Sprid
Privacy Policy

Updated April 2026. Controller: Väder AB, Sweden.

01

Who we are

Sprid is operated by Väder AB, a company registered in Sweden (“Sprid,” “we,” “us,” or “our”). Väder AB is the data controller for the personal data described in this policy. This policy explains what we collect when you use the Sprid website at sprid.studio, the web application at app.sprid.studio, the Sprid API, the MCP server, and any related services (together, the “Service”).

We are based in the EU and we process personal data in line with the EU General Data Protection Regulation (GDPR) and applicable Swedish law.

02

What we collect

Information you give us:

  • Account. Email address and (optionally) display name, used to sign in and contact you.
  • Workspace content. Accounts, formats, schedules, lines, prompts, drafts, slides, captions, hashtags, reflections, post-mortems, and any other material you create inside Sprid.
  • Uploaded media. Images and videos you upload, scrape from Pinterest through our helpers, or generate with AI tools. Media is stored in Cloudflare R2 and served over our CDN at cdn.sprid.studio.
  • Provider keys. If you use a bring-your-own-key plan, the API keys you supply for providers such as Anthropic or fal.ai. These are encrypted at rest.
  • Support messages. Email you send to [email protected].

Information we receive from connected platforms:

When you connect a channel on Instagram, TikTok, YouTube, or Meta Ads through OAuth, we receive and store:

  • OAuth access and refresh tokens, encrypted at rest with AES-256-GCM and never returned through any API response;
  • Basic profile information (platform user id, username or display name, avatar);
  • Post identifiers, publication status, and public metrics (impressions, reach, likes, comments, saves, plays, watch time) for content you publish through Sprid, so we can show them in your dashboard;
  • For Meta Ads: ad account identifiers, campaign, ad set, and ad metadata, spend, and performance metrics for campaigns you run through Sprid.

Information we collect automatically:

  • Product events. Basic usage events (for example, “post created,” “publish scheduled,” “slide rendered”) for our own dashboards. We do not run third-party analytics trackers on the marketing site or application.
  • Technical logs. IP address, user agent, request path, response code, and timestamps for security, rate limiting, abuse prevention, and debugging. These logs are kept for a limited period.
  • Billing. Subscription status, plan, invoices, and payment metadata managed by Stripe. We never see or store your full card number.

03

What we do not collect

We do not read the direct messages of your connected channels. We do not pull in followers, follower lists, or audience demographics beyond the aggregated metrics platforms return for your own posts. We do not run third-party ad trackers, fingerprinting scripts, or session replay tools. We do not sell your data. We do not share your data with data brokers. We do not use Your Content to train artificial intelligence or machine learning models, and we do not grant that right to any of our processors.

04

How we use your information

We use the information we collect to:

  • provide, maintain, and improve the Service, including authoring, rendering, scheduling, publishing, and metrics;
  • authenticate you, issue and revoke personal access tokens, and protect your account;
  • send prompts, completions, and reference material to third-party AI providers when you ask Sprid to generate or rewrite content;
  • post content to Instagram, TikTok, YouTube, or Meta Ads when you or your automation explicitly requests a publish;
  • surface metrics from connected platforms inside your dashboard;
  • process payments and send billing-related notices;
  • respond to support requests and enforce these Terms;
  • detect, prevent, and investigate fraud, abuse, and security incidents;
  • comply with legal obligations, such as tax and accounting laws.

05

Legal bases (GDPR)

We process your personal data on the following legal bases:

  • Performance of a contract. To provide the Service you have asked us to provide, including authoring, rendering, and publishing.
  • Legitimate interests. To secure the Service, prevent abuse, monitor performance, improve features, bill for usage, and respond to support requests.
  • Consent. Where required by law, for example when you connect a third-party channel via OAuth or when you supply your own API keys. You can withdraw consent by disconnecting the channel or deleting the key.
  • Legal obligation. To comply with tax, accounting, and other mandatory legal requirements.

06

Data from connected platforms

When you connect a channel, Sprid acts on your behalf through that platform’s official API. Data we receive from each platform (“Platform Data”) is used only to deliver the features you asked for — authoring, scheduling, publishing, commenting, metrics, and ads management. It is not combined with data from any other source for profiling or advertising, and it is not shared with data brokers. Sprid is not affiliated with, endorsed by, or sponsored by Meta Platforms, Instagram, TikTok, Google, or YouTube.

Meta (Instagram and Meta Ads). Processed in accordance with the Meta Platform Terms, the Instagram Platform Terms, and applicable Meta Developer Policies. With the scopes instagram_business_basic, instagram_business_content_publish, and instagram_business_manage_comments we read your connected Business or Creator profile, publish content you explicitly submit, and read and reply to comments on posts published through Sprid. For Meta Ads we use the scopes ads_management, ads_read, pages_show_list, pages_read_engagement, instagram_basic, and business_management to create and manage campaigns you launch from Sprid and read back performance metrics. Instagram and Facebook Platform Data is stored only as long as it is necessary to operate these features and is deleted when you disconnect the channel, delete your workspace, or request deletion. Revoke Sprid at any time from Meta Accounts Center or from Instagram settings → Apps and websites.

