Privacy Policy
This Privacy Policy explains how The Spool List ("we," "us," or "our") collects, uses, stores, and protects your personal data when you use our website, mobile application, and related services (collectively, the "Platform"). We are committed to protecting your privacy and complying with the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and other applicable data protection laws.
1. Data Controller
The Spool List is the data controller responsible for your personal data. If you have questions about how your data is processed, contact us at support@thespoollist.com.
2. Data We Collect
Account Data
When you create an account, we collect your email address, display name, profile photo, and account type (Buyer, Maker, or Both). If you sign in via Apple or Google, we receive the data you authorize those providers to share.
Machine Registration Data
Makers who register equipment provide machine make, model, serial number, and capability specifications. For custom-built machines, a platform-assigned identifier (TSL-CUSTOM-XXXX) is used. Photo verification of equipment may be required. Serial numbers are stored to enforce platform-wide uniqueness and prevent fraud.
Workshop & Location Data
Makers may provide their workshop address or geographic coordinates for proximity-based job matching. City-level location is displayed publicly on the Network Map; precise addresses are never exposed to other users.
Device Identifiers
We collect device identifiers including Apple DeviceCheck tokens and anonymized device fingerprints for fraud prevention, account security, and abuse detection.
Photos & Media
Users may upload photos for portfolios, job attachments, and equipment verification. We process image metadata (EXIF data) including camera model, timestamp, and geolocation tags where present, to verify equipment authenticity. EXIF geolocation data is stripped before any image is displayed publicly.
Payment Data
All payments are processed by Stripe. We store Stripe customer IDs, transaction references, payout records, and subscription status. We never store full card numbers, bank account numbers, or payment credentials on our servers.
Usage & Analytics Data
We collect anonymized usage events (screens viewed, features used, session duration) and crash reports. This data is used solely to improve Platform performance and reliability.
Communications
Messages sent through the Platform's in-app chat are stored to facilitate transactions and for moderation purposes. We do not read private messages except when investigating reported violations or as required by law.
3. Legal Basis for Processing
Under GDPR, we process your data under the following legal bases:
| Purpose | Legal Basis |
|---|---|
| Operating the marketplace (matching, payments, messaging) | Performance of contract |
| Account creation and authentication | Performance of contract |
| Machine serial number verification and uniqueness | Legitimate interest (platform integrity, fraud prevention) |
| Device identifiers for abuse detection | Legitimate interest (security, fraud prevention) |
| EXIF processing for equipment verification | Legitimate interest (trust and safety) |
| Analytics and crash reporting | Legitimate interest (service improvement) |
| Marketing communications | Consent |
| Cookie-based tracking beyond essential cookies | Consent (managed via Cookiebot) |
| Tax and financial record keeping | Legal obligation |
4. Machine Identifier Ledger
To maintain platform integrity and prevent fraud, The Spool List maintains a persistent ledger of machine serial numbers. This ledger enforces platform-wide uniqueness: each serial number may only be registered to one account at any time.
Retention: Machine serial numbers and associated identifiers are retained indefinitely, even after account deletion. This is necessary to prevent re-registration fraud, ban evasion via equipment re-listing, and to maintain the integrity of the verified equipment ecosystem. Only the machine identifier data is retained; all other personal data associated with a deleted account follows the standard retention schedule below.
The legal basis for this indefinite retention is legitimate interest in platform integrity and fraud prevention. You may object to this processing by contacting us, and we will assess your request on a case-by-case basis, balancing your rights against the security needs of the platform.
5. How We Use Your Data
- To operate the marketplace: matching jobs with makers by equipment capability and geographic proximity, processing payments via escrow, facilitating in-app messaging.
- To verify equipment: confirming machine registration accuracy through serial numbers, photos, and EXIF analysis.
- To personalize your experience: showing relevant jobs based on your registered equipment, categories, and location radius.
- To process payments: managing Stripe transactions, escrow holds, payouts, and subscription billing.
- To improve the Platform: analytics, crash reporting, performance monitoring, and feature development.
- To communicate: transactional emails, push notifications (if enabled), and service announcements.
- To ensure safety: fraud detection, abuse prevention, moderation, and enforcement of our Terms and Guidelines.
- To comply with law: tax reporting, responding to legal requests, and financial record-keeping.
6. Data Processors
We share your data with the following third-party processors who act on our behalf:
| Processor | Purpose | Data Shared |
|---|---|---|
| Supabase | Database, authentication, cloud storage, edge functions | Account data, uploaded files |
| Stripe | Payment processing, escrow, payouts, subscription billing | Payment details, transaction records, payout information |
| Cloudflare | CDN, DDoS protection, DNS | IP addresses, request metadata (not stored long-term) |
| Apple | Sign in with Apple, DeviceCheck, App Store subscriptions | Authentication tokens, device attestation tokens, subscription status |
Each processor operates under a Data Processing Agreement (DPA) that restricts their use of your data to the purposes described above.
7. Who We Share With
- Other Users: Your public profile, portfolio, equipment list, city-level location, and marketplace activity are visible to other users. Messages are visible only to conversation participants.
