Privacy Policy

Spinveri ("Spinveri," "we," "us") is operated by Lumen Limitless LLC, a New York limited liability company. This policy describes what data we collect when you use our website at spinveri.com and the associated Spinveri service (collectively, the "Service"), how we use it, with whom we share it, how long we keep it, and the choices you have. If you have questions, email privacy@spinveri.com.

1. What we collect

Account data. When you create a Spinveri account we collect your email address and (if you authenticate via Google or Facebook) the unique identifier and display name your identity provider returns. We never see your Google or Facebook password.

Instagram connection data. When you connect an Instagram Business Account to Spinveri, we receive and store:

• Your Instagram Business Account ID and username
• The Facebook Page ID associated with that Instagram account, and your Facebook user ID
• A long-lived Instagram access token, stored encrypted at rest using envelope encryption via Supabase Vault

Giveaway and draw data. When you run a draw, we fetch and snapshot the public comments on the specific Instagram post you select. We store the snapshot, the entry filters you configured, the cryptographic seed used for selection, and the chosen winner. The snapshot is retained for 90 days to support the public audit page, then permanently deleted.

Payment data. If you purchase a paid feature, our payment processor (Stripe) collects your payment details directly. We receive only a Stripe customer ID and the subscription/charge status — we do not see or store full card numbers.

Operational data. Standard server logs (timestamps, IP, user agent, request paths), error reports captured by Sentry, and usage events if you opt into product analytics.

2. What we do not collect

• Instagram direct messages
• Your follower or following list
• Stories, Reels, or any media other than the post you select
• Any data from Instagram accounts you have not personally connected
• Any data from posts on your connected account that you have not explicitly chosen in the Spinveri UI

3. How we use it

• To operate the Service: fetching comments, running draws, generating audit pages
• To bill you and to keep your subscription current
• To respond to support requests and notify you of important account events (commitment receipts, draw completions, token expirations, deletion confirmations)
• To diagnose and fix bugs and keep the Service secure

We do not use your Instagram data, comment snapshots, or draw history for advertising, third-party analytics, or to train machine learning models.

4. Who we share it with

We do not sell your data. We share data only with the following service providers ("subprocessors"), each strictly to operate the Service on our behalf:

• Supabase — database, authentication, and at-rest encryption of your Instagram access tokens (US-hosted)
• Vercel — application hosting (US-hosted)
• Stripe — payment processing
• Resend — transactional email delivery
• Sentry — error monitoring
• Meta (Facebook / Instagram)— at the moment a draw is created or executed, we fetch comments and post metadata from Meta's Graph API on your behalf using the access token you authorized

We may also disclose data when required to comply with applicable law or to protect the rights, property, or safety of Spinveri, our users, or others.

5. How long we keep it

• Account, connection, and draw metadata: for as long as your account is active, plus a brief window for backups
• Comment snapshots: 90 days from the date of the draw, then permanently deleted
• Public audit pages: remain accessible until you delete the underlying draw or your account
• Server logs and error reports: typically 30–90 days
• Tax and billing records: for the period required by applicable law (typically seven years)

6. Your rights and choices

You can disconnectInstagram from your Spinveri account at any time via Settings → Connected accounts. Disconnecting revokes the access token on Meta's side and deletes the connection record on ours.

You can delete your account and all associated data via Settings → Account → Delete my account, or by emailing privacy@spinveri.com. See our Data Deletion page for the full process.

Depending on your jurisdiction (e.g., the EU/UK under GDPR, California under CCPA), you may have additional rights to access, correct, export, or restrict processing of your data. Email privacy@spinveri.com to exercise any of these rights — we will respond within 30 days.

7. Meta data deletion callback

In accordance with Meta's Platform Terms, we operate a data deletion callback at https://spinveri.com/api/meta/data-deletion. If you remove Spinveri from your Facebook account or request data deletion through Facebook, Meta will notify this endpoint, and we will delete the associated data within 30 days. You can check the status of a deletion request using the confirmation code returned by Meta at the URL provided in their response.

8. Security

Instagram access tokens are encrypted at rest. Service-role database credentials are never exposed to the browser. Payments are handled by Stripe, which is PCI-DSS Level 1 certified. We use HTTPS for all traffic. No system is perfectly secure; if we become aware of a breach affecting your data, we will notify you in accordance with applicable law.

9. Children

Spinveri is not directed to children under 16, and we do not knowingly collect personal data from anyone under 16. If you believe a child has provided us data, contact us and we will delete it.

10. International users

Spinveri is operated from the United States, and data is stored on US infrastructure (Supabase and Vercel US regions). If you use the Service from outside the United States, you understand and consent to the transfer of your data to and processing in the United States.

11. Changes to this policy

We may update this policy from time to time. Material changes will be announced via email or in-app notice at least 14 days before they take effect. The "Effective" date at the top of this page always reflects the current version.

12. Contact

Lumen Limitless LLC
Email: privacy@spinveri.com