Spinstack Privacy Policy

Last updated: December 17, 2025

DocMap Inc. (d/b/a "Spinstack") ("Spinstack," "we," "us," "our") respects your privacy. This Policy explains how we collect, use, disclose, and protect Personal Data when you use the Platform.

"Personal Data" means information that identifies or relates to an identifiable individual.

1. Scope

This Policy applies when you:

  • visit spinstack.dev (and subdomains),
  • create an account,
  • build, publish, purchase, or run Workflows/Products,
  • call Spinstack APIs or use app pages,
  • connect Stripe (Creators),
  • interact with Tools integrated into Workflows.

2. Data We Collect

2.1 Categories

Account & Contact

name, email, password hash, profile info

Business & Compliance (Creators)

business name, EIN, beneficial owner info, government ID (collected primarily by Stripe)

Payment & Payout

Stripe transaction IDs, payout status, fees, dispute/chargeback data (from Stripe)

Workflow & Product Configuration

workflow definitions (steps/nodes), prompts, tool selections, parameters, product listings, pricing, version history

Runtime Inputs/Outputs

Buyer inputs (queries), step inputs/outputs, Tool responses, extracted web content, structured outputs

Usage & Logs

API keys, request/response metadata, telemetry (CPU-seconds, storage, bandwidth), error logs, audit logs, abuse/fraud signals

Device & Cookies

device identifiers, browser type, OS, IP address, analytics events, essential cookies

User Content

files, code, data you upload; any personal data contained within such content

We do not knowingly collect data from children under 13.

2.2 Sources

  • From you (Account, Workflows, inputs)
  • From Buyers interacting with Products (inputs/usage)
  • From Stripe (payments/payouts/compliance)
  • Automatically from your device/browser
  • From Tool Providers as part of executing Tool calls (e.g., responses, usage metadata)

3. How We Use Data

We use Personal Data to:

  • provide, secure, and maintain the Platform;
  • execute Workflows and deliver Product outputs;
  • authenticate users and manage accounts;
  • process billing, payouts, refunds, and chargebacks via Stripe;
  • measure usage and calculate fees/credits;
  • prevent fraud and enforce Terms;
  • communicate about updates and security incidents;
  • comply with legal obligations (tax, KYC/AML, sanctions, lawful requests);
  • debug and improve the Platform (including aggregated or de-identified analytics).

4. Sharing & Disclosure

We share Personal Data only as needed:

Service Providers/Subprocessors

Stripe (payments), cloud hosting and compute (including AWS), databases, analytics, and error tracking.

Tool Providers

When your Workflow calls a Tool, we may transmit relevant inputs (and sometimes extracted content) to the Tool Provider to execute that step. Tool Providers process such data under their own terms/policies.

Creators and Buyers

Creators receive data necessary to operate/support their Products (e.g., Buyer usage metrics, inputs/outputs) depending on Product configuration.

Buyers receive outputs generated by Products they use.

Authorities and Legal Requests

We may disclose data to comply with law, court orders, or to protect rights, safety, and property.

Corporate Transactions

We may share data in connection with a merger, acquisition, or sale of assets.

We do not sell Personal Data and do not permit third-party advertising cookies.

5. International Transfers

Spinstack operates primarily in the United States. Tool Providers and infrastructure providers may process data in other jurisdictions. By using the Platform, you understand your data may be transferred and processed internationally.

6. Security

We use reasonable safeguards (access controls, encryption in transit, and other measures appropriate to our size and risk profile). No method is 100% secure. You are responsible for safeguarding your credentials and API keys.

7. Data Retention

We retain Personal Data:

  • while your account is active, plus a limited period after closure (generally 30 days),
  • in backups and logs, which may persist up to 90 days (or longer if required by law, dispute resolution, or security investigations),
  • payment/tax/compliance records as required by law,
  • workflow logs/telemetry as needed for billing, abuse prevention, and reliability.

Creators are responsible for their own retention practices for data they export or store outside Spinstack.

8. Your Rights

Depending on your location, you may have rights to access, correct, delete, or port your data, or to object to or restrict certain processing.

To exercise rights, email ty.phamswann@spinstack.dev. We may verify identity before responding.

9. Creator Responsibilities to Buyers

Creators may build Products that collect or process personal data. Creators are responsible for:

  • providing any legally required disclosures to Buyers,
  • ensuring a lawful basis for processing,
  • complying with applicable privacy and data protection laws for their Products.

10. Cookies

We use essential cookies and may use first-party analytics. You can disable cookies in your browser, but the Platform may not function properly.

11. Changes to This Policy

We may update this Policy. For material changes, we will provide notice (e.g., by email or dashboard) and, where required, 30 days' notice. Continued use after the effective date constitutes acceptance.

12. Contact

DocMap Inc. (d/b/a Spinstack)

Email: ty.phamswann@spinstack.dev