Privacy Policy
Last updated June 2, 2026
This Privacy Policy explains how Spilla ("we", "us", or "our") collects, uses, stores, and protects your information when you use our anonymous micro-story service at https://spilla.app, our mobile app, or any related service (together, the "Service"). Reading this policy will help you understand your privacy rights and choices.
If you do not agree with this policy, please do not use the Service. If you have questions, contact us at privacy@spilla.app.
Summary of key points
- We are anonymous-by-design. Spilla shows other users a generated handle — never your real name, email, or phone number.
- We collect the minimum we need to run the Service. Phone number (to sign you in), the stories and comments you post, and basic device telemetry for crash and performance monitoring.
- We do not sell your data and we do not run third-party advertising. No tracking pixels, no ad networks, no data brokers.
- You can delete your profile at any time. Doing so removes your stories, comments, reactions, and saved items.
- Our third-party processors are Supabase (auth + database), Twilio (SMS delivery for the sign-in code), Sentry (crash reporting), PostHog (anonymous product analytics), Expo (push notification delivery), Apple Push Notification Service / Firebase Cloud Messaging (push relays downstream of Expo), and — for users who subscribe to Spilla Premium — Stripe (web payments), RevenueCat (in-app subscription management on iOS / Android), and the Apple App Store / Google Play Billing systems for in-app purchases.
- Premium subscribers' card details never reach Spilla. Stripe handles web checkout on their own hosted page; Apple and Google handle in-app purchases through their billing systems. We only receive opaque identifiers (Stripe customer / subscription id, RevenueCat app_user_id which equals the Spilla profile UUID) and the subscription state.
Table of contents
- What information do we collect?
- How do we use your information?
- What legal bases do we rely on?
- When and with whom do we share your information?
- Third-party websites and integrations
- Cookies and similar technologies
- International data transfers
- How long do we keep your information?
- How do we keep your information safe?
- Information from minors
- Your privacy rights
- Do-Not-Track signals
- United States residents
- Updates to this notice
- How to contact us
- Reviewing, updating, or deleting your data
1. What information do we collect?
Information you provide directly
- Phone number. Used to send the one-time sign-in code via SMS. Stored as a salted SHA-256 hash; the plaintext number leaves our servers only to reach Twilio for the SMS delivery and is not retained.
- Profile data. A randomly-generated handle (e.g.
red-fox-2143) and an avatar color derived from your profile id. No display name, photo, or bio fields. - Preferred languages. Chosen during onboarding so the feed shows you stories in languages you read. Editable any time from your profile.
- Stories, comments, reactions, and saved items. What you post and react to on the Service. Stored against your profile id.
- Recovery code. A 26-character random code you can save offline to recover a profile if you sign in from a new device. We store only a PBKDF2 hash of the code; the plaintext is never written to disk on our side.
- Drafts and scheduled posts (Premium only). If you subscribe to Spilla Premium, you can save drafts and schedule posts for later publication. Drafts are stored on Spilla's database, scoped to your profile via Row-Level Security, and are visible only to you and to the internal scheduled-publish system. Drafts are deleted from the database on publish or explicit deletion.
- Subscription identifiers (Premium only). When you subscribe to Spilla Premium we record opaque values on your profile. For web subscriptions: three Stripe-issued identifiers (
stripe_customer_id,stripe_subscription_id, andpremium_until). For iOS / Android in-app purchases: RevenueCat'sapp_user_id(which equals your Spilla profile UUID — no new identifier is exposed) and the samepremium_untilfield. None of these identify a real person on their own. Your card number, Apple ID, Google account, billing address, and any email you enter into a checkout flow never reach Spilla. - Mobile push notification tokens (mobile app only). If you grant the OS notification permission on iOS or Android, we register an Expo Push Token for that device in a
mobile_push_tokenstable keyed by your Spilla profile and a stable per-device identifier. The token is opaque, per-install, and rotates when you reinstall the app. We use it solely to deliver push notifications about reactions and comments on your own stories.
Information collected automatically
- Device and app diagnostics. Operating system version, app version, general device model, crash stack traces, and performance traces. Sent to Sentry for crash reporting and to PostHog for anonymous product analytics. Both processors receive your profile id (a UUID with no link to your phone number) but never your phone number, recovery code, or message content.
- Log data. Standard web server access logs (IP address, timestamp, URL, user agent) retained for up to 30 days for abuse mitigation and debugging.
- Moderation telemetry. When you submit a story or comment, our AI content classifier scores it for hate speech, harassment, and other policy violations. The score + the story or comment id are written to an internal log; the classifier's output is never shared with other users.
2. How do we use your information?
- To authenticate you (phone-OTP sign-in flow).
- To show you a feed of stories that fits your language preferences.
- To deliver stories, reactions, comments, and saved items to your account.
- To moderate content for policy compliance (AI classifier + human review).
- To diagnose crashes and performance issues (Sentry).
- To understand how the Service is used in aggregate so we can improve it (PostHog).
- To prevent fraud and abuse (rate limits, ban list, killswitch hook on the auth path).
