Legal
Privacy Policy
Last updated: 26 June 2026
Pre-launch notice. Spine's apps are in a pre-launch / TestFlight phase. This policy describes how we intend to handle data at launch and is reviewed as the products mature. It is provided in good faith and should be read alongside our Terms and Cookie Policy.
Spine is the account, billing and shared-catalogue platform behind our reading apps — Snippet, and the forthcoming Marginally and TBX. This policy explains what personal data we collect, why we collect it, where it is stored, how long we keep it, and the rights you have over it.
1. Who we are (data controller)
The data controller for Spine and its apps is Spine (operated by Tom Weaver). For any privacy question or to exercise your data rights, contact us at privacy@madebyspine.com (or support@madebyspine.com).
2. What data we collect
We collect only what we need to run your account and the apps:
- Account & authentication — your email address and either a securely hashed password or an OAuth identifier (e.g. Sign in with Apple, Google), managed by our authentication provider, Supabase Auth.
- Profile — display name, optional avatar image URL, genre preferences, and (if you provide one) a short bio.
- Reading activity — per-book reading status you set (for example “reading”, “read”, “want to read”).
- Contributions — content you submit to improve the shared book catalogue (e.g. EPUB-derived chapter structure, extracted text, and any image URLs you attach).
- Push notifications — if you enable them, a device push token so we can deliver notifications.
- Operational telemetry — limited usage records such as OCR/scan attempt timestamps and your subscription tier. We do not store the scanned image content in this telemetry.
- Server logs — request identifiers, your user ID, HTTP status codes and timestamps. Authentication tokens and database credentials are stripped from logs before they are written.
We do not sell your personal data, and we do not use it for third-party advertising.
3. How we use your data (legal basis)
- To provide the service — creating and securing your account, syncing your library and reading status, and processing your contributions (legal basis: performance of a contract).
- To keep the service safe and reliable — abuse prevention, rate limiting, debugging and security monitoring (legal basis: legitimate interests).
- To communicate with you — service messages and, only where you have opted in, launch news (legal basis: consent, which you can withdraw at any time).
4. Where your data is stored
Application data is stored in Supabase (PostgreSQL) hosted on AWS in the EU
(eu-west-1). Authentication is handled by Supabase Auth. Our API runs on Fly.io
(London region) and our marketing site is served by Netlify. Some data may be processed in
other regions by these providers as part of their standard infrastructure; they act as our
processors under appropriate data-protection terms.
5. Third parties and sub-processors
- Supabase — authentication, database and storage.
- Fly.io — API hosting.
- Netlify — marketing website hosting and form submissions.
- Book metadata services (e.g. Google Books, Open Library) — used to enrich catalogue records. We send only book identifiers such as title, author and ISBN; we do not send your personal data to these services.
- App stores (Apple) — process subscription payments and provide receipts. We do not receive or store your full card details.
6. Data retention
We keep personal data only as long as we need it:
| Data | Retention |
|---|---|
| Account, profile, reading status, contributions | Until you delete your account, then removed/anonymised promptly. |
| Operational telemetry (e.g. OCR attempts) | Up to 90 days, then deleted. |
| Server logs | Up to 30 days (our hosting providers’ default), then rotated out. |
| Marketing list (if you opted in) | Until you unsubscribe. |
7. Your rights
Depending on where you live (for example under the UK GDPR, EU GDPR or California’s CCPA), you have rights to:
- Access — request a copy of the personal data we hold about you.
- Rectification — correct inaccurate or incomplete data (much of which you can edit directly in the app).
- Erasure — ask us to delete your account and associated data.
- Portability — receive your data in a portable format.
- Objection / restriction — object to or restrict certain processing.
- Withdraw consent — for anything based on consent, at any time.
To exercise any of these rights, email privacy@madebyspine.com. We will respond within the timeframe required by applicable law (generally within one month). You also have the right to complain to your local data-protection authority (in the UK, the ICO).
8. Children
Our apps are not directed at children under 13 (or the minimum age in your country), and we do not knowingly collect their personal data. If you believe a child has provided us data, contact us and we will delete it.
9. Security
We protect your data with encryption in transit (HTTPS/TLS), row-level access controls in the database, scoped service credentials, rate limiting, and security headers. No system is perfectly secure, but we work to limit the data we hold and the access to it.
10. Changes to this policy
We may update this policy as our apps evolve. When we make material changes we will update the “last updated” date above and, where appropriate, notify you in the app or by email.
11. Contact
Questions about this policy or your data? Email privacy@madebyspine.com.