Privacy Policy

Last updated: June 2, 2026

1. What We Collect

When you use SPCTR, we collect:

  • Account data: email address and password (stored by Supabase Auth).
  • Profile data: name, gaming platform, niche, content preferences, and onboarding responses you provide.
  • Usage data: content items you create, challenge responses, coach conversations, and scheduling activity.
  • Connected platform data: when you choose to connect an Instagram, YouTube, Twitch, or TikTok account, we receive data from that platform's API as described in Section 4.
  • Calendar availability data: when you choose to connect a Google Calendar account, we read your busy/free time intervals (start and end times, no event content) and we write SPCTR-scheduled deliverables and posts back to your calendar as events. We only ever modify or delete the calendar events SPCTR itself created. Details in Section 4.

We do not collect, upload, store, or process your video files or audio files. We only store metadata (titles, descriptions, public counts, timestamps, thumbnails).

2. How We Use Your Data & Legal Basis

Your data is used to:

  • Personalize content suggestions, coaching, and challenge recommendations.
  • Build your memory profile — the behavioral model that makes SPCTR smarter over time.
  • Generate content outlines and scripts in your voice.
  • Track your progress (XP, streaks, segment advancement).

For users in the EEA, UK, and Switzerland, our legal bases under Article 6 GDPR are:

  • Account and profile data — performance of a contract (Art. 6(1)(b)): we need it to deliver the service you signed up for.
  • Connected platform data — your explicit consent given at OAuth (Art. 6(1)(a)). You can withdraw at any time by disconnecting the platform.
  • Coach interactions and behavioral signals — legitimate interest (Art. 6(1)(f)) in delivering and improving a personalized service, balanced against the privacy controls described in Sections 9–10.
  • Security, fraud prevention, and legal compliance — legitimate interest and legal obligation (Art. 6(1)(c) and (f)).

We do not sell your personal information, and we do not share your personal information for cross-context behavioral advertising as those terms are defined under the California Privacy Rights Act (CPRA). We never share your data with other creators.

3. Data Isolation

SPCTR enforces single-tenancy at the database level using Row Level Security (RLS). No other creator's data ever enters your AI context. Your data is structurally isolated — not just by policy, but by how the system retrieves and assembles information.

4. Connected Accounts (Creator Platforms & Google Calendar)

SPCTR lets you connect your creator accounts on Instagram, YouTube, Twitch, and TikTok via each platform's official OAuth flow. Connections are optional. You authorize each connection individually and may disconnect at any time from your profile page.

What we request and why:

  • Instagram (via the Instagram Graph API, accessed through Facebook Login for Business): your Instagram Business or Creator account ID, username, and profile picture, along with insights about your account and posts (reach, impressions, engagement, follower demographics summary). We access your Instagram account through a Facebook Page you administer; the OAuth flow lists Pages you manage so we can identify the linked IG Business account. Used to display your content in the SPCTR calendar, power the sponsor kit and pricing benchmark, and surface performance signals to the Coach.
  • YouTube (via the YouTube Data API v3): your channel ID, channel title, channel statistics (subscriber count, view count, video count), and public metadata for videos on your channel (title, description, thumbnail, publish date, public view/like counts). Used for content planning, analytics, and Coach context.
  • Twitch (via the Twitch Helix API): your Twitch user ID, login, display name, profile image, follower count, and metadata about recent streams (title, game, view counts, start time). Used for stream planning, analytics, and Coach context.
  • TikTok (via TikTok Login Kit and the TikTok Display API): your open ID, union ID, display name, avatar, follower/following/likes counts, and metadata about your public videos (caption, cover image, video ID, public view/like/comment/share counts, create time). Used to display your content in the SPCTR calendar and surface performance signals to the Coach.

What we do NOT request: the ability to post, message, comment, follow, or take any action on your behalf. We never request publish/upload scopes. We never download or store your raw video or audio files.

How the data is used: connected platform data is used solely to provide you with the SPCTR service — calendar, analytics, Coach context, and content recommendations. We do not share connected platform data with other SPCTR users. We do not sell it. We do not use it for advertising. We do not use it to train AI models.

Storage and refresh: we store access tokens and refresh tokens encrypted at rest (AES-256-GCM, per-user keys) so we can refresh your connection on a schedule. Platform metadata is cached in our database to power the dashboard.

How to revoke access:

Requested OAuth scopes (current):

  • YouTube: youtube.readonly and yt-analytics.readonly — read-only access to your channel and analytics. No upload, edit, or comment permission.
  • Twitch: user:read:email, channel:read:subscriptions, analytics:read:games — read-only.
  • TikTok: user.info.basic, user.info.profile, user.info.stats, video.list — read-only.
  • Instagram (via Facebook Login): instagram_basic, instagram_manage_insights, pages_show_list, pages_read_engagement, business_management — all read-only. We do not request instagram_content_publish or any other write permission.

Platform-specific notices:

Google Calendar (separate from the creator platforms above): if you choose to connect a Google Calendar account, SPCTR uses the connection to (a) show your own calendar inside SPCTR alongside the content you have scheduled, and (b) write the SPCTR-scheduled deliverables and posts you create into your Google Calendar so they appear there too. Each SPCTR user — creator or agency admin — connects their own personal Google Calendar; SPCTR never reads one user's calendar on behalf of another. The Google Calendar integration is optional and independent of any creator-platform connection above.

Plain-language summary

  • We collect data from third-party services you connect, including Google Calendar.
  • For your own hub view: we read your calendar events and write SPCTR-scheduled deliverables and posts back to your calendar. SPCTR only ever modifies or deletes the events it created itself.
  • The wall between you and your agency partner: when SPCTR shows a creator's availability to an agency, the only Google API call SPCTR makes on the creator's connection is freebusy.query. The agency sees busy/free blocks only — never event titles, descriptions, or attendees — even though SPCTR has the technical capability to read those for the creator's own hub view.
  • You can revoke any connection at any time from the calendar sync sheet in SPCTR, or from your Google Account at myaccount.google.com/permissions.
  • We never sell, share for advertising, or use connected-platform data to train AI models.
  • Privacy questions: [email protected].

Requested OAuth scopes:

  • openid and email — used only to display which Google account is connected on your own calendar sync sheet so you can tell which account is linked. These scopes are not used to send you mail or build a profile.
  • https://www.googleapis.com/auth/calendar.events — read and write events on your primary calendar. This is the narrowest scope that lets SPCTR (a) authorize freebusy.query for the agency-side availability view of a creator (see “The wall” below), (b) show your existing calendar events alongside your SPCTR-scheduled content in your own hub view, and (c) write your SPCTR-scheduled deliverables and posts back to your calendar. We do not request https://www.googleapis.com/auth/calendar (the full-control scope, which would also authorize creating, deleting, or sharing the calendars themselves) or any scope that would grant access to calendar ACLs or account settings.

What SPCTR reads on your own connection (for your own hub view): events on your primary calendar via events.list, for display next to your SPCTR-scheduled content. From each event SPCTR keeps only the event ID, title (summary), start time, end time, and the source link if any. SPCTR discards the event description, attendees, location, conferencing details, attachments, recurrence rules, and reminders before storage. This data flows only into your own SPCTR account — never into any other user's account, and never to your agency partner or any creator on your roster.

What SPCTR writes to your calendar: events for the deliverables and posts you schedule inside SPCTR, via events.insert, events.update, and events.delete. Each event contains the title, scheduled time, the content brief or script body you authored in SPCTR, and a plain URL pointing back to the corresponding item in SPCTR so you can jump there from Google Calendar. The event is tagged with a private extended property (extendedProperties.private.spctr_content_item_id) that is not displayed in any Google Calendar surface and is used only by SPCTR to identify its own events at sync time. SPCTR will only ever modify or delete the events it created itself, identified by that private property — never the events you or any other app added. If you delete an SPCTR-created event directly in Google Calendar, SPCTR will not re-create it. SPCTR will not create, delete, or modify the calendars themselves, and will not add any product-branding text (such as a “SPCTR” prefix or attribution chip) to the events it writes.

The wall between you and your agency partner. The creator-vs-agency privacy boundary is enforced by the application's code path, not by trust. Specifically:

  • Each SPCTR user (creator or agency admin) has their own, separate Google Calendar connection. SPCTR never holds a single shared connection that crosses users.
  • When an agency views a creator's availability inside SPCTR, the request runs through a dedicated server module that calls only freebusy.query on the creator's connection. That endpoint returns time-blocked busy/free windows with zero event metadata.
  • The single-tenant modules that call events.list, events.insert, events.update, and events.delete for a user's own hub view are kept in separate source files that the agency-of-creator code path does not import. A static import-boundary test in our CI suite fails the build if any code under the agency-side routes imports these single-tenant modules. The agency therefore cannot see your event titles, descriptions, attendees, or locations even though SPCTR has the technical capability to read them for your own hub view.
  • The same wall protects agency admins from creators: a creator never sees the events on an agency admin's calendar. Agency admins' calendar connections are also isolated from other admins at the same agency — only the connecting admin sees their own events.
  • All calendar data — tokens, cached events, busy/free blocks — is isolated at the database level using Row Level Security keyed to the connecting user. No SQL path returns another user's calendar data.
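
The static import-boundary test described above can be sketched as follows. This is an added example, not SPCTR's own code: the directory names, module names and sample tree are hypothetical. It follows imports transitively, so an agency-side route that reaches the events modules through a shared helper is caught as well as a direct import.

```javascript
// Constructed sample tree (path -> source text). All paths are hypothetical.
const SAMPLE_TREE = {
  "app/agency/availability/route.ts":
    'import { getBusyBlocks } from "../../../lib/calendar/freebusy";\n',
  "app/agency/roster/route.ts":
    'import { formatDay } from "../../../lib/shared/format";\n',
  "lib/calendar/freebusy.ts": "export function getBusyBlocks() {}\n",
  // A shared helper that quietly pulls in the single-tenant events module.
  "lib/shared/format.ts":
    'import { listEvents } from "../calendar/own-hub/events";\n' +
    "export function formatDay() {}\n",
  "lib/calendar/own-hub/events.ts": "export function listEvents() {}\n",
};

// Matches static imports, re-exports, dynamic import() and require().
// Regex-based for brevity; a production check would use a real parser.
const IMPORT_RE =
  /(?:\bfrom\s*|\bimport\s*\(?\s*|\brequire\s*\(\s*)["']([^"']+)["']/g;

function importsOf(source) {
  return [...source.matchAll(IMPORT_RE)].map((m) => m[1]);
}

// Collapse "." and ".." segments without touching the file system.
function normalize(path) {
  const out = [];
  for (const part of path.split("/")) {
    if (part === "..") out.pop();
    else if (part !== "." && part !== "") out.push(part);
  }
  return out.join("/");
}

// Resolve a relative specifier to a file in the tree; package imports -> null.
function resolveImport(fromFile, spec, files) {
  if (!spec.startsWith(".")) return null;
  const dir = fromFile.split("/").slice(0, -1).join("/");
  const base = normalize(dir + "/" + spec);
  const candidates = [base, base + ".ts", base + ".tsx", base + ".js", base + "/index.ts"];
  return candidates.find((c) => Object.hasOwn(files, c)) ?? null;
}

// Walk the import graph from every file under entryPrefix and return each
// import chain that ends in a file under forbiddenPrefix.
function findBoundaryViolations(files, entryPrefix, forbiddenPrefix) {
  const violations = [];
  for (const entry of Object.keys(files).filter((f) => f.startsWith(entryPrefix))) {
    const seen = new Set([entry]);
    const stack = [[entry]];
    while (stack.length > 0) {
      const chain = stack.pop();
      const current = chain[chain.length - 1];
      for (const spec of importsOf(files[current])) {
        const target = resolveImport(current, spec, files);
        if (target === null || seen.has(target)) continue;
        seen.add(target);
        const next = [...chain, target];
        if (target.startsWith(forbiddenPrefix)) violations.push(next);
        else stack.push(next);
      }
    }
  }
  return violations;
}

// A CI job would fail the build when this list is non-empty.
const violations = findBoundaryViolations(SAMPLE_TREE, "app/agency/", "lib/calendar/own-hub/");
for (const chain of violations) console.log("boundary violation: " + chain.join(" -> "));
```
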

What we store: the encrypted OAuth access and refresh tokens (AES-256-GCM, per-user keys), the connected Google account email address (shown only to you), the stripped subset of calendar events used for your own hub view (event ID, title, start, end, source link — nothing else), and a short-lived cache of busy/free intervals (start and end times only) used by the agency-availability path, covering up to a 30-day forward window. Both caches are keyed to your account, refresh at most every 15 minutes, and are deleted immediately when you disconnect.

Google API Services User Data Policy — Limited Use compliance: SPCTR's use and transfer of information received from Google Calendar APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically, Google user data received from Google Calendar is:

  • not used to develop, improve, or train generalized or non-personalized AI or machine-learning models;
  • not sold, and not transferred to third parties for advertising, marketing, or other unrelated purposes;
  • not used to serve advertisements; and
  • not read or processed by humans, except (a) with your explicit affirmative consent for a specific request, (b) as strictly necessary for security investigations to prevent fraud, abuse, or technical issues, or (c) where required by applicable law.

How to revoke Calendar access:

  • In SPCTR: open the calendar sync sheet and disconnect. The stored tokens and cached calendar data are deleted immediately. SPCTR will not delete the SPCTR-managed events it has already written to your Google Calendar — you can delete those directly in Google Calendar if you want them removed.
  • At Google: revoke at Google account permissions. Revoking at Google immediately stops further reads and writes; the next scheduled refresh will fail and the connection will mark itself inactive.
  • By emailing [email protected] — we will revoke and purge within 30 days.

Use of Google Calendar data is also subject to the Google Privacy Policy and the Google Terms of Service.

5. AI, Subprocessors & Third-Party Services

We use OpenAI's API (GPT-4o and GPT-4o-mini) to power the Coach and content generation. Your messages and profile context — which may include metadata from connected platforms — are sent to OpenAI for processing. OpenAI's API data usage policy applies; OpenAI does not use API data to train their models.

Current subprocessors:

  • Supabase (United States) — database, authentication, and storage.
  • Vercel (United States, global edge network) — application hosting.
  • OpenAI (United States) — AI inference for Coach and content generation.
  • Resend (United States) — transactional email delivery.
  • PostHog (United States) — product analytics and feature flags.
  • Connected platforms and integrations — Google (YouTube Data API, YouTube Analytics API, and Google Calendar — freebusy.query on the agency-availability path, plus events.list, events.insert, events.update, and events.delete on the connecting user's own hub path), Twitch, TikTok, and Meta/Instagram, only for users who choose to connect them.

None of our analytics, hosting, or email subprocessors receive your connected platform access tokens. We will update this list and notify you of material changes before adding a new subprocessor that processes personal data.

6. Cookies & Tracking Technologies

SPCTR uses the following first-party storage and tracking:

  • Essential cookies and local storage — used by Supabase Auth to keep you signed in. The service cannot function without these.
  • Product analytics (PostHog) — used to understand how SPCTR is used so we can improve it. Anonymous before sign-in; tied to your user ID after you sign in. PostHog is configured with identified_only person profiles, manual pageview tracking, and bounce-event capture. No third-party advertising or cross-site tracking pixels are used.

We do not use third-party advertising cookies, retargeting pixels, or cross-context behavioral advertising trackers. You can clear cookies and local storage from your browser at any time; signing out also resets your PostHog identity.

7. Data Storage, Security & International Transfers

  • Database: Supabase (PostgreSQL) with Row Level Security enforced on every table — your data is isolated at the database engine level, not just by application code.
  • Platform tokens: OAuth access and refresh tokens are encrypted at rest with AES-256-GCM using per-user key derivation.
  • Transport security: All connections use HTTPS/TLS.
  • Where data is processed: SPCTR is operated from the United States. If you access SPCTR from the EEA, UK, Switzerland, or another jurisdiction with cross-border transfer rules, your data will be transferred to the United States. We rely on the European Commission's Standard Contractual Clauses (SCCs) and equivalent UK/Swiss safeguards in our agreements with US-based subprocessors. You can request a copy of the relevant transfer mechanism by emailing [email protected].
  • Security incidents: In the event of a personal data breach likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours where required by Article 33 GDPR, and notify affected users without undue delay where required by Article 34.

8. Data Retention

We keep your data only as long as we need it to deliver the service and meet our legal obligations:

  • Account and profile data: retained until you delete your account, then permanently removed within 30 days.
  • Connected platform tokens: deleted immediately when you disconnect a platform (typically within minutes).
  • Cached platform metadata (video titles, follower counts, etc.): purged within 30 days of disconnect or account deletion.
  • Google Calendar caches: the busy/free cache (used by the agency-availability path) is refreshed at most every 15 minutes and covers a forward window of up to 30 days; the event cache (used for your own hub view) is refreshed on demand. Both caches are deleted immediately on disconnect. SPCTR-managed events that were already written to your Google Calendar are not deleted on disconnect — you can remove them in Google Calendar directly.
  • Coach conversations and memory events: retained for the life of the account; you can delete individual conversations at any time.
  • Audit and security logs: retained for up to 12 months for fraud and abuse investigation.
  • Backups: rolling 30-day retention; deletion requests propagate through backups within that window.

9. Your Rights

Subject to your jurisdiction, you have the right to:

  • Access your full memory profile at any time (“What SPCTR knows about you” in your profile).
  • Rectify / correct any field in your profile.
  • Erase your account and all associated data permanently.
  • Port your data — we provide exports in machine-readable JSON.
  • Restrict or object to certain processing where applicable.
  • Disconnect any connected platform at any time, which immediately revokes our access.
  • Withdraw consent — where processing relies on consent, you can withdraw it at any time by disconnecting platforms, editing your profile, or deleting your account. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal.
  • Lodge a complaint with your local data protection authority. EEA users can find their authority at edpb.europa.eu; UK users at the ICO (ico.org.uk).

To exercise any of these rights, use the controls on your profile page or contact us at [email protected]. We will respond within 30 days (or 45 days for California requests as described in Section 10).

10. California Privacy Rights (CCPA / CPRA)

If you are a California resident, the California Consumer Privacy Act, as amended by the California Privacy Rights Act (collectively, “CCPA”), gives you specific rights regarding your personal information.

Categories of personal information we have collected in the past 12 months:

  • Identifiers — name, email, account ID, IP address.
  • Customer records — profile fields you provide.
  • Commercial information — none during the beta (no purchase history).
  • Internet or network activity — pages viewed, features used, error reports (via PostHog).
  • Inferences — behavioral signals derived from your activity to personalize coaching and recommendations.
  • Professional or employment-related information — your gaming creator profile data and connected-platform statistics, where applicable.
  • Sensitive personal information — account login credentials (held only by Supabase Auth in hashed form).

Sources: directly from you, from connected platforms you authorize, and automatically from your use of the service.

Business purposes for collection: providing the service, personalizing recommendations, building your memory profile, security and fraud prevention, customer support, and product improvement.

Categories of third parties with whom we share PI: our subprocessors listed in Section 5 (Supabase, Vercel, OpenAI, Resend, PostHog) and the connected platforms you choose to link.

No sale or sharing. SPCTR does not sell personal information and does not share personal information for cross-context behavioral advertising as those terms are defined under the CPRA. Because no sale or sharing occurs, no “Do Not Sell or Share My Personal Information” opt-out is required.

No use or disclosure of sensitive PI beyond what is necessary to provide the service, so the right to limit sensitive PI use does not produce additional restrictions.

Your California rights:

  • Right to know what PI we collect, use, disclose, and share.
  • Right to delete PI we've collected from you.
  • Right to correct inaccurate PI.
  • Right to opt out of sale or sharing (not applicable — we do neither).
  • Right to limit use of sensitive PI (not applicable — see above).
  • Right to non-discrimination for exercising your rights.

How to submit a request: email [email protected], or use the in-product controls on your profile page. We will verify your identity using account information you provide and respond within 45 days, with one 45-day extension where reasonably necessary. Authorized agents may submit requests on your behalf with written authorization.

11. Age Requirements

SPCTR is designed for creators aged 16 and older. If you are under 16, you may not use the platform. For creators aged 16–17, we limit data collection to what is strictly necessary for the product to function. You must also meet the minimum age requirements of any platform you choose to connect.

12. Accessibility

We work to keep SPCTR usable for everyone. If you experience an accessibility barrier or need this policy in an alternative format, email [email protected] and we will accommodate where reasonably possible.

13. Changes to This Policy

We may update this policy as SPCTR evolves. We'll notify you of material changes via email or in-app notice and update the “Last updated” date at the top.

14. Contact

Privacy inquiries: [email protected].

Mailing address:
SPCTR
1580 N Logan St, Ste 660 #542489
Denver, CO 80203
United States

We have not appointed a Data Protection Officer because our processing activities do not currently meet the thresholds of Article 37 GDPR. We will appoint one and update this policy if and when required.