Privacy Policy

What we collect

When you create an account we collect your email address and, if you opt in to SMS alerts, your phone number. When you subscribe to a paid plan, Stripe processes your payment — we never see or store your full card number. We also store your watch configurations (restaurant, dates, party size, meal preferences) to run alerts.

What we don't collect

We never collect, store, or request your Disney account credentials. We do not track your browsing activity across other sites. We do not sell, rent, or trade your personal information to third parties.

How we use your data

Your email and phone number are used exclusively to deliver availability alerts and account notifications (password resets, billing receipts, service updates). Watch configurations are used to match detected availability against your criteria.

Third-party services

We use Stripe for payment processing, Twilio for SMS delivery, and Supabase for authentication and data storage. Each operates under its own privacy policy. We share only the minimum data required for each service to function.

Data retention

Your account data is retained as long as your account is active. Alert history is retained for 90 days, then automatically purged. If you delete your account, all personal data is removed within 30 days, except where retention is required by law.

Cookies, analytics, and advertising

SpotSitter uses three categories of cookies and similar technologies:

Necessary (always on). A session cookie for Supabase authentication, your A/B variant assignment, and your saved consent preferences. These are required for the site to function and cannot be disabled.

Analytics (opt-in). Google Analytics 4 and Microsoft Clarity help us understand how visitors use the site, where they drop off, and which features matter. Both are configured to anonymize IP addresses and mask personally identifiable input fields (email, payment). Retention: 14 months for GA4, 30 days for Clarity.

Advertising (opt-in).We use pixels and server-side conversion APIs from Meta (Facebook/Instagram), TikTok, Reddit, Pinterest, and Microsoft Bing to measure ad performance and reach similar audiences. The only data shared is hashed email and event metadata (page viewed, signed up, subscribed) — never your watch configurations, phone number, or Disney activity.

You control it.EEA, UK, and California visitors are opted out by default. Everywhere else, our consent banner asks before any analytics or advertising cookie fires. You can change your choice at any time via the “Cookie preferences” link in the footer. We automatically honor the Global Privacy Control (GPC) browser signal. California residents can also use the “Do Not Sell or Share My Personal Information” link in the footer.

Your rights

You may export or delete your data at any time from your account settings. You may also request data deletion by emailing privacy@spotsitter.com. We respond to all requests within 30 days.

Changes

We'll email you about material changes to this policy at least 14 days before they take effect. The latest version is always available at this URL.

Contact

Privacy questions? Email privacy@spotsitter.com.