Privacy Policy

1. Data Controller

The data controller responsible for your personal data is the operator of Spyke, based in Poland. You can reach us at contact@spyke.website for any data protection inquiries.

2. Data We Collect

We adopt a privacy-focused approach and collect only the data necessary to provide our service.

• Device Identifier: We generate a random unique identifier (UUID) on your device. This identifier is stored locally on your device using secure storage and is used to associate your device with your monitoring settings. We do not collect your name, email address, or require account registration.
• Instagram Username: You provide a public Instagram username to monitor. We store this username to perform our service. We only access publicly available information associated with this username.
• Public Instagram Data: We collect publicly available Instagram data associated with the monitored username, including public follower and following lists, public profile picture URL, public display name, and follower and following counts.
• Gender Classification: We use automated processing (artificial intelligence) to classify the likely gender of followers and followed accounts based on publicly available profile information (such as display names). This classification is performed by OpenAI and the results are stored in our database. This constitutes automated profiling under GDPR — see Section 8 for your rights regarding this processing.
• Change History: We store records of changes to followers and following lists (new followers, unfollowers, new following, unfollowing) detected during periodic monitoring.
• Push Notification Token: If you enable push notifications, we collect your device push notification token (provided by Expo/Apple Push Notification Service/Firebase Cloud Messaging) to send you notifications about changes to the monitored account.
• Technical and Analytics Data: We collect device type and operating system version, application version, language/locale preference, anonymous usage analytics (screen views, feature usage) via PostHog, and IP address (processed by our service providers for security and analytics; not stored by us directly).
• Subscription Data: If you subscribe to Spyke Premium, your payment is processed entirely by Apple (App Store) or Google (Google Play Store). We never have access to your credit card number, bank account, or other payment details. We receive from RevenueCat (our subscription management provider) only subscription status, subscription type and expiration date, and a RevenueCat customer identifier.

3. How We Use Your Data

We use your data for the following purposes and legal bases:

• Providing the service: monitoring Instagram followers/following — Legal basis: Performance of contract (Art. 6(1)(b)).
• Sending push notifications: about account changes — Legal basis: Legitimate interest (Art. 6(1)(f)) / Consent.
• Gender classification: of public profiles — Legal basis: Legitimate interest (Art. 6(1)(f)).
• Analytics: to improve the Application — Legal basis: Legitimate interest (Art. 6(1)(f)).
• Preventing fraud: and ensuring security — Legal basis: Legitimate interest (Art. 6(1)(f)).
• Responding to support requests: Legal basis: Legitimate interest (Art. 6(1)(f)).

4. Automated Decision-Making and Profiling

The Application uses automated processing (AI-based gender classification) to categorize public Instagram profiles by likely gender. This processing:

• Is based on publicly available information only (display names).
• Does not produce legal effects or similarly significant effects on the individuals classified.
• Is used solely to provide statistical insights to you.
• Can be opted out of by contacting us at contact@spyke.website.

5. Data Sharing and Third-Party Services

We do not sell your personal data. We share data only with the following service providers, solely to operate the Application:

• Convex (Convex, Inc.): Backend database and server infrastructure — Data shared: Device ID, username, search results, change history — Location: United States.
• Apify (Apify Technologies s.r.o.): Instagram public data scraping — Data shared: Instagram username — Location: Czech Republic / EU.
• OpenAI (OpenAI, LLC): Gender classification of public profiles — Data shared: Public profile names — Location: United States.
• RevenueCat (RevenueCat, Inc.): Subscription management — Data shared: Device ID, subscription status — Location: United States.
• Expo (650 Industries, Inc.): Push notifications, app infrastructure — Data shared: Push token, device info — Location: United States.
• PostHog (PostHog, Inc.): Analytics — Data shared: Anonymous usage data, device info — Location: United States / EU.
• Apple / Google: Payment processing, app distribution — Data shared: Payment data (handled entirely by Apple/Google) — Location: United States.

No other third parties have access to your data.

6. International Data Transfers

Some of our service providers are located outside the European Economic Area (EEA), primarily in the United States. For these transfers, we ensure GDPR compliance through:

• Standard Contractual Clauses (SCCs) approved by the European Commission.
• Providers' adherence to applicable data protection frameworks.
• Technical security measures (encryption in transit and at rest).

7. Data Security

We implement appropriate technical and organizational measures to protect your data:

• All communications are encrypted using HTTPS/TLS.
• Device identifiers are stored in secure on-device storage (SecureStore).
• Server access is restricted and monitored.
• We conduct regular security reviews.
• Data is stored in secure cloud infrastructure with access controls.

8. Your Rights Under GDPR

As a data subject under GDPR, you have the following rights:

• Right of Access (Art. 15): Obtain confirmation of whether your data is being processed and receive a copy of it.
• Right to Rectification (Art. 16): Correct inaccurate personal data.
• Right to Erasure (Art. 17): Request deletion of your data ("right to be forgotten"). You can also delete your data directly in the Application via Settings > Delete Account & Data.
• Right to Restriction (Art. 18): Restrict certain processing of your data.
• Right to Data Portability (Art. 20): Receive your data in a structured, commonly used, machine-readable format.
• Right to Object (Art. 21): Object to processing based on legitimate interest, including profiling (such as gender classification).
• Right regarding Automated Decision-Making (Art. 22): Not be subject to decisions based solely on automated processing that produce legal or similarly significant effects.
• Right to Withdraw Consent: Where processing is based on consent (e.g., analytics), you may withdraw consent at any time. For analytics, use the opt-out toggle in Application Settings.

To exercise your rights, contact us at contact@spyke.website. We will respond within 30 days. If you are unsatisfied with our response, you have the right to lodge a complaint with the Polish Data Protection Authority (UODO — Urząd Ochrony Danych Osobowych, uodo.gov.pl).

9. Data Retention

• Device identifier and monitoring data: Stored as long as you use the service. Deleted upon account deletion via the Application or upon request.
• Change history: Stored as long as the associated monitor is active.
• Technical logs: Deleted within a maximum of 12 months.
• Analytics data: Retained in anonymized/aggregated form. You can opt out of analytics collection in Settings.
• Subscription data: Managed and retained by RevenueCat and Apple/Google according to their respective retention policies.
• Deletion: You can delete all your data at any time via Settings > Delete Account & Data, or by emailing contact@spyke.website.

10. Analytics Opt-Out

The Application uses PostHog for anonymous usage analytics to help us improve the service. You can opt out of analytics collection at any time using the toggle in the Application's Settings screen. Opting out will stop all analytics data collection while still allowing the Application to function normally.

11. Use by Minors

Spyke is not intended for children under 13 years of age. We do not knowingly collect personal data from children under 13. If you believe a child under 13 has provided us with personal data, please contact us at contact@spyke.website and we will promptly delete such data.

12. Changes to This Policy

We may update this Privacy Policy from time to time. Any significant changes will be communicated through the Application. We encourage you to review this Privacy Policy periodically. Continued use of the Application after changes constitutes acceptance of the updated policy.

13. Governing Law

This Privacy Policy is governed by the laws of the Republic of Poland and the applicable regulations of the European Union, including the GDPR. Any disputes shall be submitted to the competent courts in Poland.