Privacy Policy

Last updated: January 2026

StateSpine is built on a simple principle: your data is yours. This privacy policy explains what data we collect, why we collect it, and how we protect it.

The short version: We collect the minimum data necessary to provide the service. Your code stays on your machine unless you explicitly sync it. We never sell your data. We never will.

1. Data We Collect

1.1 Account Information

When you create a StateSpine account, we collect:

  • Email address (required for account creation and communication)
  • Name (optional, used for personalization)
  • Birthday month (optional, used for birthday discount — we don't store the day or year)
  • Password (stored hashed, never in plain text)

1.2 Payment Information

If you subscribe to a paid plan, payment processing is handled by Stripe. We do not store your full credit card number. Stripe provides us with:

  • Last four digits of your card (for display purposes)
  • Card expiration date
  • Billing address

1.3 Usage Data

We collect anonymized usage data to improve StateSpine:

  • Feature usage (which features you use, not what you build with them)
  • Performance metrics (crash reports, load times)
  • Error logs (to fix bugs)

This data is anonymized and cannot be used to identify you or your projects. You can opt out of anonymized data collection in settings.

1.4 Your Code and Projects

Your code never leaves your machine unless you explicitly choose to sync it.

StateSpine is a local-first application. By default:

  • All project files are stored locally on your computer
  • All version history is stored locally
  • All AI embeddings are generated and stored locally
  • We cannot access your code

If you enable cloud sync (a paid feature), your synced projects are:

  • Encrypted end-to-end before leaving your device
  • Stored encrypted on our servers
  • Only decryptable by you with your encryption key

2. How We Use Your Data

We use your data to:

  • Provide and maintain the StateSpine service
  • Process payments and manage subscriptions
  • Send essential communications (password resets, security alerts, billing)
  • Improve the product based on anonymized usage patterns
  • Provide customer support

We do NOT:

  • Sell your data to third parties
  • Use your code to train AI models
  • Share your personal information with advertisers
  • Send marketing emails without explicit consent

3. Data Storage and Security

3.1 Local Data

Data stored locally on your machine is protected by your operating system's security features. We recommend enabling full-disk encryption on your device.

3.2 Cloud Data

Data stored in the cloud (account information, synced projects) is:

  • Stored on servers in secure data centers
  • Encrypted at rest using AES-256
  • Transmitted over encrypted connections (TLS 1.3)
  • Backed up regularly with encrypted backups

3.3 Access Controls

Access to user data is strictly limited to:

  • Automated systems that need it to provide the service
  • Support staff, only when you request help and grant access
  • No one else, ever

4. Third-Party Services

StateSpine uses the following third-party services:

  • Supabase: Account management and authentication
  • Stripe: Payment processing
  • Anthropic (Claude): Cloud AI features (optional, only processes data you explicitly send)

Each of these services has its own privacy policy. We've selected them for their strong privacy and security practices.

5. Your Rights

You have the right to:

  • Access: See all data we have about you
  • Export: Download all your data in a standard format
  • Correct: Fix any inaccurate information
  • Delete: Request deletion of your account and all associated data
  • Opt-out: Disable anonymized data collection

To exercise these rights, contact us at privacy@statespine.com.

6. Data Retention

We retain your data for as long as your account is active. If you delete your account:

  • Account information is deleted within 30 days
  • Synced projects are deleted immediately
  • Payment records are retained for 7 years (legal requirement)
  • Anonymized usage data may be retained indefinitely

7. Children's Privacy

StateSpine is not intended for children under 13. We do not knowingly collect personal information from children under 13. If you believe we have collected such information, contact us immediately.

8. International Data Transfers

StateSpine is operated from Australia. If you're accessing from outside Australia, your data may be transferred to and processed in Australia or other countries where our service providers operate. We ensure appropriate safeguards are in place for such transfers.

9. Changes to This Policy

We may update this privacy policy from time to time. We will notify you of any material changes via email or through the application. Continued use of StateSpine after changes constitutes acceptance of the updated policy.

10. Contact Us

If you have any questions about this privacy policy or how we handle your data, contact us at:

Our commitment: We built StateSpine because we believe tools should respect their users. That means respecting your privacy, being transparent about data practices, and never compromising your trust for profit.