- To deliver and bill Spilla Premium where you have chosen to subscribe. On the web, Stripe handles the card processing. On the iOS / Android app, Apple's or Google's billing system handles the purchase and RevenueCat reads the resulting receipts on our behalf to tell us the subscription state. In every case, Spilla records the resulting
premium_untiltimestamp on your profile and never sees your card details, Apple ID, Google account, or billing address. - To publish your scheduled Premium drafts at their requested time and to make your drafts available for editing.
- To deliver push notifications when someone reacts to or comments on one of your own stories. We send the notification payload (trigger type, an optional snippet, a navigation hint to the related story) to Expo's Push Service, which relays it via Apple Push Notification Service or Firebase Cloud Messaging to your device. You can revoke push permission at any time from your device's OS Settings or by signing out of the app on that device.
- To show free-tier users in-house promotional cards for Spilla Premium inside the feed. These are first-party promotional content; there is no third-party advertising network, no tracking pixel, no behavioural targeting, and no conversion tracking. Premium subscribers see no promotional cards.
- To comply with legal obligations and respond to lawful requests.
We do not use your information for advertising, profiling for marketing purposes, or training third-party AI models.
3. What legal bases do we rely on?
If you are in the European Economic Area or the United Kingdom, we rely on:
- Performance of a contract (Art. 6(1)(b) GDPR) to provide you with the Service.
- Legitimate interests (Art. 6(1)(f) GDPR) for security, fraud prevention, and product analytics. We have completed a balancing test for each such use; you can object at any time by emailing privacy@spilla.app.
- Compliance with a legal obligation (Art. 6(1)(c) GDPR) when we must retain or disclose data to comply with applicable law.
- Consent (Art. 6(1)(a) GDPR) for optional cookies and analytics. You can withdraw consent at any time from the cookie preferences link in the footer.
4. When and with whom do we share your information?
Spilla does not sell your personal information. We share data only with the following categories of recipient:
- Supabase — our database and authentication provider. Hosted in the EU (Frankfurt). They host the database, run the auth flow, and serve our Edge Functions.
- Twilio — sends the SMS one-time code for sign-in. Receives the phone number you enter at sign-in for the duration of the message delivery.
- Sentry — receives crash reports and performance traces. Self-hosted by Sentry; data center region is configured to be EU where available.
- PostHog — receives anonymous product analytics events (no phone numbers, no message content). Hosted in the EU.
- Stripe — payment processor for Spilla Premium subscriptions purchased on the web. When you subscribe through the web, Spilla sends Stripe a synthetic email alias of the form
{profile-uuid}@spilla.appplus the chosen plan; we never send your real email, phone number, name, or address. Card details and any email or address you optionally enter on Stripe's hosted checkout go directly to Stripe and are stored in Stripe's PCI-DSS scope — Spilla has no access to them. Stripe is an independent data controller for the payment data they collect from you; Spilla is the controller for the Stripe-issued identifiers we store on your profile. See Stripe's Privacy Policy. - RevenueCat — subscription-management layer for Spilla Premium subscriptions purchased through the iOS or Android app. When you subscribe in-app, Apple or Google processes the payment through their own billing systems; RevenueCat then reads the resulting billing receipts on Spilla's behalf and reports the subscription's entitlement status to us. The only data we send RevenueCat is your Spilla profile UUID (as their
app_user_id) and the chosen product identifier. We never see your Apple ID, Google account, card details, or billing address through RevenueCat. See RevenueCat's Privacy Policy. - Apple App Store / Google Play Billing — Apple's and Google's own billing systems handle every in-app purchase of Spilla Premium on iOS and Android. They collect your payment information directly and Spilla never sees it. See Apple's Privacy Policy and Google's Privacy Policy.
- Expo Push Service (operated by Expo, the developer-tooling vendor for our mobile app) — receives the per-device Expo Push Token and the notification payload (title, body, navigation hint) when we send you a push notification. Expo relays the payload to Apple Push Notification Service or Firebase Cloud Messaging for actual delivery. We use Expo Push for delivery only; the user-content snippet in a notification ("Someone reacted to your story") is the only message content that passes through. See Expo's Privacy Policy.
- Apple Push Notification Service (APNs) and Firebase Cloud Messaging (FCM) — the downstream platform infrastructure Expo uses to actually deliver push notifications to iOS and Android devices. Spilla does not communicate with APNs or FCM directly; the notification payload reaches them via Expo.
- Hosting infrastructure — our VPS provider (Contabo, EU region) hosts the web application container.
- Legal requests — we may disclose data if required by valid legal process (court order, lawful subpoena). Where we are permitted to, we will notify you first.
We do not share your data with advertisers, data brokers, or any other third party for marketing purposes.
5. Third-party websites and integrations
The Service may contain links to third-party websites (e.g. links inside user-posted stories). We do not control those sites and are not responsible for their privacy practices. We encourage you to read their privacy policies before submitting any information to them.
6. Cookies and similar technologies
We use a small set of strictly-necessary cookies (or equivalent localStorage entries) to keep you signed in and remember your language preferences. We use optional analytics cookies (PostHog) and an optional crash-monitoring SDK (Sentry) only with your consent. See our Cookie Policy for the full list and your choices.
