SPOTMIND HK Limited
Privacy Policy
Last updated: 5 May 2026
Effective date and entity
Effective date: 5 May 2026. Last updated: 5 May 2026.
Spotline is operated by SPOTMIND HK Limited (Business Registration No: XXXX), a company incorporated in the Hong Kong Special Administrative Region ("Spotline", "we", "us"). This Privacy Policy describes the personal data we process and the rights available to you under the Personal Data (Privacy) Ordinance (Cap. 486) of Hong Kong (the "PDPO").
1. No content logging
Spotline does not log the websites you visit, the IP addresses you connect to, the contents of your DNS queries, or the contents of any network traffic transiting our service. We do not maintain per-connection logs that map a user account to a destination address.
We may retain minimal connection metadata — connection start timestamp, the gateway region used, and aggregate byte counts — for up to 30 days for the purposes of fraud prevention, network capacity planning, and lawful compliance. This metadata does not contain destination addresses, URLs, DNS query content, or payload content.
2. Data we process
Account data: email address; password hash; country of registration; subscription tier.
Payment data (processed by our payment processors): card last-four digits; mobile-wallet identifiers; transaction reference; billing country; transaction amount.
Device data: a Spotline-generated device identifier; operating system and version; client application version; the gateway region you have selected.
Diagnostic data: aggregate connection counts and bytes per billing period, used to enforce fair-use limits described in our pricing.
3. Lawful request compliance; jurisdiction
We respond to lawful requests from courts and regulatory authorities of the Hong Kong Special Administrative Region in accordance with applicable law. We do not voluntarily share user data with foreign governments. We are not subject to discovery orders, subpoenas, or production orders issued by jurisdictions outside Hong Kong unless given binding effect under Hong Kong law.
4. Third-party processors
Airwallex (Hong Kong) — payment processing.
Paddle (United Kingdom) — backup merchant of record for selected regions.
Supabase (Singapore region) — authentication and account database.
Amazon Web Services / AWS Lightsail (Hong Kong, Tokyo, Singapore, US-West) — gateway and account-data hosting.
Vercel (United States) — website hosting.
Each processor operates under its own privacy policy. Each is bound by a data-processing agreement with Spotline. Spotline is not liable for breaches caused by a third-party processor in violation of its own obligations.
5. Cross-border data transfer
By using the service you explicitly consent to the transfer and processing of your data in AWS data centres in Hong Kong, Tokyo, Singapore, and US-West, and to the regions in which the processors listed above operate, for the purpose of providing the service.
6. No sale of personal data
Spotline does not sell or rent personal data to any third party. We do not share data with advertising networks. We do not build cross-site advertising profiles.
7. Cookies and analytics
Our website uses a small set of strictly necessary cookies for session management. Analytics is opt-in only; declining cookies does not impair full website functionality. Where analytics is enabled, our analytics provider is configured not to set advertising cookies and not to build cross-site profiles.
8. Data retention
Account data: retained while the account is active. Following account closure, account records are soft-deleted for up to 90 days to permit recovery, and permanently deleted or anonymised within 365 days of account closure.
Connection metadata (per Section 1): up to 30 days.
Payment, tax, and accounting records: retained for the period required by Hong Kong tax and corporate law.
9. Data breach notification
In the event of a confirmed personal-data breach affecting you, we will notify the affected users within 72 hours, in accordance with the PDPO and best industry practice. The notification will describe the nature of the breach, the categories of data affected, and the steps we have taken in response.
10. Your rights under the PDPO
You may request access to the personal data we hold about you, request correction of inaccurate data, request deletion or anonymisation of your data, or request export of your account data. We will respond to verified requests within 30 days. Requests must be made from the email address registered to the account, to support@spotline.space.
11. Children
The service is not directed at and is not for use by persons under 18 years of age. If we discover that an account has been created by a minor, we will immediately terminate the account and delete the data.
12. Updates to this policy
We may modify this Privacy Policy from time to time. Material modifications will be notified by email at least 30 days before the effective date. Continued use of the service after the effective date constitutes acceptance of the modification.
13. Anti-abuse data processing
We collect and process the following data for abuse prevention and fraud detection: browser and device fingerprint hashes; IP address, geolocation, and ASN; email and phone hashes for duplicate-signup detection; Apple ID and Google Play ID hashes (mobile only); behavioural metadata such as signup velocity, captcha scores and fraud-risk scores.
We share the necessary subset with third-party processors: IPQualityScore (United States) — fraud-risk scoring; Twilio Lookup (United States) — phone-number carrier validation; Google reCAPTCHA / Cloudflare Turnstile — bot detection. Each processor is bound by its own privacy policy. Anti-abuse data is retained for 12 months for pattern analysis.
14. Bandwidth telemetry
We measure aggregate bandwidth consumption per account and per region for the purposes of: enforcing fair-use caps described in our Acceptable Use Policy; capacity planning; detecting abuse patterns.
We do NOT inspect, log, or store the content of your network traffic, the addresses you connect to, the contents of your DNS queries, or any browsing history. Bandwidth telemetry consists solely of byte counts and timestamps.
15. Contact
Registered office: SPOTMIND HK Limited, Hong Kong SAR.
Privacy queries and rights requests: support@spotline.space.