1. Controller
The controller for data processing on this website is:
Arc Rider Ventures GmbHJänickendorferstr. 64A, 14943 Luckenwalde, Germany
Email: privacy@spicky.de
2. Hosting and backend
Spicky is provided via the Lovable Cloud platform (based on Supabase, hosting within the European Union). Database, authentication and server-side functions run there. A data processing agreement pursuant to Art. 28 GDPR is in place with the provider.
3. Data collected and purposes
a) Account and profile
On registration we store your email address, display name, a hashed password and optional profile information (e.g. avatar color). Legal basis: Art. 6 (1) (b) GDPR (performance of contract).
b) Content (lists, titles, comments, friends)
Your cheat sheets, saved titles, ratings, notes, comments, friendships and invites are stored to provide the service. Legal basis: Art. 6 (1) (b) GDPR.
c) Authentication via Apple (“Sign in with Apple”)
When signing in with Apple, Apple transmits a pseudonymous Apple ID and, at your option, your email address (possibly as an Apple relay address) to us. Provider is Apple Inc., One Apple Park Way, Cupertino, CA 95014, USA. Legal basis: Art. 6 (1) (b) GDPR.
d) Server logs
When accessing the site, technical data (IP address, date and time, user agent, referrer) is briefly processed in server logs to ensure operation, security and stability. Legal basis: Art. 6 (1) (f) GDPR (legitimate interest).
e) Email delivery
Transactional and notification emails (e.g. registration confirmation, password reset, optional summaries) are sent from the sender domain notify.spicky.de via the provider Resend (Resend, Inc., USA). We process your email address and a delivery log (status, timestamps) for this. Legal basis: Art. 6 (1) (b) GDPR or Art. 6 (1) (a) GDPR for optional notifications, which you can revoke at any time in settings.
f) External data sources (OMDb, streaming availability)
Movie and TV metadata is sourced via the Open Movie Database (OMDb). Streaming availability data may be retrieved from third-party providers. No personal data is transmitted to these services.
g) Reports, moderation and blocks
When you report other users’ content by email to hello@spicky.de, we process the contents of that message (email address, reported content, reason) to review and act on it. When you block other users in the app, we store this block relationship to enforce visibility rules. Legal bases: Art. 6 (1) (f) GDPR (legitimate interest in a safe platform) and Art. 6 (1) (c) GDPR. Reports are retained for up to 12 months for evidence and repeat-offence review.
4. Cookies and local storage
We only use technically necessary cookies or localStorage entries to store your session (auth token) and preferences (e.g. theme). There is no tracking, no analytics or advertising cookies are used.
5. Recipients and third-country transfers
Personal data is transferred to the following processors:
- Lovable Cloud / Supabase — hosting, database, auth (EU region)
- Resend, Inc. — email delivery (USA; safeguarded via Standard Contractual Clauses)
- Apple Inc. — if “Sign in with Apple” is used (USA)
6. Retention
We store personal data for as long as your account exists. When you delete your account, associated data is deleted immediately unless statutory retention obligations apply. Server logs are deleted or anonymised after a maximum of 30 days.
7. Your rights
- Access to your stored data (Art. 15 GDPR)
- Rectification of inaccurate data (Art. 16 GDPR)
- Erasure (Art. 17 GDPR)
- Restriction of processing (Art. 18 GDPR)
- Data portability (Art. 20 GDPR)
- Objection to processing based on legitimate interests (Art. 21 GDPR)
- Withdrawal of consent with effect for the future (Art. 7 (3) GDPR)
Please send requests to privacy@spicky.de.
8. Right to lodge a complaint
You have the right to lodge a complaint with a data protection supervisory authority. The authority responsible for us is the Brandenburg State Commissioner for Data Protection and the Right of Access to Files, Stahnsdorfer Damm 77, 14532 Kleinmachnow, Germany.
9. Data security
Transmission between your device and our servers is encrypted via HTTPS/TLS. Passwords are stored hashed only.
10. Changes to this policy
We adapt this privacy policy when legal conditions or our processing activities change. The current version is always available here.