
Legal

Privacy & Data Policy

Privacy and data policy covering how Spiffy collects, uses, shares, and protects information.

Updated: June 11, 2026 | Terms of Service

This Privacy Policy describes Spiffy’s practices regarding the collection, use and disclosure of the information we collect from and about you when you use Spiffy’s web-based and mobile applications (the “Service”). We take our obligations regarding your privacy seriously and have made every effort to draft this Privacy Policy in a manner that is clear and easy for you to understand. By accessing or using the Service, you agree to this Privacy Policy, our Terms of Service, and our Acceptable Use Policy.

Our Collection and Use of Information

Information You Provide to Us

We collect personal information, such as your name and email address, when you register for an account on the Service. You may also provide us with optional information such as a photograph. Your user name, email address and any optional profile information that you elect to associate with your account is referred to herein as your “Profile Information.”

We may use your email address to send you Service-related notices (including any notices required by law, in lieu of communication by postal mail). We may also use your email address to send you announcements and information about other products or services (including third-party services) that you may be interested in (together, the “Marketing Messages”). You may opt-out of receiving Marketing Messages at any time by following the instructions provided in the Marketing Message. Through your account interface, you may also opt-out of receiving categories of Service-related notices that are not deemed by Spiffy to be integral to your use of the Service.

Even if you are not a registered user of our Service, if you email us we may retain a record of such email communication, including your email address, the content of your email, and our response.

If you are a user of our paid premium service, we will utilize a third-party credit card payment processing company to collect payment information, including your credit card number, billing address and phone number. We will share this payment information with the third-party processing company as detailed below in “How We Share Your Information: With Trusted Service Providers and Business Partners.” We do not store your payment information.

If you choose to use our invitation service to invite a friend to the Service, we will ask you for that person’s contact information, which may include their email address or their social network identity, and automatically send an invitation. Spiffy stores the information you provide to send the invitation, to register your friend if your invitation is accepted, and to track the success of our invitation service.

Your Content

Your use of the Service will involve you uploading or inputting various content into the Service, including but not limited to tasks, attachments, project names, team names, and conversations (together, the “Content”).

You control how your Content is shared with others via your settings on the Service.

Spiffy may view your Content only as necessary (i) to maintain, provide and improve the Service; (ii) to resolve a support request from you; (iii) if we have a good faith belief, or have received a complaint alleging, that such Content is in violation of our Acceptable Use Guidelines; (iv) as reasonably necessary to allow Spiffy to comply with or avoid the violation of applicable law or regulation; or (v) to comply with a valid legal subpoena or request that meets the requirements of our Law Enforcement Guidelines. We may also analyze the Content in aggregate and on an anonymized basis, in order to better understand the manner in which our Service is being used.

Information We Collect Automatically

We use technologies like cookies and pixel tags to provide, monitor, analyze, promote and improve the Service. For example, a cookie is used to remember your user name when you return to the Service and to improve our understanding of how you interact with the Service. You can block cookies on your web browser; however please be aware that some features of the Service may not function properly if the ability to accept cookies is disabled.

Log Files

When you use the Service, our servers automatically record certain information in server logs. These server logs may include information such as your web request, Internet Protocol (“IP”) address, browser type, referring / exit pages and URLs, number of clicks and how you interact with links on the Service, domain names, landing pages, pages viewed, mobile carrier, and other such information. Log files help us to monitor, analyze, improve and maintain the Service and to diagnose and fix any Service-related issues.

Device Identifiers

When you access the Service using a mobile device, we collect specific device information contained in your mobile device’s “device identifier.” This device identifier includes information such as the type of device you are using, its operating system, and mobile network information, which may include your mobile phone number. We may associate this device identifier with your Service account and will use data associated with your device identifier to customize our Services to your device and to analyze any device-related issues.

Location Information

We may collect and process information about the location of the device from which you are accessing the Service. Location data may convey information about how you browse the Service and may be used in conjunction with personally identifiable information. You can disable location-based services in settings associated with the Service; however please be aware that some features of the Service may not function properly if location services are turned off.

PCI Compliance

We are current with all PCI compliance requirements for how our system operates. Our Service does not store, relay, pass, or handle sensitive credit card data. All sensitive credit card data is stored directly by our third-party payment gateways and merchant processors. Please review your payment gateway’s Terms and Privacy Policy for more information on how your customer’s credit card data is handled.

KYC & AML

We have designed our system to ensure a history of all records is maintained. You are not allowed to delete customer records, or order records in our system. An identifiable history of all transactions and customers is needed to ensure you have a proper history of transactions and customers for all Know Your Customer (KYC) and Anti-Money Laundering (AML) laws and regulations.

