Privacy Policy
Last updated: May 18, 2026. Privacy version: 2026-05-18.
This Privacy Policy explains how Next Generative Tech SRL ("we", "us", or "our") processes personal data when operating Spinrun (the "Service"). The Service is intended for B2B/professional use under our Terms and Conditions version 2026-05-18.
1. Introduction
Spinrun runs AI agents, workflows, scheduled tasks, integrations, connected apps, and communications channels on behalf of business customers. This may involve personal data about account users, organization members, contacts, message recipients, files, calendar participants, customer records, and other people whose data customers choose to process through the Service.
2. Controller & Contact
The data controller for account, billing, website, and service-operation data is:
- Legal name: Next Generative Tech SRL
- CUI: 49776714
- Trade registry number: J3/670/15.03.2024
- Registered office: Bucuresti, Strada Parcului 20
- Privacy contact: legal@spinrun.ro
We have not appointed a Data Protection Officer. Privacy questions and data subject requests should be sent to the privacy contact above.
3. Controller/Processor Roles
We act as an independent controller for personal data needed to create and administer accounts, operate billing, secure the Service, manage support, send service communications, maintain legal records, and run our website.
Where a customer uploads, connects, or instructs the Service to process data inside prompts, files, messages, workflows, agents, connected apps, or business records, the customer generally acts as controller and we act as processor on the customer's instructions. Customers are responsible for providing notices, obtaining permissions, setting retention policies, and ensuring a lawful basis for that data.
4. Information We Process
4.1 Account and organization data
Name, email address, organization name, role, profile photo, authentication identifiers, workspace membership, settings, preferences, and audit/activity records.
4.2 Customer Content
Prompts, instructions, files, attachments, chat history, agent configurations, workflow definitions, task inputs, task outputs, transcripts, generated artifacts, approval records, and related metadata.
4.3 Integration and channel data
Data from connected third-party tools and channels such as email, calendar, messaging, storage, CRM, databases, payment tools, and other APIs, limited by the scopes and instructions authorized by the customer.
4.4 Usage, device, and security data
Logs, IP address, device/browser data, operating system, referrer URL, timestamps, feature usage, model/tool usage, performance data, error data, rate-limit events, security events, and abuse signals.
4.5 Billing data
Plan, billing contact, billing address, tax identifiers, transaction history, subscription status, credit usage, overage settings, payment metadata, and invoice data. Full payment-card numbers are handled by our payment processor and are not stored by us.
4.6 Cookies and similar technologies
Cookies, local storage, and similar technologies used for sessions, preferences, consent records, security, analytics, and marketing where enabled.
5. Sources
- Directly from you when you register, configure the Service, submit content, buy a plan, or contact support.
- Automatically when you use the website or app.
- From third parties you authorize, including identity providers, connected apps, channels, and payment processors.
- From customers when they include personal data in workflows, files, prompts, connected apps, or communications.
6. Purposes & Lawful Bases
- Contract: to create accounts, authenticate users, provide the Service, run agents/workflows/integrations, provide support, process subscriptions, and administer credits.
- Legitimate interests: to secure, debug, monitor, and improve the Service, prevent abuse, maintain business records, communicate about the Service, and protect legal rights, balanced against data subject rights.
- Consent: for optional cookies, optional marketing communications, and other processing where consent is required. Consent can be withdrawn at any time.
- Legal obligation: for tax, accounting, fraud prevention, consumer/trader records where applicable, sanctions/compliance requests, and lawful authority requests.
- Customer instructions: where we act as processor for Customer Content and connected-app data.
7. AI Processing
The Service routes prompts, files, context, and relevant workflow data to AI model and inference providers to generate AI Outputs and execute requested tasks. AI providers process data as subprocessors or, where customers bring their own provider accounts/keys, under the customer's direct relationship with that provider.
We do not use Customer Content to train foundation models. We do not authorize AI subprocessors to use Customer Content for their own model training, and we use zero-retention or short-retention settings where available for the relevant service.
Users are interacting with AI systems when using Spinrun. Customers are responsible for human review and for labelling or disclosing AI-generated or AI-manipulated content where applicable law, including EU AI Act transparency rules, requires it.
8. Sharing & Subprocessors
We share personal data only as needed:
- With service providers and subprocessors under written commitments.
- With connected third-party tools at customer direction.
- With payment processors for billing and fraud prevention.
- With professional advisers, authorities, or counterparties where legally necessary.
