Privacy Policy

Your photos, your data, your rules.

Here is exactly what we collect, why we collect it, and what you can do about it. No fine print tricks.

Last updated: March 16, 2026

1. Who We Are

Spreadu is operated by Visual Playground SL ("we", "us", "our"), a company registered in the European Union. We are the data controller for your personal data processed through the Service.

You can reach us at [email protected].

2. What We Collect

Account information

Your name, email address, and password hash when you register. If you sign in with a social provider (Google, etc.), we receive your name, email, and profile picture from that provider.

Photos and album designs

The photos you upload and the album layouts you create. We process these solely to provide the Service. We do not use your photos for AI training, advertising, or any purpose beyond delivering the features you use.

Usage data

We collect anonymous usage analytics (pages visited, features used, performance metrics) to improve the product. This data is processed by PostHog and cannot be used to identify you personally.

Payment information

Payment details are handled entirely by our payment processor. We store only a transaction reference and your subscription status. We never see or store your full card number.

Support conversations

When you contact us, we keep the conversation so we can provide better support and improve the Service.

4. How We Use Your Data

We use your personal data to:

  • Provide, maintain, and improve the Service
  • Process your photos and generate album layouts
  • Send transactional emails (account verification, password resets, subscription updates)
  • Send product updates and tips (only if you opt in; you can unsubscribe anytime)
  • Respond to support requests
  • Detect and prevent fraud or abuse
  • Comply with legal obligations

5. Who We Share Data With

We do not sell your data. Full stop. We share data only with:

  • Infrastructure providers: Cloud hosting (Hetzner, EU-based), storage, and CDN services necessary to run the platform
  • Payment processor: To handle subscriptions and billing
  • Analytics: PostHog for anonymized usage data
  • Email delivery: Resend, for transactional and marketing emails

All processors are bound by data processing agreements and GDPR-compliant terms. We only share what is strictly necessary for each service to function.

6. Where Your Data Lives

Your data is stored on servers located in the European Union. We protect it with:

  • Encryption in transit (TLS/HTTPS) and at rest
  • Regular security updates and monitoring
  • Access controls and authentication for all internal systems
  • Regular backups with point-in-time recovery

No system is 100% secure, but we take every reasonable step to protect your data. If a breach occurs that affects your personal data, we will notify you and the relevant authorities within 72 hours as required by GDPR.

7. Your Rights

Under GDPR and applicable privacy laws, you have the right to:

  • Access: Request a copy of the personal data we hold about you
  • Rectification: Correct inaccurate data
  • Erasure: Request deletion of your data ("right to be forgotten")
  • Portability: Receive your data in a structured, machine-readable format
  • Restriction: Limit how we process your data
  • Objection: Object to processing based on legitimate interest
  • Withdraw consent: For any processing based on consent, at any time

You can exercise most of these directly from your account settings. We also provide a GDPR export tool that packages all your data for download.

For any request, email [email protected]. We'll respond within 30 days.

8. Cookies

We keep cookies minimal:

  • Essential cookies: Session authentication and security. Required for the Service to function. Can't be disabled.
  • Analytics cookies: Anonymous usage tracking via PostHog. You can opt out anytime from your account settings or browser.

We do not use advertising cookies or third-party tracking cookies. For full details, see our Cookie Policy.

9. How Long We Keep Your Data

We keep your data only as long as necessary:

  • Account data: While your account is active, plus 30 days after deletion for recovery
  • Photos and designs: Until you delete them or close your account
  • Analytics data: Aggregated and anonymized data may be retained indefinitely
  • Payment records: As required by tax law (typically 7 years)
  • Support conversations: 2 years after last contact

10. Children's Privacy

Spreadu is not intended for children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us and we will delete it promptly.

11. International Transfers

Your data is primarily stored and processed within the European Union. If any data needs to be transferred outside the EU (for example, to service providers), we ensure appropriate safeguards are in place, such as Standard Contractual Clauses approved by the European Commission.

12. Changes to This Policy

We may update this policy from time to time. For significant changes, we'll notify you via email or an in-app notice at least 30 days before they take effect. Minor clarifications may happen without notice.

13. Questions?

Something about your privacy you'd like to know? We're here.

You also have the right to lodge a complaint with your local data protection authority.