Cookie Policy
Last updated: 15.11.2025
Applies to: https://www.spayo.xyz and https://app.spayo.xyz
1. Introduction
This Cookie Policy explains how Spayo (“we”, “us”, “our”) uses cookies and similar tracking technologies on our marketing website (spayo.xyz) and our application (app.spayo.xyz). It describes what these technologies are, why we use them, and your rights to control their use.
We comply with the GDPR, ePrivacy Directive, Swiss FADP, and US privacy frameworks including CCPA/CPRA. Where legally required (EU/EEA, UK), we request explicit consent before setting non-essential cookies.
2. What Are Cookies?
Cookies are small text files stored on your device when you visit a website. They help websites recognize your browser, store preferences, enhance security, and measure performance.
Spayo also uses related technologies:
- Local Storage – stores cached preferences inside the browser.
- Session Storage – used for temporary data during a session.
- Pixel tags / web beacons – tiny transparent images used for analytics.
- Server logs – IP address, device information, timestamps (for security and fraud prevention).
All of these are collectively referred to as “cookies” in this policy.
3. How We Use Cookies
We use cookies for the following purposes:
3.1. Strictly Necessary Cookies (Essential)
These cookies are required for the website and app to function. They include:
- Authentication sessions
- Security & fraud prevention
- Token credit system (ensuring correct token balance and usage)
- Core app functionality (uploading images, rendering designs)
Legal basis (GDPR):
Article 6(1)(b) – necessary to perform the service you request.
Consent not required.
3.2. Analytics & Performance Cookies
Used to understand how users interact with our site and improve user experience.
We use:
- Privacy-friendly analytics
- Google Analytics 4 (IP anonymization enabled) on marketing site
- Privacy-mode analytics inside the app (Supabase / minimal logs)
- Heatmaps / User behavior (optional, only if enabled)
- Hotjar or Microsoft Clarity
- Installed only after consent (EU/EEA/UK)
Legal basis:
- Consent (EU/EEA/UK)
- Legitimate interest (non-EU users)
You may opt out at any time (see Section 7).
3.3. Functionality Cookies
Used to remember user preferences such as:
- Selected language
- UI theme
- Saved filters
- Cookie consent status
These cookies make your experience smoother but are not strictly required.
Legal basis: consent.
3.4. Advertising & Marketing Cookies
Used only on the marketing website, not inside the application.
We may use:
- Google Ads Remarketing
- Meta Pixel
- TikTok Pixel
- Pinterest / Twitter Ads (if enabled)
These cookies help display relevant ads and measure campaign performance.
They are not loaded until you explicitly consent.
No behavioral advertising is shown inside the Spayo app.
3.5. Affiliate Cookies (Referral Tracking)
Spayo has a referral program where both the inviter and invited user get bonus tokens.
To operate this program we use:
- First-party referral cookies
- UTMs stored in local storage
- Click-through tracking
These are required for the affiliate rewards to work.
Legal basis: Article 6(1)(b) – performance of a contract (affiliate tracking).
4. Cookies We Place
Below is an overview of the main types of cookies.
(The exact names may vary depending on updates.)
4.1. Essential Cookies
| Cookie Name | Purpose | Duration |
|---|---|---|
sb-access-token | Authentication (Supabase) | Session |
sb-refresh-token | Keeps user logged in | Up to 1 year |
referral_code | Tracks invitation source | 30 days |
cookie_consent | Saves cookie preferences | 6–12 months |
4.2. Analytics Cookies
| Cookie | Provider | Duration | Purpose |
|---|---|---|---|
_ga | 2 years | Anonymous visitor analytics | |
_gid | 24h | Pageview tracking | |
_hjSession_* | Hotjar (if enabled) | Session | Heatmaps & UX analytics |
clck | Clarity | Persistent | Scroll & click analytics |
Loaded only after explicit consent.
4.3. Advertising Cookies
| Cookie | Provider | Duration | Purpose |
|---|---|---|---|
_fbp | Meta | 3 months | Ad performance |
_ttcid | TikTok | 13 months | Attribution |
_gcl_au | Google Ads | 3 months | Conversion tracking |
Loaded only after explicit consent.
5. Third-Party Providers
We may integrate third-party tools that set cookies if you consent:
- Google Analytics 4
- Google Ads
- Meta Pixel
- TikTok Pixel
- Hotjar
- Microsoft Clarity
- Stripe (for secure payments; uses cookies for fraud prevention)
All providers meet GDPR & FADP requirements via SCCs (Standard Contractual Clauses) for international transfers.
6. International Data Transfers
If data collected through cookies is transferred outside Switzerland/EEA (e.g., to the United States), we ensure protection through:
- Standard Contractual Clauses (SCCs – updated 2021)
- Swiss Addendum (for FADP)
- Data Processing Agreements
- IP anonymization when possible
- Minimization of personal data stored through cookies
7. Your Choices & Managing Cookies
You have full control over cookies:
7.1. Cookie Banner (EU/EEA/UK + Switzerland)
You can choose:
- Accept all cookies
- Reject non-essential cookies
- Customize individual categories
The banner reappears every 6–12 months, or when policies change.
7.2. Browser Controls
You can delete or block cookies through your browser settings.
However, essential cookies required for Spayo’s functionality will remain active.
7.3. Opt-Out Links (for Advertising)
- Google Ads: https://adssettings.google.com
- Meta Ads: https://www.facebook.com/adpreferences
- TikTok Ads: https://www.tiktok.com/legal/privacy-policy
- Hotjar Opt-Out: https://www.hotjar.com/policies/do-not-track
8. Do Not Track (DNT)
Our systems currently do not respond to DNT signals because no standard exists, but we respect all legal opt-out signals where required (e.g., Global Privacy Control – GPC for California users).
9. California Residents (CCPA/CPRA Rights)
If you reside in California, you have rights under the CCPA/CPRA:
- Right to opt-out of “sale” or “sharing” of personal information
- Right to know what categories of data cookies collect
- Right to request deletion
- Right to restrict use of sensitive information
We do not sell personal data.
Advertising cookies may be considered “sharing” under CPRA — you may opt out at any time.
10. Changes to This Cookie Policy
We may update this Cookie Policy from time to time.
If the changes are material, we will:
- Update the “Last Updated” date
- Prompt the cookie banner again in jurisdictions where required
- Provide in-app notification for significant updates
11. Contact Information
If you have questions, contact:
Spayo
Operated by a sole proprietor in Switzerland
Email: [email protected]
Website: https://www.spayo.xyz
App: https://app.spayo.xyz
For GDPR & FADP questions: [email protected]
For CCPA requests: [email protected]