TikTok. Processed in accordance with the TikTok Developer Terms of Service and the TikTok Developer Data Sharing Agreement. With the scopes user.info.basic, user.info.profile, user.info.stats, video.list, video.publish, and video.upload we (i) read your basic profile (open id, display name, avatar) to identify the connected channel; (ii) read your extended profile (username, bio, profile deep link, verified badge) to display the channel card; (iii) read your public account statistics (follower, following, likes, video counts) to display the channel card; (iv) read public metrics for posts you previously published through Sprid (views, likes, comments, shares) to show analytics in your dashboard; (v) publish photo carousels and videos straight to your feed when you explicitly request a Direct Post; and (vi) deliver photo carousels and videos into your TikTok drafts inbox when you explicitly request a Send to Inbox publish, so you can finish them in the TikTok app. When you publish through Sprid you also consent to TikTok’s Music Usage Confirmation as required by the TikTok Content Posting API, and to any branded content disclosure you toggle on. TikTok Platform Data is retained only while it is needed to operate these features and is deleted when you disconnect the channel, delete your workspace, or request deletion. Revoke Sprid at any time from TikTok settings → Manage account → Connected apps.

YouTube (Google). Your use of Sprid’s YouTube features is subject to the YouTube Terms of Service, and Google’s handling of your information is described in the Google Privacy Policy. With the scopes https://www.googleapis.com/auth/youtube.upload and https://www.googleapis.com/auth/yt-analytics.readonly we upload videos you explicitly submit and read basic analytics for the videos you published through Sprid. In compliance with the YouTube API Services Developer Policies, Sprid does not store YouTube Authorized Data for longer than 30 calendar days, except for aggregated statistics and analytics which we may retain longer if we refresh or re-verify them at least every 30 days. You can revoke Sprid’s access to your Google data at any time via the Google security settings page at https://security.google.com/settings/security/permissions. You can request deletion of YouTube data we hold about you by emailing [email protected]; we will honour the request within 7 calendar days.

Prohibited uses of Platform Data. Sprid does not, and will not, use Platform Data to: build or enrich third-party profiles; target users with advertising on behalf of anyone other than the connected account’s owner; train machine learning or AI models; make eligibility determinations about housing, employment, insurance, credit, education, or government benefits; discriminate on the basis of protected characteristics; support surveillance; sell, license, or disclose to data brokers; or attempt to de-anonymise or reverse-engineer the data.

07

AI providers and bring-your-own-key

When you use AI features (hook suggestions, slide rewrites, lint explanations, reference image generation), Sprid sends the relevant prompts and inputs to a third-party AI provider (currently Anthropic for text and fal.ai for images, including xAI/Grok models). These providers process the data as independent processors under their own terms.

On metered plans the provider relationship is between Sprid and the provider. On bring-your-own-key plans (for example, the Dev tier), prompts and completions are sent using your own key and your relationship is directly with that provider. Sprid does not retain AI provider outputs beyond what is needed to show you the result and, if you save it, to store it as part of your workspace content.

Neither Sprid nor our AI providers are permitted to use Your Content to train models.

08

Processors we use

We rely on a small number of trusted sub-processors to run the Service. Each of them is bound by a data processing agreement that restricts how they can use your data.

  • Cloudflare — hosting of the marketing site and web app on Pages, hosting of the API on Workers, and R2 object storage/CDN delivery for media;
  • Neon — managed Postgres database;
  • Stripe — payment processing, subscription billing, and invoicing;
  • Anthropic — LLM for text suggestions and scoring;
  • fal.ai — image generation queue and inference (including xAI/Grok models);
  • Meta, TikTok, Google/YouTube — publishing, metrics, and advertising APIs.

We may change sub-processors from time to time. Material changes will be reflected here. If you need an up-to-date list for a procurement process, email [email protected].

09

International data transfers

Some of the processors listed above are based in, or transfer data to, countries outside the European Economic Area, including the United States. Where personal data is transferred outside the EU/EEA, we rely on appropriate safeguards — in most cases the European Commission’s Standard Contractual Clauses, supplemented by additional technical and organisational measures such as encryption in transit and at rest — or on an adequacy decision by the European Commission. You can request a copy of the transfer safeguards by contacting [email protected].

10

Security

We take the confidentiality and integrity of your data seriously. Technical and organisational measures include:

  • encryption in transit (HTTPS/TLS) for all application and API traffic;
  • encryption at rest for OAuth tokens and provider keys using AES-256-GCM;
  • tokens and keys are never returned through any API response;
  • scoped personal access tokens (sprd_…) that can be revoked at any time;
  • access controls, audit logs, and principle of least privilege for internal tooling;
  • regular updates of dependencies and infrastructure.

No system is perfectly secure. If you discover a vulnerability, please report it to [email protected] and we will respond as quickly as we can.

