Privacy Policy
Last updated: March 18, 2026
This privacy policy explains how Spodic collects, uses, stores, shares, and protects your personal data. It applies to the Spodic website at spodic.com, the Spodic browser extension, and the Spodic API (together, "the Service"). Please read this policy carefully. By using the Service, you acknowledge that you have read and understood this policy.
1. Who we are
Spodic is a sole proprietorship (eenmanszaak) based in the Netherlands. For the purposes of the General Data Protection Regulation (GDPR) and the Dutch Uitvoeringswet Algemene verordening gegevensbescherming (UAVG), Spodic acts as the data controller for personal data collected through the Service. This means we determine the purposes and means of processing your personal data.
We do not currently have a Data Protection Officer (DPO), as we are not required to appoint one under Article 37 of the GDPR. However, you can contact us directly for any privacy-related questions or requests at [email protected].
2. What data we collect
We collect only the data necessary to provide and improve the Service. Below is a detailed overview of each category of data we process.
2.1 Account data
When you create an account, we collect your email address. This is the only piece of personally identifiable information required to use Spodic. We use passwordless authentication (magic links), so we do not collect or store passwords. We do not ask for your name, phone number, date of birth, or physical address.
Your account also includes metadata generated by the Service: your subscription tier, remaining AI credits, total storage used, and the date your account was created. This metadata is not personally identifiable on its own but is linked to your email address.
2.2 Reading data
To provide the speed reading features, we store data about items in your reading library: item titles, source URLs (for web-imported articles), file types, word counts, your reading progress (current word position), reading speed (words per minute), whether an item is favourited or completed, and timestamps for when items were added and last read. This data exists solely to let you resume reading where you left off and to track your reading history.
2.3 User content
When you paste text, import articles by URL, or upload files (PDF, ePub, DOCX, TXT, HTML, Markdown), the text content is stored in our database to enable the reading and AI summarization features. Uploaded file binaries are stored separately in cloud object storage. All user content is stored within your personal account scope and is isolated from other users. Spodic staff do not access user content as part of normal operations; access would only occur if required to resolve a technical issue you report or to comply with a legal obligation.
2.4 Settings and preferences
Your reader settings (reading speed, font preferences, theme selection, keyboard shortcuts, and other customization options) are stored as a JSON object linked to your account. This data contains no personally identifiable information.
2.5 Technical and operational data
When you interact with the Service, our infrastructure automatically processes certain technical data:
- IP address: Used for rate limiting and abuse prevention. IP addresses are stored temporarily in a key-value cache and expire automatically, typically within one hour. We do not store IP addresses in our permanent database or use them for tracking, profiling, or analytics.
- HTTP metadata: Standard request information (browser user-agent string, request timestamps, HTTP method, requested URL path) is processed by Cloudflare's network as part of delivering the Service. This data is subject to Cloudflare's own retention policies and is used for operational monitoring, not for user profiling.
2.6 Payment data
If you subscribe to a paid plan, payment processing is handled entirely by our Merchant of Record, Polar. Spodic never receives, processes, or stores your credit card number, bank account details, billing address, or other financial information. Polar handles all payment collection, VAT calculation, invoicing, and financial compliance on our behalf. The only payment-related information we retain is your subscription tier and its status (active, cancelled, or expired), which Polar communicates to us so we can provide the correct level of service. See Polar's privacy policy for details.
2.7 Data we do not collect
To be explicit: Spodic does not collect your name, phone number, physical address, date of birth, social media profiles, location data (GPS or otherwise), device identifiers (such as advertising IDs), or any biometric data. We do not use analytics trackers, advertising pixels, fingerprinting scripts, or any form of cross-site tracking.
3. How we use your data
We use the data described above for the following purposes:
- Providing the Service: Your email address is used for authentication (sending magic links) and for account-related communications (such as subscription confirmations or critical service notifications). Your reading data and settings are used to deliver the core reading experience, including syncing your library and preferences across devices.
- AI features: When you choose to use AI summarization, the text content of the item you select is sent to our AI provider to generate a summary. AI processing is always initiated by you and never happens automatically.
- Abuse prevention: IP addresses are used to enforce rate limits (for example, limiting the number of magic link requests per hour) to protect the Service and other users from abuse.
- Service improvement: We may use aggregated, non-identifiable usage patterns (such as total items read across all users, or average reading speeds) to improve the Service. We do not build individual user profiles for this purpose.
