Privacy Policy

Sprig collects the data needed to run a developer community: your account, the content you post, the people you follow, and a small amount of usage data to make discovery work. We don't sell your data. We don't run third-party ad networks on the site. We use a handful of named processors (Supabase, Stripe, Resend) to actually operate the platform, and we tell you below exactly what each one sees.

Account data. Email address, username, password hash, and the auth provider you used (email/password or OAuth, if we've enabled it).

Profile data. Your display name, bio, avatar, banner, links, location string, skills, education, awards, tools, and anything else you put in your profile. Profile content is public unless you mark it private.

Content you post. Projects, devlogs, comments, discussions, jam entries, open-call posts, applications, media uploads, messages, and notes. Most of this is public by design (it's why people use Sprig); private notes and direct messages are visible only to the people you share them with.

Subscription data. If you subscribe to Sprig+, Stripe processes the payment and we store the resulting subscription state (active / past_due / canceled, tier, current period end). We never see or store your card number.

Usage data. Project page view counts (aggregated per day), top-viewed-project rankings, devlog read counts, and an anonymous per-session heatmap of which sections of a project page visitors scroll to. The heatmap stores no user identifier (only project ID, section name, and timestamp) and is retained for up to 90 days before rollup or deletion.

Moderation data. Reports you submit and moderation actions taken on your content (warnings, removals, suspensions) are retained as part of our safety log. These are visible to admins, not the public.

Device data. A small amount of standard server log data (IP address, user-agent, timestamps) is kept for security, rate-limiting, and abuse investigation. We don't build advertising profiles from it.

We use cookies that are necessary to run the site:

• Auth cookies. Set by Supabase Auth to keep you signed in across pages.
• Theme cookie. Stores whether you prefer dark or light mode so we don't flash the wrong theme on load.
• Session storage. Used to deduplicate things like heatmap pings within a single visit, so we don't over-count.

We do not run third-party advertising cookies, third-party analytics trackers, or social-network pixel trackers on Sprig.

We use what you give us to:

• Run your account and the workspace.
• Show your public content to other people on Sprig (projects to followers, open calls to people browsing, profile to anyone with the link).
• Send you transactional email: sign-up confirmation, password reset, notifications you've opted into (devlogs from followed projects, application replies, mentions), and the Monday devlog digest if you subscribed.
• Bill your subscription (via Stripe) and send receipts.
• Aggregate views for analytics that we show the project owner, never the individual visitor identities.
• Investigate abuse, enforce the Terms of Service, and respond to legal requests.

We never sell your personal data, and we don't share it for third-party advertising.

These are the third-party services Sprig uses to operate. Each is a data processor acting on our behalf, with a contractual obligation to handle your data securely.

• Supabase: hosts the database and runs auth. Sees all stored data (account, content, subscriptions).
• Stripe: processes payments and runs Stripe Tax where required. Sees billing-name, billing-address, and your card details (we don't).
• Resend: sends email on our behalf (notifications, digests, password resets). Sees your email address and the message content we generate.
• Vercel: hosts the application and serves it from edge regions. Standard server logs.

If you connect optional third-party integrations from your workspace, those services receive the data needed to perform the integration:

• Steam (Steamworks Web API): receives the Steam App ID you connect; we receive back the public app metadata, screenshots, review score, and player count.
• Bluesky / Mastodon: if you connect an account for devlog cross-posting, your post (a link and a snippet) is sent to that service when you publish a public devlog.
• GitHub: if you install the Sprig GitHub App on a repository, GitHub sends us webhooks for push and pull request events on that repo so we can show them in your activity feed. You can uninstall the app at any time from GitHub.

Each integration is opt-in and disconnectable from your workspace settings.

Most of what you create on Sprig is public on purpose. A project marked public, a profile, an open-call post, and a published devlog are all designed to be discovered and read. Don't put anything in those surfaces you wouldn't want a search engine to see.

Content that is private by default:

• Personal notes (you only).
• Direct messages (you and the recipients).
• Open-call applications (you and the project owner).
• Playtest feedback submissions (the project owner only).
• Private projects, internal devlogs, and team-only discussions (members of that project).
• Your email address and billing info (you only).

Depending on where you live, you may have rights under GDPR, the CCPA, or similar laws. You can exercise these regardless of whether the law strictly requires us to honour them. We'll do our best:

• Access. Email privacy@sprig.gg for a copy of the data we hold about you.
• Correction. You can edit most data directly from settings. For anything you can't edit yourself, email us.
• Deletion. Delete your account from settings. Public content tied to your profile is removed from public surfaces within a reasonable period. Some data (moderation logs, billing records, backups) is retained briefly for safety and legal compliance.
• Portability. Email us to request your data in a machine-readable format.
• Objection. You can unsubscribe from any notification email from the link in the email or from settings. Transactional email (password resets, billing receipts, important account notices) can't be turned off without closing the account.

Sprig is not directed at children under 13, and we don't knowingly collect personal data from them. If you believe a child under 13 has created a Sprig account, email privacy@sprig.gg and we'll remove it.

We use industry-standard practices to protect your data: encrypted connections (TLS) everywhere, hashed passwords, row-level security on the database, and signed-token auth. No system is bulletproof. If we ever discover a breach that affects your personal data, we'll notify the affected users in line with applicable law.

Sprig is operated from, and its data is stored in, regions hosted by Supabase and Vercel. If you access Sprig from a country other than where our infrastructure runs, your data is transferred to that infrastructure to be served back to you. By using Sprig you consent to that transfer.

We may update this policy as the service evolves. The "Last updated" date at the top of the page reflects the most recent meaningful change. If a change materially affects how we use your data, we'll let you know before it takes effect, by email, an in-app banner, or a notice on this page.

Privacy questions and rights requests go to privacy@sprig.gg. For acceptable-use complaints, use the flag button on the relevant content.