Privacy Policy

Spawni is a hosted AI agent platform operated as a sole trader under an Australian Business Number (ABN), based in Gold Coast, Queensland, Australia.

For the purposes of the GDPR, Spawni is the data controller responsible for your personal data. For the purposes of the Australian Privacy Act, Spawni is the APP entity responsible for the handling of your personal information.

We collect the following categories of personal information when you use Spawni:

2.1 Account Information

When you create an account, we collect your name, email address, and password. Authentication is managed through Supabase Auth. Your password is cryptographically hashed and never stored in plain text.

2.2 Payment Information

Payment processing is handled entirely by Stripe. We never receive, access, or store your full credit card number, CVV, or other sensitive payment credentials. We receive from Stripe only the information necessary to manage your subscription, including your Stripe customer ID, subscription status, and the last four digits of your card.

2.3 Agent Data

When you use AI agents, we store your conversations, agent memories, uploaded files, and agent configurations. This data is stored in Supabase (database) and Cloudflare R2 (file storage). This data is necessary to provide persistent, personalised agent experiences.

2.4 Usage Data

We track token consumption and billing records for each agent interaction to calculate usage against your subscription allocation and to provide you with usage analytics in your dashboard.

2.5 Technical Data

We automatically collect your IP address (logged for security and fraud prevention), user agent string, and basic request metadata. This data is used exclusively for security monitoring, rate limiting, and abuse prevention.

2.6 Communications Data

If you connect messaging channels (Telegram, WhatsApp) to your agent, messages sent and received through these channels are processed and stored by the Service to enable agent functionality. Email messages sent through agent email addresses are similarly processed and stored.

We use your personal information for the following purposes:

We do NOT use your data to train AI models. Your conversations, files, and agent data are used solely to provide the Service to you. Your data is never shared with AI model providers for the purpose of model training or improvement.

We do NOT sell your data. We do not sell, rent, or trade your personal information to third parties, data brokers, or advertising networks under any circumstances.

If you are in the European Economic Area (EEA), United Kingdom, or Switzerland, we rely on the following legal bases under Articles 6 and 9 of the GDPR for processing your personal data:

Where we rely on legitimate interest, we have conducted a balancing test to ensure our interests do not override your fundamental rights and freedoms. You have the right to object to processing based on legitimate interest at any time by contacting us at legal@spawni.ai.

We share your personal data only with the following sub-processors, each of which is necessary for the operation of the Service. We have entered into data processing agreements with each sub-processor as required by the GDPR.

We do not share your data with any other third parties. We do not use data brokers, advertising networks, or social media tracking pixels. We do not sell, rent, or trade your personal information under any circumstances.

In the event we engage a new sub-processor, we will update this Privacy Policy and notify affected users as required by applicable law.

We retain your personal data only for as long as necessary to fulfil the purposes described in this policy, or as required by law.

When data is deleted, it is permanently removed from all active systems, including the database, file storage (R2), containers (Render), and payment records (Stripe customer). Backup copies, if any, are purged within 30 days of the primary deletion.

Depending on your jurisdiction, you have the following rights regarding your personal data. We are committed to honouring these rights regardless of where you are located.

7.1 GDPR Rights (EEA, UK, Switzerland)

• Right of Access (Art. 15): You have the right to obtain confirmation of whether we process your personal data and to request a copy of your data. You can export all your data from your dashboard or by sending a request to legal@spawni.ai.
• Right to Rectification (Art. 16): You may correct inaccurate personal data through your dashboard settings, or by contacting us.
• Right to Erasure (Art. 17): You may request deletion of your account and all associated data. Account deletion can be initiated from your dashboard or by contacting us. Upon request, we will delete all personal data except where retention is required by law.
• Right to Data Portability (Art. 20): You may request your data in a structured, commonly used, machine-readable format (JSON). Data export is available through the dashboard.
• Right to Restriction (Art. 18): You may request that we restrict processing of your personal data in certain circumstances (e.g., while verifying accuracy).
• Right to Object (Art. 21): You may object to processing based on legitimate interests. Contact legal@spawni.ai to exercise this right.
• Right to Lodge a Complaint: You have the right to lodge a complaint with your local data protection authority (supervisory authority) if you believe we have violated your rights under the GDPR.

7.2 CCPA Rights (California Residents)

• Right to Know: You have the right to know what personal information we collect, how it is used, and whether it is disclosed or sold.
• Right to Delete: You may request deletion of personal information we have collected from you.
• Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA rights.
• Right to Opt-Out of Sale: We do not sell your personal information. No opt-out is necessary.

7.3 Australian Privacy Act Rights

• Access: Under APP 12, you have the right to access the personal information we hold about you.
• Correction: Under APP 13, you have the right to request correction of inaccurate, out-of-date, incomplete, irrelevant, or misleading personal information.
• Complaints: If you believe we have breached the APPs, you may lodge a complaint with us and subsequently with the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au.

7.4 How to Exercise Your Rights

To exercise any of the above rights:

• Data export: Go to your dashboard settings and use the data export feature, or contact legal@spawni.ai
• Account deletion: Go to your dashboard settings and use the account deletion feature, or contact legal@spawni.ai
• Profile correction: Update your profile directly in the dashboard
• All other requests: Email legal@spawni.ai with the subject line “Data Rights Request”

We will respond to all data rights requests within 30 days (or within the time frame required by applicable law). We may need to verify your identity before processing your request.

