Privacy Policy

Last updated: 16 May 2026

1. Who we are
2. What personal data we collect
3. How we use your data
4. Legal basis (GDPR)
5. Who we share data with
6. How we store and protect data
7. Data retention
8. Your rights
9. Cookies
10. Children
11. Changes to this policy
12. Contact us

1. Who we are

Spuutr is operated by an Australian privately owned startup. We provide AI agent team subscription services.

This policy explains how we collect, use, disclose, and protect your personal information when you use our website (spuutr.com) and services. It covers our obligations under:

AU Australian Privacy Act 1988 (including the Australian Privacy Principles)
GDPR EU General Data Protection Regulation (for users in the European Economic Area)
CCPA California Consumer Privacy Act (for California residents)

2. What personal data we collect

2.1 Information you provide

Waitlist signup: name, email address, and optionally company name — collected via our waitlist form
Account registration: when you log in via Google, GitHub, or Microsoft OAuth, we collect your name, email address, and profile picture from the provider. We do not receive or store the OAuth tokens beyond the initial authentication handshake
Environment keys: you may choose to store API keys (e.g., OpenAI, Anthropic) in your portal. These are encrypted at rest with AES-256-GCM and used only to connect your agent team to third-party AI providers
Enquiries: when you contact us via the enquiry form, we collect your name, email, and message content
Chatbot: conversation messages are stored temporarily to provide context-aware responses. Chat transcripts may be emailed to us for quality and support purposes

2.2 Information collected automatically

Server logs: IP address, browser user-agent, page requested, and timestamp. These are retained briefly for operational security and debugging
Session cookie: a strictly necessary HTTP-only session cookie is set when you log into your portal. No analytics or tracking cookies are used

2.3 What we do not collect

We do not collect payment card details (payments will be handled via Stripe or Wise, and data goes direct to them)
We do not use analytics scripts, tracking pixels, or fingerprinting
We do not sell your data to third parties

3. How we use your data

Purpose	Data used
Managing your waitlist interest	Name, email, company
Providing portal access (future)	Name, email, OAuth profile
Operating your agent team	Environment keys you provide (encrypted at rest)
Responding to enquiries	Name, email, message
Service improvement and security	Server logs, aggregated usage data
Communication about service updates	Email address (opt-out available)

4. Legal basis (GDPR)

If you are in the European Economic Area (EEA), our legal basis for processing your personal data depends on the specific activity:

Consent — waitlist signup, chatbot interactions (you actively submit this data)
Contractual necessity — providing portal access and operating your agent team
Legitimate interests — server security, debugging, and service improvement (non-intrusive)

You may withdraw consent at any time by contacting us.

5. Who we share data with

We use third-party sub-processors to operate the service:

Provider	Purpose	Data shared	Location
Maton (api.maton.ai)	Waitlist persistence (Google Sheets), email delivery (Gmail)	Name, email, company, chat transcripts	US / Global
Google / GitHub / Microsoft	OAuth authentication (login)	Name, email, avatar (per provider's consent screen)	Per provider
DeepSeek	DeepSeek V4 Flash and DeepSeek V4 Pro — used for agent reasoning, chatbot responses, and task execution	Chat messages, agent prompts, and generated responses	China / Global
OpenAI (via OpenRouter)	GPT-4.1 and GPT-4.1-mini — used as reasoning models for selected agent operations and high-judgment tasks	Chat messages, agent prompts, and generated responses	US (routed via OpenRouter)
Anthropic (via OpenRouter)	Claude Opus 4.7, Claude Sonnet 4.6, Claude Haiku 4.5 — used for agent reasoning, complex analysis, and content generation	Chat messages, agent prompts, and generated responses	US (routed via OpenRouter)
Google (via OpenRouter)	Gemma 4 — used for lightweight reasoning and cost-efficient tasks	Chat messages and agent prompts	Global (routed via OpenRouter)
Meta (via OpenRouter)	Llama 3.3 — used for selected agent operations	Chat messages and agent prompts	Global (routed via OpenRouter)
Qwen (via OpenRouter)	Qwen3-Embedding-4B — used for memory search and semantic embedding generation (2560-dimension vectors)	Text content for embedding vector generation (no raw text retained)	Global (routed via OpenRouter)
ElevenLabs	Eleven Multilingual V2 — text-to-speech voice synthesis for agent voice output	Text content to be spoken aloud	Global
Hosting provider (VPS)	Server infrastructure	Server logs (IP, user-agent, timestamps)	US

We do not sell, rent, or trade your personal data to third parties for their own marketing purposes.