- Communication: We may occasionally send you important service-related emails, such as notifications about changes to these terms, security incidents affecting your account, or critical updates to the Service. We will not send marketing or promotional emails unless you have explicitly opted in, and you may opt out at any time.
4. Legal basis for processing
Under the GDPR, every instance of processing personal data must have a legal basis. We rely on the following:
- Performance of a contract (Art. 6(1)(b)): Processing your email address for authentication, storing your reading data, syncing your settings, and storing your uploaded content are all necessary to perform the contract between you and Spodic (i.e., providing the Service you signed up for). Without this processing, we cannot deliver the Service.
- Legitimate interest (Art. 6(1)(f)): IP-based rate limiting and basic operational monitoring protect the Service from abuse and ensure its availability. Our legitimate interest in maintaining a secure and reliable service is balanced against the minimal impact on your privacy, given that IP data is stored temporarily and not used for tracking. You have the right to object to processing based on legitimate interest (see Section 10).
- Consent (Art. 6(1)(a)): If we introduce optional features that require additional data processing beyond what is necessary for the Service (such as a marketing newsletter), we will request your explicit, informed consent before processing. You may withdraw consent at any time by contacting us or using the unsubscribe mechanism provided, and withdrawal will not affect the lawfulness of processing performed before withdrawal.
5. AI features and third-party processing
Spodic offers optional AI-powered features, currently including text summarization. When you activate an AI feature on an item, the text content of that item is sent to our AI provider, DeepSeek, via their API over an encrypted (HTTPS/TLS) connection.
The data sent to DeepSeek consists solely of the text content you selected for processing. We do not send your email address, account identifier, IP address, reading history, settings, or any other personal or account-related data to DeepSeek.
AI features are always user-initiated. Spodic will never automatically send your content to an AI provider without your explicit action. Each AI request consumes credits from your account, which serves as an additional confirmation of your intent.
DeepSeek is based in China. We acknowledge that China's data protection framework differs from the GDPR. Because we send only text content (not personal data) and because AI processing is voluntary and user-initiated, we consider this processing proportionate. However, if you are uncomfortable with your text content being processed by a provider based in China, you may choose not to use AI features, and the core reading functionality of Spodic will remain fully available to you.
You can review DeepSeek's privacy policy for details on how they handle data received through their API.
6. Sub-processors
We use the following third-party services ("sub-processors") to operate Spodic. Each sub-processor only receives the minimum data necessary for its function:
- Cloudflare, Inc. (United States) — Provides hosting (Cloudflare Pages), serverless compute (Cloudflare Workers), database (Cloudflare D1), file storage (Cloudflare R2), key-value storage for rate limiting (Cloudflare KV), CDN, and DNS. All Service data passes through Cloudflare's network. Cloudflare processes data globally across their network of data centers. See Cloudflare's privacy policy.
- Resend, Inc. (United States) — Handles transactional email delivery. Receives your email address and the content of the sign-in email when you request a magic link. See Resend's privacy policy.
- DeepSeek (China) — Provides AI text processing for the optional summarization feature. Receives only the text content of items you choose to summarize. Does not receive personal data. See DeepSeek's privacy policy.
- Polar (United States) — Serves as our Merchant of Record for payment processing and billing. Receives payment and billing information directly from you when you subscribe to a paid plan. Spodic does not receive or store this financial information. See Polar's privacy policy.
We will update this list if we add or change sub-processors. If we make changes that materially affect how your personal data is processed, we will notify you in advance.
7. International data transfers
Spodic is based in the Netherlands, but our sub-processors operate internationally. Your data may be processed outside the European Economic Area (EEA), including in the United States and China. We take the following measures to ensure adequate protection:
- Cloudflare has committed to Standard Contractual Clauses (SCCs) approved by the European Commission for the transfer of personal data from the EEA to countries not deemed adequate by the Commission. Cloudflare is also certified under the EU-U.S. Data Privacy Framework.
- Resend processes data in the United States. Data transfers are governed by Standard Contractual Clauses (SCCs) included in their data processing terms.
- Polar processes payment data in the United States under their own GDPR-compliant framework as Merchant of Record, including SCCs where applicable.
- DeepSeek is based in China, which has not received an adequacy decision from the European Commission. As described in Section 5, only the text content of items you voluntarily choose to process with AI features is sent to DeepSeek. No personal data (email, account ID, IP address) is transmitted. Use of AI features is entirely optional.
If you have questions about how your data is protected during international transfers, contact [email protected].
8. Data retention
We retain data only for as long as it is necessary for its purpose. Below is a breakdown of our retention practices:
- Account data (email, tier, credits, timestamps): Retained for as long as your account is active. If you delete your account, all account data is permanently deleted within 30 days.
