Quick Summary: We collect basic gym owner info and your member data (only what you upload). We use it to run your campaigns. We don't sell your data. You can delete your account anytime.
1. Introduction
Spotter AI ("we," "us," or "our") is operated by Raymond Vargas as a sole proprietorship, powered by Polsia Inc. ("Platform Provider"), which provides the underlying technology infrastructure and AI services. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service.
By using Spotter AI, you agree to the collection and use of information in accordance with this policy.
2. Information We Collect
2.1 Account Information
When you sign up for Spotter AI, we collect:
- Gym owner information: Your name, email address, phone number, gym name, and location
- Account credentials: Email and password (passwords are stored only as bcrypt hashes and never in plain text)
- Pain points and baselines: The growth challenges you select during onboarding and your starting metrics (e.g., member count, churn rate)
2.2 Member Data
You provide member data when you upload CSV files to Spotter AI. This may include:
- Member names, email addresses, and phone numbers
- Membership status (active, trial, cancelled, etc.)
- Join dates, last visit dates, and membership types
- Any other data you include in your CSV uploads
Important: You are responsible for ensuring you have the right to upload and use this data. We process it only on your behalf to deliver the Service.
2.3 Usage and Analytics Data
We automatically collect information about how you use the Service:
- Log data (IP address, browser type, device information, pages visited)
- Campaign activity (messages sent, open rates, click rates)
- Dashboard interactions (features used, time spent in the app)
2.4 Payment Information
When you subscribe to a paid plan, we collect payment information (credit card details). Payment processing is handled by third-party payment processors (e.g., Stripe). We do not store full credit card numbers on our servers.
3. How We Use Your Information
We use the information we collect to:
- Provide the Service: Run automated campaigns, send messages to your members, and display analytics
- Improve the Service: Analyze usage patterns to build better features and fix bugs
- Communicate with you: Send account notifications, product updates, and support responses
- Process payments: Bill your subscription and manage your account
- Ensure security: Detect fraud, abuse, and security threats
- Comply with legal obligations: Respond to legal requests and enforce our Terms of Service
4. How We Share Your Information
We do not sell your data to third parties. However, we may share your information in the following circumstances:
4.1 Service Providers
We share data with third-party vendors who help us operate the Service:
- Polsia Inc.: Our platform technology provider that processes data on behalf of Spotter AI, providing AI services, infrastructure, and hosting
- Email and SMS providers: To send campaign messages to your members
- Hosting providers: To store your data securely (e.g., cloud databases)
- Payment processors: To handle subscription billing (e.g., Stripe)
- Analytics tools: To understand how users interact with the Service
These providers are contractually obligated to protect your data and use it only to provide services to us.
4.2 Legal Requirements
We may disclose your information if required by law, such as:
- Responding to subpoenas, court orders, or legal processes
- Protecting the rights, property, or safety of Polsia Inc., our users, or the public
- Enforcing our Terms of Service
4.3 Business Transfers
If Polsia Inc. is acquired by or merges with another company, your data may be transferred as part of that transaction. We will notify you before your data is transferred and becomes subject to a different privacy policy.
5. Data Security
We implement industry-standard security measures to protect your data from unauthorized access, loss, or misuse:
- Encryption in transit: All data is encrypted using HTTPS/TLS (TLS 1.2+) between your browser and our servers
- Encryption at rest: Sensitive data stored in our database is protected through encrypted cloud storage (Neon PostgreSQL with AES-256 encryption)
- Password security: Passwords are hashed using bcrypt (industry-standard, irreversible hashing) — we never store plaintext passwords
- Access control: Access to production systems is restricted to authorized personnel only, with role-based permissions
- Secure authentication: JWT-based session tokens with expiration; cookies are HTTP-only, so client-side scripts cannot read them, which limits session-token theft through XSS attacks
- Regular backups: Database backups are performed automatically on a regular schedule to prevent data loss
- Security updates: We apply security patches and dependency updates on a regular basis
However, no system is 100% secure. We cannot guarantee absolute security, and you use the Service at your own risk.
