Spine/

Legal

Privacy Policy

Last updated: 26 June 2026

Pre-launch notice. Spine's apps are in a pre-launch / TestFlight phase. This policy describes how we intend to handle data at launch and is reviewed as the products mature. It is provided in good faith and should be read alongside our Terms and Cookie Policy.

Spine is the account, billing and shared-catalogue platform behind our reading apps — Snippet, and the forthcoming Marginally and TBX. This policy explains what personal data we collect, why we collect it, where it is stored, how long we keep it, and the rights you have over it.

1. Who we are (data controller)

The data controller for Spine and its apps is Spine (operated by Tom Weaver). For any privacy question or to exercise your data rights, contact us at privacy@madebyspine.com (or support@madebyspine.com).

2. What data we collect

We collect only what we need to run your account and the apps:

We do not sell your personal data, and we do not use it for third-party advertising.

3. How we use your data (legal basis)

4. Where your data is stored

Application data is stored in Supabase (PostgreSQL) hosted on AWS in the EU (eu-west-1). Authentication is handled by Supabase Auth. Our API runs on Fly.io (London region) and our marketing site is served by Netlify. Some data may be processed in other regions by these providers as part of their standard infrastructure; they act as our processors under appropriate data-protection terms.

5. Third parties and sub-processors

6. Data retention

We keep personal data only as long as we need it:

DataRetention
Account, profile, reading status, contributionsUntil you delete your account, then removed/anonymised promptly.
Operational telemetry (e.g. OCR attempts)Up to 90 days, then deleted.
Server logsUp to 30 days (our hosting providers’ default), then rotated out.
Marketing list (if you opted in)Until you unsubscribe.

7. Your rights

Depending on where you live (for example under the UK GDPR, EU GDPR or California’s CCPA), you have rights to:

To exercise any of these rights, email privacy@madebyspine.com. We will respond within the timeframe required by applicable law (generally within one month). You also have the right to complain to your local data-protection authority (in the UK, the ICO).

8. Children

Our apps are not directed at children under 13 (or the minimum age in your country), and we do not knowingly collect their personal data. If you believe a child has provided us data, contact us and we will delete it.

9. Security

We protect your data with encryption in transit (HTTPS/TLS), row-level access controls in the database, scoped service credentials, rate limiting, and security headers. No system is perfectly secure, but we work to limit the data we hold and the access to it.

10. Changes to this policy

We may update this policy as our apps evolve. When we make material changes we will update the “last updated” date above and, where appropriate, notify you in the app or by email.

11. Contact

Questions about this policy or your data? Email privacy@madebyspine.com.