Spawni is based in Australia, but your data may be processed in other countries where our sub-processors operate, including the United States. When your data is transferred internationally, we ensure appropriate safeguards are in place.

8.1 EU/EEA/UK Transfers

For transfers of personal data from the EU/EEA/UK to countries that have not received an adequacy decision from the European Commission, we rely on Standard Contractual Clauses (SCCs) as approved by the European Commission (Decision 2021/914). Our sub-processors (Anthropic, Stripe, Render, Cloudflare, Resend, Supabase) maintain SCCs or equivalent transfer mechanisms for EU data.

8.2 Australian Cross-Border Transfers

Under APP 8 of the Australian Privacy Act, before disclosing personal information to overseas recipients, we take reasonable steps to ensure that the overseas recipient handles the information in a manner consistent with the Australian Privacy Principles. Our sub-processors are contractually obligated to protect your personal information to a standard comparable to the APPs.

Countries where your data may be processed include:

• United States — Anthropic, Stripe, Render, Resend, Supabase
• Global (edge network) — Cloudflare

We implement comprehensive technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. These measures include:

• Container isolation: Each agent runs in a dedicated, sandboxed Docker container with no access to other users’ environments
• Row-Level Security (RLS): Database-level enforcement ensuring queries are scoped to the authenticated user
• Encryption: All data is encrypted in transit (TLS 1.2+) and at rest
• Audit logging: All security-relevant actions are recorded in a protected audit log with 22 tracked action types
• Authentication: Secure, HttpOnly, SameSite session cookies with server-side verification
• Rate limiting: Per-user rate limiting on all endpoints
• PII detection: Agent responses are scanned for sensitive data patterns

For a comprehensive overview of our security practices, visit our Security page.

Spawni uses artificial intelligence to generate agent responses, suggestions, and outputs. You should be aware of the following:

• AI agents produce automated suggestions and outputs, but they do not make legally binding decisions or take actions with legal or similarly significant effects on individuals without human intervention.
• You are responsible for reviewing, evaluating, and acting on all agent output. The Service is designed as a tool to assist you, not to replace human judgment.
• Under GDPR Article 22, you have the right not to be subject to a decision based solely on automated processing that produces legal effects or similarly significantly affects you. The Service does not make such decisions.

Australian Automated Decision-Making Disclosure: In accordance with upcoming Australian automated decision-making transparency requirements (effective December 2026), we disclose that our Service uses automated systems (AI agents) to generate suggestions and content. These automated outputs are advisory in nature and require human review. No automated system used by Spawni makes binding decisions that materially affect your rights, entitlements, or obligations. You may request human review of any AI-generated output by contacting us at legal@spawni.ai.

Spawni is intended for users who are 18 years of age or older. We do not knowingly collect, solicit, or store personal information from anyone under the age of 18.

If we discover that we have collected personal information from a minor, we will take immediate steps to delete the account and all associated data. If you believe a minor has provided us with personal information, please contact us immediately at legal@spawni.ai.

We take a minimal approach to cookies and tracking technologies:

12.1 Cookies We Use

• Essential Authentication Cookies (Supabase): Secure, HttpOnly session cookies required for user authentication. These are strictly necessary for the Service to function and cannot be disabled.
• Vercel Analytics: We use Vercel Analytics, a privacy-friendly analytics solution that does not use cookies, does not collect personal data, and does not track individual users across websites. No consent is required.

12.2 Cookies We Do Not Use

• No advertising or retargeting cookies
• No third-party tracking cookies
• No social media tracking pixels or cookies
• No cross-site tracking of any kind

Because we do not use non-essential cookies, a cookie consent banner is not required. You can manage cookie settings through your browser preferences, but disabling essential cookies may prevent you from logging in to the Service.

We may update this Privacy Policy from time to time to reflect changes in our data practices, applicable laws, or business operations.

• Material Changes: We will provide at least 30 days’ prior notice of any material changes via email and/or a prominent notice within the Service.
• Non-Material Changes: Minor clarifications or formatting updates that do not affect your rights may be made without prior notice.

The “Last Updated” date at the top of this page indicates when this policy was most recently revised. We encourage you to review this policy periodically.

If you have any questions, concerns, or complaints about this Privacy Policy or our data practices, please contact us:

We aim to respond to all privacy enquiries within 5 business days.

14.1 Complaints Process

If you are not satisfied with our response to a privacy complaint, you may escalate to the relevant authority:

• Australia: Office of the Australian Information Commissioner (OAIC) — www.oaic.gov.au
• EU/EEA: Your local data protection authority (supervisory authority). A list of EU data protection authorities is available at edpb.europa.eu
• UK: Information Commissioner’s Office (ICO) — ico.org.uk

As an Australian business, we are committed to compliance with the Privacy Act 1988 (Cth) and the 13 Australian Privacy Principles (APPs). This section summarises how we comply with each applicable APP:

Notifiable Data Breaches Scheme: In the event of an eligible data breach, we will comply with the Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act, including notifying the OAIC and affected individuals as required.