This Privacy Policy explains how Spool App LLC ("Spool," "we," "us," or "our") collects, uses, shares, and protects personal information when you use the Spool mobile app, the website at spoolhq.co, and related services (the "Service"). It also describes the privacy rights available to you and how to exercise them.
1. Who We Are (Data Controller)
Spool App LLC is the "data controller" for your personal information under GDPR, UK GDPR, and similar laws. You can reach us at support@spoolhq.co or by mail at Spool App LLC, 522 West Riverside Avenue, Ste N, Spokane, WA 99201, USA.
If you are in the EU, UK, or Switzerland and prefer to contact someone in your region, see Section 11 for our representative contacts.
2. Who This Policy Applies To
The Service is only for people 18 years of age or older. We do not knowingly collect personal information from anyone under 18. If you believe a minor has created an account, contact us and we'll delete it.
3. What We Collect
We collect only what we need to run the Service. Specifically:
3.1 Information You Give Us
- Account information. When you sign in with Google or Apple, we receive your name, email address, and a unique identifier from the identity provider (Clerk handles authentication; we do not see or store your password).
- Pattern content you upload. When you import a PDF, our extraction pipeline processes it and produces a structured representation (row-by-row instructions, charts, metadata) for your use. Once processing is complete, the original PDF is discarded — we do not retain original pattern files in our storage systems. What we keep is described in Section 6.
- Pattern notes and progress. Notes, row counters, project names, and similar annotations you create inside the app.
- Support and correspondence. If you email us, we keep the messages so we can respond and improve the Service.
3.2 Information We Collect Automatically
- Usage data. Features used, buttons tapped, patterns opened, errors encountered, approximate timestamps. We use Google Analytics 4 (via Google Tag Manager) on spoolhq.co and within the app. We configure analytics with IP anonymization and without advertising features enabled.
- Device and log data. Device model, operating system version, app version, language, crash logs, and similar diagnostic data.
- Cookies and similar technologies on spoolhq.co. See Section 9.
3.3 Information From Payment Processors
- Apple In-App Purchases. When you subscribe or purchase through the iOS app, Apple handles the transaction. We receive a transaction identifier and subscription status from Apple, but we do not receive your payment card information.
- Stripe (web purchases). When you subscribe through spoolhq.co, Stripe processes payment. We receive a customer ID, a subscription status, the last four digits of your card, and billing country (for tax purposes). We do not store full card numbers, CVVs, or bank credentials — Stripe does.
3.4 What We Don't Collect
We don't collect precise location, contacts, photos outside of patterns you explicitly upload, microphone or camera data (except camera access you grant for scanning a pattern), health data, or biometric data. We don't use ad-tracking SDKs.
4. How We Use Your Information
We use your information to:
- Provide the core Service — parse patterns, sync progress, display charts, authenticate your account;
- Process payments, manage subscriptions, and honor Founding Member credits;
- Send operational emails (account confirmations, receipts, security notices, material policy changes) through Zoho Mail;
- Diagnose bugs, monitor performance, and improve the product;
- Detect and prevent fraud, abuse, and security threats;
- Respond to your support requests;
- Comply with legal obligations (tax records, valid legal process, etc.).
We do not:
- Sell your personal information;
- Share your personal information with third parties for their own marketing;
- Use your uploaded patterns, notes, or progress data to train machine learning models;
- Serve third-party advertising in the app.
5. Legal Bases for Processing (GDPR / UK GDPR)
If you are in the EU, UK, or Switzerland, we rely on the following legal bases:
| Purpose | Legal Basis |
|---|---|
| Creating and running your account, providing the Service, processing payments | Performance of a contract (Art. 6(1)(b)) |
| Diagnosing bugs, securing the Service, preventing fraud, product analytics | Legitimate interests (Art. 6(1)(f)) — running a reliable, secure product |
| Sending operational emails | Performance of a contract or legitimate interests |
| Complying with tax, accounting, and legal obligations | Legal obligation (Art. 6(1)(c)) |
| Any optional marketing communications | Consent (Art. 6(1)(a)) — which you can withdraw any time |
You can object to processing based on legitimate interests — see Section 8.
6. How We Handle Your Patterns — In Plain English
How Spool handles patterns is a core part of our privacy posture, so it's worth explaining directly.
We don't keep your pattern files. When you upload a PDF, it travels through our extraction pipeline, which parses it into a structured representation (rows, charts, stitch instructions, metadata). Once that's done, the original file is discarded. You can't re-download the PDF from Spool, and we cannot recover it. This is a deliberate architectural choice: the less copyrighted source material we hold, the smaller the footprint of your data we're responsible for.
What we do keep for each processed pattern:
- A cryptographic hash (SHA-256) of the PDF, used for deduplication (see below);
- The derived structured data generated from the PDF (rows, chart grids, stitch counts, extracted imagery such as rendered charts);
- Your personal notes, annotations, and progress tied to that pattern.
Deduplication. To keep Spool fast and affordable, when two people independently upload the exact same PDF, we only run extraction once. If a new upload's SHA-256 hash matches one we've seen before, we reuse the previously generated structured data instead of re-parsing.
What this means for your privacy:
- Your notes, annotations, and progress are yours and are not shared with other users.
- The derived structured data (what row 42 says, where the chart squares are) may be reused across accounts that independently uploaded the same source file. That derived data is not linked to you as an individual when it is reused.
- If you delete your account, your notes, annotations, and progress are deleted. Derived structured data from files you uploaded may persist if other users are actively relying on it.
