Privacy Policy
Effective May 28, 2026 · Last updated May 28, 2026
Spotr (“Spotr,” “we,” “us”) is a restaurant intelligence service for independent operators. This Privacy Policy describes the information we collect when you join our waitlist or use the Spotr application, how we use that information, who we share it with, how long we keep it, and the choices and rights you have. It applies to thespotr.com and the Spotr application reachable from it (together, the “Service”).
We have written this policy to be specific and readable. If anything is unclear, email privacy@thespotr.com and we will explain.
1. Summary
- We collect the work email and restaurant URL you give us to join the waitlist, the connected-account data you authorize, and a small amount of telemetry needed to run the product.
- We use that data to operate Spotr for you and to ground its recommendations in your own restaurant’s reality.
- We do not sell personal information. We do not use your data or your connected-account data to train general-purpose machine-learning models.
- Spotr’s use of information received from Google APIs adheres to the Google API Services User Data Policy, including its Limited Use requirements.
2. Information we collect
You give us directly
- Waitlist intake. Work email, restaurant website URL, and invite code.
- Account profile. Name, role, restaurant name(s), location(s), and onboarding preferences.
- Operator input. Notes, review-reply drafts, ledger decisions, and feedback recorded inside the Service.
You authorize us to fetch on your behalf
- Google Business Profile (GBP) via the
https://www.googleapis.com/auth/business.managescope. Detailed access table in Section 3. - Point-of-sale (Square, Toast). Catalog, order, and sales data we read to ground recommendations in your own numbers. Operator-initiated; revocable from product settings.
- Public web signals. Competitor menus, local press, permits, and other publicly available context tied to your trade area. No private data about other businesses.
Collected automatically
- Product telemetry. Pages viewed, actions taken, request timing, and error traces, used to keep the product working and to debug issues.
- Device and network. IP address, browser/user agent, and approximate region (derived from IP), used for rate limiting, fraud prevention, and security logging.
- Cookies. First-party cookies only; see Section 9.
3. Google user data — scopes, fields, and purposes
When you connect a Google account, you grant Spotr access only to the scopes you approve on Google’s consent screen. The following table is the complete list of Google scopes Spotr requests, the specific fields we read or write, and the user-facing feature each one powers.
| Scope | Data accessed | User-facing purpose |
|---|---|---|
business.manage | Read: locations, location attributes, recent reviews (rating, text, author display name, timestamp), insights metrics (views, searches, calls, direction requests). Write: review replies you have drafted and explicitly approved by clicking “Post via Google” inside Spotr. | Daily intelligence brief, deep-dive review-response workflow, and operator-initiated posting of review replies to your Google Business Profile. |
openid, email, profile | Your Google account ID, email address, name, and avatar. | Sign-in and account identification. |
Spotr never posts to, edits, or deletes anything on your Google Business Profile without an operator-initiated action inside the Service.
Limited Use compliance
Spotr’s use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:
- We use Google user data only to provide and improve user-facing features of Spotr that are visible and prominent in the requesting application’s user interface.
- We do not transfer Google user data to third parties except as necessary to provide or improve user-facing features, to comply with applicable law, or as part of a merger, acquisition, or sale of assets with notice to users.
- We do not use Google user data for serving advertisements, including retargeting, personalized, or interest-based ads.
- We do not allow humans to read Google user data unless we have your affirmative agreement for specific messages, doing so is necessary for security purposes (such as investigating abuse), to comply with applicable law, or where the data has been aggregated and anonymized for internal operations.
- We do not use Google user data, or data derived from Google user data, to develop, improve, or train generalized AI or machine-learning models.
Revoking Spotr’s Google access
You can disconnect Spotr from your Google account at any time from inside the Service (Settings → Connected accounts) or directly from Google at myaccount.google.com/permissions. Revocation stops new data collection immediately. We delete tokens and cached Google user data within 30 days of revocation unless we are legally required to keep them longer.
4. How we use information
- To operate, secure, and improve the Service.
- To generate your daily brief, deep-dives, and recommendations, and to keep them grounded in your own restaurant’s data.
- To post review replies and other operator-approved actions to connected accounts on your behalf, only when you have explicitly approved each action inside Spotr.
- To send transactional emails (magic links, account notices, security alerts).
- To detect, investigate, and prevent abuse, fraud, and security incidents.
- To comply with legal obligations.
We do not sell your personal information. We do not use your data or your connected-account data to train general-purpose machine-learning models. AI inference performed to produce your intelligence brief uses your data only as the input to that specific inference call.
Automated decision-making
Spotr produces recommendations using AI inference. These are advisory: they are designed to inform operator judgment, not to replace it. We do not make legal or similarly significant decisions about you using solely automated means. If you believe a recommendation has affected you unfairly, contact privacy@thespotr.com and we will review with a human.
5. Legal bases for processing (EU/UK users)
Where the GDPR or UK GDPR applies, we rely on the following legal bases:
- Performance of a contract — to provide the Service you have signed up for.
- Consent — for connecting Google, Square, Toast, or any other third-party account. You can withdraw consent at any time by disconnecting that account.
- Legitimate interests — to keep the Service secure, prevent fraud, and improve product quality, balanced against your rights and freedoms.
- Legal obligation — to comply with applicable law and respond to valid legal process.
6. How we share information
We share information only in the cases below.
- Service providers (subprocessors). Infrastructure vendors that host the Service or process specific workloads on our behalf, bound by contract to use the data only to provide services to us. Our current subprocessor categories are listed in Section 7.
- At your direction. When you connect an account, we exchange data with that platform on your behalf (for example, posting a review reply to Google Business Profile).
