Privacy Policy
Last updated: June 2026
This Policy explains how Spodus Studios, operated by Olum LLC, handles your personal data. For any questions or requests, please contact us.
1. What we collect
- Account data, email and authentication details.
- Purchase data, products, licenses, and order history.
- Support & inquiries, messages you send us.
- Usage data, basic, privacy-friendly analytics (Plausible, cookieless).
2. How we use it
To provide your account, deliver products and licenses, send receipts and important notices, respond to support, and improve our services.
3. Processors we use
- Authentication & database: self-hosted PostgreSQL (better-auth), on infrastructure we operate
- Payments: Stripe
- Email: a transactional email provider
- Hosting: Hetzner (EU)
We don’t sell your personal data.
4. Hosted service: data we process on your behalf
If you use our Hosted plan, you (the customer) store your own business records in your hosted CRM instance, contacts, leads, deals, notes, files, and similar content (“Customer Data”), which may include personal data about your customers and contacts. For that Customer Data:
- You are the data controller and decide what to collect and why; we act as a data processor, handling it only to provide, secure, back up, and support the Hosted service on your instructions.
- Hosted instances are logically separated per customer (multi-tenant), and we do not use your Customer Data for any purpose other than running the service for you.
- You can export your Customer Data at any time, and on cancellation we retain it for a limited window to allow export, after which it is deleted per our retention schedule.
Account, billing, and login data for the Hosted service is handled as described elsewhere in this Policy (where we act as controller). For more on how we protect Customer Data, see our Security page.
5. Data Processing Agreement & sub-processors
Where we process Customer Data on your behalf (Hosted plan), that processing is governed by a Data Processing Agreement (DPA) that supplements our Terms. The DPA covers the subject-matter, duration, nature and purpose of processing, the types of data and categories of data subjects, confidentiality, security measures, breach notification, sub-processor terms, and assistance with data-subject requests and deletion/return on termination. To request the current DPA, please contact us.
We use the following sub-processors to deliver the Hosted service. Each is engaged under terms requiring appropriate safeguards, and we remain responsible for their handling of Customer Data:
- Payments: Stripe, Inc. (subscription billing and payment details; we do not store full card numbers).
- Hosting & infrastructure: Hetzner, EU (compute, database, and backup storage where Customer Data resides).
- Transactional email: a transactional email provider (receipts, security and account notices).
- Analytics: Plausible (privacy-friendly, cookieless).
We’ll post material changes to this sub-processor list here and, for Hosted customers, give notice as set out in the DPA so you can object before a new sub-processor begins handling Customer Data.
6. Cookies
We use essential cookies for sign-in/session handling. Our analytics (Plausible) is cookieless, so we don’t set analytics or marketing cookies. Manage cookies in your browser settings.
7. Data retention
We keep account and purchase records for as long as your account is active and as required for legal and accounting purposes, after which they are deleted or anonymized.
8. Your rights
Depending on where you live, you may have rights to access, correct, delete, or export your data (e.g., under GDPR/CCPA). To exercise them, please contact usand we’ll respond as required by applicable law.
9. Changes
We’ll post updates here with a new “last updated” date.
10. Contact
Contact us with any privacy questions.