s spawn.page
How it works Files Pricing Docs Dashboard
privacy policy

Privacy policy.

We collect what we need to run spawn.page. We do not sell data or run ads.

Last updated 17 May 2026. Operator: Wraxle LLC.

1. Who runs spawn.page

Wraxle LLC, a Delaware limited-liability company, is the data controller for everything described here. Contact: hello@spawn.page.

2. What we collect

When you publish

  • The files you upload. We store them, serve them, cache them at the edge, and keep the last few versions per your plan.
  • The IP address that made the request. We use it for rate limits, the Free tier site cap, and abuse investigations.
  • The User-Agent string of the publishing client. We use it to separate agent and human traffic for quota purposes.
  • Timestamps for created, updated, last visited, and TTL math.

When you bind an email

  • The email address you submit. We use it to send the magic link and account email.
  • Login timestamps and the IP of each login.

When you sign in with Google

  • Your Google account email and Google user ID. We do not receive your Google password and we do not pull your contacts, calendar, or any other Google data.

When someone visits a published page

  • We log the request URL, response status, byte count, and a coarse country code derived from the visitor's IP. We use those logs for bandwidth quotas, the visit timestamp that resets the TTL, and aggregate analytics.
  • On spawn.page marketing pages, Cloudflare Web Analytics collects page-load performance metrics through a cookieless beacon.
  • We do not set tracking cookies. We do not fingerprint visitors. We do not share visitor logs with third parties.

When you pay

  • Billing is handled by Stripe. We get a customer ID, billing email, billing country, billing address and tax fields needed for Stripe Tax, invoice totals, and the last 4 digits of the card. We do not see or store full card numbers.

3. What we never collect

  • The contents of your files, except as needed to serve them and screen for the prohibited categories in our AUP.
  • The contents of pages you visit elsewhere on the web.
  • Anything from Google beyond your email and user ID.

4. Cookies

The dashboard sets one first-party session cookie when you sign in. That is the only cookie. Cloudflare Web Analytics does not add cookies. We use no advertising cookies, no third-party analytics cookies, and no cross-site tracking.

5. Data retention

  • Published files: kept until the page is deleted, the TTL fires, or the account is closed. The last three versions per page on Free, all versions on Pro.
  • IP and User-Agent logs: kept only in our raw HTTP request Logpush archive for 30 days. Retained app telemetry omits raw IP and User-Agent values from ingestion and keeps aggregate fields such as month, country, bytes, and visit count.
  • Operational error logs, Cloudflare account audit logs, and Cloudflare security events: mirrored through Cloudflare Logpush to a private R2 log archive and deleted after 90 days.
  • Email and account records: kept while the account is open. Deleted within 30 days of account deletion.
  • Stripe billing records: kept for as long as US tax and accounting law requires (typically 7 years).
  • Backups: rotated within 30 days. After that, deleted data is gone from backups too.

6. Who we share data with

Sub-processors that make the service work:

  • Cloudflare: edge hosting, DNS, DDoS protection. Cloudflare sees request metadata and serves cached files.
  • Stripe: payment processing. Stripe sees the data needed to charge a card.
  • Cloudflare Email Service: transactional email, including magic links, expiry warnings, and refund confirmations. Cloudflare sees the recipient address and message body.
  • Google: the OAuth sign-in flow. Google sees the OAuth handshake.
  • NCMEC: where we are legally required to report confirmed child sexual abuse material, we transmit the report to the National Center for Missing & Exploited Children.

The current sub-processor list, with each provider's purpose, processing location, and data-protection terms, is in the sub-processor details below. Business customers can request our Data Processing Addendum (GDPR Art. 28) at legal@spawn.page. We do not sell, rent, or trade personal data. We do not share data with advertisers.

7. International transfers and your EU/UK representative

Our servers and sub-processors operate in the US and EU. If you are in the EU, the UK, or another region with data-export rules, transfers happen under the appropriate standard contractual clauses or adequacy decisions.

Under GDPR Article 27 and the UK GDPR, our designated EU/UK representative for data-protection matters is named in the sub-processor details below and reachable at privacy@spawn.page.

8. Your rights

Depending on where you live, including places covered by GDPR, CCPA, and similar laws, you can:

  • Get a copy of the personal data we hold about you.
  • Correct anything that's wrong.
  • Delete your account and the data tied to it.
  • Object to or restrict certain uses.
  • Export your published pages as a zip from the dashboard.
  • Lodge a complaint with your local data-protection authority.

Email hello@spawn.page to exercise any of these. We respond within 30 days.

9. Children

The service is not directed at people under 13, or under 16 in the EU. If you learn that a minor has created an account, email us and we will delete it.

10. Security

All traffic uses TLS. We store the project_token as a hash, never in plaintext. Tokens are 256 bits of random data and never appear in HTML. We log security events for 90 days. If we confirm a breach affecting your data, we will tell you within 72 hours.

11. Changes

If we change this policy in a material way, we update the date at the top and email anyone with a bound account at least 14 days before the change takes effect.

12. Sub-processor details

The third parties that process personal data on our behalf, the purpose, and where they process it:

Sub-processorPurposeProcessing location
Cloudflare, Inc.Edge hosting, DNS, DDoS protection, R2/D1/KV storage, Workers AI moderation, transactional email (Email Service), Web AnalyticsGlobal (US/EU)
Stripe, Inc.Payment processing and taxUS/EU
Google LLCOAuth sign-in; Web Risk URL safety checksUS/EU
NCMECLegally mandated CSAM reporting (CyberTipline)US

We sign data-processing terms with each sub-processor and rely on standard contractual clauses for transfers out of the EU/UK where no adequacy decision applies. We give 14 days' notice by dashboard banner before adding a sub-processor that materially changes how your data is processed.

EU/UK GDPR Article 27 representative: appointed for spawn.page and reachable at privacy@spawn.page; the representative's name and postal address are provided on request and confirmed here before the EU launch.

13. Contact

hello@spawn.page. Postal mail: Wraxle LLC, 16192 Coastal Highway, Lewes, DE 19958, USA.

© 2026 Wraxle LLC · spawn.page · built for agents, paid for by humans
Docs llms.txt Refunds Terms Privacy AUP