Privacy Policy

Last updated: May 25, 2026

This Privacy Policy explains how Spoolr ("Spoolr", "we", "us") collects, uses, and protects information when you use the Spoolr mobile app and website (the "Service"). We aim to keep this short and clear.

1. Who we are

Spoolr is a disposable-camera app for events. Hosts create events; guests scan a QR code, take photos, and the host reveals the album afterward.

2. What we collect

From hosts (account holders):

  • Email address (for sign-in via one-time code)
  • Optional display name
  • Stripe customer identifier (after a purchase) — payment card details are stored by Stripe, not by us
  • Events you create: name, date, tier, invite code, photo and guest limits

From guests:

  • Photos you take through the Spoolr app at an event
  • A device identifier (a random string stored locally on your device) so we can count your photos against the event's photo limit
  • We do not ask for your name, email, or account

Automatic: standard request logs (IP, timestamp, route) for security and debugging. Cookies are first-party only and used for session.

3. How we use it

  • To run the Service — create events, deliver photos, enforce limits, send sign-in codes and event notifications
  • To process payments via Stripe
  • To investigate abuse, fraud, or technical issues
  • We do not sell your data. We do not use your event photos to train AI models. We do not show ads.

4. Where it lives

  • User accounts and event metadata: PostgreSQL hosted on Neon (US East region)
  • Photos: Amazon S3 (US East region), served through Amazon CloudFront
  • Email delivery: Amazon SES
  • Payments: Stripe (we never see card numbers)

All data is encrypted in transit (HTTPS/TLS) and at rest (AWS-managed encryption + provider defaults).

5. How long we keep it

  • Event photos: automatically deleted 90 days after event creation (180 days for custom-quoted events). After deletion, photos are unrecoverable.
  • Account data: kept until you delete your account. You can delete your account from inside the app.
  • Payment records: retained for tax/accounting purposes (typically 7 years) as required by law.
  • Request logs: 30–90 days.

6. Your rights

You can:

  • Access the data we have about you (email hello@getspoolr.app)
  • Delete your account from inside the app (this wipes events, photos, and account data — except payment records we're legally required to retain)
  • Export your event albums via the Download buttons in-app or on the web dashboard
  • Opt out of marketing email (we currently don't send any)

California residents have rights under CCPA (right to know, delete, correct, opt-out of sale). EU/UK residents have rights under GDPR (access, rectification, erasure, portability, restriction, objection). Reach us at hello@getspoolr.app to exercise any of these.

7. Children

Spoolr is not directed to children under 13. If you are a host, you are responsible for the conduct of guests at your event. Do not use Spoolr with children under 13 as guests without parental consent.

8. Subprocessors

We rely on these third parties to operate the Service:

  • Amazon Web Services — storage, email, CDN
  • Neon — database
  • Vercel — hosting
  • Stripe — payment processing

9. Changes to this policy

If we make material changes, we'll update the "Last updated" date at the top and, where appropriate, notify you by email. Continued use after changes means you accept the updated policy.

10. Contact

Questions? Email hello@getspoolr.app.