SPOTIX

Privacy Policy

Last updated: June 2026

Spotix respects your privacy. This policy outlines how we collect, process, and store information, in accordance with the EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and Israel's Privacy Protection Law (including Amendment 13).

This document is written in detailed, technical language to enable organizations, museums, educational institutions, and municipalities to conduct thorough compliance reviews before engaging with our platform.

1. Data Controller

Doron Yosha, Authorized Dealer No. 021393004
Israel

Email: [email protected]
Phone: +972-52-4673663

2. Data Processing Roles

Regarding player data: The tour creator (institution, organization, or individual) is the "Controller" under GDPR Article 4(7). Spotix acts solely as a "Processor," processing player data only according to the creator's instructions and for the purpose of operating the activity.

Regarding creator account data: Spotix acts as an independent Controller for the purpose of managing creator accounts, authentication, billing, and support.

3. Information We Collect

Our data collection is completely separated between two types of users:

A. Players — Anonymous Usage

Players are not required to create an account or provide personally identifiable information. However, we do collect the following gameplay and behavioral data:

Random Device Identifier (UUID): Stored locally in localStorage and on the server. Under GDPR Recital 30 and CCPA, this is considered an "online identifier" used solely for technical purposes (preventing fraud and managing devices within a team) and is not linked to a real-world identity.

Free-form Team Name: Players choose a free-form team name (such as "The Tigers" or "Smith Family"). No real name is required. We recommend not entering full names, ID numbers, or identifying details in this field.

Security Question and Answer: Used for access recovery from the device. The answer is stored as plain text in the database, and therefore personal passwords, ID numbers, or payment details must not be entered.

Gameplay Progress and Answers: Question responses, accumulated points, and completed stations.

Analytics Events: Various event types (such as opening a station, answering a question, solving a lock). Data is linked to the team identifier and station, and used by tour creators for statistical analysis only.

Optional Survey Data: If the tour creator has enabled a pre-game survey, data such as team size, group type, age composition, and first-visit status will be collected. This data is aggregated statistically for the creator.

Media Uploads: Photos, videos, and audio recordings uploaded by players during gameplay. See Section 5 for details.

B. Creators — Registered Account

Creators are required to register with:

  • Email address
  • Password (stored as a bcrypt hash via Supabase Auth)

Optional additional information:

  • First and last name
  • Phone number
  • Institution or organization name

This information is used for account management, operational communication, and support.

4. Location Data (GPS)

Certain activities require verification of the player's location.

Transient Processing Only: GPS coordinates are processed on the end device only, for the purpose of verifying proximity to a specific navigation station. GPS coordinates are not stored in the database, are not transmitted to Spotix servers, and are not shared with any third party.

5. Shared Media Gallery and User-Generated Content (UGC)

Players may upload photos, videos, and audio recordings during gameplay.

Public Hosting: Media is stored at a public URL (media.spotix.app). Anyone with the link can access the file.

Shared Gallery: The tour creator may enable a public gallery link that displays all media from the activity. The gallery is openly viewable without registration.

Email Collection for Downloads: When downloading a file from the gallery, the user is prompted to enter an email address to receive a link. The email is stored in our system and used to send a one-time email with the gallery link. If the user has explicitly opted in to receive updates, their email address will be shared with the tour creator for mailing list purposes.

Link Expiration: Gallery share links expire 7 days after creation. After that, the link is no longer accessible, but the files themselves remain stored on the server.

Protection of Minors Online: Since the platform does not require personal registration, minors may participate in activities. Under GDPR Article 8, consent to process the data of minors under the age of 16 requires parental or guardian authorization. Uploaded media has no expectation of privacy. Participation by minors requires supervision by a parent or authorized educational entity, and obtaining such consent is the responsibility of the tour creator.

6. Third-Party Services (Sub-processors)

Our platform relies on leading infrastructure providers. All providers listed below meet international information security standards:

| Provider | Purpose | Data Location | Certifications |
|---|---|---|---|
| Supabase | Database, creator authentication, Realtime | Frankfurt, Germany (EU) | SOC 2 Type II |
| Cloudflare R2 | File storage (images, videos, audio) | Global edge network, automatic locality | ISO 27001, SOC 2 Type II |
| Cloudflare Pages | Application hosting | Global edge network, SSR near user | ISO 27001, SOC 2 Type II |
| Mapbox | Maps infrastructure for navigation | United States | SOC 2 Type II |
| Resend | Operational email delivery | United States | SOC 2 Type II |
| Google Gemini API | Creator content translation (Opt-in) | United States | See Section 7 |
| Google Fonts | Typography (partial, also served locally) | United States | ISO 27001 |

Data Transfers Outside the EU: Our primary database is located within the European Union (Frankfurt). Some services (Mapbox, Resend, Google Gemini) operate in the United States. Such transfers are made under the European Commission's Standard Contractual Clauses (SCC).