- Reading data and settings: Retained for as long as your account is active. Deleted when you delete your account.
- User content (text and uploaded files): Retained until you individually delete an item, or until you delete your account. Uploaded file binaries are removed from object storage when the associated item or account is deleted.
- Magic link tokens: Expire and become unusable after 15 minutes. Used tokens and expired tokens are cleaned up automatically by the system.
- Session tokens: Expire after 30 days of inactivity. A maximum of 5 active sessions per user is retained; when a new session is created, the oldest session beyond this limit is automatically removed.
- Rate limiting data (IP-based): Stored as temporary counters in a key-value cache. These counters expire automatically, typically within one hour, and are not backed up or archived.
- AI-generated summaries: Stored alongside the original text content of the item for as long as the item exists in your library. Deleted when the item or your account is deleted.
After account deletion, we may retain anonymized, aggregated data (such as total number of items read across all users) that cannot be linked back to any individual. We do not retain identifiable personal data after deletion except where required by law (for example, transaction records for tax compliance, which are held by Polar as Merchant of Record, not by Spodic).
9. Cookies and local storage
Spodic uses a single, strictly necessary cookie:
- spodic_session — An HttpOnly, Secure, SameSite=Lax cookie used to maintain your authenticated session. It contains a randomly generated session token and does not contain your email address or any other personal information. It is set on the .spodic.com domain so it works across spodic.com and api.spodic.com. It expires after 30 days or when you explicitly log out.
The Spodic web application also uses your browser's localStorage to cache settings, reading progress, and library data for offline access and performance. This data stays on your device and is not transmitted to third parties. You can clear it at any time through your browser settings.
We do not use analytics cookies, advertising cookies, social media cookies, or any third-party cookies. Because our single cookie is strictly necessary for the functioning of the Service (authentication), no cookie consent banner is required under the ePrivacy Directive (Directive 2002/58/EC, as amended).
10. Your rights
Under the GDPR and the Dutch UAVG, you have the following rights regarding your personal data. These rights apply to all users, regardless of location, though some rights are specific to EU/EEA residents:
- Right of access (Art. 15): You have the right to request confirmation of whether we process your personal data, and if so, to receive a copy of that data along with information about how and why it is processed.
- Right to rectification (Art. 16): You have the right to request correction of inaccurate personal data, or completion of incomplete data.
- Right to erasure (Art. 17): You have the right to request deletion of your personal data. You can delete your account at any time, which will result in permanent deletion of all associated data within 30 days. You may also request deletion without deleting your account in specific circumstances (for example, if you withdraw consent for a specific type of processing).
- Right to restriction of processing (Art. 18): You have the right to request that we restrict the processing of your personal data in certain circumstances, for example while we verify the accuracy of data you have contested.
- Right to data portability (Art. 20): You have the right to receive your personal data in a structured, commonly used, and machine-readable format (such as JSON or CSV), and to transmit that data to another service provider.
- Right to object (Art. 21): You have the right to object to processing based on our legitimate interests (see Section 4). If you object, we will stop processing unless we can demonstrate compelling legitimate grounds that override your interests.
- Right to withdraw consent (Art. 7(3)): Where processing is based on your consent, you may withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
- Right not to be subject to automated decision-making (Art. 22): Spodic does not make automated decisions that produce legal or similarly significant effects on you. AI summaries are informational tools, not decisions about you.
To exercise any of these rights, email [email protected]. We will verify your identity (typically by confirming ownership of the email address on your account) and respond within 30 days, as required by the GDPR. If your request is complex or we receive a high volume of requests, we may extend this period by an additional 60 days, in which case we will inform you of the extension and the reasons for it within the initial 30-day period.
If you are unsatisfied with our response or believe we are processing your data unlawfully, you have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) at autoriteitpersoonsgegevens.nl. If you reside in a different EU/EEA member state, you may also contact your local supervisory authority.
11. California residents (CCPA/CPRA)
If you are a California resident, the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) provide you with additional rights regarding your personal information. This section uses the term "personal information" as defined under those laws.
Categories of personal information we collect
- Identifiers: Email address.
- Internet or network activity: IP address (temporarily, for rate limiting only), browser user-agent string, pages visited within the Service.
- Commercial information: Subscription tier, purchase history (held by Polar, our payment processor, not stored by Spodic).
We do not collect sensitive personal information as defined by the CPRA (such as Social Security numbers, precise geolocation, racial or ethnic origin, or biometric data).
