Privacy Policy

Last Updated: November 2025

1. Data Controller

Problem Solving Agency Zenahr Barzani
Berlin, Germany
Email: hello@spamsmacker.dev

2. Data We Collect

Account Data

Email address (via Google OAuth)
Google Account profile (name, avatar)
Account creation date and authentication timestamps

YouTube Data

Public YouTube comment text, author display names, and timestamps
Video titles and metadata for videos you scan
Channel statistics (public subscriber count, video count)

Service Usage Data

Feature usage analytics (which pages you visit, actions you take)
Moderation actions (comments you marked as spam/clean)
Detection engine interactions (scans, results)

Billing Data

Subscription tier and status
Transaction history (processed by Paddle — we do not store payment details)

3. How We Use Your Data

We process your data for the following purposes:

Service delivery: Analyzing comments, providing moderation recommendations
Account management: Authentication, subscription management
Service improvement: Detecting patterns in spam, improving detection accuracy
Communication: Service updates, billing notifications, security alerts
Legal compliance: GDPR obligations, law enforcement requests where required

Consent (6.1.a): YouTube data access (you explicitly authorize via Google OAuth)
Contractual necessity (6.1.b): Account creation, Service delivery, billing
Legitimate interest (6.1.f): Service improvement, security, fraud prevention

5. Data Retention

Data Type	Retention Period
YouTube comment data	180 days (or until account deletion)
Account data	Duration of account + 30 days post-deletion
Access logs	90 days
Billing records	7 years (legal requirement)
Analytics data	24 months (anonymized after 12 months)

We share data only with subprocessors necessary for Service delivery:

Subprocessor	Purpose	Data Shared
Supabase	Database, auth	Account data, YouTube data
Vercel	Hosting	All Service data
Paddle	Payment processing	Email, subscription tier
Google	YouTube API access	OAuth tokens, API requests

We do not sell your data. We do not use your YouTube comment data to train machine learning models for other customers.

7. International Transfers

Data is processed in the EU (Supabase EU region). When data is processed outside the EU (Vercel global CDN), we rely on Standard Contractual Clauses (SCCs) as the transfer mechanism under GDPR Art. 46.

You have the right to:

Access: Request a copy of your personal data
Rectify: Correct inaccurate data
Erase: Request deletion of your data (“right to be forgotten”)
Restrict: Limit processing under certain conditions
Port: Receive your data in a machine-readable format
Object: Object to processing based on legitimate interest

To exercise these rights, contact us at privacy@spamsmacker.dev. We respond within 30 days.

9. Cookies

SpamSmacker uses essential cookies for:

Authentication sessions (Supabase)
CSRF protection
Feature preferences (e.g., UI theme)

We do not use advertising or tracking cookies. Our cookie consent widget (CookieChimp) manages cookie preferences.

10. Security

We implement:

Encryption in transit (TLS 1.3)
Encryption at rest (AES-256)
Row-Level Security (Supabase RLS) for multi-tenant data isolation
Regular security audits and dependency updates
Access logging and anomaly detection

11. Children’s Privacy

SpamSmacker is not directed at children under 16. We do not knowingly collect data from children. If you believe we have inadvertently collected such data, contact us immediately.

12. Changes to This Policy

We will notify you of material changes via email or in-Service notification. Continued use after changes constitutes acceptance.

13. Supervisory Authority

You have the right to lodge a complaint with a supervisory authority. For Germany:

Berliner Beauftragte für Datenschutz und Informationsfreiheit
Friedrichstr. 219, 10969 Berlin, Germany

Contact

For privacy-related inquiries:
Email: privacy@spamsmacker.dev
Postal: Problem Solving Agency Zenahr Barzani, Berlin, Germany