Privacy Policy

Effective May 12, 2026

Spawn is a group-location app built by TKM Ventures, LLC (“Spawn”, “we”, “us”, “our”). Spawn is designed around a simple promise: help your crew find each other at events without losing each other. This Privacy Policy describes the data we collect, why we collect it, how long we keep it, who we share it with, and the choices you have. By using Spawn you agree to this Policy and to our Terms of Service.

What we collect

• Account data: your email address, display name, optional handle, and optional profile photo.
• Sign-in identifiers: when you use Sign in with Apple or Google, the provider issues us a stable identifier. Apple does not share your email unless you choose to.
• Location: your approximate coordinates while you are in an active group. Used to show your position to crew members and to compute distance to checkpoints. Location sharing turns off automatically when a group is archived or you pause sharing.
• Battery level: shared with your crew inside the app so they know if your phone is about to die.
• Checkpoint content: labels, notes, and photos you attach to checkpoints. Photos are visible only to members of the same group.
• Push tokens: an anonymous device token issued by Apple or Google that lets us deliver notifications to your device.
• Purchases: subscription status and transaction history, received from Apple via RevenueCat.
• Diagnostics: if you opt in, anonymous crash reports and performance data via Sentry.
• Beta-cohort tag: if you signed up during the closed beta, we store the invite code you used so we can identify the founding-tester cohort.

Why we use it

• To run the Service — show your crew where you are, deliver Spawn alerts, sync checkpoints, send push notifications.
• To enforce subscription entitlements (Free vs Pro).
• To prevent abuse and keep invite-only access healthy.
• To investigate crashes and improve stability.
• To comply with legal obligations and enforce our Terms.

We do not sell your data. We do not use your data for advertising. We do not share your location with third parties for marketing.

Who we share it with

• Supabase — our database and authentication provider. Your account data, group membership, checkpoints, and messages are stored in a Supabase-managed Postgres database in the United States (West US — Oregon).
• Apple — Sign in with Apple, Push Notifications, In-App Purchases.
• Google — Sign in with Google and Firebase Cloud Messaging on Android.
• RevenueCat — processes and mirrors your subscription status.
• MapTiler — renders the map tiles you see on the Navigate tab. MapTiler receives your IP address and the map region you are viewing; it does not know who you are.
• Sentry (optional) — receives anonymized crash traces if diagnostics are enabled.
• Law enforcement or regulators — only when required by valid legal process (subpoena, court order, warrant) or to protect the safety of users or the public.

How long we keep it

• Account data: until you delete your account.
• Location history: recent positions are retained while a group is active; older positions are rotated out within 30 days. We do not retain a long-term “trail” of where you have been.
• Checkpoint content (photos, notes): until the group is archived or you delete the checkpoint, plus a short grace period for backups.
• Subscription records: as required by tax and accounting law (typically 7 years), even after account deletion.
• Diagnostics: Sentry crash reports retained for 90 days.
• Backups: encrypted backups may retain deleted records for up to 30 days before being overwritten.

How we protect it

We use industry-standard security practices: HTTPS/TLS for data in transit, encrypted storage at rest via our cloud providers, scoped access controls, and row-level security on our database so users can only read data they are authorized to see. No system is perfectly secure; we cannot guarantee absolute protection against unauthorized access. Report security concerns to security@getspawn.xyz.

Your rights

You can, at any time:

• Access and edit your profile from the Profile tab.
• Pause sharing or leave a group without deleting your account.
• Delete your account entirely from Profile → Delete account. We wipe your profile, groups you lead, invite codes, and location history. This is permanent.
• Export a copy of your data by emailing privacy@getspawn.xyz.
• Contact us with any question or data request at privacy@getspawn.xyz.

California residents

If you are a California resident, the California Consumer Privacy Act as amended by the California Privacy Rights Act (collectively, the “CCPA”) gives you the right to know what personal information we collect, the right to request deletion, the right to correct inaccurate personal information, and the right to opt out of the sale or sharing of your personal information for cross-context behavioral advertising. We do not sell or share personal information for cross-context behavioral advertising. To exercise any CCPA right, email privacy@getspawn.xyz. We will not discriminate against you for exercising these rights.

International users

Spawn is operated from the United States and data is stored on servers in the United States. If you access the Service from outside the U.S., you understand that your data will be transferred to, stored, and processed in the United States, which may have data-protection laws different from those in your country.

Children

Spawn is not directed to children under 13, and we do not knowingly collect personal information from children under 13. If you believe a child has provided us with personal information, contact privacy@getspawn.xyz and we will delete it.

Changes to this policy

We’ll update this page and change the effective date if our practices change materially. Continued use of Spawn after a change means you accept the updated Policy.

Contact

TKM Ventures, LLC
privacy@getspawn.xyz