Privacy policy
How Spanda collects, uses, shares, and protects your personal information. We minimize what we collect, encrypt what we keep, and hand you the controls to access, correct, export, or delete it.
1. Overview
Spanda is a creator marketplace. This policy explains what personal information we collect from creators, brands, and agency waitlisters, how we use it, whom we share it with, and what rights you have over it.
Spanda does not sell personal information for money. We share a minimum set of data with payment, identity, and authentication processors to operate the marketplace, which we describe below.
2. Information we collect
From creators
- Identity data: legal name, email, date of birth, country of residence, and the answers you provide to the tax-residency wizard.
- Work-authorization self-attestation and, when you upgrade to Paid Mode, identity documents uploaded to our KYC provider (Persona). Those documents are stored by Persona, not by Spanda.
- Banking and payout data collected by Stripe Connect Express or Trolley during their hosted onboarding. Spanda never sees your full bank account number, routing number, or tax identification number. We store only a tokenized reference.
- Social profile data obtained through your authorized TikTok or Instagram OAuth connection: handle, follower count, engagement metrics, and public post metadata.
- Profile content you create on Spanda: bio, portfolio links, pricing, and sample work.
- Communications with brands and with Spanda support, including dispute-related messages.
From brands
- Business identity: legal business name, authorized signatory name and email, and either EIN or SSN depending on how your business is structured.
- Payment method data collected by Stripe. Spanda stores a tokenized reference, not the card or bank number.
- FTC attestations and campaign briefs you publish.
- Communications with creators and with Spanda support.
From agency waitlisters
- Email address and the agency name you provide. Nothing else until full agency access is launched.
Automatically collected
- Device and session data: IP address, user-agent string, approximate location derived from IP, and session identifiers needed to keep you signed in.
- Product analytics events strictly necessary to run the service. We do not enable advertising analytics or third-party ad pixels.
3. How we use your information
- To operate the marketplace: accept signups, route payouts, run discovery, and deliver transactional emails.
- To meet legal and regulatory obligations: tax form collection, Portfolio Mode enforcement, FTC disclosure scanning, and record-keeping.
- To investigate fraud, abuse, or Terms of Service violations.
- To provide customer support and resolve disputes within the published service level.
- To communicate product changes and, if you opt in, marketing emails. You can opt out of marketing at any time.
We do not use your personal information to train third-party foundation models or sell you to advertisers.
4. Third-party processors and sub-processors
Spanda relies on named third parties to deliver the service. Each of these companies is contractually bound to protect your information.
| Processor | Purpose | Data shared |
|---|---|---|
| Stripe | Payouts to US tax residents, brand payment processing, tax form collection (W-9, 1099-K). | Name, email, banking, TIN, transactions. |
| Trolley | Payouts to non-US tax residents, tax form collection (W-8BEN, 1042-S). | Name, email, banking, country, TIN equivalent, transactions. |
| Persona | Identity verification at Paid Mode upgrade. | Government ID images, selfie, and metadata. |
| Amazon Web Services (Cognito, Aurora, S3, SES) | Authentication, database, file storage, transactional email. | All Spanda-stored data, encrypted at rest. |
| Cloudflare | Bot protection and DDoS mitigation at the edge. | IP address, request metadata. |
We will update this list when we add or remove processors. Material changes are announced under section 13 below.
5. How long we keep your information
- Account and profile data: for the life of your account, plus thirty days after you close it. After that we either delete or anonymize it.
- Transaction records, tax forms, and dispute records: retained for seven years after the transaction to meet US tax and financial recordkeeping obligations.
- Work-authorization attestation audit logs: retained for seven years for immigration-compliance recordkeeping.
- Identity documents uploaded to Persona at Paid Mode upgrade: retained by Persona under Persona’s retention policy.
- Support communications: retained for three years after the ticket closes.
- Product analytics events: retained in anonymized form for twenty-four months.
6. Security (including NY SHIELD Act)
Spanda maintains administrative, technical, and physical safeguards designed to protect your personal information, consistent with the reasonable security requirements of the New York Stop Hacks and Improve Electronic Data Security Act.
- Encryption at rest for all stored personal information using AWS KMS-managed keys.
- TLS 1.2 or higher for all data in transit.
- Principle-of-least-privilege access controls for Spanda staff.
- Logging and monitoring of access to production systems.
- Annual security review and incident-response plan.
Spanda services Inc. is a Canadian federal corporation. In the event of a data breach, Spanda will provide notification consistent with the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy law. For users in the United States and other jurisdictions, Spanda will meet the breach-notification requirements of applicable state, provincial, and national law. Specific notification timelines and the form of notice are pending counsel review.
7. European visitors (UK-GDPR and GDPR)
If you visit Spanda from the European Economic Area, the United Kingdom, or Switzerland, you have rights under the General Data Protection Regulation and the UK-GDPR. These include the right of access, rectification, erasure, restriction, portability, and objection to processing.
Our legal bases for processing your information are the performance of a contract (when you create an account), our legitimate interests (operating and securing the marketplace), your consent (for marketing emails and optional cookies), and compliance with legal obligations (tax and immigration recordkeeping).
If you are in the European Economic Area you also have the right to lodge a complaint with your national supervisory authority.
8. California residents (CCPA and CPRA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act as amended by the California Privacy Rights Act.
- The right to know what personal information we collect, use, disclose, and share.
- The right to delete personal information, subject to statutory exceptions.
- The right to correct inaccurate personal information.
- The right to limit the use of sensitive personal information.
- The right to opt out of the sale or sharing of personal information. Spanda does not sell personal information. See Do Not Sell or Share My Personal Information.
- The right to non-discrimination for exercising any of these rights.
9. Other US state privacy laws
Spanda also honors analogous rights for residents of other US states that have enacted comprehensive privacy laws, including Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), and others as they come into force. Requests can be submitted through the contact in section 14.
10. Your rights and how to exercise them
You can exercise any of the rights described above by emailing privacy@spanda.services. We may ask you to verify your identity before fulfilling the request, to protect you from impersonation. Most requests are answered within thirty days, with a possible extension up to sixty days where the law permits.
You may also designate an authorized agent to submit a request on your behalf by providing written authorization.
11. International data transfers
Spanda is headquartered in the United States and stores personal information in AWS regions located in the United States. If you are outside the United States, your information will be transferred to and processed in the United States. Payouts through Trolley route globally, which may involve additional transfers to the country where you receive funds.
Where a transfer leaves the European Economic Area, the United Kingdom, or Switzerland, we rely on the European Commission’s Standard Contractual Clauses and equivalent UK and Swiss addenda.
12. Children
Spanda is an eighteen-and-over service. We do not knowingly collect personal information from anyone under eighteen. If you believe we have collected information from a minor, contact privacy@spanda.services and we will delete it.
13. Changes to this policy
We will update this policy from time to time. When we make a material change, we will post the updated policy on this page and notify you by email at least thirty days before the change takes effect.
14. Privacy contact
Privacy questions and rights requests can be sent to privacy@spanda.services.