Skip to content

Privacy Policy

Last updated:

SpotRez ("SpotRez," "we," "us," or "our") operates the SpotRez service ("Service"). This Privacy Policy explains what personal data we collect, why, how we use it, who we share it with, and your rights. This policy is part of our Terms of Service. The legal entity that operates the Service and acts as data controller is identified in Section 14.

1. Information We Collect

1.1 Account Information

When you create an account through Clerk (our authentication provider), we collect:

  • Email address (required): for account identification, notifications, billing, and recovery
  • Name (optional): displayed in your dashboard
  • Timezone: to display times in your local zone

If you sign up via Google OAuth, Clerk receives your Google profile (name, email, photo). We store only your email and name.

1.2 Payment Information

All payment processing is handled by Stripe. We never receive, transmit, or store your credit card number or payment credentials. From Stripe, we store: a Stripe customer ID, pass purchase records (transaction amounts and dates), and Stripe payment intent IDs.

1.3 Alert Preferences

When you create a monitoring alert, we store:

  • Restaurant selection, date range, party size
  • Meal type and time window preferences
  • Notification channel preferences (email, push)

1.4 Notification Data

  • Contact methods: email addresses you add for notifications, with verification status
  • Push subscriptions: if you enable web push, we store the push endpoint URL, encryption keys (p256dh and auth), and browser user agent required by the Web Push protocol
  • Notification history: channel, delivery status, timestamps, and any error information

1.5 Usage Data

  • Active passes, their speed tiers, and remaining watch counts
  • Pass purchase history (one-time purchases, watch usage, refunds when applicable)
  • Alert creation history, check counts, and hit counts
  • Account creation and modification timestamps

1.6 Technical and Security Data

  • Audit logs: records of significant account actions (admin operations), including IP address and user agent, retained for security
  • Abuse detection: IP addresses, violation type, and severity when rate limits or abuse rules are triggered
  • Server logs: standard HTTP logs (IP address, browser, pages visited, timestamps) generated by our hosting provider
  • Error reports: our error tracking service captures technical context (browser state, request information, stack traces) when errors occur. For error sessions, the service may record a session replay of user interactions at the time of the error to help diagnose the issue.
  • Analytics: our analytics tools collect anonymous page view metrics and aggregated usage events (pages visited, features used). They respect browser privacy signals where supported.

2. How We Use Your Information

  • Service delivery: creating alerts, monitoring availability, sending notifications
  • Billing: processing one-time pass purchases and handling refunds through Stripe
  • Transactional communications: account confirmations, alert notifications, billing receipts, security notices. These cannot be opted out of while your account is active.
  • Marketing: with your consent, information about new features or promotions. You may unsubscribe at any time (Section 12).
  • Service improvement: understanding usage patterns and fixing issues. Analytics data is not used to build advertising profiles.
  • Security: detecting fraud, unauthorized access, rate limit violations, and abuse
  • Legal compliance: responding to lawful requests and obligations

3. Legal Basis for Processing (GDPR)

For users in the EEA, UK, and other jurisdictions requiring a legal basis:

Processing ActivityLegal Basis
Account creation and managementContract performance (Art. 6(1)(b))
Alert monitoring and notificationsContract performance (Art. 6(1)(b))
Payment processing and billingContract performance (Art. 6(1)(b))
Transactional emailsContract performance (Art. 6(1)(b))
Marketing emailsConsent (Art. 6(1)(a)): withdrawable at any time via unsubscribe link
Analytics and service improvementLegitimate interest (Art. 6(1)(f))
Security and abuse preventionLegitimate interest (Art. 6(1)(f))
Billing record retention (7 years)Legal obligation (Art. 6(1)(c)): tax reporting requirements

Where we rely on legitimate interest, we have conducted a balancing test. You may object to processing based on legitimate interest (Section 7).

4. Who We Share Data With

We share personal data with third-party service providers as needed to operate the Service. Each provider receives only the minimum data necessary for its function.

  • Clerk (authentication): receives your email, name, and login sessions. You interact with Clerk directly when signing in.
  • Stripe (payments): receives your email and payment details. You enter payment information directly into Stripe's secure checkout. We never see or store your card number.
  • Cloud infrastructure providers: host our database, caching, and background workers. These providers store or process platform data on our behalf in the United States.
  • Email delivery provider: receives recipient email addresses and notification content to deliver alerts and transactional emails.
  • Analytics and error monitoring tools (including Google Analytics for aggregate, cookieless traffic measurement): receive anonymized usage events and error reports (including session replays when errors occur) to help us improve the Service. Our analytics set no cookies and respect the Do Not Track browser setting.
  • Hosting provider: generates standard server logs (IP address, request paths, user agent) and collects anonymous performance metrics.

We do not sell, rent, or trade your personal data for marketing or advertising. We may disclose information if required by law, court order, or to protect rights and safety.

5. Cookies and Tracking

We use only cookies that are essential for the Service to function:

  • Clerk session cookie: maintains your login session. Cannot be disabled without losing authenticated features.

Our analytics, where enabled, operate in cookieless mode and respect browser privacy signals. When privacy signals are on, no analytics data is collected. We do not use advertising cookies, retargeting pixels, or cross-site tracking.

