Legal

Privacy Policy

Last updated: May 31, 2026 · Effective: May 31, 2026

The short version. We collect what we need to run the platform and to keep it safe. We don't sell your data, ever. You can read your data, export it, or ask us to delete it from the settings page.

1. Who's responsible for your data

Spectrum Connect, Inc. is the “controller” of your personal data for the purposes of GDPR, UK GDPR, and similar laws. We're based at 340 Pine Street, Suite 800, San Francisco, CA 94104, USA. If you'd rather talk to someone specifically about data protection, our Data Protection contact is privacy@spectrumconnect.co.

2. What we collect

Three buckets, roughly:

What you give us

  • Account basics: name, email, password (we never store this in plain text), and the username you pick.
  • Profile content: bio, location, skills, portfolio links, profile photo, hourly rate, work history.
  • Identity and payment: phone number, ID documents you upload for verification, and the billing or payout details our payment processors need.
  • Communications: messages you send to other users, proposals, project briefs, deliverables, and any support tickets.

What we collect from using the product

  • Activity: projects you post or apply to, milestones, reviews, ETF Points events.
  • Device and network: IP address, browser type, operating system, screen size, timezone, and language.
  • Logs: which pages you loaded and when, what API calls your client made, what errors fired.

What we get from third parties

  • If you sign in with Google, we get the email address and basic profile data Google shares with us. Same for any other social login we add later.
  • Payment processors (Stripe and similar) tell us whether a charge succeeded or failed, plus risk signals to fight fraud, but we don't see full card numbers.

3. Why we collect it (legal bases for EU/UK users)

If you're in the EU, UK, or EEA, here's the legal basis we rely on for each kind of processing:

  • Contract — running your account, processing payments, delivering the features you signed up for.
  • Legitimate interest — keeping the Platform secure, preventing fraud, improving the product, analytics on aggregate usage.
  • Consent — non-essential cookies, marketing emails, sharing your work in featured collections.
  • Legal obligation — tax, accounting, anti-money-laundering and sanctions checks, responding to court orders.

You can withdraw any consent at any time. See section 8 for how.

4. How we use it

To match creators with projects (Smart Connect uses your skills, history, and ETF level as ranking inputs). To process payments and hold funds in escrow. To surface trust signals other users see when deciding to work with you. To answer your support questions. To investigate complaints and disputes. To build better features (we look at what people actually use and where they get stuck). To meet our own legal obligations.

We do not sell your personal data, full stop. We don't use your messages or project content to train large language models. If we ever wanted to do either of those things, we'd ask for separate, explicit consent and we'd let you say no without breaking your account.

5. Who we share it with

We share data with the following kinds of recipients, only for the purposes described:

  • Other users, when you choose to be visible to them. Your profile, portfolio, and trust signals are visible to clients reviewing proposals; your name and avatar show up in conversation threads.
  • Payment processors like Stripe, who handle card data, escrow holding accounts, and payouts. Their privacy notices govern what they do with that data.
  • Cloud infrastructure providers who host our servers and databases (AWS in the Mumbai region, plus MongoDB Atlas). They're under contractual data protection obligations.
  • Communication tools for transactional email (currently Brevo) and customer support.
  • Analytics, in aggregated or anonymised form only. We don't hand identifiable user data to ad networks.
  • Law enforcement and courts, when we receive a valid legal demand. We push back on overbroad requests and tell you about it where the law allows.
  • A successor company if Spectrum Connect is ever acquired or merged. You'd be told before that transfer takes effect.

6. International transfers

Spectrum Connect is a US company with infrastructure in India (ap-south-1). If you upload data from the EU, UK, or anywhere else, that data may travel to the US or India for processing. We rely on the European Commission's Standard Contractual Clauses and similar mechanisms to make those transfers lawful, and we apply the protections in this policy regardless of where the data ends up sitting.

7. How long we keep it

While your account is open, we keep your data so the Platform works. When you close your account:

  • Most of your profile data is deleted within 30 days.
  • Things tied to financial records (transactions, tax forms, invoices) are kept for up to 7 years to satisfy tax and anti-fraud law.
  • Audit logs of suspended or banned accounts may be kept longer for repeat-offender prevention.
  • Encrypted backups roll off on a 90-day cycle.

If you want everything gone faster than this schedule allows, ask us and we'll tell you exactly what we can and can't delete, and why.

8. Your rights

Depending on where you live, you have some or all of the following rights. EU/UK/EEA users have all of them. California users have most of them under the CCPA/CPRA.

  • Access the data we hold about you.
  • Correct data that's inaccurate.
  • Delete your data (subject to the legal-retention bits above).
  • Export your data in a portable format.
  • Object to processing based on legitimate interest.
  • Restrict processing while we work out a dispute.
  • Withdraw consent for anything based on consent (marketing emails, non-essential cookies).
  • Complain to your local data protection authority. EU/UK users can lodge a complaint with their national regulator. We'd like the chance to fix it first, but you don't have to ask us first.

To exercise any of these rights, email privacy@spectrumconnect.co from the address linked to your account, or use the in-product Data Rights tools (see our GDPR & Data Rights page). We respond within 30 days, faster when we can.

9. How we protect your data

TLS for all traffic between your browser and our servers. AES-256 at rest for sensitive data. Access to production systems is on a need-to-know basis with logging. Passwords are hashed with bcrypt. We run regular dependency scans, security reviews, and we publish a responsible-disclosure address at security@spectrumconnect.co for researchers.

No system is bulletproof. If we have a breach affecting your data we'll notify you and (where required) the regulator within the timeframes the law sets, including the 72 hours required by GDPR.

10. Cookies and similar tech

We use a small set of cookies. Essential ones keep you logged in and keep the site working. Optional ones help us understand how people use the product. There's a consent banner at the bottom of the screen the first time you visit, and you can change your choices any time at /cookies.

11. Children

Spectrum Connect is for adults (18+). We don't knowingly collect data from children under 18. If you're a parent or guardian who's found an account that you think belongs to a minor, please email us and we'll close it and delete the data.

12. Changes to this policy

We'll post any material change here at least 14 days before it takes effect, and we'll email you if the change affects your rights or our use of your data. Small clarifications might land without notice, but we date this page so you can see when it moved.

13. Contact

For privacy questions: privacy@spectrumconnect.co.
For everything else: support@spectrumconnect.co.
By post: Spectrum Connect, Inc., Data Privacy Officer, 340 Pine Street, Suite 800, San Francisco, CA 94104, USA.