- Payment Processors: Stripe receives the payment data necessary to process transactions and payouts.
- Law Enforcement: We may disclose data if required by law, court order, or to protect safety.
We do not sell your personal data. We do not share data with advertising networks or data brokers.
8. Data Retention
| Data Type | Retention Period | Reason |
|---|---|---|
| Active account data | Duration of account | Service operation |
| Account data post-deletion | 24 months after deletion | Fraud prevention, dispute resolution, legal claims |
| Transaction records | 7 years | Tax compliance, financial reporting (legal obligation) |
| Machine identifiers (serial numbers only) | Indefinitely | Platform integrity, fraud prevention (see Section 4) |
| Abuse signals & enforcement records | 24 months | Safety, pattern detection, appeal support |
| Analytics data | 14 months | Standard retention period |
| Crash reports | 90 days | Debugging and stability |
| Chat messages | Duration of account + 24 months | Dispute resolution, moderation |
9. Your Rights (GDPR)
If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have the following rights under GDPR:
- Right of Access: Request a copy of the personal data we hold about you.
- Right to Rectification: Request correction of inaccurate or incomplete data.
- Right to Erasure: Request deletion of your personal data, subject to our retention obligations (Section 8). Machine identifiers may be retained per Section 4.
- Right to Data Portability: Request your data in a structured, commonly used, machine-readable format.
- Right to Object: Object to processing based on legitimate interest, including the machine identifier ledger. We will assess your objection and cease processing unless we demonstrate compelling legitimate grounds.
- Right to Restrict Processing: Request that we limit the processing of your data in certain circumstances.
- Right to Withdraw Consent: Where processing is based on consent (e.g., marketing, non-essential cookies), you may withdraw consent at any time without affecting the lawfulness of prior processing.
- Right to Lodge a Complaint: You have the right to lodge a complaint with your local supervisory authority (e.g., the ICO in the UK, CNIL in France, or your national data protection authority).
To exercise any of these rights, contact support@thespoollist.com. We will respond within 30 days.
10. Your Rights (CCPA)
If you are a California resident, you have the following rights under the California Consumer Privacy Act:
- Right to Know: Request disclosure of the categories and specific pieces of personal information we have collected, the sources, the business purposes, and the categories of third parties with whom we share it.
- Right to Delete: Request deletion of your personal information, subject to exceptions (e.g., legal obligations, ongoing transactions, fraud prevention).
- Right to Opt-Out of Sale: We do not sell your personal information. There is no sale to opt out of.
- Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights. You will not receive different pricing, quality, or service levels.
To exercise your CCPA rights, contact support@thespoollist.com. We will verify your identity before processing your request and respond within 45 days.
11. Data Export
You may request an export of your personal data at any time by contacting support@thespoollist.com. We will provide your data in a structured, machine-readable format (JSON or CSV) within 30 days of a verified request. Exported data includes your account information, machine registrations, transaction history, and chat messages.
12. International Transfers
The Spool List is incorporated in the Cayman Islands. Your data is stored and processed via Supabase (AWS) and Stripe infrastructure, with servers located in the United States.
For users in the EEA, UK, or Switzerland: where personal data is transferred outside your jurisdiction, we rely on appropriate safeguards including the European Commission's Standard Contractual Clauses (SCCs) and any applicable supplementary measures. Google and Stripe maintain their own compliance frameworks for international data transfers.
13. Cookies & Tracking
Our website uses cookies for essential functionality and, with your consent, for analytics. Cookie consent is managed by Cookiebot. You can review and modify your cookie preferences at any time through the Cookiebot consent banner or by visiting our cookie declaration page.
- Essential cookies: Required for site functionality (authentication, security). No consent required.
- Analytics cookies: Anonymized usage tracking. Deployed only with your consent.
- Marketing cookies: We do not currently deploy marketing or advertising cookies.
The mobile app uses anonymized device identifiers for analytics. You can opt out via your device's privacy settings (iOS: Settings > Privacy & Security > Analytics).
14. Children
The Spool List is not intended for users under the age of 16. We do not knowingly collect personal data from anyone under 16. If you believe a child under 16 has provided us with personal data, contact support@thespoollist.com and we will delete the data promptly.
15. Data Security
Data is stored in Supabase Postgres (US region) and Supabase Storage. All data is encrypted in transit (TLS 1.2+) and at rest (AES-256). Access is controlled by Row Level Security policies, authenticated API calls, and role-based access controls. We conduct regular security reviews and penetration testing. However, no method of electronic storage or transmission is 100% secure, and we cannot guarantee absolute security.
16. Changes to This Policy
We may update this Privacy Policy to reflect changes in our practices, technology, or legal requirements. Material changes will be communicated via in-app notification and/or email at least 14 days before taking effect. The "Last updated" date at the top of this page indicates when the policy was most recently revised. Continued use of the Platform after changes take effect constitutes acceptance.
17. Contact
For privacy-related questions, data access requests, or to exercise your rights:
- Privacy inquiries: support@thespoollist.com
- Data deletion requests: support@thespoollist.com
- General support: support@thespoollist.com