SpicyIoT Privacy Policy

1. Introduction

We respect your privacy. This policy explains what personal data we collect, how we use it, and how we keep it secure. By using SpicyIoT (the website and/or the Android app), you agree to the practices described here.

2. Who We Are

SpicyIoT is an Internet of Things (IoT) monitoring platform operated by Stay Spicy Ltd ("we", "our", "us"). We operate the spicyiot.com website and the SpicyIoT Android app. We are responsible for how we process your personal data and comply with applicable data protection laws, including the UK GDPR and EU GDPR.

3. Data We Collect

  • Account Information: Name, email address, and any details provided during registration.
  • IoT Sensor Data: Readings submitted by your connected devices (e.g. temperature, humidity, pH). This data is stored solely for your use and is not shared with third parties.
  • Device Metadata: Device identifiers, sensor names, and configuration you create within the platform.
  • Communication Data: Any information you share when contacting us for support.
  • Technical Data: Log files, IP addresses, browser type, device type, and other details used for analytics and security.
  • Payment Data: If you subscribe to a paid plan, payment is processed by our third-party payment provider. We do not store your full card details.

4. Mobile App

The SpicyIoT Android app connects to your SpicyIoT account to display sensor data, dashboards, and alerts on your phone.

  • Authentication: The app stores an API token on your device to keep you signed in. You can revoke this token at any time from spicyiot.com or by disconnecting within the app.
  • Push notifications: If you allow notifications, the app registers a Firebase Cloud Messaging (FCM) token with our servers so we can send you sensor alerts. Your device name (manufacturer and model) is stored alongside the token so you can identify it. You can turn notifications off in your phone's settings at any time.
  • Local storage: Sensor data and settings are cached on your device for faster loading and limited offline access. This data syncs when you are back online.
  • Network access: The app requires an internet connection to fetch sensor data, receive alerts, and sync with your account. No data is collected or sent beyond what is needed to provide the service.

The app does not access your camera, contacts, location, files, or any other device features beyond those listed above.

5. How We Use Your Data

  • Service Delivery: To provide and maintain the IoT monitoring functionality, including dashboards, alerts, reports, and API access.
  • Communication: To respond to support queries, send important service updates, or notify you of changes to your account.
  • Security & Fraud Prevention: To protect our platform and your data against unauthorised access, abuse, or misuse.
  • Improvement & Analytics: To analyse aggregated, anonymised usage trends and improve our services. We do not use your sensor data for analytics or profiling.

6. What We Do NOT Do With Your Data

  • We never sell your personal data or sensor data to third parties.
  • We never use your sensor data for advertising, profiling, or any purpose other than providing the service to you.
  • We never share your sensor data with other users unless you explicitly enable public dashboards or sharing features.
  • We do not train AI or machine learning models on your data for purposes outside of your account (e.g. anomaly detection operates only within your own data).

7. Legal Basis for Processing

We process your personal data on the following legal bases:

  • Contract: Processing necessary to provide you with the SpicyIoT service.
  • Consent: Where you have given explicit consent (e.g. marketing communications).
  • Legitimate Interest: To maintain the security of the platform, prevent fraud, and improve our services.
  • Legal Obligation: Where required by law.

8. Data Sharing

We do not sell your data. We only share personal data when needed for:

  • Service Providers: Trusted partners who help us run our platform (e.g. hosting, email delivery, payment processing). These providers are bound by data processing agreements.
  • Legal Compliance: If required by law, regulation, or to protect our legal rights.

9. Data Storage & Security

Your data is stored on secure servers. We implement industry-standard security measures, including encrypted connections (TLS/SSL), secure authentication, and access controls, to protect your data against accidental or unlawful destruction, loss, or alteration, and against unauthorised disclosure or access.

API authentication uses token-based access. Webhook payloads are signed with HMAC-SHA256 to ensure integrity.

10. Data Retention

We store your data only as long as it is necessary for the purposes outlined here, or as required by your subscription plan. Sensor data retention periods are defined by your plan tier. When you delete your account or specific data, it is permanently removed from our systems within 30 days.

11. Data Export & Portability

You can export your sensor data at any time via the platform or API. We do not use proprietary data formats: your data is always accessible in standard formats (CSV, JSON). There is no vendor lock-in.

12. Your Rights

Subject to applicable law (including UK GDPR and EU GDPR), you have the right to:

  • Access the personal data we hold about you.
  • Rectification: Request correction of inaccurate data.
  • Erasure: Request deletion of your data ("right to be forgotten").
  • Restriction: Object to or restrict how your data is processed.
  • Portability: Receive your data in a structured, machine-readable format.
  • Withdraw Consent: At any time, where processing is based on consent.
  • Complaint: Lodge a complaint with the relevant data protection authority (e.g. the UK ICO).

13. Cookies

We use essential cookies required for the platform to function (e.g. session management, authentication). We do not use third-party advertising or tracking cookies. You can manage cookie preferences in your browser settings.

14. Children's Privacy

SpicyIoT is not directed at children under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it.

15. Changes to This Policy

We may update this policy from time to time. If changes are significant, we will notify you via email or a prominent notice on the platform. The "Last Updated" date below will always reflect the most recent revision.

16. Contact Us

For questions about this policy, to exercise your data rights, or to raise a privacy concern, please contact us.

Last Updated: 11th March 2026