Privacy Policy
1. Introduction
Spotip ("we", "our", or "us") is a market intelligence platform for hospitality founders, operated by spotip.io. This Privacy Policy explains what personal data we collect when you use Spotip, how we use it, and your rights regarding that data.
We are committed to protecting your privacy and handling your data in an open and transparent manner. If you have any questions about this policy, contact us at privacy@spotip.io.
This policy applies to all users of Spotip, including free (Starter) accounts and paid subscribers.
2. Information We Collect
2.1 Account Information
When you create an account, we collect your email address and a hashed version of your password (we never store passwords in plain text). We do not currently collect your name during registration, though this may change in future.
2.2 Business Information
To provide our core service, we collect the search queries you submit (location, neighbourhood, radius), any business concept descriptions you provide (e.g. "a specialty coffee shop focused on single origin beans"), and the analyses you generate.
2.3 Usage Data
We automatically collect technical information when you use the service: your IP address, browser type and version, device information, pages visited, features used, and error logs. This data helps us maintain and improve the service.
2.4 Payment Information
Payments are processed by Stripe. We do not store your credit card number or full payment details — Stripe handles all payment data in accordance with PCI-DSS requirements. We do receive and store subscription status, plan tier, and billing history from Stripe.
2.5 Venue & Review Data
The venue data and public reviews shown in your analyses are sourced from the Google Maps API. We do not collect reviews directly from individual users — this data belongs to Google and the original reviewers, and is subject to Google's Privacy Policy.
3. How We Use Your Information
We use your data only for the following purposes:
- Providing market analysis services: processing your searches and generating reports
- Managing your account and subscription
- Processing payments via Stripe
- Sending transactional emails: analysis completion notifications, quota warnings, billing receipts
- Sending marketing emails, only if you have opted in (with a clear unsubscribe link in every email)
- Improving service quality, debugging, and fixing bugs
- Complying with legal obligations
- Preventing fraud, abuse, and violations of our Terms of Service
We do not use your data for advertising profiling or sell it to third parties.
4. Data Sharing & Third Parties
We share data with third-party services only where necessary to deliver the service:
4.1 Google Maps API
Your search location is sent to Google to retrieve venue and review data. Google processes this data in accordance with their Privacy Policy and Maps Platform Terms.
4.2 Stripe
Your payment details are handled by Stripe. See Stripe's Privacy Policy.
4.3 OpenAI
To generate AI-powered market narratives, we send anonymised, aggregated venue and review data to OpenAI's API. We do not send personally identifiable information (PII) to OpenAI. See OpenAI's Privacy Policy.
4.4 Hosting & Infrastructure
The service is hosted on AWS infrastructure and deployed via Kamal. Your data is stored in EU data centres. AWS processes data in accordance with their Privacy Notice.
4.5 No Data Sales
We do not sell, rent, or trade your personal data to any third party for their own marketing or commercial purposes.
5. Data Retention
- Account data: retained for the lifetime of your account, plus 30 days after deletion to allow recovery
- Analysis data: retained per your subscription tier — 7 days (Starter), 30 days (Business), 90 days (Pro)
- Billing records: retained for 7 years to comply with financial and tax regulations
- Audit logs: retained for 1 year
You can request deletion of your account and personal data at any time by emailing privacy@spotip.io or through your account settings. Billing records cannot be deleted before the 7-year retention period expires due to legal obligations.
6. Data Security
We take the security of your data seriously:
- All data is transmitted over encrypted HTTPS connections (TLS 1.2+)
- Passwords are hashed using bcrypt via Devise — we never store or see your plain-text password
- Database access is restricted to authorised personnel only
- We maintain access controls and authentication on all production systems
- We monitor for security incidents and have incident response procedures in place
Despite these measures, no system is completely secure. If you believe your account has been compromised, please contact us immediately at support@spotip.io.
7. Your Rights
Under GDPR (EU) and CCPA (California), you have the following rights regarding your personal data:
- Right of access: request a copy of the personal data we hold about you
- Right to rectification: update or correct inaccurate data via your account settings
- Right to erasure: request deletion of your personal data ("right to be forgotten")
- Right to data portability: receive your data in a machine-readable format (JSON)
- Right to restrict processing: ask us to limit how we use your data
- Right to object: object to processing based on legitimate interests
- Right to withdraw consent: withdraw marketing email consent at any time via the unsubscribe link
To exercise any of these rights, email privacy@spotip.io. We will respond within 30 days.
9. International Data Transfers
Your data is primarily stored and processed within the European Union (EU). Where we use third-party services that may process data outside the EU (e.g. OpenAI in the US), we ensure that appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission, where applicable.
10. Children's Privacy
Spotip is intended for use by adults aged 18 and over for business purposes. We do not knowingly collect personal data from anyone under 18. If you believe a minor has provided us with personal data, please contact us at privacy@spotip.io and we will delete it promptly.
11. Changes to This Policy
We may update this Privacy Policy from time to time. For material changes, we will notify you by email at least 30 days before the changes take effect. The "Last updated" date at the top of this page reflects the most recent revision. Continued use of the service after the effective date constitutes acceptance of the updated policy.
12. Contact Us
For privacy inquiries, data requests, or to exercise your rights:
- Privacy email: privacy@spotip.io
- Support email: support@spotip.io
- Contact form: spotip.io/contact