If you'd prefer your uploads not participate in deduplication, contact us at support@spoolhq.co.
7. Who We Share Data With
We share personal information only with service providers ("sub-processors") who help us run Spool, and only to the extent they need it. Each is bound by contract to protect your data and use it only for us.
| Provider | Purpose | Region |
|---|---|---|
| Clerk | Authentication (Google/Apple sign-in) | USA |
| Railway | Application hosting, Postgres database, Redis | USA |
| Cloudflare R2 | Object storage for derived pattern assets (rendered charts, extracted images) | Global (we select US regions where possible) |
| Apple | iOS in-app purchases and subscription billing | Global |
| Stripe | Web payment processing | USA, EU |
| Google (Analytics, Tag Manager) | Product analytics with IP anonymization | USA |
| Zoho | Transactional and support email | USA, EU, India |
We may also share personal information:
- To comply with legal process — for example, a valid subpoena, court order, or government request, when we have a good-faith belief that disclosure is legally required;
- To protect rights and safety — to investigate fraud, abuse, or security incidents, or to protect Spool, our users, or the public;
- In a business transfer — if Spool is acquired, merged, or sells substantially all assets, your information may transfer to the acquirer, subject to this Policy.
8. Your Privacy Rights
Depending on where you live, you may have the following rights:
- Access — get a copy of the personal information we hold about you.
- Correction — fix inaccurate or incomplete information.
- Deletion — ask us to delete your personal information.
- Portability — receive your information in a machine-readable format.
- Restriction — ask us to stop certain processing while we review a request.
- Objection — object to processing based on legitimate interests.
- Withdraw consent — where we rely on consent, you can withdraw it at any time.
- Lodge a complaint — with your local data protection authority (EU, UK, Switzerland) or attorney general (some US states).
To exercise these rights, email support@spoolhq.co from the address associated with your account. We may need to verify your identity before acting. We'll respond within the timeframes required by applicable law (generally 30 days under GDPR/UK GDPR, 45 days under CCPA/CPRA).
You will not be discriminated against for exercising any of these rights.
8.1 California Residents (CCPA / CPRA)
In the past 12 months, we have collected the categories of personal information described in Section 3 (identifiers, commercial information about purchases, internet/app usage data, and content you upload). We use and share this information for the purposes described in Sections 4 and 7.
We do not sell personal information. We do not share personal information for cross-context behavioral advertising. We do not use or disclose sensitive personal information for purposes requiring a right to limit under CPRA.
California residents have the rights listed above, plus the right to designate an authorized agent to exercise them.
8.2 Other US State Rights
Residents of other US states with comprehensive privacy laws (including Colorado, Connecticut, Virginia, Utah, Texas, Oregon, Montana, and others as they come into effect) have similar rights. Contact support@spoolhq.co to exercise them.
9. Cookies and Similar Technologies
On spoolhq.co, we use:
- Strictly necessary cookies required for the site to function;
- Analytics cookies (Google Analytics 4) to understand aggregate usage.
We do not use advertising cookies. You can control cookies through your browser settings. If you are in the EU, UK, or a jurisdiction that requires consent for non-essential cookies, we'll ask you first.
The iOS app does not use web cookies. It may use local device storage for offline access to your patterns and progress.
10. International Data Transfers
Spool is headquartered in the United States, and some of our sub-processors operate outside the EU/UK/Switzerland. When we transfer personal information out of those regions, we rely on:
- Standard Contractual Clauses (SCCs) approved by the European Commission and, where applicable, the UK International Data Transfer Addendum;
- Adequacy decisions, where one applies;
- Other appropriate safeguards required by law.
You can request a copy of the safeguards that apply to a specific transfer by emailing support@spoolhq.co.
11. EU / UK / Swiss Representatives
[Placeholder. If Spool meets the thresholds that require an EU Representative under GDPR Art. 27 or a UK Representative under UK GDPR Art. 27, list their contact details here. Until a representative is appointed, remove this section or mark it "not currently required."]
12. Data Retention
We keep personal information only as long as we need it:
- Original uploaded PDFs — processed and discarded during ingestion; not retained in our storage systems.
- Account data, derived pattern data, notes, and progress — for the life of your account, and deleted (or anonymized) within 30 days of account closure, except as described in Section 6 regarding deduplicated derived data.
- Payment records — retained as long as required by tax and accounting law (typically 7 years in the US, longer in some jurisdictions).
- Support emails — up to 2 years after the matter is closed.
- Log and analytics data — up to 14 months, in aggregated form where possible.
- Backups — encrypted backups may persist for up to 90 days after deletion from live systems, after which they are overwritten.
13. Security
We use industry-standard safeguards: encrypted connections (TLS) in transit, encryption at rest for databases and object storage, scoped access controls, and authentication through Clerk rather than password storage on our servers. No system is perfectly secure, and we can't guarantee absolute security. If we learn of a breach affecting your personal information, we'll notify you as required by law.
14. Automated Decision-Making
We do not use your personal information to make decisions that produce legal or similarly significant effects on you through solely automated means.
15. Changes to This Policy
We may update this Policy from time to time. If we make material changes, we'll notify you through the app, by email, or on spoolhq.co at least 14 days before the changes take effect. The "Last Updated" date above shows when this Policy was last revised.
16. Contact Us
Questions, requests, or concerns?
Spool App LLC
Email: support@spoolhq.co
Mail: 522 West Riverside Avenue, Ste N, Spokane, WA 99201, USA