Privacy Policy

1. Who We Are

Tarantuverse is operated by Appalachian Tarantulas, LLC, a Tennessee limited liability company (“Appalachian Tarantulas,” “we,” “us,” or “our”). For purposes of the EU and UK General Data Protection Regulation, Appalachian Tarantulas, LLC is the “controller” of personal data collected through the Service.

This Privacy Policy describes how we collect, use, disclose, and safeguard personal information when you use the Tarantuverse website, mobile applications, and related services (collectively, the “Service”). It should be read together with our Terms of Service.

Questions? Contact us at privacy@tarantuverse.com.

2. Information We Collect

2.1 Information You Provide

• Account information: email address, username, password (stored only as a bcrypt hash), display name.
• Profile information: bio, location (free-text, not precise geolocation), experience level, years keeping, specialties, social-media links, avatar image.
• Collection data: your tarantulas and enclosures, including names, species associations, photos, husbandry details, feeding logs, molt records, substrate changes, and any free-text notes you add.
• Breeding records: pairing information, egg-sac data, offspring records.
• Community content: forum posts, direct messages, comments, reactions, and photos you choose to share.
• Species submissions: if you submit species data to the community database.
• Support communications: the contents of messages you send us (email, contact form).
• Payment information: if and when we enable paid Subscriptions, card details are handled by our third-party payment processor; we receive limited billing metadata (such as last four digits, brand, and transaction IDs) but do not store full card numbers.

2.2 Information Collected Automatically

• Device and connection information: device type, operating system, app version, browser type, IP address, and approximate location derived from IP.
• Usage information: pages and screens you view, features you use, actions you take, timestamps, and referring URLs.
• Log data: server logs including request paths, status codes, and error traces, used for debugging, security, and abuse prevention.
• Push notification tokens: if you enable notifications on mobile, we store the Expo push token associated with your device so we can send notifications you’ve opted in to.

2.3 Information From Third Parties

If you sign in using an OAuth provider such as Google, Apple, or GitHub, we receive a limited profile payload from that provider (typically your name, email address, and profile picture). We do not receive passwords from these providers.

3. How We Use Your Information

We use the information we collect to:

• Provide, operate, and maintain the Service, including creating and managing your account;
• Enable you to record and track husbandry data for animals in your care;
• Power community features (forums, profiles, follows, direct messages, activity feed);
• Generate algorithmic features such as premolt prediction and feeding reminders from your own logs;
• Send transactional and service-related communications (password resets, receipts, security alerts, reminders you opted in to);
• Process payments and manage Subscriptions;
• Respond to support requests and feedback;
• Measure and analyze usage to fix bugs, improve performance, and develop new features;
• Detect, investigate, and prevent abuse, fraud, and security incidents;
• Comply with legal obligations and enforce our Terms of Service.

4. Legal Bases for Processing (EU/UK Users)

If you are in the European Economic Area, United Kingdom, or Switzerland, we rely on the following legal bases under GDPR/UK GDPR:

• Performance of a contract — to provide the Service you signed up for and fulfill our Terms.
• Legitimate interests — to operate, secure, and improve the Service, prevent abuse, and communicate with users about the Service, balanced against your rights.
• Consent — for optional features such as push notifications, marketing emails, or any future use of non-essential cookies. You can withdraw consent at any time.
• Legal obligation — to comply with applicable laws, respond to lawful requests, and meet regulatory requirements.

5. How We Share Information

5.1 We Do Not Sell Personal Information

We do not sell your personal information and we do not share it for cross-context behavioral advertising, as those terms are defined under the California Consumer Privacy Act (CCPA/CPRA).

5.2 When We Share

• Public profile content: if you set your collection to public, your profile, collection, and activity are visible to other users and may be indexed by search engines. You control this in Settings.
• Community features: forum posts, public comments, and community submissions are visible to other users. Direct messages are visible only to you and the recipient.
• Service providers: we use the vendors listed in Section 10 to host, store, secure, and operate the Service. They may process personal data on our behalf under written agreements limiting how they use it.
• Legal and safety: we may disclose information if we believe in good faith it is necessary to comply with law, legal process, or enforceable government request, to enforce our Terms, or to protect the rights, property, or safety of any person.
• Business transfers: if Appalachian Tarantulas, LLC is involved in a merger, acquisition, financing, or sale of assets, your information may be transferred as part of that transaction; we will provide notice before personal data becomes subject to a different privacy policy.
• With your consent: we may share information for any other purpose with your explicit consent.

