Privacy Policy

Effective date: October 26, 2025

Applies to: readspicebound.com, any subdomains, and the Spicebound web app (collectively, the "Service").

Who we are: "Spicebound," "we," "us," or "our" refers to the operator of the Service. We are based in the United States (Florida). If and when Spicebound incorporates, we anticipate forming a Delaware entity; we will update this notice accordingly.

1) Scope and Summary

This Privacy Policy explains what personal information we collect, how we use and share it, and the choices you have. It applies to visitors and registered users of the Service, including users who save books to TBR lists, add ratings, or follow outbound purchase links.

We designed this policy to address U.S. federal and state privacy laws (including the California Consumer Privacy Act as amended by the CPRA), and to provide additional information for individuals in the EEA/UK where the GDPR/UK GDPR may apply.

2) Information We Collect

A. You provide directly

  • Account info: first name, email address, password or SSO identifier.
  • Profile & preferences: reading statuses (e.g., TBR/Reading/Read/DNF), lists, re-ordering, saved books, star ratings, optional notes (if/when enabled).
  • Subscriptions & payments: plan selection and billing metadata (handled by our payment processor; we do not store full card numbers).
  • Communications: support requests, feedback, or survey responses.
  • Marketing choices: newsletter opt-ins/outs and notification settings.

B. Collected automatically

  • Device/usage data: IP address, device and browser type, operating system, language, timestamps, pages viewed, referral URLs, errors/crashes, and interactions with features.
  • Cookie/identifier data: cookies, web storage, pixels, mobile identifiers (as applicable) used for core functionality, analytics, and (if enabled) personalization/ads.
  • Outbound link/affiliate events: clicks on outbound links (e.g., to Amazon or Bookshop.org) so we can attribute referrals.

C. From third parties

  • Service providers: analytics, hosting, authentication, fraud-prevention, email delivery, and payments provide data needed to run those services.
  • Public/book data sources and partners: book metadata (e.g., cover image, author, series status, genres) from lawful sources and partners. We aim to use APIs and publicly available information consistent with applicable terms; we do not ingest content in a way that violates third-party terms of service.

We do not intentionally collect sensitive personal information like precise geolocation, health, or government IDs. Under CPRA, account log-in credentials may be deemed "sensitive"; we use them only to operate your account and do not use them to infer characteristics.

3) How We Use Information (Purposes)

  • Provide the Service: create and secure your account; show book reports and lists; enable rating, saving, sorting, archives, and other features.
  • Personalize & improve: remember settings; measure performance; debug; develop new features; maintain availability and security.
  • Communications: send transactional emails (e.g., sign-in, receipts, important updates). With your consent, send newsletters or product updates (you can opt out).
  • Payments & subscriptions: process purchases, prevent fraud, and manage entitlements.
  • Compliance & enforcement: comply with legal obligations; protect our rights, users, and the Service; prevent abuse.
  • Advertising/attribution (if/when enabled): measure campaign performance and show interest-based content in accordance with your choices.

Legal bases (EEA/UK only)

  • Contract: to provide the Service you request.
  • Legitimate interests: service quality, security, limited analytics, and product improvement (balanced with your rights).
  • Consent: where required for marketing emails, certain cookies/identifiers, and cross-context behavioral advertising.
  • Legal obligation: record keeping, tax, and regulatory requirements.

4) Disclosing Information

We share personal information only as described below:

  • Service providers (processors): hosting, storage, security, analytics, payment processing (e.g., Stripe), email delivery, logging/monitoring, customer support tools. They may access personal information only to perform services for us under contracts with confidentiality obligations.
  • Affiliate/commerce partners: we may share pseudonymous identifiers or click events necessary to attribute referrals and commissions (e.g., Amazon Associates, Bookshop.org).
  • Legal & safety: to comply with law, enforce our terms, or protect rights, property, and safety.
  • Business changes: if we explore or complete a merger, financing, or sale of assets, information may be transferred subject to continued protection consistent with this Policy.

We do not sell your personal information for money. Under CPRA, some analytics, marketing, and cross-context behavioral advertising could be considered a "sale" or "share" of personal information. See Section 8 for your choices, including a "Do Not Sell or Share" option and recognition of Global Privacy Control signals.

5) Cookies & Similar Technologies

  • Strictly necessary: sign-in, security, load balancing, core features.
  • Functional: remember preferences and improve experience.
  • Analytics: understand feature usage and performance.
  • Advertising (if enabled): personalize or measure ads across sites.

You can manage cookies through your browser settings and (where required) our cookie banner/controls. Blocking some cookies may limit functionality.

6) Data Retention

We retain personal information for as long as necessary to provide the Service, comply with legal obligations, resolve disputes, and enforce agreements, then delete or de-identify it.

