Privacy Policy

Effective date: May 7, 2026

Introduction

Spensr Events is operated by Spensr LLC at spensrevents.com. This Privacy Policy describes how we collect, use, and protect information when you use our service.

Contact: legal@spensrevents.com

This policy is effective as of the date listed above. Continued use of the service after changes to this policy constitutes acceptance of the updated terms.

What Data We Collect

Email address

We collect your email address only when you create a Verified Sandbox or a paid account. The anonymous sandbox requires no account and no email.

Usage analytics

We collect page-level analytics via GA4 (Google Analytics 4) and behavioral analytics via PostHog. Both are active on the marketing site and the app.

Webhook payload content

Event payloads POSTed by customers to Spensr ingest endpoints are stored temporarily on your behalf. See the Webhook Payload Storage section for retention details.

API keys and HMAC secrets

API keys and HMAC secrets are stored as KMS-encrypted ciphertext. They are not readable in plaintext by Spensr staff.

Cookies and Analytics

GA4 sets first-party cookies for session and attribution tracking.
PostHog may set cookies or use local storage for session identification.
Users may opt out via browser settings or standard opt-out mechanisms provided by each service.

How We Use Your Data

Email

Your email is used for:

Account creation
Transactional notifications such as delivery failures and quota warnings
Product communications

Your email is not sold or shared with third parties for marketing.

Analytics

Analytics data is used for aggregate product improvement. We do not build individual profiles for advertising purposes.

Webhook payload content

Payload content is processed solely to deliver events to your configured destinations. It is not analyzed, sold, or used for any purpose outside your own pipeline.

Webhook Payload Storage

Payloads are stored at rest in DynamoDB with plan-based TTL retention:

Verified Sandbox: 24 hours
Simple plan: 48 hours
Pro plan: 14 to 30 days

Storage details:

Encryption at rest: DynamoDB server-side encryption (SSE)
Encryption in transit: HTTPS/TLS
SQS messages carry only event IDs and metadata; full payload content is not transmitted via SQS
API keys and HMAC secrets are encrypted with a KMS customer-managed key (CMK); payload content is protected by DynamoDB SSE

Payment Data

Billing and payment card data is handled exclusively by Stripe. Spensr Events does not store or process payment card information. See Stripe's privacy policy for details on how payment data is handled.

Data Sharing

We share data with the following infrastructure providers as necessary to operate the service:

AWS (DynamoDB, SQS, CloudFront, KMS)
Vercel (marketing site hosting)
Google (GA4)
PostHog

We do not sell personal data to third parties. We disclose data only as required by law or to enforce these policies.

Your Rights (GDPR / CCPA)

You have the following rights regarding your personal data:

Right to access your data
Right to correct inaccurate data
Right to delete your data
Right to export your data
Right to opt out of sale (Spensr Events does not sell personal data)

To submit a request, contact legal@spensrevents.com. We will respond within 30 days.

Data Retention

Email addresses: retained while your account is active and for a reasonable period after account deletion
Webhook payload content: governed by plan-tier TTLs described in the Webhook Payload Storage section
Analytics data: subject to the retention policies of the respective provider (Google for GA4, PostHog for behavioral analytics)

Children's Privacy

The service is not directed at children under 13. We do not knowingly collect personal data from minors.

Changes to This Policy

When we make material changes, we update the effective date at the top of this document. Continued use of the service after the updated effective date constitutes acceptance of the changes.

Contact

Questions or requests regarding this policy: legal@spensrevents.com