11

Data retention

We retain personal data for as long as your account is active and for a limited period afterwards, so you can recover data you deleted by mistake and so we can meet our legal obligations. Specifically:

  • Account and workspace content — retained while your account is open. On deletion, content is removed from the live database within a reasonable period; encrypted backups are rotated out on a rolling schedule.
  • OAuth tokens — retained while the channel is connected; deleted when you disconnect it.
  • Technical and security logs — retained for a short rolling window (typically up to 30 days) for debugging and abuse prevention.
  • Billing records — retained for as long as required by Swedish tax and accounting law (normally seven years after the end of the financial year).

12

Your rights

Under GDPR and comparable laws in other jurisdictions, you have the right to:

  • access the personal data we hold about you;
  • request correction of inaccurate data;
  • request deletion of your personal data (the “right to be forgotten”);
  • request restriction of processing, or object to processing based on legitimate interests;
  • request data portability in a common, machine-readable format;
  • withdraw consent for processing based on consent, at any time;
  • lodge a complaint with your local data protection authority. In Sweden, that is Integritetsskyddsmyndigheten (IMY).

To exercise any of these rights, email [email protected] from the address on your account. We will respond within 30 days as required by GDPR.

13

Account and data deletion

You can request deletion of your account and the workspace content you created at any time. Step-by-step instructions — including the in-app flow, the email route, and the data deletion request URL required by the Meta Platform Terms — are at sprid.studio/privacy/data-deletion.

When we receive a deletion request we will:

  • disconnect any connected Instagram, Meta Ads, TikTok, and YouTube channels and delete their stored OAuth tokens;
  • delete your workspaces, formats, lines, drafts, slides, and media from the live database and from Cloudflare R2;
  • remove your account from the user table.

Our response time targets are 7 calendar days for deletion of Platform Data (as required by the YouTube API Services Developer Policies and consistent with the Meta Platform Terms) and 30 days for all other personal data (as required by GDPR). Encrypted backups are rotated on a rolling schedule and remaining copies will be overwritten within that cycle. Billing records that we are legally required to keep under Swedish accounting law will be retained for the period required by law.

Deleting Sprid data does not delete posts that have already been published to Instagram, TikTok, or YouTube. You must delete those directly from the destination platform.

13b

Mobile app and device permissions

The Sprid mobile app for iOS and Android renders slides on-device and, optionally, shares rendered carousels to your photo library or to connected platforms. It requests the following permissions, and only uses them for the stated purpose:

  • Photo Library (read). On iOS, used to import analytics screenshots from TikTok and Instagram that you select for reflection. Sprid never reads your camera roll in the background; only the specific photos you pick are imported. On Android, the equivalent “read media images” permission is used for the same purpose.
  • Photo Library (add). Used to save rendered carousel slides back to your photo library when you tap Save or Export.
  • Share extension. iOS and Android let you share an image or URL to Sprid from another app. Shared content is attached to the draft you pick and is not collected otherwise.

Sprid does not use the iOS App Tracking Transparency (ATT) framework for cross-app or cross-site tracking, and does not include any advertising SDKs. If iOS shows an ATT prompt, you can safely decline; it has no effect on the Service. Sprid is not linked to the SKAdNetwork or to any ad attribution provider.

14

Cookies and tracking

The marketing site at sprid.studio does not set marketing or advertising cookies, and does not run third-party analytics. The application at app.sprid.studio uses a small number of strictly necessary cookies (for authentication, CSRF protection, and short-lived OAuth state) and localStorage for UI state such as the last account you viewed. You can block these cookies in your browser, but the application may not work correctly without them. Sprid honours the Global Privacy Control (GPC) signal and does not engage in any form of cross-site or cross-app tracking.

14b

California privacy rights

If you are a California resident, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) gives you the right to know what personal information we collect about you, to request deletion or correction, to opt out of the sale or sharing of personal information, and to limit the use of sensitive personal information. Sprid does not sell or share your personal information within the meaning of the CCPA, we do not use personal information for cross-context behavioural advertising, and we do not knowingly process the personal information of consumers under 16. You can exercise your rights by emailing [email protected]; we will verify your request against your account email and respond within the statutory timeframe. You will not be discriminated against for exercising a privacy right.

15

Children

The Service is not directed to children. You must be at least 18 to use it. If we learn that we have collected personal information from someone under 18, we will delete it. Parents and guardians who believe we might have data about a minor can contact [email protected].

16

Law enforcement requests

We disclose customer data only when we are required to do so by a valid legal process, such as a court order or subpoena from a competent authority in Sweden or the EU, or when necessary to protect the safety and rights of our users or the Company. We evaluate every request for legal validity and scope, disclose only the minimum required, and, where permitted by law, notify affected users before disclosure.

17

Changes to this policy

We may update this policy from time to time. Material updates will be communicated by email or in-app notice, and by updating the date at the top of this page. Continued use of the Service after changes take effect constitutes acceptance of the revised policy.

18

Contact

Questions about this policy or about how we handle your data can be sent to [email protected].

Data controller: Väder AB, Sweden.