Privacy Policy

Overview

Spinly ("we", "us") provides free random tools — spin the wheel, random picker, raffle, team generator, and random number generator — plus an optional real-time Live Mode, free user accounts, a public leaderboard, an optional paid subscription, and a developer API. We respect your privacy and aim to collect as little data as possible.

Data we store locally on your device

When you use the tools without signing in, the names, ticket counts, number ranges, saved templates, win history, and tool settings you enter are stored in your browser's localStorage. This data never leaves your device and is not transmitted to our servers. Clearing your browser data will remove it permanently.

We also generate a random browser identifier and store it locally. It is not linked to your real identity and is used to enforce per-room limits in Live Mode and to enforce site-wide moderation actions.

Accounts & profiles

Creating a Spinly account is optional. If you sign up, we store:

• Your email address and a hashed password (or, if you sign in with Google, the basic profile information that Google shares with us — typically email, name, and avatar).
• A public username (3–20 characters) and an optional display name and avatar image. These appear on the public leaderboard and in live sessions you join while signed in. Usernames can be changed once every 7 days.
• Your in-app preferences (theme, sound, motion, default name, host defaults for live rooms, etc.).
• Your saved templates and win/loss history, when you choose to sync them to your account.
• Aggregated game stats used to compute your leaderboard rank (total wins, total losses, win rate). Only signed-in users with at least 5 games and a username appear on the public leaderboard.

You can request deletion of your account at any time from the account menu. Deletion is scheduled for 30 days, can be cancelled within that window, and after processing removes your profile, preferences, templates, win history, leaderboard entries, API keys, and support conversations. Some moderation records (such as audit logs of admin actions taken against the account) may be retained for safety reasons.

Cloud sync between devices

When you are signed in, Spinly can sync your templates, preferences, and win/loss history to our backend so they follow your account across devices. When you sign in on a new device, your existing local data on that device is merged into your account once and the local copy is then refreshed from the cloud. Activity recorded after that point belongs to the currently signed-in account on that device.

Data we store when you use Live Mode

When a host enables Live Mode, or when a guest joins a live session at /join, the following information is sent to and stored on our backend so that everyone in the session sees the same roster in real time:

• The 6-digit join code and the tool being used (wheel, picker, team, raffle, or random number).
• Each guest's chosen display name, color swatch, and (for raffles) ticket count.
• The local browser identifier described above, used only to enforce the host's "entries per user" limit and to enforce site-wide moderation actions.
• A host token (stored locally on the host's browser) so the host can resume controlling the session after a refresh.
• If the host requires accounts to join, the user ID of each signed-in participant — so the host can see which account joined and so wins can be recorded against your stats.
• Winner records (who won, when, the result signature) for the host's history and, optionally, for the winning player's profile stats.

Live sessions are short-lived and automatically expire after 24 hours. Hosts can also end a session at any time, which deletes the session and all its entries.

Subscriptions & payments

Spinly offers an optional paid subscription that unlocks additional features. Payments are processed by a third-party payment provider; we never receive or store your full card number, CVV, or bank credentials. Our backend stores only the information needed to manage your subscription:

• A customer and subscription identifier issued by the payment provider.
• The product/price you purchased, the billing environment (sandbox or live), the current period start/end, and whether the subscription is set to cancel at period end.
• Subscription status updates that the payment provider sends us via signed webhooks.

For details on how the payment provider itself handles your data — including card details, fraud checks, and tax information — please refer to the payment provider's own privacy notice presented during checkout.

Developer API & API keys

If you generate a developer API key, we store the key's label, a one-way hash of the key, the last few characters of the key for display, your owner browser identifier (and account ID, if signed in), creation and last-used timestamps, and per-day request counts. We also store signed receipts of API picks (the selected item, the candidate list, a signature, and source) so that results can later be verified. We do not store the full plaintext API key after it is created — keep your own copy somewhere safe.

Support chat

If you contact us through the in-app support chat, we store the messages you send, your conversation status, and either your account ID (if signed in) or the name, email, and a local guest identifier you provide. This data is used only to respond to your inquiry and is visible to site administrators.

Site moderation & admin actions

To keep Spinly safe, the site administrator can take moderation actions against abusive participants or sessions. When this happens we may store and process:

• A list of banned 6-digit session codes so a banned room can't be re-created or rejoined.
• A list of banned browser identifiers. A browser ban prevents that browser from joining any live session site-wide and immediately removes any active entries it has in any live session.
• A list of normalized banned display names per session, used to block trivial bypasses (different capitalization, accents, leet substitutions, repeated letters).
• An audit log of admin actions (e.g. session ended, browser banned, setting toggled) along with a short label of the target — used only by the site administrator to review moderation decisions.

This data is used solely for site safety and abuse prevention. If you believe you've been banned in error, please reach out via our contact page.

Third-party advertising (Google AdSense)

We use Google AdSense to display advertisements. Google and its partners may use cookies and identifiers to serve ads based on your prior visits to this and other websites. Google's use of advertising cookies enables it and its partners to serve ads based on your visits.

• You can opt out of personalized advertising by visiting Google Ads Settings.
• Learn more at Google's advertising policies.
• Visit aboutads.info for more on interest-based advertising.

Paying subscribers may have ads suppressed or reduced as part of their subscription benefits.

Cookies

Spinly itself does not set tracking cookies. We use localStorage to remember your preferences, local data, signed-in session, and browser identifier on your device. Third-party services embedded on the site (such as Google AdSense and the payment provider's checkout) may set cookies as described above. You can disable cookies in your browser settings.

Data security

Account data is stored on managed infrastructure protected by row-level access controls, so each user's private profile, preferences, templates, win history, API keys, subscription, and support conversations are accessible only to that user (and to site administrators where strictly required). Passwords are never stored in plain text. Webhooks from external providers are verified with a signed secret before being processed.

Your rights

You can view and edit your profile and preferences at any time from the account menu, export or delete your saved templates and win history, revoke API keys, and request deletion of your entire account. Depending on where you live, you may also have the right to access, correct, or restrict processing of your personal data — contact us to exercise those rights.

Children

Spinly is a general-audience site and does not knowingly collect data from children under 13.

Changes to this policy

We may update this policy from time to time as Spinly evolves. Material changes will be reflected in the "Last updated" date above. Continued use of the site after an update means you accept the revised policy.

Contact

Questions about this policy? Visit our contact page.