Data Retention and Your Controls

We retain personal information, account information, customer records, order records, transaction records, audit records, security logs, and related business records for as long as reasonably necessary to provide, operate, secure, support, and improve the Service; comply with legal, tax, accounting, fraud prevention, KYC, AML, payment network, and regulatory obligations; resolve disputes; enforce our agreements; preserve transaction history; and maintain backup and disaster recovery systems.

You can review, update, export, or control certain information through your account settings and product features. You may also contact us at [email protected] to request help with access, correction, deletion, portability, marketing preferences, or other privacy controls, subject to identity verification, account ownership, applicable law, contractual commitments, transaction-history requirements, and security obligations.

When you close, cancel, or hibernate an account, we may continue to retain records where needed for the purposes described above. We may also retain de-identified, aggregated, or anonymized information that does not reasonably identify you or your customers.

How We Share Your Information

We may share the information we collect from you with third parties as detailed below.

As Directed By You

We will display your Profile information on your profile page and elsewhere on the Service in accordance with the preferences you set in your account. You can review and revise your Profile information at any time.

We will display your Content within the Service as directed by you, including but not limited to your checkouts, portals, and customer-facing emails.

If you elect to use a third-party application to access the Service, then we may share or disclose your account and Profile information and your Content with that third-party application as directed by you. Please remember that we are not responsible for the privacy practices of such third parties so you should make sure you trust the application and that it has a privacy policy acceptable to you.

AI Apps, MCP Connections, and Third-Party Integrations

If you choose to connect Spiffy to a third-party artificial intelligence application, assistant, agent, automation tool, MCP client, custom connector, or similar integration (“AI App”), we may share or disclose information from your Spiffy account with that AI App as directed by you and according to the accounts, scopes, user role, access controls, and permissions granted to the connection.

The Spiffy MCP connector uses OAuth authorization. During connection, you may be asked to select the Spiffy account or accounts and permission scopes the AI App can access. The connector can only operate within the access you approve and the permissions available to your Spiffy user account. Depending on the scopes and permissions granted, the connector may read, create, update, delete, refund, retry, cancel, rotate, test, search, or return information from your account. A current technical reference for connector tools is available at https://developers.spiffy.co/connectors/spiffy/tools.

Connector inputs may include your prompts or instructions, tool-call parameters, account identifiers, record identifiers, search filters, dates and times, requested actions, confirmation decisions, authentication events, IP addresses, device or browser information, and related logs. Connector outputs may include records, status messages, validation errors, audit or log references, dashboard links, generated summaries based on account data, and other information returned by the requested tool.

We use AI App and MCP connection information to operate requested tools, authenticate and authorize access, enforce scopes, show results in the AI App, confirm write or destructive actions, audit changes, support and troubleshoot requests, secure the Service, meter API usage, comply with law, and improve the Service in aggregate or anonymized form where applicable.

Connector information may be received by the AI App you connected, Spiffy service providers, payment processors or gateways where relevant, Spiffy University or help-doc systems for support searches, destination systems you configure, legal or safety recipients where required, and successor entities in a business transfer.

The following table summarizes the main information categories:

| Category | What may be used or returned | Controls and retention |
| --- | --- | --- |
| Accounts and users | Account details, user details, roles, selected accounts, scopes, and permission grants. | You choose accounts and scopes during connection. OAuth grants and tokens last until revoked or expired. |
| Customers and cards | Customer records, contact details, notes, saved-card metadata, and payment card tokens. | Raw card numbers are not exposed through the connector. Cards are tokenized by payment processors. |
| Orders and billing | Orders, refunds, payments, subscriptions, payment plans, billing dates, failed-payment retries, and related customer communications. | Write or destructive actions should require user confirmation in compliant clients. Transaction and audit records are retained as needed for required account history. |
| Products and programs | Products, prices, promos, affiliates, affiliate programs, payouts, tracking links, and related actions. | Access depends on approved scopes and account permissions. Records may be retained for operations, accounting, tax, fraud, and dispute needs. |
| Webhooks and integrations | Webhook endpoints, signing-secret rotation results, test events, delivered events, retry attempts, event types, and integration fields. | You control configured endpoints and granted scopes. Security and event logs may be retained for operations, troubleshooting, and audit needs. |
| Help and time tools | Spiffy University searches, help article content, current UTC time, account time zone, and date/time conversions. | Help-doc searches cover Spiffy support content, not your account data, unless combined with other authorized tool results. |
| Connector records | Access tokens, refresh tokens, approved scopes, tool calls, requested actions, completed actions, timestamps, users, account IDs, IP addresses, API usage, errors, and audit history. | You may disconnect through the AI App or revoke access through Spiffy connected-apps settings where available. Revocation prevents future access but does not delete prior audit records, transaction records, or information already sent to a third-party AI App. |

