Privacy Policy
Last updated: April 29, 2026
1. Introduction
Spote ("we", "us", or "our") is committed to protecting your personal data. This Privacy Policy explains what data we collect, how we use it, and your rights in relation to it.
This policy applies to all users of the Spote web application and API, including connections made via MCP-compatible AI clients such as Claude Desktop.
We process personal data in accordance with the General Data Protection Regulation (GDPR) and applicable Swedish data protection law.
2. Data Controller
Spote is the data controller for the personal data processed through the Service.
Contact: hello@spote.app
3. Data We Collect
3.1 Account Data
When you register, Clerk (our authentication provider) collects and manages:
- Email address
- Name (if provided)
- Profile picture (if provided via social login)
- Authentication identifiers and session tokens
We receive a user ID from Clerk that we use to associate your data within Spote. We do not store your password — Clerk handles all credential management.
3.2 Note Content
When you create or edit notes, we store:
- Note title and body text (markdown)
- Bucket (folder) and tags
- Attached files and images (stored in Cloudflare R2)
- Timestamps (created at, updated at)
3.3 AI Embeddings
To power search and similarity features, the text of your notes is sent to OpenAI's embedding API (text-embedding-3-small). The resulting vector representation is stored in our database alongside the note. We do not send more data to OpenAI than is necessary for this purpose.
3.4 Usage Metadata
We may collect basic technical metadata such as API request logs (timestamps, endpoints, response codes) and error logs for debugging purposes. We do not use third-party analytics or advertising trackers.
3.5 MCP Connection Data
When you connect an AI client via the MCP protocol, the OAuth flow is handled by Clerk. We record which OAuth applications have been authorized, but we do not log the content of individual MCP tool calls beyond what is already stored as note content.
3.6 Personal Access Tokens (PAT)
If you generate a PAT for API access, we store a hashed representation of the token. The raw token is shown to you only once at the time of creation and is not recoverable by us.
4. How We Use Your Data
| Purpose | Legal Basis |
|---|---|
| Providing and operating the Service | Contract (Art. 6(1)(b) GDPR) |
| Authentication and security | Contract / Legitimate interest |
| AI-powered search and similarity features | Contract |
| Storing and retrieving your notes and files | Contract |
| Debugging and maintaining the Service | Legitimate interest (Art. 6(1)(f) GDPR) |
| Complying with legal obligations | Legal obligation (Art. 6(1)(c) GDPR) |
We do not use your data for advertising, profiling, or any purpose beyond operating the Service.
5. Data Sharing and Third Parties
We share data with the following third-party processors only to the extent necessary to operate the Service:
| Processor | Purpose | Location |
|---|---|---|
| Clerk | Authentication and OAuth | USA (SCCs apply) |
| MongoDB Atlas | Database storage | EU (configurable) |
| Cloudflare R2 | File and image storage | EU |
| OpenAI | Generating note embeddings | USA (SCCs apply) |
| Vercel | Hosting and infrastructure | USA (SCCs apply) |
All third-party processors are bound by data processing agreements. Where data is transferred outside the EU/EEA, we rely on Standard Contractual Clauses (SCCs) as the legal transfer mechanism.
We do not sell your personal data to any third party.
6. Data Retention
| Data type | Retention period |
|---|---|
| Account data | For the duration of your account, deleted within 30 days of termination |
| Note content and files | For the duration of your account, deleted within 30 days of termination |
| AI embeddings | Deleted together with the associated note |
| API/error logs | Up to 90 days |
| Hashed PAT tokens | Until you delete the token or your account |
7. Your Rights
Under GDPR, you have the following rights regarding your personal data:
- Right of access — You may request a copy of the personal data we hold about you.
- Right to rectification — You may correct inaccurate or incomplete data.
- Right to erasure — You may request deletion of your data ("right to be forgotten").
- Right to restriction — You may ask us to restrict processing of your data in certain circumstances.
- Right to data portability — You may request your data in a structured, machine-readable format.
- Right to object — You may object to processing based on legitimate interest.
- Right to withdraw consent — Where processing is based on consent, you may withdraw it at any time.
To exercise any of these rights, contact us at hello@spote.app. We will respond within 30 days.
You also have the right to lodge a complaint with the Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten, IMY) at imy.se.
8. Security
We take reasonable technical and organizational measures to protect your data, including:
- All data in transit is encrypted via TLS
- Passwords are never stored by us — managed by Clerk
- PAT tokens are stored as hashed values only
- Access to production systems is restricted to authorized personnel
- MongoDB Atlas and Cloudflare R2 provide encryption at rest
No system is completely secure. If you discover a security vulnerability, please report it responsibly to hello@spote.app.
9. Cookies and Local Storage
The Spote web application uses cookies and local storage only for:
- Authentication session management (via Clerk)
- User interface preferences (e.g., sidebar state)
We do not use advertising cookies or third-party tracking. You may manage cookie preferences in your browser settings, though disabling authentication cookies will prevent you from using the Service.
10. Children's Privacy
The Service is not directed at children under the age of 13. We do not knowingly collect personal data from children under 13. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.
11. Changes to This Policy
We may update this Privacy Policy from time to time. When we do, we will update the "Last updated" date at the top of this document. For material changes, we will notify you by email or via an in-app notice. Continued use of the Service after changes take effect constitutes acceptance of the updated policy.
12. Contact
For any questions or requests regarding this Privacy Policy:
Spote
Email: hello@spote.app
For complaints, you may also contact:
Integritetsskyddsmyndigheten (IMY)
Website: imy.se
Phone: +46 8 657 61 00