Privacy Policy
Your privacy matters to us. This policy explains how Spoyy collects, uses, and protects your personal data.
Last updated: February 26, 2026
Table of Contents
1. Data Controller
The data controller responsible for processing your personal data is:
Spoyy (“we”, “us”, “our”) operates the Spoyy platform (spoyy.com), a content creator and brand campaign management platform. This Privacy Policy describes how we collect, use, store, and protect your personal data when you use our services.
2. Data We Collect
2.1 Account Information
When you register, we collect:
- Full name
- Email address
- Password (stored encrypted, never in plain text)
- Profile avatar
- Selected interests and content categories
2.2 Profile Information (Content Creators)
Content creators may optionally provide:
- Gender
- Date of birth
- Portfolio bio and links
- Additional biographical information
2.3 Social Media Platform Data
When you connect your social media accounts (Instagram, Facebook, TikTok, YouTube), we receive data from those platforms through their official APIs. This data is detailed in Section 3 (Meta Platform Data) below.
2.4 Usage Data
We automatically collect:
- Session data (login times, browser type)
- Pages visited within the platform
- Campaign interactions (applications, favorites)
3. Meta Platform Data
This section specifically addresses data we receive from Meta Platforms, Inc. (“Meta”) through their APIs, as required by Meta’s Platform Terms.
3.1 Instagram Business Data
When you connect your Instagram Business account, we access:
- Account information: account type, Instagram user ID, username, display name
- Profile media: profile picture URL
- Account metrics: follower count, following count, media (post) count
Permissions requested: instagram_business_basic, instagram_business_manage_comments, instagram_business_manage_insights
3.2 Facebook Data
When you connect your Facebook account, we may access:
- Basic profile: name, profile picture, profile link
- Demographics: gender, birthday, age range, hometown, current location
- Interests: likes, favorite athletes, favorite teams, inspirational people
- Other: languages spoken, website, quotes
3.3 How We Use Meta Platform Data
We use Meta Platform Data exclusively to:
- Verify your identity as a content creator
- Display your social media profile information on your Spoyy creator profile
- Help brands evaluate content creators for campaign partnerships based on audience metrics
- Provide you with a seamless login experience via social authentication
3.4 Meta Platform Data Restrictions
In accordance with Meta’s Platform Terms, we:
- Do not sell, license, or purchase Meta Platform Data
- Do not transfer Meta Platform Data to any ad network, data broker, or other advertising or monetization-related service
- Do not place Meta Platform Data in a search engine or directory
- Do not use Meta Platform Data for surveillance
- Will delete all Meta Platform Data related to a user upon their request or when it is no longer necessary for the purpose for which it was collected
3.5 Token Management
We store OAuth access tokens securely to maintain your connection with Meta’s services. Instagram Business tokens are exchanged for long-lived tokens (valid for 60 days) and refreshed automatically. You can revoke access at any time by disconnecting your account from your Spoyy profile settings, or directly through Meta’s settings.
4. Legal Basis for Processing
Under the General Data Protection Regulation (GDPR) and applicable Serbian data protection law (Zakon o zaštiti podataka o ličnosti), we process your personal data on the following legal bases:
- Consent (Article 6(1)(a) GDPR): When you connect your social media accounts, you explicitly consent to us accessing and processing the data from those platforms. You may withdraw consent at any time.
- Contract Performance (Article 6(1)(b) GDPR): Processing your account data is necessary to provide you with the Spoyy platform services, including campaign matching and creator profiles.
- Legitimate Interest (Article 6(1)(f) GDPR): We process usage data to improve our services, ensure platform security, and prevent fraud.
- Legal Obligation (Article 6(1)(c) GDPR): We may process data to comply with applicable laws and regulations.
5. How We Use Your Data
We use your personal data to:
- Create and manage your Spoyy account
- Build your content creator profile visible to brands
- Match content creators with relevant brand campaigns
- Facilitate campaign applications and collaboration
- Display verified audience metrics to potential brand partners
- Send you notifications about campaign updates and platform news
- Provide customer support
- Improve and secure our platform
- Comply with legal obligations
6. Data Sharing & Third Parties
We may share your personal data with:
- Brands and Companies on Spoyy: When you apply to a campaign, the brand can see your public creator profile, including connected social media metrics. They cannot access your private data, OAuth tokens, or raw Meta Platform Data.