7. International data transfers
Spilla's infrastructure is in the European Union. Some processors (Twilio, Sentry, PostHog) may transfer data outside the EU as part of their normal operations. Where they do, the transfer is covered by an appropriate transfer mechanism (Standard Contractual Clauses or adequacy decision). On request we can share the specific mechanism for each processor.
8. How long do we keep your information?
- Profile, stories, comments, reactions, saved items — for as long as your account exists. Deleting your profile triggers deletion within 7 days.
- Salted phone hash — kept while you have any active or recoverable profile linked to it, to support sign-in and recovery. Deletion of all linked profiles removes the hash.
- Server access logs — 30 days.
- Moderation audit log — kept for 12 months to investigate appeals and repeat-offender patterns.
- Crash and analytics events — Sentry: 90 days. PostHog: 7 years (per their default retention; we may lower this in a future update).
- Premium drafts — kept until you publish or delete them. A scheduled draft publishes automatically at its scheduled time and is then deleted from the drafts table.
- Stripe identifiers on your profile — kept for as long as your Spilla account exists. Stripe's own retention (for the payment data they collect directly) is governed by their compliance obligations (typically several years for financial records) and is outside Spilla's control.
- RevenueCat customer + subscription records — kept for as long as your Spilla account exists or until RevenueCat's own retention requirements end. Spilla has no control over RevenueCat's internal retention; their policy governs.
- Mobile push tokens — deleted when you sign out from a device, when the OS revokes the token (Expo notifies us via failed-delivery hooks and we delete the row), or when you uninstall and reinstall the app (a new token is registered and the old row is overwritten on next sign-in).
9. How do we keep your information safe?
- All connections to the Service use TLS 1.2+ in transit.
- The database enforces Row-Level Security so a logged-in user can only read and write their own rows (with a small set of explicitly-defined exceptions for moderators).
- Recovery codes are stored as PBKDF2-SHA256 hashes with 600,000 iterations.
- Phone numbers are stored as salted SHA-256 hashes. Plaintext numbers never touch our database.
- We log every administrative action (ban, hide, delete) with the moderator's identity, so abuse of moderator privilege is auditable.
- We run automated invariant checks on every deployment to confirm policies, RLS, and grants stay in their expected state.
No system is perfectly secure. If you become aware of a vulnerability, please email security@spilla.app.
10. Information from minors
Spilla is not directed to children under 16. We do not knowingly collect information from children under 16. If we learn that we have collected data from a child under 16 without verifiable parental consent, we will delete that data promptly. If you believe a child has provided information to us, please contact privacy@spilla.app.
11. Your privacy rights
If you are in the European Economic Area, the United Kingdom, or another jurisdiction with similar laws, you have the right to:
- Access the personal data we hold about you.
- Request that we correct inaccurate data.
- Request that we delete your data ("right to be forgotten").
- Request a portable copy of your data.
- Object to processing based on our legitimate interests.
- Withdraw consent for analytics and crash reporting at any time.
- Lodge a complaint with your local data-protection authority — though we hope you'll contact us first so we can try to help.
To exercise any of these rights, email privacy@spilla.app. We will respond within 30 days.
Premium subscriberscan cancel their subscription at any time. If you subscribed through the web, cancel from the Stripe-hosted Customer Portal, linked from your profile inside the app. If you subscribed through the iOS or Android app, cancel through Apple's or Google's own subscription settings: on iOS, open Settings → tap your Apple ID name → Subscriptions → Spilla → Cancel; on Android, open the Play Store → tap your profile photo → Payments & subscriptions → Subscriptions → Spilla → Cancel. Spilla cannot cancel a mobile-purchased subscription on your behalf — the platform owns that flow. In every case cancellation takes effect at the end of the current billing period; Premium features remain available until then.
12. Do-Not-Track signals
We do not currently respond to Do-Not-Track browser signals because Spilla does not run cross-site tracking. Our optional analytics (PostHog) is controlled via our cookie preferences UI, which is the actionable equivalent.
13. United States residents
If you are a California resident, you have rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) including the rights to know, delete, correct, and limit the use of sensitive personal information. To exercise these rights, email privacy@spilla.app. We do not sell or share personal information as those terms are defined under California law.
Residents of other US states with similar laws (Virginia, Colorado, Connecticut, Utah, among others) have substantially the same rights and can exercise them via the same contact path.
14. Updates to this notice
We may update this Privacy Policy from time to time. When we make a material change, we will update the "Last updated" date at the top and notify you in-app or by email (where we have one) before the change takes effect. The current version is always available at /privacy.
15. How to contact us
For privacy questions, data-subject requests, or to report a concern, email privacy@spilla.app. For copyright takedown notices, email dmca@spilla.app. For all other inquiries, see our contact page.
16. Reviewing, updating, or deleting your data
From inside the app, you can view your profile, edit your preferred languages, regenerate your recovery code, and delete or hide your own stories. To request a full export of your data or to delete your account and all linked data, email privacy@spilla.app from the phone number associated with your profile (or from another channel where we can verify your identity).