Privacy Policy
Last updated July 13, 2026
This Privacy Policy explains how Digital Spoiler handles your personal data when you use our website at digitalspoiler.com, contact us about becoming a customer, or use the Digital Spoiler service. We do not store your card details ourselves: payments are processed securely by our payment processor, Stripe.
1. Who we are
The data controller responsible for your personal data is 38Shift Ltd, operating as Digital Spoiler. You can reach us about anything in this policy, including any request to exercise your rights, at [email protected].
Our postal address is 128 City Road, London EC1V 2NX. If you contact us about a privacy matter, please use the same email address associated with your account so we can verify your identity.
2. What data we collect
We keep data collection deliberately minimal. We collect:
- Contact details: your name, work email, and company when you write to us through the get-started or talk-to-sales forms, used to reply and set up your workspace.
- Account and workspace data: your Google sign-in profile (name, email, profile image) and the business information you give the service so it can find leads for you.
- Payment metadata: when your subscription begins, our payment processor Stripe handles the card transaction. Card details go directly to Stripe and never touch our servers. We receive only limited metadata such as a payment reference, amount, status, and card brand and last four digits. We never see or store your full card number, CVC, or other full card data.
- Marketing consent: a record of whether you opted in to marketing email, including the text you agreed to and a timestamp.
- Source and campaign data: UTM and referral parameters that tell us how you found us, so we can understand which channels work.
- Aggregate analytics: privacy-friendly, aggregated usage measurements about how the site is used (see Section 5).
3. Why we use your data and our lawful basis
We process your data on these legal bases:
- Performance of a contract: to respond to your enquiry, set up and operate your workspace, manage your founding subscription and its pricing, and issue refunds.
- Legitimate interests: to operate, secure, and improve our site, understand our acquisition channels, and prevent fraud and abuse, balanced against your rights.
- Consent: to send you marketing email. You give this consent by explicitly opting in, and you can withdraw it at any time without affecting your subscription.
4. Sub-processors
We share personal data only with the service providers we rely on to run Digital Spoiler. Each is bound by a data processing agreement and may process data outside your country. Where data is transferred internationally, it is covered by appropriate safeguards such as the EU Standard Contractual Clauses.
- Railway: our cloud hosting and Postgres database (EU region), where your account, workspace, and lead data are stored.
- Stripe: our payment processor for subscription billing. Card details go directly to Stripe and never touch our servers. Stripe is certified to PCI-DSS Level 1, the highest level. For payment data, Stripe acts both as our processor and, for its own fraud-prevention and legal-compliance duties, as an independent data controller; its handling of that data is governed by Stripe's Privacy Center and Data Processing Agreement, including Standard Contractual Clauses for international transfers.
- Google: sign-in (OAuth). We receive your name, email, and profile image to authenticate you.
- Anthropic: the AI provider powering the in-app assistant; your prompts and relevant workspace context are processed to generate responses.
- Resend: our transactional email provider, used to deliver sign-in, notification, and account emails.
- Google Analytics: measures how the site is used so we can improve it. In the EEA, UK, and Switzerland its cookies stay off until you accept them in our banner (see Section 5). Data may be transferred outside your country under Standard Contractual Clauses.
5. Cookies & analytics
We use Google Analytics, which does set cookies. We run it with Google Consent Mode, so if you are in the EEA, the UK, or Switzerland its analytics and advertising cookies stay switched off until you choose Accept in the banner shown on your first visit. Choose No thanksand no Google Analytics cookies are set; the site works exactly the same. You can change your mind at any time by clearing this site's cookies and site data in your browser, which brings the banner back. We may also use a small number of strictly necessary cookies where needed to make the site function securely; these do not require consent.
6. Data retention
We keep your personal data for as long as your enquiry is open or your subscription is active. After that, we retain only what we must to meet legal, tax, and accounting obligations (for example, billing and refund records), and then we delete or anonymize it. If you ask us to delete your data, we honor that request subject to those legal retention requirements.
7. Your rights
Depending on where you live, you have rights over your personal data. Under the GDPR you may request access to your data, rectification of inaccurate data, erasure, portability, restriction or objection to certain processing, and you may withdraw consent to marketing at any time.
Under the CCPA, California residents have the right to know what personal information we hold, to request its deletion, and to opt out of the sale of personal information. We do not sell your personal data, and we never have.
To exercise any of these rights, email us at [email protected]. We will respond within the timeframe required by applicable law. You also have the right to complain to your local data protection authority.
8. Marketing email
We send marketing email only to people who have given explicit opt-in consent. Every marketing email includes a one-click unsubscribe link and our postal address, so you can stop receiving these messages at any time. Unsubscribing from marketing does not affect service messages about your account, subscription, or a refund.
9. Changes & contact
We may update this Privacy Policy as our product and legal requirements evolve. When we make material changes, we will update the date at the top of this page and, where appropriate, notify you by email. If you have any questions about this policy or how we handle your data, contact 38Shift Ltd at [email protected] or by post at 128 City Road, London EC1V 2NX.