Privacy Policy
Last updated: 2026-05-21 · Effective: 2026-05-21
This Privacy Policy explains how Emira Studio OÜ ("Spruvly", "we"), registry code 16939876, Tallinn, Estonia, processes your personal data when you use spruvly.com and related services (the "Platform"). Spruvly is the data controller for the processing described below.
1. Data we collect
1.1. You provide. Email address, password (stored only as a scrypt hash), display name, handle, profile information (location, avatar, AI stack, offerings, availability, bio, taglines), the content you post (cases, projects, briefs, proposals, comments, endorsements, pledge messages), payment details (when paying or receiving via Stripe — Stripe holds the card data, not us).
1.2. We collect automatically. IP address (used for rate-limiting and abuse detection; hashed with a daily salt and not stored in plaintext beyond the current request), user-agent, basic session metadata (login time, last active time), event log (which pages you visit while signed in — used for product analytics and security investigation), and Stripe event log (records of webhook events for billing).
1.3. We receive from third parties. From Stripe — the status of your payment, your Stripe Customer ID, and your Connected Account ID; never the full card number. From Better Auth + Resend — email-delivery status (delivered / bounced / opened, where Resend reports it). From your email provider — if you click a verification or password-reset link.
2. Legal bases (GDPR Article 6)
We process your data on the following legal bases:
2.1. Performance of a contract (Art. 6(1)(b)) — for everything required to provide the Platform: account creation, profile hosting, posting content, payment processing, sending transactional emails (verify, reset, milestone-hit notifications, payment confirmations).
2.2. Legitimate interest (Art. 6(1)(f)) — for operational security, fraud prevention, rate-limiting, moderation of community content, fixing bugs, improving the Platform, communicating with you about important changes, and defending against legal claims. We balance our interests against your fundamental rights and only rely on this basis where the balance is in our favour.
2.3. Consent (Art. 6(1)(a)) — for the marketing newsletter (you must opt in explicitly), non-essential cookies (see /legal/cookies), and any other processing for which we ask your consent. You may withdraw consent at any time without affecting prior lawful processing.
2.4. Legal obligation (Art. 6(1)(c)) — to comply with Estonian and EU laws, tax obligations, court orders, and lawful requests from authorities.
3. Why we process — purposes
3.1. To create and operate your account, host your profile and cases, and let you post content and discover other users.
3.2. To process payments (subscriptions, boosts, brief payments, pledge conversions, sponsor grants) and to send receipts and tax invoices.
3.3. To send transactional emails (account, billing, milestone, moderation outcomes) — these are not marketing and cannot be opted out of while your account exists, because we cannot operate the Platform without them.
3.4. To run the AI matcher at /find. Your search query is sent to Anthropic (see Sub-processors below) and matched against publicly published builder profiles. Queries are hashed, deduped, and cached for cost reasons; raw queries are deleted after 30 days.
3.5. To moderate community content — endorsements, projects pending review, reports of abuse — to keep the Platform safe.
3.6. To improve the Platform — aggregate, non-identifying usage analytics, and individual error logs.
3.7. To enforce our Terms, defend against legal claims, and respond to lawful authority requests.
4. Sub-processors
We use the following third parties to operate the Platform. Each processes personal data only on our documented instruction, under appropriate data processing agreements:
4.1. Hetzner Online GmbH — primary hosting (Helsinki, Finland; EEA region). Hosts the server and database.
4.2. Stripe Payments Europe Limited (Ireland) — payment processing for all paid features. Stripe is the merchant of record for card transactions and holds payment card data per PCI-DSS. Stripe's privacy notice: stripe.com/privacy.
4.3. Resend.com (Resend Inc.) (United States) — transactional email delivery. Subject to EU Standard Contractual Clauses for the international transfer.
4.4. Cloudflare, Inc. (United States) — DNS, CDN, SSL termination, R2 object storage (which serves images from images.spruvly.com), and Turnstile (CAPTCHA). Subject to EU SCCs.
4.5. Anthropic PBC (United States) — Claude Haiku API for the AI matcher at /find. Your search query and the matched builder profile data are sent to Anthropic. Anthropic states that API inputs are not used to train models. Subject to EU SCCs.
4.6. GitHub, Inc. (United States) — source-code hosting and CI/CD pipeline. Receives no personal data of users in normal operation, but may indirectly receive personal data in error logs.
5. International transfers
Where our sub-processors are outside the EEA (the US-based ones listed above), transfers are based on the European Commission's Standard Contractual Clauses (SCCs) and supplementary measures recommended by the EDPB, including TLS encryption in transit and access logging on our side.
6. Retention
6.1. Account data — retained while your account is active and for 6 months after closure for dispute defence, unless mandatory law requires longer.
6.2. Published content (cases, projects, endorsements, comments) — retained as long as the content is published, plus a reasonable archive window after deletion.
6.3. Payment records (invoices, Stripe payment intents, sponsor grants) — retained for 7 years per the Estonian Accounting Act (Raamatupidamise seadus).
6.4. Stripe event log — retained 7 years for accounting + audit.
6.5. Server logs (IP, user-agent, requests) — 90 days, then automatically deleted.
6.6. Email-delivery records (Resend) — 30 days.
6.7. AI matcher raw queries — 30 days; hashed cache key may persist longer for cost optimisation.
7. Your GDPR rights
As a data subject in the EU/EEA, you have the following rights:
7.1. Right of access (Art. 15) — request a copy of the personal data we hold about you.
7.2. Right to rectification (Art. 16) — correct inaccurate data. Most data is directly editable in your Dashboard.
7.3. Right to erasure (Art. 17) — request deletion. We will delete your account and personal data, subject to records we are legally required to retain (e.g. payment history under accounting law).
7.4. Right to restriction of processing (Art. 18).
7.5. Right to data portability (Art. 20) — we export your account data in JSON format on request.
7.6. Right to object (Art. 21) — to processing based on legitimate interest. We will weigh your interest against ours and stop unless we have compelling grounds.
7.7. Right not to be subject to automated decision-making (Art. 22) — the AI matcher and catalog-ranking algorithms produce informational rankings; no automated decision has legal or similarly significant effect on you within the meaning of Article 22.
7.8. Right to lodge a complaint with a supervisory authority — in Estonia, the Andmekaitse Inspektsioon (aki.ee), or with the authority in your country of residence.
To exercise any of these rights, contact [email protected]. We respond within 30 days.
8. Security
We protect personal data with industry-standard measures including TLS encryption in transit, scrypt password hashing, principle-of-least-privilege access, audit logging of admin actions, daily encrypted backups (GPG, password-protected), rate-limiting and CAPTCHA on sensitive endpoints, and EU-region hosting. No system is perfectly secure; if we become aware of a personal data breach affecting you, we will notify you and the Estonian Data Protection Inspectorate per GDPR Articles 33-34.
9. Cookies and similar technologies
See our separate Cookie Policy. Briefly: we use strictly-necessary cookies for authentication and CSRF protection; preference cookies for locale; and (if added) analytics cookies only with your consent.
10. Children
The Platform is not directed to children under 16. We do not knowingly collect data from anyone under 16. If you believe a child has provided personal data to us, contact [email protected] and we will delete it.
11. Changes
We may update this Policy. Material changes are notified by email or via a prominent in-app notice at least 15 days before they take effect.
12. Contact
Data controller: Emira Studio OÜ · Registry code 16939876 · Tallinn, Estonia
Data protection: [email protected]
Supervisory authority (Estonia): Andmekaitse Inspektsioon (aki.ee)