Privacy Policy
1. Introduction
Spashta ("we", "us", "our") is a profit diagnostic tool for Shopify sellers. This policy explains what information we collect, how we use it, and your rights. We keep this simple and honest — no legal bloat, no hidden practices.
2. Information We Collect
When you use Spashta we collect:
- Your email address, used to send you a magic link to access your account
- The store financial inputs you enter manually to generate your report (up to 13 data points including revenue, costs, ad spend, and similar metrics)
- Basic account data including your credit balance and report history
We do not collect payment card details. All payment processing is handled directly by Stripe.
3. How We Use Your Information
We use your information to:
- Send you a magic link to sign in to your account
- Generate your profit diagnostic report
- Display your credit balance and report history in your account
- Respond to your support requests
4. What We Do Not Do
- We do not sell your data to any third party
- We do not use your data for advertising or targeting
- We do not share your financial inputs with anyone except the processors named in Section 5
- We do not use advertising trackers, behavioral analytics, or marketing pixels on our website
5. Third-Party Services
We use the following trusted services to operate Spashta. Each processes limited data on our behalf:
- Stripe — processes your payment. Stripe handles all card and billing data directly. We never see your card details. Stripe's privacy policy applies to payment processing.
- Supabase — stores your account data including your email address, credit balance, and generated report outputs. Data is stored in Sydney, Australia.
- Anthropic — your store financial inputs are sent to Anthropic's API to generate your report narrative. This is transient processing only. Anthropic does not use API inputs to train its models by default.
- Vercel — hosts and serves the Spashta application. Standard server logs including IP addresses and response codes are retained by Vercel for up to 14 days as part of normal hosting operations.
- Resend — delivers transactional emails including your magic link and account confirmation emails. Resend retains email delivery logs for up to 30 days.
6. Cookies and Session Technologies
We use essential session technologies to keep you signed in:
- A session token stored in your browser's local storage to maintain your login state
- Cookies that Stripe sets when you open the checkout page, used for fraud prevention
We do not set any cookies for marketing, advertising, or analytics purposes.
7. Data Retention
We do not store the original form inputs you enter. We store generated report outputs and account history so you can access previous reports. Report history contains analysis results and financial metrics derived from the information you submitted.
Specifically:
- Raw financial inputs you enter are not permanently stored after report generation is complete
- Generated report outputs are retained in your account history while your account is active
- Your email address and credit balance are retained while your account is active
- Account deletion removes all report history and account data permanently
- Payment records are retained by Stripe for up to 7 years in accordance with Australian tax law requirements
- Vercel server logs are retained for up to 14 days, then automatically deleted
- Resend email delivery logs are retained for up to 30 days, then automatically deleted
- Inputs sent to Anthropic are governed by Anthropic's own retention policies. Anthropic does not use API inputs to train its models by default.
8. Data Security
We use industry-standard security practices to protect your data:
- All data in transit is encrypted via HTTPS
- Your account data is stored with Supabase using their built-in security infrastructure
- Payment data is handled entirely by Stripe and never passes through our servers
9. Your Rights
You have the right to:
- Request access to the data we hold about you
- Request deletion of your account and associated data
- Ask questions about how your data is used
To exercise any of these rights, contact us at hello@spashta.io. We will respond within a reasonable timeframe.
10. International Visitors
Spashta is operated from Australia and is subject to the Australian Privacy Act 1988. We handle personal data in a manner consistent with applicable privacy principles, including GDPR principles where they apply. If you are located in the EU or UK, you may have additional rights under local law.
11. Contact
For any privacy questions or requests:
Email: hello@spashta.io
Business: Spashta, Australia
12. Updates to This Policy
We may update this policy from time to time. The date at the top of this page reflects when it was last changed. We encourage you to review this policy periodically for any updates.