AI Apps may be provided by third parties and may process, store, use, or disclose information according to their own terms, privacy policies, data processing terms, security practices, and retention practices. Requests, responses, outputs, prompts, summaries, and tool results may pass through or be stored by the AI App you choose, such as ChatGPT, Claude, or another MCP-compatible client. Spiffy does not control and is not responsible for the privacy, security, or data handling practices of third-party AI Apps or providers. You should only connect an AI App if you trust the provider and have confirmed that its terms and privacy policy are acceptable to you.

You are responsible for ensuring that you have the right to share or make available any account, customer, personal, confidential, payment-related, or business information with the AI Apps you choose to connect. You are also responsible for ensuring that your use of those AI Apps complies with any privacy, data protection, contractual, customer notice, and legal obligations that apply to your business.

We may collect and retain information about AI App connections and activity, including connection details, permission scopes, authentication events, tool calls, requested actions, completed actions, timestamps, users, account identifiers, IP addresses, and related logs. We use this information to provide, secure, monitor, troubleshoot, support, audit, meter, and improve the Service.

You may disconnect an AI App or MCP connection through the AI App or through your Spiffy connected-apps settings where available. Disconnecting an AI App or revoking its OAuth grant prevents future access through that connection but does not undo previous actions, delete transaction or audit records, delete information already shared with the AI App, or require the third-party provider to delete information it has already received. You should review the third-party provider’s terms and privacy policy for information about its data deletion and retention practices.

With Trusted Service Providers and Business Partners

We may utilize trusted third-party service providers to assist us in delivering our Service. For example, we may use third parties to help host our Service, send out email updates, or process payments. These service providers may have access to your information for the limited purpose of providing the service we have contracted with them to provide. They are required to have a privacy policy and security standards in place that are at least as protective of your information as is this Privacy Policy. We may also store personal information in locations outside the direct control of Spiffy (for instance, on servers or databases co-located with hosting providers).

With Law Enforcement or In Order to Protect Our Rights

We may disclose your information (including your personally identifiable information) if required to do so by law or subpoena and if the relevant request meets our law enforcement guidelines. We may also disclose your information to our legal counsel, governmental authorities or law enforcement if we believe that it is reasonably necessary to do so in order to comply with a law or regulation; to protect the safety of any person; to address fraud, security or technical issues; or to protect Spiffy’s rights or property.

In an Aggregate and Non-Personally Identifiable Manner

We may disclose aggregate non-personally identifiable information (such as aggregate and anonymous usage data, platform types, etc.) about the overall use of our Service publicly or with interested third parties to help them understand or to help us improve the Service.

In Connection With a Sale or Change of Control

If the ownership of all or substantially all of our business changes, we may transfer your information to the new owner so that the Service can continue to operate. In such case, your information would remain subject to the promises and commitments contained in this Privacy Policy until such time as this Privacy Policy is updated or amended by the acquiring party upon notice to you.

How We Protect Your Information

The security of your information is important to us. When you enter sensitive information (such as a credit card number) as part of our service, we encrypt the transmission of that information using industry-standard encryption.

Spiffy uses commercially reasonable and industry-standard physical, managerial, and technical safeguards to preserve the integrity and security of your information. For example, we continuously and regularly back up your data to help prevent data loss and aid in data recovery. We also guard against common web attack vectors, host data in secure SAS 70 audited data centers, require multi-factor authentication, and implement firewalls and access restrictions on our servers to secure our network and better protect your information.

If you have any questions about security on our Service, contact us at [email protected].

Risks Inherent in Sharing Information

Although we allow you control over where you share your Content and what information is included in your Profile and take reasonable steps to maintain the security of the information associated with your account, please be aware that no security measures are perfect or impenetrable. We cannot control the actions of other users with whom you share your Content and we are not responsible for third-party circumvention of any privacy settings or security measures on the Service.

Additionally, we provide you and your team the ability to secure your access to the Service with multi-factor authentication to limit the viability of common personal security attack vectors (such as phishing, weak passwords, and brute forcing). However, it is solely your responsibility to ensure the security of your login credentials and device access.

© 2026 Spiffy. All rights reserved.