Privacy Policy

Last updated: 2026-05-19 · Version 5

The short version

  • We collect what you give us — account info, your projects and chats, the files you upload — plus a small amount of usage telemetry (cookieless analytics and error monitoring) to keep the product working.
  • We don’t opt your content into training programs at any LLM provider.
  • Your data is stored in the EU and is encrypted in transit and at rest.
  • Questions or requests? Email privacy@spunto.ai.

Who we are

Spunto is operated by Spunto Labs LLC. Spunto Labs LLC is the data controller for the information described in this policy. You can reach us at privacy@spunto.ai.

What we collect

  • Account data. Email, name, and (if you sign in with a provider) the basic profile info Google returns. Auth is handled by Supabase.
  • Workspace and project data. Your workspace name, the projects and sub-projects you create, and the agents you set up.
  • Your content. Messages you send, artifacts your crew produces, tasks, knowledge items, and any files you upload. This is the work the product exists to help you do.
  • Telemetry. Product analytics via PostHog and, on our public website only and only with your consent, traffic measurement via Google Analytics. Error monitoring via Sentry, with PII scrubbed before events are sent.
  • Inferred data. None beyond what you explicitly provide.

Why we use your data

For users in the EU/UK, our lawful bases under GDPR are:

  • Legitimate interest (Article 6(1)(f)) for delivering and improving the core product. Per the EDPB’s Opinion 28/2024, conversational AI assistance is a recognised legitimate-interest use.
  • Contract performance (Article 6(1)(b)) for paid features — processing payments, enforcing limits, providing support.
  • Consent (Article 6(1)(a)) for anything optional — non-essential analytics or marketing tools — if and when we add them.

Sub-processors

We rely on a handful of vendors to run the product. Each one only touches the data they need to do their job.

  • OpenAI, Google — LLM providers we use today. Based in the US, certified under the EU-US Data Privacy Framework. Neither uses API content to train its upstream models. We may add Anthropic models in the future; if we do, we’ll update this policy.
  • Vercel — web hosting (EU region).
  • Supabase — database, authentication, and transactional email for account verification (EU region).
  • PostHog — product analytics, EU region. On our public website, PostHog runs in cookieless mode from your first visit (a server-side daily-rotating hash, no browser storage, not personal data). If you accept the cookie banner, it switches to cookie mode for returning-visitor tracking; if you reject, it stays cookieless. Inside the authenticated app, PostHog runs with cookies under a legitimate-interest basis (revocable from Settings → Privacy).
  • Google Analytics 4 — traffic measurement on our public website (spunto.ai) only. Loads only after you accept the cookie banner. Operated by Google LLC under the EU-US Data Privacy Framework. Not loaded inside the authenticated app.
  • Sentry — error monitoring, EU region, with PII scrubbed before events leave our servers.
  • Resend — transactional email delivery for product lifecycle messages (account approved, workspace ready). EU region (Ireland, eu-west-1). Operated by Resend, Inc. under the EU-US Data Privacy Framework.
  • Inngest — background job orchestration for long-running agent work.
  • Telegram Messenger LLP — message delivery for users who connect a Telegram chat to their workspace. Sees only the messages you ask us to deliver, plus the chat identifiers needed to route them. For details, see the Telegram integration section below and the Telegram privacy policy.

International data transfers

Your data is stored in the EU. When we send your prompts to LLM providers (currently OpenAI and Google) for processing, those providers operate from the United States under the EU-US Data Privacy Framework. Where DPF coverage doesn’t apply to a specific transfer, we rely on the European Commission’s Standard Contractual Clauses.

How LLM providers retain your prompts

The two LLM providers we use today operate as follows:

  • OpenAI — standard API retention applies. Content sent to the API is held for up to 30 days for abuse monitoring and then deleted. OpenAI does not use API content to train its models.
  • Google — content sent to the Vertex AI / Gemini API is not used to train Google’s models. Retention follows Google’s published API policies.

When you delete your data with us, we cannot retrieve copies that may temporarily exist in a provider’s short-lived logs. Those logs are not used to train models and are deleted on each provider’s published schedule.

