Last updated: May 31, 2026

Who this covers

This policy covers two groups of people: Spyder customers (the operators who sign up to build a site) and site visitors (people who later visit one of those published sites). Different rules apply to each.

What we collect from customers

When you sign up for Spyder we collect:

  • Your email address (required for account recovery and billing receipts).
  • A password hash (we never store the plaintext password).
  • Sites, pages, blog posts, forms, and uploaded assets you create.
  • Custom domain configuration if you bring your own.
  • Billing metadata (Stripe customer ID, subscription state, plan tier). Card numbers are never stored on our infrastructure — only Stripe sees them.
  • Session cookies (signed JWT, HTTP-only, secure) to keep you logged in.
  • Basic request logs (IP, user-agent, path, timestamp), kept up to 30 days for abuse detection.

What we collect from site visitors

When someone visits a site built on Spyder we collect minimal telemetry on behalf of the site owner: aggregate page view counts per page, and form submissions that the visitor explicitly submitted. We do not set advertising or tracking cookies on visitor browsers, and we do not sell visitor data to anyone.

A site owner may add third-party scripts (analytics, fonts, embeds) to their own site, in which case those third parties get whatever data the visitor's browser sends them. That's the site owner's choice and is governed by the site owner's own privacy policy.

Why we use it

  • To operate the service (authenticate you, render your site, generate AI content you requested, process payments).
  • To prevent abuse (rate-limit suspicious requests, detect spam, respond to copyright/abuse complaints).
  • To improve the product (aggregate, anonymized usage statistics — never tied to identifiable visitors).
  • To communicate operational changes (billing receipts, security notices, plan-tier changes). We don't send marketing email without your opt-in.

AI features

When you use AI site-generation or AI text-rewrite, the prompt you enter is sent to a third-party model provider (Groq or Cloudflare Workers AI) for inference. We don't retain prompts after the response is returned, and we don't use your prompts to train any model.

Where data lives

  • Account + site data: Cloudflare D1, deployed in Cloudflare's global edge network.
  • Uploaded assets (images, video): Cloudflare R2.
  • Billing: Stripe (PCI-DSS Level 1 certified).
  • Email delivery: Resend (operational email only).

How long we keep it

  • Account data: as long as your account is active, plus 30 days after deletion request.
  • Backups: 30 days, then permanently purged.
  • Request logs: 30 days rolling.
  • Billing records: retained per applicable tax law (typically 7 years).

Your rights

You can at any time:

  • Request a copy of all data we hold about you.
  • Correct or update inaccurate data.
  • Delete your account and all associated data.
  • Export your sites, pages, and assets in a portable format.
  • Object to processing, or restrict it (where legally available).

To exercise any of these, email privacy@spyderapp.com. We respond within 30 days.

Children

Spyder isn't directed at children under 13. We don't knowingly collect data from anyone under 13. If you believe a child has signed up, email us and we'll delete the account.

Changes to this policy

We post the date this policy was last updated at the top of this page. Material changes trigger an email to active customers at least 14 days before they take effect.

Contact

Questions, requests, complaints — privacy@spyderapp.com.