Spinstack Privacy Policy

Last updated: March 10, 2026

DocMap Inc. (d/b/a "Spinstack") ("Spinstack," "we," "us," "our") respects your privacy. This Policy explains how we collect, use, disclose, and protect Personal Data when you use the Platform.

"Personal Data" means information that identifies or relates to an identifiable individual.

1. Scope

This Policy applies when you:

  • visit spinstack.dev (and subdomains),
  • create an account,
  • build, publish, purchase, or run Agents/Products,
  • call Spinstack APIs or use app pages,
  • connect Stripe (Creators),
  • interact with Tools integrated into Agents.

2. Data We Collect

2.1 Categories

Account & Contact

name, email, password hash, phone number, profile info; one-time passcodes (OTPs) are generated and transmitted via Twilio but are not stored by Spinstack after verification

Business & Compliance (Creators)

business name, EIN, beneficial owner info, government ID (collected primarily by Stripe)

Payment & Payout

Stripe transaction IDs, payout status, fees, dispute/chargeback data (from Stripe)

Agent & Product Configuration

agent definitions (steps/nodes), prompts, tool selections, parameters, product listings, pricing, version history

Runtime Inputs/Outputs

Buyer inputs (queries), step inputs/outputs, Tool responses, extracted web content, structured outputs

Usage & Logs

API keys, request/response metadata, telemetry (CPU-seconds, storage, bandwidth), error logs, audit logs, abuse/fraud signals

Device & Cookies

device identifiers, browser type, OS, IP address, analytics events, essential cookies

User Content

files, code, data you upload; any personal data contained within such content

Important Notice Regarding File Uploads

Files uploaded to an Agent (including as part of Agent inputs or configurations) may be publicly accessible via their URL and should be treated as public. Do not upload sensitive, confidential, or private information through file uploads to Agents. Spinstack does not guarantee the confidentiality of uploaded files.

We do not knowingly collect data from children under 13.

2.2 Sources

  • From you (Account, Agents, inputs, phone number provided for OTP verification)
  • From Buyers interacting with Products (inputs/usage)
  • From Stripe (payments/payouts/compliance)
  • From Twilio (SMS delivery status and metadata for OTP authentication)
  • Automatically from your device/browser
  • From Tool Providers as part of executing Tool calls (e.g., responses, usage metadata)

3. How We Use Data

We use Personal Data to:

  • provide, secure, and maintain the Platform;
  • execute Agents and deliver Product outputs;
  • authenticate users and manage accounts, including sending SMS one-time passcodes (OTPs) via Twilio for sign-up and sign-in verification;
  • process billing, payouts, refunds, and chargebacks via Stripe;
  • measure usage and calculate fees/credits;
  • prevent fraud and enforce Terms;
  • communicate about updates and security incidents;
  • comply with legal obligations (tax, KYC/AML, sanctions, lawful requests);
  • debug and improve the Platform (including aggregated or de-identified analytics).

4. Sharing & Disclosure

We share Personal Data only as needed:

Service Providers/Subprocessors

Stripe (payments), Twilio (SMS OTP delivery for sign-up and sign-in authentication — your phone number and OTP delivery metadata are shared with Twilio solely to send verification messages; Twilio processes this data under its own Privacy Policy), Composio (credential and secret storage for third-party tool integrations), cloud hosting and compute (including AWS), databases, analytics, and error tracking.

Tool Providers

When your Agent calls a Tool, we may transmit relevant inputs (and sometimes extracted content) to the Tool Provider to execute that step. Tool Providers process such data under their own terms/policies.

Creators and Buyers

Creators receive data necessary to operate/support their Products (e.g., Buyer usage metrics, inputs/outputs) depending on Product configuration.

Buyers receive outputs generated by Products they use.

Authorities and Legal Requests

We may disclose data to comply with law or court orders, or to protect rights, safety, and property.

Corporate Transactions

We may share data in connection with a merger, acquisition, or sale of assets.

We do not sell Personal Data and do not permit third-party advertising cookies.

5. International Transfers

Spinstack operates primarily in the United States. Tool Providers and infrastructure providers may process data in other jurisdictions. By using the Platform, you understand your data may be transferred and processed internationally.

6. Security

We use reasonable safeguards (access controls, encryption in transit, and other measures appropriate to our size and risk profile). No method is 100% secure. You are responsible for safeguarding your credentials and API keys.

7. Data Retention

We retain Personal Data:

  • while your account is active, plus a limited period after closure (generally 30 days),
  • backups and logs may persist for up to 90 days (or longer if required by law, dispute resolution, or security investigations),
  • payment/tax/compliance records as required by law,
  • agent logs/telemetry as needed for billing, abuse prevention, and reliability.

Creators are responsible for their own retention practices for data they export or store outside Spinstack.

8. Your Rights

Depending on your location, you may have rights to access, correct, delete, or port your data, or to object to or restrict certain processing.

To exercise these rights, email phamswannty@gmail.com. We may verify your identity before responding.

9. Creator Responsibilities to Buyers

Creators may build Products that collect or process personal data. Creators are responsible for:

  • providing any legally required disclosures to Buyers,
  • ensuring a lawful basis for processing,
  • complying with applicable privacy and data protection laws for their Products.

10. SMS and OTP Communications

When you register or sign in using phone-based OTP authentication, we collect your phone number and use it solely to send one-time passcodes via SMS through Twilio. Specifically:

  • What we send: transactional SMS messages containing one-time passcodes for account verification. We do not send marketing SMS messages.
  • Data retention: your phone number is stored as part of your account record. OTP codes are ephemeral and are not retained after verification or expiry.
  • Carrier charges: standard message and data rates from your carrier may apply.
  • Opt-out: if you no longer wish to use phone-based OTP sign-in, contact us at phamswannty@gmail.com to request removal of your phone number from your account. Note that disabling OTP may affect your ability to sign in if it is your only authentication method.

Your phone number is never sold or shared with third parties except Twilio (for delivery of verification messages) and as required by law.

11. Cookies

We use essential cookies and may use first-party analytics. You can disable cookies in your browser, but the Platform may not function properly.

12. Changes to This Policy

We may update this Policy. For material changes, we will provide notice (e.g., by email or dashboard) and, where required, 30 days' notice. Continued use after the effective date constitutes acceptance.

13. Contact

DocMap Inc. (d/b/a Spinstack)

Email: phamswannty@gmail.com