- Legal and safety. If required by law, valid legal process, or to protect the rights, safety, or property of Spotr, our users, or the public.
- Corporate transactions. If Spotr is involved in a merger, acquisition, financing, or sale of assets, your information may transfer as part of that transaction; we will give notice of any change in control or use of your information.
We do not sell personal information.
7. Subprocessors
The categories below describe the third parties that process personal data on our behalf as of the date at the top of this policy.
| Category | Purpose | Region |
|---|---|---|
| Hosting and edge compute | Application hosting, CDN, image optimization. | United States |
| Database and authentication | Primary application database, file storage, magic-link authentication. | United States |
| Transactional email | Magic-link delivery, account notices. | United States |
| Payment processing | Billing for paid tiers, processed independently by the payment provider. | United States |
| AI inference | Generating recommendations from your data. Vendors are contractually prohibited from training general-purpose models on your data. | United States |
| Error monitoring and analytics | Crash reporting and aggregated usage analytics used to keep the product working. | United States |
To request the current list of named subprocessors, email privacy@thespotr.com.
8. Retention
| Data | Retention period |
|---|---|
| Waitlist intake records | Until you ask us to delete them, or until you become an active operator (in which case the record is replaced by your account record). |
| Account and product data | For the life of your account. After you close your account, we delete or de-identify it within a commercially reasonable period (generally within 90 days), except where we are required to retain it longer. |
| Connected-account tokens (Google, Square, Toast) | Until you disconnect, after which we remove them within a reasonable period (generally within 30 days). |
| Cached connected-account data | Refreshed on a rolling basis; removed within a reasonable period after disconnection or account deletion. |
| Telemetry and security logs | Retained only as long as needed for security, debugging, and operations — generally up to 13 months — then deleted or aggregated. |
| Billing records | Retained as required by tax and accounting law (typically seven years). |
We may retain information longer where required by law or to preserve evidence of fraud or abuse.
9. Cookies and similar technologies
Spotr uses a small number of first-party cookies. We do not use third-party advertising or cross-site tracking cookies.
| Cookie | Purpose | Lifetime |
|---|---|---|
| Session | Keeps you signed in after a successful magic-link exchange. | Until you sign out or the session expires. |
| CSRF | Protects sensitive form submissions. | Session. |
| Preferences | Remembers minor UI choices such as collapsed panels. | Up to one year. |
Spotr honors Global Privacy Control (GPC) signals where required by law and treats them as an opt-out of any sale or sharing of personal information for cross-context behavioral advertising — a sale or share we do not engage in to begin with.
10. Security
We protect data in transit with TLS and at rest with encryption provided by our infrastructure vendors. Access to production data is limited to a small number of personnel and is logged. We monitor for suspicious activity and maintain an internal incident response process. If we determine that a security incident has materially affected your personal data, we will notify you and, where required, the relevant supervisory authority, in line with applicable law.
No online service is perfectly secure. Use a strong, unique password, keep your devices up to date, and notify us promptly at security@thespotr.com if you suspect a compromise.
11. Your rights and choices
Depending on where you live, you have some or all of the following rights with respect to your personal data:
- Access — receive a copy of the personal data we hold about you.
- Correction — ask us to correct inaccurate or incomplete data.
- Deletion — ask us to delete personal data (subject to legal retention requirements).
- Portability — request a portable copy of data you provided us.
- Restriction or objection — ask us to limit or stop certain processing.
- Withdraw consent — where we rely on consent, withdraw it at any time without affecting prior processing.
- Lodge a complaint — with your local data protection authority. EU/UK users may also complain to their national supervisory authority.
To exercise any of these rights, email privacy@thespotr.com from the address associated with your account. We verify your identity before acting on a request and respond within the timeframe required by applicable law (generally within 30 to 45 days). Some rights are subject to legal exceptions and to our retention obligations.
California residents (CCPA / CPRA)
California residents have additional rights under the California Consumer Privacy Act, as amended by the CPRA:
- The right to know the categories and specific pieces of personal information we collect, the sources, the business purposes, and the third parties with whom we share it. Those categories are described in Sections 2, 4, 6, and 7.
- The right to delete personal information, subject to exceptions.
- The right to correct inaccurate personal information.
- The right to limit use and disclosure of sensitive personal information.
- The right to opt out of the sale or sharing of personal information. Spotr does not sell or share personal information as those terms are defined under the CCPA.
- The right to non-discrimination for exercising any of these rights.
To submit a verifiable consumer request, email privacy@thespotr.com. Authorized agents may submit requests on a consumer’s behalf with written authorization that we can verify.
12. Children
Spotr is built for restaurant operators and is not directed to children. We do not knowingly collect personal information from children under 13 (or, where applicable, under the higher minimum age set by local law — for example, 16 in parts of the EU/UK and EEA). If you believe a child has provided us with personal information, contact privacy@thespotr.com and we will delete it.
13. International transfers
Spotr is operated from the United States. If you access the Service from outside the United States, your information will be transferred to, stored, and processed in the United States. Where we transfer personal data of EU/UK/EEA users out of those regions, we rely on legally recognized transfer mechanisms such as the European Commission’s Standard Contractual Clauses or the UK International Data Transfer Addendum.
14. Changes to this policy
We may update this Privacy Policy from time to time. When we do, we will update the “Last updated” date above and, for material changes, notify you by email or through the Service before the change takes effect. Continued use of the Service after the effective date of an update constitutes acceptance of the updated policy.
15. Contact
Privacy questions or rights requests: privacy@thespotr.com. Security issues: security@thespotr.com. General contact: hello@thespotr.com.