Telegram integration

If you connect Telegram to your workspace, you can chat with your crew from the Telegram app. The conversation itself still lives with us in the EU — Telegram is the delivery channel that carries each message between your phone and our servers.

To make the integration work, some of your data passes through Telegram’s servers. Here’s exactly what:

  • What we send to Telegram. Replies from your assistant and crew, approval prompts, and artifacts the assistant chooses to share (images, files, short text). A welcome message when you first pair, and a disconnected message if you unlink.
  • What we receive from Telegram. The messages you send to the bot, button taps on approval cards, your Telegram chat identifier (so we can route replies back to the right chat), an update identifier (so we don’t process the same message twice), and your Telegram username and display name if you have them set. We’re also told if you block the bot, so we can clean up the pairing automatically.
  • What stays with us. Your password, your session tokens, your project data, your knowledge items, and the work of other people in your workspace. A pairing is per-person; another member’s Telegram doesn’t see your chats and yours doesn’t see theirs.

Telegram has its own retention and operational practices for the messages that travel through their servers — see the Telegram privacy policy. Once a message arrives in our systems, the EU-residency and retention rules described elsewhere in this policy apply.

For users in the EU/EEA/UK, transfers to Telegram fall under the European Commission’s Standard Contractual Clauses.

You can disconnect at any time from Settings → Integrations. Disconnecting deletes the pairing on our side and sends a confirmation message to the chat. Blocking the bot in Telegram has the same effect — we receive the block event and clean up the pairing automatically.

How long we keep things

  • Account data — for the life of your account, then up to 30 days after you delete it.
  • Your content (messages, artifacts, tasks, files) — for the life of your account; deleted within 30 days of account deletion.
  • Sentry error logs — 90 days.
  • PostHog product analytics — 12 months.
  • Google Analytics — event-level data is retained per the period configured in our GA4 admin (capped at the GA4 maximum of 14 months). Aggregate reports are retained for the lifetime of the property.
  • Telegram pairing record — for as long as the integration is connected. Deleted within minutes of you disconnecting or blocking the bot.

Your rights — EU and UK

If you’re in the EU, EEA, or UK, the GDPR (and UK GDPR) gives you the right to:

  • Access the personal data we hold about you
  • Correct inaccurate data (rectification)
  • Delete your data (erasure)
  • Restrict how we process it
  • Receive a portable copy
  • Object to processing based on legitimate interest
  • Lodge a complaint with your local supervisory authority if you believe we’ve mishandled your data

To exercise any of these, email privacy@spunto.ai or use the controls in your account settings.

Your rights — United States

California (CCPA/CPRA), Colorado (CPA), Connecticut (CTDPA), Virginia (VCDPA), Utah (UCPA), and the comprehensive privacy laws in Delaware, Florida, Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Rhode Island, Tennessee, and Texas grant residents rights including access, deletion, correction, portability, and opt-out of sale, sharing, or profiling. To exercise them, email privacy@spunto.ai.

Spunto does not sell or share your personal information for cross-context behavioural advertising. We honour Global Privacy Control (GPC) signals from your browser as a valid opt-out.

Children

Spunto is for adults. We don’t knowingly collect data from anyone under 18. If you believe a child has signed up, email us and we’ll delete the account.

Cookies and tracking

On our public website (spunto.ai), you’ll see a cookie banner the first time you visit. The full cookie inventory and the legal basis for each cookie live on the Cookie Policy. The short version:

  • Strictly necessary cookies (auth session, CSRF protection) run without consent — they are required for the site to function.
  • Analytics cookies (PostHog, Google Analytics) load only after you click Accept. If you click Reject, PostHog stays in cookieless mode and Google Analytics never loads.
  • Inside the authenticated app, PostHog runs under a legitimate-interest basis (Article 6(1)(f)) for product improvement. You can switch it off at any time from Settings → Privacy.

Security

Data is encrypted in transit (TLS) and at rest. Access to your workspace is restricted to your account. Secrets are managed server-side and never exposed to the browser. Logs are scrubbed for tokens and sensitive headers before being written.

Changes to this policy

We’ll update this policy when our practices change. The version and date at the top of this page tell you when we last updated it.

Contact us

Email privacy@spunto.ai for anything privacy-related — data requests, questions about this policy, or to flag a concern.