- Hosting & Infrastructure Providers: Our servers and databases are hosted by third-party providers who may have access to data as part of providing their services. These providers are bound by data processing agreements.
- Legal Requirements: We may disclose data if required by law, court order, or governmental request.
We do not sell your personal data to third parties. We do not share Meta Platform Data with advertising networks, data brokers, or any unrelated third parties.
7. Data Retention
- Account Data: Retained for as long as your account is active. Upon account deletion, we remove your personal data within 30 days, except where retention is required by law.
- Social Media Platform Data: Retained while your social accounts are connected. When you disconnect a platform or revoke access via Meta, the associated platform data (tokens, profile data, metrics) is deleted.
- Meta Platform Data: Deleted promptly upon receiving a data deletion callback from Meta, or when you disconnect your Meta-linked account. We retain only a confirmation code for audit purposes.
- Campaign Data: Campaign-related data (applications, messages) may be retained for legitimate business purposes and legal compliance.
8. Your Rights Under GDPR
As a data subject, you have the following rights:
- Right of Access (Article 15): You can request a copy of all personal data we hold about you.
- Right to Rectification (Article 16): You can update or correct inaccurate data through your profile settings or by contacting us.
- Right to Erasure (Article 17): You can request deletion of your personal data. See Section 9 for the deletion process.
- Right to Restriction (Article 18): You can request that we limit the processing of your data in certain circumstances.
- Right to Data Portability (Article 20): You can request your data in a machine-readable format.
- Right to Object (Article 21): You can object to processing based on legitimate interests.
- Right to Withdraw Consent: You can withdraw consent at any time by disconnecting your social media accounts or contacting us.
To exercise any of these rights, contact us at info@spoyy.com. We will respond within 30 days.
You also have the right to lodge a complaint with the Serbian Commissioner for Information of Public Importance and Personal Data Protection (Poverenik za informacije od javnog značaja i zaštitu podataka o ličnosti).
9. Data Deletion
9.1 Deleting Your Account
You can request complete deletion of your account and all associated data by contacting us at info@spoyy.com.
9.2 Disconnecting Social Media Accounts
You can disconnect individual social media accounts from your Spoyy profile at any time through your account settings. This will delete the associated platform data (profile information, metrics, and tokens).
9.3 Meta Data Deletion Callbacks
When you remove the Spoyy app from your Meta (Facebook/Instagram) account settings, Meta sends us an automated data deletion request. Upon receiving this request, we:
- Delete all stored Meta Platform Data associated with your account
- Remove any locally stored avatars from Meta
- Delete your platform connection record
- Provide a confirmation code for you to verify the deletion status
You can check the status of a Meta data deletion request at spoyy.com/data-deletion/status/[confirmation-code]
10. Data Security
We implement appropriate technical and organizational measures to protect your data:
- All data transmitted between your browser and our servers is encrypted using TLS/SSL
- Passwords are hashed using industry-standard algorithms and never stored in plain text
- OAuth tokens are stored encrypted in our database
- Access to personal data is restricted to authorized personnel only
- We regularly review and update our security practices
- Meta webhook requests are validated using signed request verification
11. Cookies
We use only essential cookies that are strictly necessary for the functioning of our platform:
- Session cookie: Maintains your login session and authentication state
- CSRF token: Protects against cross-site request forgery attacks
- Language preference: Remembers your selected language
- Theme preference: Remembers your dark/light mode setting
We do not use advertising cookies, tracking cookies, or third-party analytics cookies. No data is shared with advertising networks through cookies.
12. Children's Privacy
Spoyy is not intended for individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child under 18, we will take steps to delete that information promptly.
13. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or for legal, operational, or regulatory reasons. When we make material changes, we will notify you by:
- Updating the “Last updated” date at the top of this page
- Sending a notification through the platform for significant changes
We encourage you to review this Privacy Policy periodically.