- In connection with a merger, acquisition, financing, reorganization, or asset transfer.
- With consent or as otherwise disclosed at the time of collection.
We do not sell personal data.
Business customers can review and execute our Data Processing Agreement for GDPR-regulated Processing on behalf of their organization.
Named subprocessor categories
| Provider | Purpose |
|---|---|
| Supabase | Database, authentication, storage, and infrastructure |
| Vercel | Application hosting, serverless runtime, sandbox/runtime services |
| Stripe | Checkout, subscriptions, billing portal, payments, invoices, fraud checks |
| Composio | Connected-app tooling, OAuth/integration orchestration, tool execution |
| OpenAI | AI inference, embeddings, image generation, and agent/runtime features |
| Anthropic | AI inference for Claude model features when selected or configured |
| Google | Google OAuth, Google AI/Gemini, and user-authorized Google integrations |
| Twilio | WhatsApp and messaging channel delivery when enabled |
| Sendblue | iMessage/SMS channel delivery when enabled |
| Resend | Transactional email, inbound email routing, and notifications when enabled |
| Slack | Slack OAuth, workspace/channel integrations, events, and messaging when connected |
| Telegram | Telegram bot/channel delivery when enabled by a user |
Some connected apps chosen by customers, such as Google Workspace, Microsoft, Slack, Stripe, Shopify, Notion, CRM tools, databases, or custom MCP servers, may also receive or expose personal data based on customer configuration. Those services are governed by their own terms and privacy policies.
9. International Transfers
Some providers may process personal data outside the European Economic Area. Where personal data is transferred to a country without an adequacy decision, we rely on appropriate GDPR safeguards, primarily Standard Contractual Clauses and supplementary technical and organizational measures where necessary. You may request information about relevant safeguards by contacting us.
10. Retention
- Account and organization data: while the account is active and for a limited period after closure for legal, security, and dispute purposes.
- Customer Content: while needed to provide the Service, until deleted by the customer, or according to plan/organization retention settings where available.
- Logs and usage data: typically up to 12 months, longer for security, fraud, abuse, or legal investigations.
- Billing, tax, and accounting records: for legally required retention periods, typically up to 10 years in Romania.
- Backups: deleted or overwritten through normal backup rotation unless retained for legal/security reasons.
11. Security
We use technical and organizational measures designed to protect personal data, including encryption in transit, encryption at rest where appropriate, access controls, least-privilege roles, logging, secure development practices, webhook/signature verification, incident-response procedures, and internal access review. No system can be guaranteed fully secure.
12. GDPR Rights
Subject to applicable law, data subjects may request access, rectification, erasure, restriction, portability, objection to legitimate-interest processing, and withdrawal of consent. To exercise rights, contact legal@spinrun.ro. We may need to verify identity and, where we act as processor, forward the request to the relevant customer/controller.
You may lodge a complaint with Autoritatea Nationala de Supraveghere a Prelucrarii Datelor cu Caracter Personal (ANSPDCP), https://www.dataprotection.ro/, anspdcp@dataprotection.ro, B-dul G-ral. Gheorghe Magheru 28-30, Sector 1, 010336 Bucuresti, Romania.
13. Cookies & Analytics
We use strictly necessary cookies and local storage for authentication, security, consent records, and core functionality. Preference cookies remember choices such as theme or recent views. Analytics and marketing technologies are used only where enabled and, where required, after consent.
You can accept, reject, or customize non-essential categories through the cookie banner or the Cookie Settings link in the footer. Rejecting non-essential cookies does not block core Service access.
14. Payments
Payments are processed by Stripe. We receive transaction metadata such as customer identifiers, subscription status, plan, amount, invoice/payment status, and limited card details such as brand and last four digits. Stripe processes full payment details under its own terms and privacy policy.
15. Automated Decision-Making
The Service generates AI Outputs and automated recommendations, but we do not use the Service to make decisions about individuals that produce legal or similarly significant effects solely by automated means within the meaning of GDPR Article 22. Customers are responsible for human review of AI Outputs and agent actions.
16. Children
The Service is not directed to children or to consumers. We do not knowingly collect personal data from children. Contact us if you believe a child has provided personal data.
17. Changes
We may update this Privacy Policy as the Service, providers, or laws change. Material changes will be notified through the Service or by email where reasonably practicable. Continued use after the effective date constitutes acknowledgement of the revised Policy.
18. Contact
Privacy questions and data subject requests should be sent to legal@spinrun.ro.