Privacy Policy (US‑only)

Effective Date: October 14, 2025

Entity / Controller: WSTBD LLC (“WSTBD,” “we,” “our,” “us”)
Address: 218 W 123RD St, New York, NY 10027-5683, United States
Website: https://the-spread.org
Contact (Privacy): support@the-spread.org • legal@the-spread.org

This Privacy Policy explains how we collect, use, disclose, and protect information when you use The Spread mobile application, website, and related services (the “Service”). This Policy applies to U.S. residents only. By using the Service, you agree to this Policy.

1) Overview & Scope

We collect only what we need to run and improve the Service you request.
We do not sell or share personal information for cross-context behavioral advertising (as those terms are defined under California law).
We use trusted service providers (e.g., authentication, hosting, storage, diagnostics, basic analytics).
This Policy incorporates the Notice at Collection for California and discloses the categories of personal information we collect, the purposes, sources, and disclosures.

2) Notice at Collection (What we collect, why, from whom, and to whom)

We may collect the following categories of personal information. The examples are illustrative; actual data depends on how you use the Service.

Category (CPRA)	Examples	Purpose of Use	Sources	Disclosed To	Typical Retention
Identifiers	Name, email, IP address, device/advertising identifiers	Account creation/login, security, deliver core features, fraud prevention	You; your device	Service providers (auth, hosting, security)	Account life + up to 24 months backups/logs
Customer Records	Profile name, date of birth (DOB) (optional), support requests	Age-gating, personalization you choose, support	You	Service providers	Account life + up to 24 months backups
User Content	Tarot readings you save, notes, tags; photos you upload (e.g., spreads, avatar)	Core features (save/read/view privately), library management	You	Service providers (storage/hosting)	While in your library + up to 12 months in backups
Internet / Activity	App interactions, diagnostic & crash logs, device/OS metadata	Security, fraud prevention, debugging, quality, performance	Your device/SDKs	Service providers (diagnostics/analytics)	90–180 days unless needed longer for security or legal
Approximate Location	Country/region inferred from IP or device settings	Localization, security/abuse signals	Device/SDKs	Service providers	90–180 days
Sensitive Personal Information (SPI)	Account log-in & password	Authenticate and secure your account	You	Service providers (authentication/security)	Account life + security backups

Important about SPI. We use Sensitive Personal Information (log-in and password) only to provide and secure your account. We do not use SPI to infer characteristics. Because our use is limited to permitted purposes, a “Limit Use of Sensitive PI” link is not required.

3) Do we sell or share personal information?

No. We do not sell personal information and do not share it for cross-context behavioral advertising. If this changes, we will update this Policy and provide a clear “Do Not Sell or Share My Personal Information” link before such activities occur.

4) Sources of Personal Information

Information you provide (e.g., account, profile, saved readings, notes, tags, photos).
Information from your device and in-app activity (e.g., diagnostics, security logs, performance).
Information from service providers that support authentication, hosting, storage, diagnostics, and security.

5) How we use information (Purposes)

Provide the Service you request (accounts, saved readings, photos you upload).
Operate, secure, and troubleshoot the Service (diagnostics, error logs, anti-abuse/fraud).
Improve quality and performance (product analytics configured for product operations, not ad targeting).
Communicate with you about the Service (e.g., support responses, important notices).
Comply with law and enforce terms, protect users, our rights, and the Service.

We do not use personal information for cross-context behavioral advertising.

6) Disclosures to Service Providers (and When Else We Disclose)

We disclose information to service providers under written agreements limiting their use to our instructions, including for:

Authentication and account security
Cloud hosting, database, and storage
Diagnostics, crash reporting, and product analytics (configured for product quality/security)
Customer support tools and anti-abuse/security

We may also disclose information:

If required by law or legal process, or to protect users, our rights, or the Service
In connection with a business transfer (e.g., merger, acquisition); if ownership changes, we will notify you if required and your information will remain protected under this Policy or an equivalent policy

We do not allow service providers to sell or share your personal information for advertising.