No External Tracking or Analytics Tools: Spotix does not use Google Analytics, Hotjar, Facebook Pixel, or any similar third-party tracking tools.

7. Artificial Intelligence (AI) Usage

Tour creators may use a built-in AI assistant for automatic content translation (Hebrew to English, Arabic, and more) and for content creation assistance.

Opt-In: Use of the AI assistant is at the creator's discretion. It can be skipped entirely in favor of manual content management.

What Is Sent: When the creator clicks "Translate," only the content text is sent to the Google Gemini API. The following are not sent: player names, visitor details, images, or any personal information.

Data Use by Google: Our use of Gemini is via the paid API tier. According to Google's Terms of Service, data sent through the paid API tier is not used to train models, unlike the free version.

8. Data Retention

| Data Type | Retention Period |
|---|---|
| Team and player gameplay data | Until activity deletion by the creator |
| Media files in gallery | Indefinitely (share link expires after 7 days) |
| Registered creator account data | For the duration of account use |
| Daily backups | 60 days |

Creator Account Deletion: To delete a creator account and associated data, contact [email protected]. Requests will be processed within 30 days in accordance with GDPR Article 17.

9. Backups and Technical Security

Backups: Automated daily database backup (pg_dump) via GitHub Actions, stored in Cloudflare R2 for 60 days.

Encryption at Rest and in Transit: All data is transmitted over HTTPS/TLS. Creator passwords are hashed using bcrypt via Supabase Auth.

10. Cookies and Local Storage

We are committed to privacy minimalism and do not use cookies for advertising, tracking, or analytics purposes. There is no cookie consent banner on our website.

Essential Functional Cookies Only:

  • spotix-rt (30 days): Maintains creator login session
  • i18n_locale (session cookie, deleted on browser close): Stores interface language preference
  • spotix-remember-email (90 days): For creators who selected "Remember me"

Infrastructure Security Cookies:

  • __cf_bm (Cloudflare, automatic): Bot protection and attack prevention

Local Storage: We use localStorage, IndexedDB, and Service Worker Cache solely to enable the game to run in offline mode. Without these, the game cannot function without an internet connection.

11. User Rights (Under GDPR, CCPA, and Israeli Privacy Law)

Anonymous Players: Since we do not collect personally identifiable information, we cannot link data to a specific person. Deletion of player data is possible only by the tour creator through their management interface.

Registered Creators: Creators are entitled to contact us at any time to request:

  • Access to information stored about them (GDPR Article 15 / CCPA right to know)
  • Correction of inaccurate information (GDPR Article 16)
  • Account and data deletion (GDPR Article 17 / CCPA right to delete)
  • Data portability in a machine-readable format (GDPR Article 20)
  • Objection to processing for certain purposes (GDPR Article 21)
  • Opt-out of the sale of personal information (CCPA: we do not sell data, but this right is provided as a matter of principle)

Requests will be processed within 30 days in accordance with applicable law.

12. Data Processing Agreement (DPA)

Institutions, large organizations, and museums required to sign a standard DPA for GDPR compliance or internal requirements can access our Data Processing Agreement or contact us for a customized version.

For inquiries: [email protected]

13. Information Security and Incident Response

We employ reasonable technical and organizational measures to protect information. However, we cannot guarantee absolute immunity from unauthorized access or security breaches.

Security Incident: In the event of a significant security incident that may affect user data, we will act in accordance with the notification obligations under GDPR Articles 33-34 and Israel's Privacy Protection Law (Amendment 13), and will notify potentially affected users within 72 hours.

14. Children's Privacy (COPPA)

We do not knowingly collect personal information from children under the age of 13 in the United States. The platform does not require registration of personal data from players, and gameplay is anonymous. If you believe a child under 13 has provided us with personal information, please contact us at [email protected] and we will take appropriate measures.

15. Changes to This Policy

We may update this policy from time to time, in accordance with legal, technological, or operational requirements. Significant changes will be posted on the site, and registered subscribers will receive email notification. Continued use of the platform after an update constitutes acceptance of the updated version.

16. Contact

For privacy inquiries:

Email: [email protected]
Phone: +972-52-4673663

© 2026 Spotix · [email protected]