Your California privacy rights
- Right to know: You may request that we disclose the categories and specific pieces of personal information we have collected about you, the sources of that information, the business purposes for collecting it, and the categories of third parties with whom we share it.
- Right to delete: You may request that we delete personal information we have collected from you, subject to certain legal exceptions.
- Right to correct: You may request correction of inaccurate personal information.
- Right to opt out of sale or sharing: Spodic does not sell your personal information as defined by the CCPA/CPRA. We do not share your personal information for cross-context behavioral advertising. Because we do not engage in these practices, there is no need to opt out, but you retain this right should our practices change.
- Right to non-discrimination: We will not discriminate against you for exercising your privacy rights. You will not receive a different level of service or pricing for making a privacy request.
To exercise these rights, email [email protected]. We will verify your identity before fulfilling any request and respond within 45 days, as required by California law.
12. Children's privacy
Spodic is not directed at children. In accordance with the Dutch UAVG, which sets the minimum age for digital consent at 16, we do not knowingly collect personal data from individuals under the age of 16. We do not have age verification mechanisms because our Service is intended for a general adult audience and does not target or attract minors.
If you believe that a child under 16 has created an account or provided personal data to Spodic, please contact us at [email protected]. We will take steps to verify the report and, if confirmed, promptly delete the account and all associated data.
13. Security
We implement reasonable technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These measures include:
- Encryption in transit: All data transmitted between your browser and the Service is encrypted using HTTPS/TLS. API requests between our services are also encrypted.
- Secure authentication: Session cookies are set with the HttpOnly, Secure, and SameSite=Lax flags to protect the session token against cross-site scripting (XSS) and cross-site request forgery (CSRF). Magic link tokens are single-use and expire after 15 minutes.
- Rate limiting: Automated rate limiting protects against brute-force attacks on authentication endpoints and prevents API abuse.
- Data isolation: Uploaded files are stored in per-user scoped paths in object storage. Database queries enforce user ownership checks, ensuring users can only access their own data.
- Session management: A maximum of 5 concurrent sessions per user is allowed. The oldest session is automatically revoked when this limit is exceeded. Users can log out to immediately invalidate a session.
- Input validation and sanitization: File uploads are validated by type and size. Filenames are sanitized before storage. Request payloads are size-limited to prevent abuse.
- Infrastructure security: Our infrastructure runs on Cloudflare's globally distributed network, which provides DDoS mitigation, a Web Application Firewall (WAF), and automatic TLS certificate management.
No system is perfectly secure, and we cannot guarantee absolute security. We continuously review and improve our security practices. If you discover a security vulnerability in the Service, please report it responsibly to [email protected]. We appreciate responsible disclosure and will work to address verified vulnerabilities promptly.
14. Third-party links
The Service may contain links to third-party websites or services that are not operated by Spodic. This includes articles you import by URL and links within content you upload. If you follow a link to a third-party site, that site's own privacy policy will govern how your data is handled. We have no control over the content, privacy practices, or security of third-party sites, and we are not responsible for them. We encourage you to review the privacy policy of any external site you visit.
15. Do Not Track
Some web browsers transmit a "Do Not Track" (DNT) signal to websites. Because there is no universally accepted standard for how websites should respond to DNT signals, we do not currently change our behavior in response to them. However, as described throughout this policy, we do not engage in tracking, profiling, or cross-site behavioral advertising regardless of any DNT signal.
16. Business transfers
If Spodic is acquired by or merged with another company, or if substantially all of its assets are transferred to another entity, your personal data may be among the assets transferred. In such an event, we will notify you by email or by a prominent notice on the Service before your personal data becomes subject to a different privacy policy. You will have the opportunity to delete your account and data before any such transfer takes effect.
17. Changes to this policy
We may update this privacy policy from time to time to reflect changes in our practices, our sub-processors, or applicable laws. When we make changes, we will revise the "last updated" date at the top of this page. For changes that materially affect how your personal data is processed, we will make reasonable efforts to notify active users by email at least 14 days before the changes take effect.
Your continued use of the Service after the updated policy takes effect constitutes acceptance of the changes. If you do not agree with the updated policy, you should stop using the Service and delete your account.
Previous versions of this policy are available upon request by emailing [email protected].
18. Contact
For any questions, concerns, or requests related to this privacy policy or the processing of your personal data, you can reach us at:
Email: [email protected]
Spodic
The Netherlands
For security-related matters (such as reporting a vulnerability), use [email protected].
For general inquiries and support, use [email protected].