6. Data Retention

Data CategoryRetentionBasis
Active account dataUntil you delete your accountContract performance
Deleted account dataDeleted or anonymized within a reasonable periodGDPR Art. 17
Billing and transaction records7 yearsTax reporting (IRS)
Notification logs30 daysOperations and support
Audit logs (admin actions)365 daysChargeback support and operator audit trail
Audit logs (system or user-initiated)90 daysSecurity
Abuse records90 days (resolved), account lifetime (unresolved)Fraud prevention
Error reports90 daysReliability
Server logsPer our hosting provider's policy (typically 30 days)Infrastructure

Account Deletion

When you delete your account (Dashboard → Account → "Delete My Account"):

  1. Your account is immediately disabled and alerts are deactivated
  2. Personally identifiable information is deleted or anonymized within a reasonable period
  3. Billing records are retained in anonymized form for tax compliance
  4. We initiate deletion with third-party processors (Clerk, Stripe) on your behalf, subject to their processes

7. Your Privacy Rights

7.1 GDPR Rights (EEA and UK Residents)

References to GDPR in this policy include the UK General Data Protection Regulation (UK GDPR) as retained under the UK Data Protection Act 2018.

  • Access (Art. 15): request a copy of your data
  • Rectification (Art. 16): correct inaccurate data
  • Erasure (Art. 17): request deletion, subject to legal retention obligations
  • Restriction (Art. 18): limit processing in certain circumstances
  • Portability (Art. 20): receive your data in JSON format via Dashboard → Account → "Export My Data"
  • Object (Art. 21): object to processing based on legitimate interest or for direct marketing
  • Withdraw consent (Art. 7(3)): for marketing emails, via unsubscribe link
  • Lodge a complaint with your local data protection authority

We do not make decisions based solely on automated processing that produce legal or similarly significant effects.

7.2 CCPA Rights (California Residents)

  • Right to know: what personal data we collect, from what sources, for what purposes, and with whom we share it
  • Right to delete: request deletion, subject to legal exceptions
  • Right to correct: request correction of inaccurate personal information
  • Right to opt-out of sale: we do not sell or share your data for cross-context behavioral advertising
  • Non-discrimination: we will not penalize you for exercising your rights

7.3 Exercising Your Rights

Most rights can be exercised through your dashboard:

  • Export data: Dashboard → Account → "Export My Data"
  • Update info: Dashboard → Account
  • Delete account: Dashboard → Account → "Delete My Account"
  • Unsubscribe from marketing: unsubscribe link in any marketing email

For other requests, email privacy@spotrez.com. We will verify your identity and respond within 30 days (extendable by 30 days with notice).

8. Children's Privacy

The Service is not directed to children under 13 (or under 16 in the EEA/UK). We do not knowingly collect data from children under these ages, per COPPA and GDPR Article 8. If you believe a child has created an account, contact privacy@spotrez.com and we will delete the account promptly.

9. International Data Transfers

The Service is operated from the United States. If you access it from the EEA, UK, Switzerland, or other regions with cross-border transfer restrictions, your data will be transferred to and processed in the US.

Safeguards for international transfers:

  • Our primary processors maintain Standard Contractual Clauses (SCCs) or equivalent mechanisms for EEA/UK to US transfers
  • Our payment processor (Stripe) is certified under the EU-US Data Privacy Framework
  • All data in transit is encrypted via TLS (HTTPS)

10. Data Security

We protect your data with encryption in transit (TLS) and at rest (AES-256, SOC 2 Type II certified database), parameterized queries (preventing SQL injection), input validation on all API endpoints, role-based access controls with audit logging, and cryptographic webhook signature verification. Authentication and payment processing are handled by dedicated third-party providers under PCI DSS Level 1 compliance. We never store passwords or payment card data.

No method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security.

11. Breach Notification

U.S. residents: We will notify affected residents within the timeframes required by applicable state breach notification laws (typically within 30 to 60 days of discovery) and notify the relevant state attorney general where required.

GDPR (Art. 33/34): We will notify the relevant supervisory authority within 72 hours. If the breach poses high risk, we will notify affected individuals without undue delay.

12. Email Communications (CAN-SPAM)

We comply with the CAN-SPAM Act (15 U.S.C. § 7701). Every marketing email includes a one-click unsubscribe link (honored within 10 business days), our physical address, and accurate sender and subject information.

Transactional emails (alert notifications, confirmations, receipts, security notices) are essential to the Service and will be sent while your account is active. Marketing emails require your consent and always include an unsubscribe option. Unsubscribing from marketing does not affect transactional emails.

13. Changes to This Policy

For material changes, we will email you at least 30 days before they take effect. The revised policy will be posted here with an updated date. Continued use after the effective date constitutes acknowledgment.

14. Contact & Legal Entity

14.1 Contact

Privacy inquiries: privacy@spotrez.com
Support: support@spotrez.com
Mail: 1000 Brickell Avenue, Suite #715-114, Miami, FL 33133

We respond to privacy inquiries within 30 days. EEA/UK residents may lodge a complaint with their local data protection authority.

14.2 Legal Entity and Data Controller

SpotRez is a service operated by R&R Labs LLC, a Florida limited liability company. R&R Labs LLC is the data controller for personal information processed through the Service. The mailing address shown above is the contact address for both general inquiries and data-protection matters.