7) Your Privacy Rights (U.S. State Laws, incl. California)

Subject to applicable law and verification, you may have the right to:

Know/Access the categories and specific pieces of personal information we collected about you.
Delete personal information (with legal/operational exceptions, e.g., security or compliance).
Correct inaccurate personal information.
Obtain a portable copy of certain information.
Opt out of sale or sharing of personal information (we do not sell/share; if that changes, we will provide opt-out mechanisms).
Limit use of Sensitive Personal Information (not required here because we use SPI only for permitted purposes).
Non-discrimination for exercising rights.
Appeal a decision regarding your privacy request (see below).

How to exercise your rights

Use Settings → Privacy & Security → Privacy Requests in the app or email support@the-spread.org or legal@the-spread.org with subject “Privacy Request.” We will verify your identity (e.g., signed-in request, email verification, reasonable match against account data). We typically respond within 45 days; we may extend once if reasonably necessary and permitted by law, and will notify you of the extension.

Authorized agents

An authorized agent may submit a request on your behalf if they provide proof of authorization and we can verify your identity and the agent’s authority.

Appeals process

If we deny your request (in whole or in part), you may appeal by replying to our decision or emailing legal@the-spread.org with subject “Privacy Appeal”. We will review and respond within applicable legal timelines.

“Do Not Track” and Global Privacy Control

There is no uniform “Do Not Track” standard; however, we honor applicable Global Privacy Control (GPC) signals to the extent required by law. Our current practice of no sale/share means your opt-out is already respected.

Financial incentives

We do not offer financial incentives related to personal information.

8) Children’s Privacy

The Service is not directed to individuals under 16 in the United States. We do not knowingly collect personal information from children under 13. If you believe a child under 13 has provided personal information, please contact us so we can delete it.

9) Security

We implement reasonable technical and organizational safeguards appropriate to the nature of the data and the risks of processing (e.g., encryption in transit, access controls, monitoring). No method is 100% secure; use a strong, unique password and keep it confidential.

10) Data Retention

We retain personal information only as long as necessary for the purposes described above or as required by law. Typical retention periods:

Account & Profile (including identifiers): while your account is active + up to 24 months in backups/logs.
Saved readings & photos: while you keep them in your library + up to 12 months in backups.
Diagnostics / logs: typically 90–180 days, unless needed longer for security/legal.

Actual periods may vary based on law, disputes, enforcement, or technical limitations (e.g., backup overwriting cycles).

11) Additional Disclosures (California “Last 12 Months”)

In the last 12 months, we collected the categories listed in Section 2, disclosed them to service providers for business purposes, and did not sell or share personal information for cross-context behavioral advertising. We did not knowingly collect personal information from children under 13.

We do not share personal information with third parties for their direct marketing purposes.

12) International Use

The Service is intended for U.S. residents and is operated in the United States. If you choose to use the Service from another country, you understand that your information will be transferred to, stored, and processed in the United States under U.S. law.

13) Changes to this Policy

We may update this Policy to reflect changes in our practices or legal requirements. We will post the updated Policy with a new Effective Date and, where required by law, provide additional notice. Your continued use of the Service after the Effective Date means you acknowledge the updated Policy.

14) Accessibility

If you need this Policy in an alternative format, contact support@the-spread.org.

15) Contact Us

WSTBD LLC
218 W 123RD St, New York, NY 10027-5683, United States
support@the-spread.org • legal@the-spread.org

16) Key Definitions (plain language)

“Personal information” (or “PI”): Information that identifies, relates to, or could reasonably be linked with an individual or household (as defined by applicable U.S. state privacy laws).
“Sensitive Personal Information” (SPI): Certain protected data (e.g., account log-in and password). We use SPI only for permitted purposes (authentication/security).
“Sell” / “Share”: Have the meanings under California law; we do not sell or share PI for cross-context behavioral advertising.
“Service providers”: Vendors that process PI on our behalf under written contracts that restrict their use of PI to our instructions.
“User Content”: Content you choose to upload or save (e.g., readings, notes, photos).
“AI Outputs”: Text or other outputs generated by the Service based on your inputs; governed by our Terms of Use.

Version: v1 • Effective Date: October 14, 2025