Model providers may change at any time. We regularly evaluate and switch between model providers to optimise cost, quality, and capability. The specific models listed above reflect our current stack and may be updated without notice. We also support Bring Your Own Key (BYOK) — you may supply your own API keys (e.g., OpenAI, Anthropic) via your portal. When BYOK is used, inference routes through your own provider accounts and we act solely as the orchestration layer. Data shared with those providers is governed by your direct agreement with them.

6. How we store and protect data

Encryption at rest: API keys stored in your portal are encrypted with AES-256-GCM using a server-side key. The plaintext is never logged or exposed. If you use Bring Your Own Key (BYOK), your keys are encrypted with the same standard and used only for the specific provider you designate
Encryption in transit: all connections to spuutr.com are served over HTTPS (TLS). API calls to sub-processors use TLS
Access control: portal access requires authenticated login via OAuth. Environment keys are only accessible to the user who stored them
Database: operational data is stored in SQLite databases on a virtual private server with restricted access
Backups: configuration and limited operational data are backed up to private GitHub repositories

7. Data retention

Waitlist data: retained until you request removal or until the waitlist is retired
Account data: retained for the duration of your account, plus 90 days following account deletion for operational recovery purposes
Chatbot conversations: retained for 90 days, then automatically summarised and purged
Server logs: retained for 30 days, then rotated
Environment keys: deleted immediately when you remove them in the portal, or within 30 days of account deletion

8. Your rights

8.1 All users

You have the right to:

Access — request a copy of the personal data we hold about you
Correction — ask us to correct inaccurate or incomplete data
Deletion — request deletion of your personal data (subject to legal retention obligations)
Objection — object to processing based on legitimate interests

8.2 GDPR (EEA users)

In addition to the above, EEA users have the right to:

Data portability — receive your data in a structured, machine-readable format
Restriction — restrict processing in certain circumstances
Lodge a complaint — with your local data protection authority

8.3 CCPA (California residents)

Under the CCPA, California residents have the right to:

Know — what personal information we collect, use, and disclose
Delete — request deletion of personal information
Opt-out — of the sale of personal information (we do not sell data, so this right is not currently triggered)
Non-discrimination — we will not discriminate against you for exercising these rights

8.4 How to exercise your rights

Contact us at admin@spuutr.com. We will respond within 30 days (Australian Privacy Act) or within the timeframe required by applicable law. We may need to verify your identity before processing your request.

9. Cookies

We use a single strictly necessary cookie:

Cookie	Purpose	Duration
`connect.sid`	Session management (logged-in state). HTTP-only, SameSite=Lax	7 days or until logout

No analytics, tracking, advertising, or third-party cookies are used. Because we use only a strictly necessary cookie, no cookie consent banner is required under the ePrivacy Directive / Australian privacy law.

10. Children

Spuutr is not directed at individuals under 16 years of age. We do not knowingly collect personal data from children. If you become aware that a child has provided us with personal data, please contact us at admin@spuutr.com.

11. Changes to this policy

We may update this privacy policy from time to time. Material changes will be communicated via our website or email. The "Last updated" date at the top of this page will always reflect the most recent revision.

12. Contact us

Email: admin@spuutr.com

Data Protection Officer / Privacy Officer: Pepper (Chief of Staff, admin@spuutr.com)

Jurisdiction: Australia

Entity type: Australian privately owned startup

Regulatory enquiries: Office of the Australian Information Commissioner (OAIC) — oaic.gov.au

View revision history on GitHub