Legal
Last Updated: February 17, 2026
Sporos, LLC (“Sporos,” “we,” “us”) is a Minnesota limited liability company. This Privacy Policy explains what data we collect, how we use it, and your choices. By using the Sporos website and services (the “Service”), you agree to this policy. If you do not agree, do not use the Service.
Core commitments: We never sell your data. We do not serve ads. We collect only what is necessary to operate and improve the Service.
Data controller: Sporos, LLC is the data controller responsible for your personal data under this policy. Contact: contact@sporos.ai.
Account Information
Name, email address. Google profile ID if you use Google OAuth sign-in.
Payment Information
Collected and processed directly by Stripe. We never store full card numbers or CVVs.
User Content
Search queries, tracked bills/legislators/topics, alert preferences, folders, AI chat conversations, team-shared content.
Usage Data
IP address, browser, OS, device info, pages viewed, features used, session times, referral URLs.
Cookies
Essential (authentication, security), analytics (Google Analytics, PostHog), and preference cookies. See Section 6.
We never collect sensitive information such as social security numbers, government IDs, or financial account passwords.
Provide the Service
Account management, authentication, bill tracking, AI features, digest emails, team collaboration, payment processing.
Legal basis: Contract performance
Communicate
Digest alerts, account notifications, security alerts, billing receipts, and occasional product announcements (opt-out available).
Legal basis: Contract performance; Legitimate interest (product updates); Consent (marketing)
Improve the Service
Aggregate analytics, performance monitoring, feature development, bug fixes.
Legal basis: Legitimate interest
Security and Fraud Prevention
Monitoring for abuse, unauthorized access, and suspicious activity.
Legal basis: Legitimate interest
Analytics
Google Analytics and PostHog track aggregated usage patterns. Not used for individual profiling or ad targeting.
Legal basis: Consent (EU/UK users); Legitimate interest (U.S. users)
Legal Compliance
Retaining records as required by law; responding to legal process.
Legal basis: Legal obligation
We never: sell data to third parties, serve ads, enable cross-site tracking, allow third-party marketing use, or train AI models on your personal data.
We share data only with service providers contractually bound to use it solely on our behalf, and in the limited circumstances described below.
Stripe — Payments
Card and billing info. PCI-DSS compliant. Privacy Policy
Supabase — Database & Auth
Account data, user content, application data. SOC 2 Type II. Privacy Policy
OpenAI — AI Features
Chat queries and legislative context. API data not used to train models. Privacy Policy
Vercel — Hosting
HTTP requests, IP addresses, request metadata. Privacy Policy
Resend — Email
Email addresses and message content. SOC 2 Type II, GDPR compliant. Privacy Policy
Google — OAuth & Analytics
OAuth: name, email, profile ID. Analytics: anonymized usage data. Privacy Policy
PostHog — Product Analytics
Aggregated usage events. EU-U.S. Data Privacy Framework participant. Privacy Policy
Other sharing: Within your team (content you share is visible to team members); as aggregated, de-identified data that cannot identify you; in connection with a merger, acquisition, or sale of assets (with notice as required by law); when required by law, subpoena, or court order (minimum necessary, with notice to you unless legally prohibited); or with your explicit consent.
What is sent: Your chat message, relevant bill text and metadata, and conversation history needed for context. We do not send your name, email, payment info, or personal identifiers to OpenAI.
How it is used: OpenAI processes data solely to generate your response. Under their API policy, submitted data is not used to train or improve their models.
Retention: OpenAI may retain API inputs/outputs for up to 30 days for abuse monitoring, then deletes them. Sporos stores your chat history so you can access past conversations.
Your control: Delete chat sessions anytime through the Service. Deletion removes data from our systems but cannot retroactively remove data already processed by OpenAI during their retention window.
Essential
Authentication, session management, security. Required for core functionality. Cannot be disabled.
Analytics
Google Analytics and PostHog. Aggregate usage data for internal improvement only. No ad targeting. EU/UK users: requires consent.
Preferences
Remember your settings and customizations.
You can manage cookies through your browser settings. Disabling essential cookies may impair functionality. We do not use advertising cookies or cross-site trackers. We do not currently respond to “Do Not Track” signals due to lack of a universal standard; however, we only track activity on our own Service.
Account Data
Retained while active. Deleted or anonymized within 30 days of account deletion, except where legally required (e.g., financial records).
User Content
Deleted with account. Team-shared content may persist within the team.
Usage Logs
Raw logs with identifiers: maximum 12 months. Aggregate statistics (non-identifying): retained indefinitely.
Backups
Encrypted backups may retain data up to 90 days after deletion. Accessed only for disaster recovery.
Email Suppression
If you unsubscribe, your email remains on a suppression list to honor your opt-out.
We implement commercially reasonable security measures including: HTTPS/TLS encryption in transit; encryption at rest via Supabase; industry-standard password hashing; row-level security policies restricting data access to authorized users; least-privilege access controls for personnel and service providers; and regular review of provider security certifications (Supabase SOC 2 Type II, Stripe PCI-DSS, Resend SOC 2 Type II).
No system is 100% secure. In the event of a breach involving personal data, we will notify affected users without undue delay and in any event within any timeframe required by applicable law, and will notify relevant authorities as required.
Depending on your jurisdiction, you may have the right to: access and receive a copy of your data; correct inaccurate data; delete your data; restrict or object to processing; withdraw consent; and data portability. You can exercise many of these directly in your account settings, or contact us at contact@sporos.ai. We respond within 30 days (or shorter if required by law).
California (CCPA/CPRA): You may request to know, delete, or correct your data. You may opt out of the sale or sharing of personal information — though we do not sell or share data for cross-context behavioral advertising. We will not discriminate against you for exercising these rights.
EEA/UK (GDPR): Our legal bases are identified in Section 3 above. You may lodge a complaint with your local data protection authority. We encourage you to contact us first so we can resolve the issue.
Sporos is based in the United States and processes data primarily in the U.S. If you access the Service from outside the U.S., your data will be transferred to and processed in the U.S. We protect international transfers using Standard Contractual Clauses (SCCs), the EU-U.S. Data Privacy Framework (where applicable), or your consent. Our key U.S.-based providers (PostHog, Resend, Vercel) participate in the EU-U.S. Data Privacy Framework or have executed Data Processing Agreements incorporating SCCs.
The Service is not intended for children under 13. We do not knowingly collect personal data from children under 13. If we learn we have, we will delete it promptly. Users between 13 and 18 should use the Service with parental or guardian involvement where required by law. If you believe a child under 13 has provided us data, contact us at contact@sporos.ai. We comply with COPPA.
We may update this policy and will revise the “Last Updated” date accordingly. Material changes will be communicated through the Service or by email before taking effect. Continued use after changes constitutes acceptance.