Typical retention periods:

  • Account data: while your account is active and for up to 24 months after closure (unless a longer period is legally required).
  • Logs/analytics: ~12-24 months, aggregated or de-identified sooner where feasible.
  • Payment records: per tax and accounting requirements (generally 7 years in the U.S.).
  • Marketing consent records: while you are subscribed and for a reasonable period thereafter to document opt-out.

7) Security

We implement administrative, technical, and physical safeguards appropriate to the nature of the data (e.g., encryption in transit, salted password hashing, least-privilege access). No system is 100% secure; we cannot guarantee absolute security. If we discover a breach affecting your information, we will notify you and/or authorities as required by law.

8) Your Privacy Rights & Choices

A. All users

  • Access/Export: request a copy of your personal information.
  • Correction: ask us to correct inaccurate information.
  • Deletion: request deletion of personal information (subject to legal/operational exceptions).
  • Objection/Restriction (where applicable): object to or restrict certain processing.
  • Marketing controls: opt out of non-transactional emails at any time (links in emails or in account settings).

Contact us at info@spicebound.com to exercise rights (or use in-product controls where available). We may need to verify your request.

B. U.S. state privacy laws (e.g., CA, CO, CT, UT, VA)

Residents of certain states have additional rights, including:

  • Right to know: categories and specific pieces of personal information we collected, sources, purposes, and categories of recipients.
  • Right to delete and correct personal information.
  • Right to opt out of "sale"/"sharing" and targeted advertising (cross-context behavioral advertising).
  • Right to limit use/disclosure of sensitive personal information (we use SPI only to provide the Service).
  • Non-discrimination for exercising rights.

Opt-out mechanisms:

  • Use the "Do Not Sell or Share My Personal Information" control (when available in the footer or settings).
  • We honor Global Privacy Control (GPC) signals for browser-based opt-outs where required.

Authorized agents may submit requests on your behalf where permitted by law. We will respond within statutory timelines.

C. EEA/UK

Where GDPR/UK GDPR applies, you also have the right to data portability and to lodge a complaint with your local supervisory authority. If we rely on consent, you may withdraw it at any time.

9) Children's Privacy

The Service is intended for users 13 and older. We do not knowingly collect personal information from children under 13 (or a higher age where required by local law) without verifiable parental consent. If you believe a child has provided us personal information, contact hello@readspicebound.com and we will take appropriate steps to delete it.

10) International Transfers

We process and store information in the United States and may transfer it to service providers in other countries. Where applicable law requires, we use approved safeguards (e.g., Standard Contractual Clauses) for transfers from the EEA/UK.

11) Third-Party Sites & Services

Links to third-party sites (e.g., retailers, book sources) are provided for convenience. Their privacy practices are governed by their own policies; we are not responsible for them. Please review those policies before sharing information.

12) State "Notice at Collection" (California)

Categories collected (past 12 months):

  • Identifiers: name (optional), email, IP address, account IDs.
  • Protected classifications: Not collected.
  • Commercial information: subscription plan, purchase/referral events.
  • Internet/Network activity: device info, usage data, cookies, interactions.
  • Geolocation: coarse (derived from IP); no precise tracking.
  • Sensory/Biometric: Not collected.
  • Employment/Education: Not collected.
  • Inferences: limited preference inferences (e.g., saved lists/spice preferences); no sensitive profiling.

Sources: you, your devices, service providers, partners, and public/book data sources.

Business purposes: as described in Section 3.

Disclosure: to service providers and partners as in Section 4.

Sale/Share: we do not sell for money; analytics/ads may constitute "sale" or "share." See Section 8 for opt-out options.

13) Changes to This Policy

We may update this Policy to reflect changes to our practices, technologies, or legal requirements. We will post the updated Policy with a new effective date and, where required, notify you or seek consent. Your continued use of the Service after an update signifies acceptance.

14) Contact Us

Questions or requests about this Policy or your information:
Email: info@spicebound.com

15) Additional Disclosures for Transparency

  • Passwords & authentication: We never store plain-text passwords. If you use social sign-in, your identity and email may be confirmed by that provider per their policies.
  • Affiliate transparency: If you click to buy a book, we may earn a commission. Affiliate partners may set cookies/identifiers to attribute sales; see their policies and our cookie controls.
  • No automated decisions with legal effects: We do not make decisions producing legal or similarly significant effects solely by automated means.
  • De-identification: Where we de-identify data, we commit not to re-identify it except as needed to verify de-identification or for security/compliance.

Quick Controls (at a glance)

  • Delete account/data: In-app (when available) or email info@spicebound.com
  • Export data: Email us; we'll provide a machine-readable file (e.g., JSON/CSV)
  • Marketing opt-out: Use unsubscribe links or account settings
  • Do Not Sell or Share: Use the footer link or send a GPC signal (recognized where required)