Privacy Policy
Last updated: February 25, 2026
1. Introduction
Spicyshow ("we," "us," or "our") operates the spicyshow.com website and platform (the "Service"). This Privacy Policy explains how we collect, use, disclose, retain, and protect personal information when you visit our website, create an account, or use our Service. It applies to all users, including photographers ("Account Holders") and their clients who view galleries ("Gallery Visitors").
By using the Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our practices, please do not use the Service.
Contact: For privacy inquiries, email us at privacy@spicyshow.com. Our mailing address is provided in Section 16 below.
2. Information We Collect
We collect personal information in the following categories as defined under applicable privacy laws:
A. Information You Provide Directly
- Identifiers: Full name, email address, business name, subdomain, mailing address.
- Account Credentials: Password (stored in hashed form only; we never store plaintext passwords).
- Commercial Information: Subscription plan, billing history, Stripe customer ID. We do not store full credit card numbers — payment processing is handled entirely by Stripe, Inc., a PCI Level 1 certified payment processor.
- User-Generated Content: Photographs, videos, blog posts, gallery titles, descriptions, and branding assets uploaded by Account Holders.
- Communications: Emails, support requests, or messages you send to us.
B. Information Collected Automatically
- Internet/Network Activity: IP address, browser type and version, operating system, referral URLs, pages visited, time spent on pages.
- Device Information: Device type, screen resolution, unique device identifiers.
- Usage Data: Gallery views, download events, favorite actions, slideshow plays, search queries within the Service.
- Cookies and Similar Technologies: We use essential cookies for authentication and session management. See Section 9 (Cookies) below.
C. Information from Third Parties
- Stripe: When you subscribe to a paid plan, Stripe provides us with a customer ID, subscription status, and the last four digits of your payment card. Stripe may also collect behavioral data (such as typing patterns and mouse movements) for fraud detection via Stripe Radar. For details, see Stripe's Privacy Policy.
- Supabase (Authentication): We use Supabase for authentication and may receive your email address when you sign up or log in.
3. Sources of Personal Information
- Directly from you when you create an account, upload content, or contact us.
- Automatically from your device and browser when you access the Service.
- From third-party service providers (Stripe for payment data, Supabase for authentication).
4. How We Use Your Information
We use personal information for the following business and commercial purposes:
- Provide the Service: Host and display galleries, process uploads, deliver downloads, manage subscriptions, authenticate users.
- Billing and Payments: Process subscription payments via Stripe, manage plan upgrades and downgrades, issue invoices.
- Analytics and Improvement: Track gallery views, downloads, and favorites to provide photographers with performance insights; improve and optimize the Service.
- Communications: Send transactional emails (account confirmation, password resets, subscription receipts) and, with your consent, marketing communications.
- Security and Fraud Prevention: Detect, investigate, and prevent unauthorized access, abuse, and fraudulent activity.
- Legal Compliance: Comply with applicable laws, regulations, legal processes, or enforceable government requests.
Legal Basis for Processing (GDPR): Where the EU General Data Protection Regulation applies, our legal bases for processing are: (a) performance of a contract (providing the Service you signed up for); (b) legitimate interest (analytics, security, service improvement); (c) consent (marketing communications); and (d) legal obligation (tax records, law enforcement requests).
5. How We Share Your Information
We share personal information with the following categories of third parties solely to operate the Service:
- Stripe, Inc. — Payment processing. Receives billing information, email, and behavioral data for fraud detection.
- Supabase (via AWS) — Cloud infrastructure, database hosting, file storage, and authentication.
- Vercel — Website hosting and content delivery.
We may also disclose personal information if required to do so by law, regulation, subpoena, court order, or other governmental request, or when we believe disclosure is necessary to protect our rights, your safety, or the safety of others.
We do not sell or share your personal information for cross-context behavioral advertising. We have not sold or shared personal information in the preceding 12 months.
6. Data Retention
We retain your personal information for the following periods:
- Account Data (name, email, business name): Retained for the duration of your account, plus 30 days after account deletion to allow recovery.
- User-Generated Content (photos, videos, blogs): Retained until you delete the content or your account. After account deletion, content is permanently deleted from all servers within 30 days.
- Billing Records: Retained for 7 years after the transaction date to comply with tax and financial record-keeping requirements.
- Analytics Data (views, downloads, favorites): Retained for 24 months, after which it is aggregated and anonymized.
- Server Logs: Retained for 90 days for security and debugging purposes.
7. Your Privacy Rights
Depending on your location, you may have some or all of the following rights regarding your personal information. We honor these rights regardless of your state of residence as a matter of policy:
- Right to Know / Access: Request a copy of the personal information we have collected about you in the preceding 12 months, including the categories, sources, purposes, and third parties involved.
- Right to Delete: Request deletion of your personal information, subject to certain exceptions (legal obligations, fraud prevention, completing transactions).
- Right to Correct: Request correction of inaccurate personal information.
- Right to Data Portability: Receive your data in a structured, commonly used, machine-readable format.
- Right to Opt-Out of Sale/Sharing: We do not sell or share personal information. If this changes, we will provide an opt-out mechanism.
- Right to Non-Discrimination: We will not discriminate against you for exercising any of your privacy rights.