5.1 Data Breach Notification
In the event of a data breach that compromises the security of your personal information, we will:
- Notify affected users within 72 hours of discovering the breach (or as required by applicable law)
- Provide details about what data was affected, how the breach occurred, and steps we are taking to address it
- Notify relevant regulatory authorities as required by applicable law
- Work promptly to contain the breach and prevent further unauthorized access
Breach notifications will be sent to the email address associated with your account.
6. Data Retention and Deletion
6.1 How Long We Keep Your Data
- Active accounts: We retain your data as long as your account is active
- Cancelled accounts: We retain data for 90 days after cancellation to allow reactivation
- Deleted accounts: After 90 days, or upon request, we permanently delete your data
6.2 Requesting Data Deletion
You can request deletion of your account and all associated data by:
- Emailing raymond@tryspotterai.com
- Using the "Delete Account" option in your dashboard (when available)
We will process deletion requests within 30 days. Some data may be retained in backups for up to 90 days.
7. Your Rights
Depending on your location, you may have the following rights:
7.1 California Residents (CCPA)
If you are a California resident, you have the right to:
- Know: Request details about the personal information we collect, use, and share
- Delete: Request deletion of your personal information
- Opt-Out: Opt out of the "sale" of personal information (note: we do not sell data)
- Non-Discrimination: We will not discriminate against you for exercising your rights
To exercise these rights, contact us at raymond@tryspotterai.com.
7.2 EU/EEA Users — GDPR
If you are located in the European Union (EU) or European Economic Area (EEA), you have additional rights under the General Data Protection Regulation (GDPR):
- Right of Access (Art. 15): Request a copy of all personal data we hold about you
- Right to Rectification (Art. 16): Request correction of inaccurate or incomplete personal data
- Right to Erasure (Art. 17): Request deletion of your personal data ("right to be forgotten")
- Right to Restriction (Art. 18): Request that we limit processing of your data in certain circumstances
- Right to Data Portability (Art. 20): Receive your data in a structured, machine-readable format (e.g., CSV export of your member data)
- Right to Object (Art. 21): Object to processing of your data for marketing or profiling purposes
- Right to Withdraw Consent: Where processing is based on consent, withdraw consent at any time without affecting prior processing
Legal Basis for Processing: We process your data based on (a) contractual necessity — to provide the Service you signed up for, and (b) legitimate interests — to improve the Service and prevent fraud.
Data Transfers: Your data may be transferred to and processed in the United States. For EU/EEA users, such transfers are made subject to appropriate safeguards under applicable data protection laws.
To exercise any GDPR rights, contact us at raymond@tryspotterai.com. We will respond within 30 days. You also have the right to lodge a complaint with your national data protection authority.
7.3 General Data Rights
All users have the right to:
- Access: Request a copy of your data
- Correct: Update inaccurate account information
- Delete: Request account deletion
- Export: Download your member data in CSV format
8. Cookies and Tracking
We use cookies and similar technologies to:
- Keep you logged in (session cookies)
- Remember your preferences
- Analyze how you use the Service (analytics cookies)
Third-Party Cookies: We may use third-party analytics services (e.g., Google Analytics) that set their own cookies. You can disable cookies in your browser settings, but this may affect your ability to use the Service.
9. Third-Party Links
The Service may contain links to third-party websites or services (e.g., Google, Yelp). We are not responsible for the privacy practices of these third parties. We encourage you to read their privacy policies.
10. Children's Privacy
Spotter AI is not intended for use by anyone under the age of 18. We do not knowingly collect personal information from children. If you believe we have collected data from a child, contact us immediately and we will delete it.
11. International Users
Spotter AI is operated in the United States. If you are located outside the U.S., your data will be transferred to and processed in the U.S. By using the Service, you consent to this transfer.
12. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by:
- Posting the updated policy on this page
- Sending an email to your registered address
- Displaying a notice in the Service
Your continued use of the Service after changes take effect constitutes acceptance of the updated policy.
13. Contact Us
If you have questions about this Privacy Policy or want to exercise your data rights, contact us:
Email: raymond@tryspotterai.com
Service: Spotter AI
Operator: Spotter AI, operated by Raymond Vargas as a sole proprietorship
Technology Provider: Polsia Inc. (platform infrastructure and AI services)
Location: United States