Last updated: February 18, 2026
1. Data Controller
The data controller is Jakub Tarabasz, responsible for the development and operation of the "Spinella" application.
You can contact the Controller at: kontakt@spinella.app
2. Scope of Collected Data
When using the Spinella application, we collect the following data:
- Basic user profile: email address
- Encrypted password (managed by Supabase Auth) and data from Google OAuth and Apple Sign In
- In-app profile data: profile name, avatar, optional bio, account privacy setting
- Social features data: published posts (content, optional image, post type, referenced move for achievement posts), comments and replies
- Interaction data: likes (hearts) for posts, comments, and replies
- Relationship data: following (who follows whom)
- In-app notifications: information about follows, likes, comments, and replies
3. Legal Basis for Processing
The processing of personal data is based on:
- Art. 6(1)(b) GDPR – processing is necessary for the performance of a contract to which the data subject is party (using the Spinella.app application constitutes entering into an agreement for the provision of services by electronic means)
- Art. 6(1)(f) GDPR – processing is necessary for the purposes of the legitimate interests pursued by the controller (ensuring the security and functionality of the application)
4. Purposes of Data Processing
Personal data is processed for the purpose of:
- Enabling registration and login to the Spinella.app application
- Ensuring the proper functioning of all application features
- Enabling the social module (profiles, posts, comments, likes, following, and notifications)
- Ensuring the security of application usage
- Contact regarding technical matters and handling user inquiries
5. Method and Place of Processing
- The application is hosted on Vercel infrastructure, which may use servers in various locations, including outside the European Economic Area.
- Data is stored in a Supabase database located in the eu-central-1 region (Frankfurt, Germany), which means that the main user data remains within the European Union.
- Media files (e.g., avatars and images added to posts) are stored in Supabase infrastructure and are accessible only to authenticated users of the application.
6. Data Retention Period
User personal data is stored for as long as the user has an active account in the Spinella.app application. After account deletion, data is permanently deleted from our systems, except for data that may be stored longer due to applicable legal regulations (e.g., billing data).
Social content and activity (posts, comments, likes, following) are stored until deleted by the user or until the account is deleted.
7. Data Recipients
User data is not shared with any external companies except service providers necessary for the operation of the application:
- Supabase – database and authentication service provider
- Vercel – hosting and security service provider
- Google – authentication and authorization service provider in the case of logging in through Google OAuth (only basic profile data)
- Apple – authentication and authorization service provider in the case of logging in through Apple Sign In (only basic profile data)
As part of the social module, selected data may be visible to other authenticated users of the application if the account is not set to private (e.g., profile name, avatar, and the content of published posts and comments).
If an account is set to private, the account and posts are not visible to other users.
These service providers have access to user data only to the extent necessary to provide their services and are subject to appropriate data protection obligations.
8. Data Transfer to Third Countries
Due to the use of Vercel services, some data may be processed on servers located outside the European Economic Area (EEA). In such cases, we ensure that data transfer is carried out with appropriate safeguards, such as standard contractual clauses approved by the European Commission.
9. Cookies and Other Tracking Technologies
The Spinella.app application uses essential cookies necessary for the proper functioning of the application, in particular for user session management and security. These cookies are necessary for using the application and do not require separate user consent in accordance with legal regulations.
10. Automated Decision-Making and Profiling
The Spinella.app application does not use automated decision-making or profiling within the meaning of GDPR.
11. User Rights
Each user has the following rights:
- Right of access to their personal data
- Right to rectification (correction) of their data
- Right to erasure (right to be forgotten)
- Right to restriction of processing
- Right to data portability
- Right to object to data processing
- Right to withdraw consent at any time, if processing is based on consent
- Right to lodge a complaint with a supervisory authority (President of the Personal Data Protection Office)
To exercise the above rights, please contact us at: kontakt@spinella.app
The user can delete their account in the app settings at /dashboard/settings. If the user no longer has access to their account, please contact us at kontakt@spinella.app.
12. Security
We make every effort to secure user data, including:
- Password encryption (we never store passwords in plain text)
- Security measures provided by the Vercel and Supabase platforms
- Connection encryption using the HTTPS protocol
- Regular security updates
13. Privacy Policy Changes
The Controller reserves the right to make changes to the Privacy Policy. Users will be informed of any changes via the email address associated with the user account. Using the application after changes have been made is equivalent to accepting the new version of the Privacy Policy.
14. Final Provisions
- The application may contain links to external sites or services; we are not responsible for their privacy policies.
- By using the Spinella.app application, the user accepts this Privacy Policy.
- In matters not covered by this Privacy Policy, the relevant legal provisions shall apply, in particular Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (GDPR).