- Right to Withdraw Consent: Where processing is based on consent, you may withdraw it at any time.
- Right to Lodge a Complaint: EU/EEA residents may lodge a complaint with their local data protection supervisory authority.
How to Exercise Your Rights
You may submit a verifiable consumer request by emailing privacy@spicyshow.com with the subject line "Privacy Rights Request." We will verify your identity before processing any request by confirming information associated with your account. We will respond within 45 days (CCPA) or 30 days (GDPR), with one extension of the same period if reasonably necessary.
You may also designate an authorized agent to make a request on your behalf, provided the agent has your signed written authorization.
8. California-Specific Disclosures (CCPA/CPRA)
If you are a California resident, the California Consumer Privacy Act (as amended by the California Privacy Rights Act) provides you with additional rights as described in Section 7 above. Additional California-specific disclosures:
- We have not sold or shared personal information in the preceding 12 months.
- We do not use or disclose sensitive personal information for purposes other than those permitted under the CCPA.
- We do not knowingly sell or share personal information of consumers under 16 years of age.
- We honor Global Privacy Control (GPC) signals as a valid opt-out request.
- We do not use automated decision-making technology for decisions that produce legal or similarly significant effects.
Financial Incentive Disclosure: Our free Essentials plan provides limited features in exchange for standard account information. The value of the data is reasonably related to the cost of providing the free tier (server resources, storage, bandwidth). You are not required to participate and may cancel at any time.
9. Cookies and Tracking Technologies
We use the following categories of cookies:
- Strictly Necessary Cookies: Required for authentication, session management, and security. These cannot be disabled.
- Functional Cookies: Remember your preferences (such as gallery password access). These improve your experience but are not essential.
We do not use advertising or tracking cookies. We do not engage in cross-site tracking or behavioral advertising. Stripe may set its own cookies for fraud detection when you interact with payment forms.
You can control cookies through your browser settings. Disabling strictly necessary cookies may prevent you from using the Service.
10. International Data Transfers
Spicyshow is based in the United States. If you access the Service from outside the United States, your personal information will be transferred to and processed in the United States, where data protection laws may differ from those in your jurisdiction.
For transfers of personal data from the EU/EEA/UK, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission, or the EU-US Data Privacy Framework where applicable, to ensure an adequate level of data protection.
11. Data Security
We implement and maintain reasonable administrative, technical, and physical safeguards to protect your personal information, consistent with the requirements of the New York SHIELD Act and industry best practices, including:
- Encryption of data in transit (TLS 1.2+) and at rest.
- Secure password hashing (bcrypt) — we never store plaintext passwords.
- Row-level security on database tables to ensure users can only access their own data.
- Signed, time-limited URLs for all stored files (photos and videos).
- Regular assessment and monitoring of security controls.
- Employee access controls and training on data handling practices.
No method of transmission over the Internet or electronic storage is 100% secure. While we strive to protect your personal information, we cannot guarantee its absolute security.
12. Breach Notification
In the event of a data breach involving your personal information, we will notify affected individuals and applicable regulatory authorities in accordance with all relevant laws, including:
- GDPR: Within 72 hours of becoming aware of the breach (where required).
- New York SHIELD Act: In the most expedient time possible and without unreasonable delay, with notification to the NY Attorney General, Department of State, and Division of State Police.
- California and other state breach notification laws as applicable.
13. Children's Privacy
The Service is not directed to children under the age of 16. We do not knowingly collect personal information from children under 16. Account creation requires users to be at least 18 years of age. If we learn that we have collected personal information from a child under 16, we will delete that information promptly. If you believe a child under 16 has provided us with personal information, please contact us at privacy@spicyshow.com.
14. Third-Party Links
The Service may contain links to third-party websites or services (such as photographer websites or social media profiles). We are not responsible for the privacy practices of these third parties. We encourage you to review the privacy policies of any third-party sites you visit.
15. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. If we make material changes, we will notify you by email (at the address associated with your account) or by posting a prominent notice on the Service at least 30 days before the changes take effect. Your continued use of the Service after the effective date constitutes acceptance of the updated Privacy Policy.
16. Contact Us
If you have questions about this Privacy Policy or wish to exercise your privacy rights, contact us:
Spicyshow
Email: privacy@spicyshow.com
Physical mailing address available upon request. For CAN-SPAM compliance, our mailing address is included in all commercial email communications.
17. State-Specific Addendum
The following provisions apply to residents of specific US states with comprehensive privacy laws (Virginia, Colorado, Connecticut, Texas, Oregon, Montana, Indiana, Kentucky, Rhode Island, and others as enacted):
- You have the right to opt out of targeted advertising, the sale of personal data, and profiling in furtherance of decisions that produce legal or similarly significant effects. We do not engage in any of these activities.
- You have the right to appeal our decision regarding a privacy rights request. To appeal, email privacy@spicyshow.com with the subject line "Privacy Rights Appeal." We will respond within 60 days.
- We do not process sensitive personal data without your consent. Sensitive data under applicable state laws includes: racial or ethnic origin, religious beliefs, health data, sexual orientation, citizenship/immigration status, genetic or biometric data, children's data, and precise geolocation.
- Texas residents: The Texas Data Privacy and Security Act applies regardless of business size. All rights and disclosures in this Privacy Policy apply to you.