5.3 What We Never Share

• Your email address with other users (kept private on your profile);
• Prices you paid for your animals;
• Private notes on your collection;
• Contents of your direct messages (beyond the intended recipient);
• Payment card numbers (handled directly by our payment processor).

6. Analytics and Cookies

We use cookies and similar technologies (such as local storage on the web and secure device storage on mobile) to keep you signed in, remember your preferences (for example, theme), and measure how the Service is used.

We use product-analytics tooling (currently PostHog) to understand aggregate usage and improve the Service. Where required by law, we will request your consent before loading non-essential analytics or cookies. You can generally block or delete cookies through your browser settings; doing so may affect core Service functionality such as staying signed in.

We do not currently respond to Do Not Track (DNT) signals because there is no industry consensus on how to interpret them. We do honor applicable Global Privacy Control (GPC) signals as opt-out-of-sale requests.

7. Data Security

We use commercially reasonable technical and organizational measures to protect personal information, including:

• Passwords stored as bcrypt hashes, never in plaintext;
• JWT authentication with short token lifetimes and server-side revocation on logout;
• HTTPS/TLS in transit;
• Rate limiting, input validation, and content-type verification on uploads;
• Managed cloud infrastructure with ongoing security updates;
• Role-based access controls for administrative functions.

No method of transmission or storage is perfectly secure. While we work to protect your information, we cannot guarantee absolute security. If we become aware of a personal-data breach affecting you, we will notify you as required by applicable law.

8. Data Retention

We retain your information for as long as your account is active or as needed to provide the Service. If you delete your account through /delete-account, we permanently remove your personal data within thirty (30) days, except where we are required to keep it longer to comply with legal, tax, regulatory, or security obligations, to resolve disputes, or to enforce our agreements.

Aggregated or de-identified information that can no longer reasonably be linked to you may be retained and used indefinitely. Log data and backups are rotated on normal operational schedules.

9. International Data Transfers

Appalachian Tarantulas, LLC is based in the United States and our infrastructure is primarily located in the United States. If you access the Service from outside the U.S., your information will be transferred to, stored, and processed in the U.S. and other countries where our service providers operate. Where required, we rely on appropriate safeguards (such as the European Commission’s Standard Contractual Clauses) for cross-border transfers of personal data from the EEA, UK, or Switzerland.

10. Third-Party Service Providers

We rely on the following categories of service providers. Each processes only the personal data needed to perform its function and is bound by contractual confidentiality obligations.

• Hosting and compute: Render (API hosting), Vercel (web hosting).
• Database: Neon (PostgreSQL).
• Object storage / CDN: Cloudflare R2 (photos, thumbnails, file storage).
• Email delivery: Resend (password resets, notifications, transactional email).
• Push notifications: Expo Push Notification Service (mobile notifications).
• OAuth providers: Google, Apple, GitHub (optional sign-in).
• Product analytics: PostHog.
• Payment processing: to be announced when paid Subscriptions launch; updates will be reflected in this policy.

These providers have their own privacy policies governing how they process information on their infrastructure. We are not responsible for their acts or omissions.

11. Your Choices and Rights

You can exercise many rights directly in the Service:

• Access and portability: download your data from Settings → Data Export in JSON, CSV, or a full ZIP including photos.
• Correction: edit your profile, tarantulas, logs, and other records from the dashboard.
• Deletion: permanently delete your account and personal data at /delete-account.
• Visibility: set your collection to private or public in Settings.
• Notifications: manage push, email, and in-app notifications from Settings → Notifications.
• Marketing email: you can opt out of promotional messages using the unsubscribe link in any marketing email; transactional messages (security, account, billing) will continue to be sent.

You can also email privacy@tarantuverse.com to exercise any privacy right. We will respond within the timeframes required by applicable law.

12. California Privacy Rights (CCPA/CPRA)

If you are a California resident, you have the right to:

• Know what personal information we collect, the sources and purposes of collection, and the categories of third parties we share it with;
• Request a copy of the specific pieces of personal information we hold about you;
• Request correction of inaccurate personal information;
• Request deletion of your personal information, subject to certain exceptions;
• Limit the use and disclosure of “sensitive personal information,” although we do not use such information for any purpose beyond what is permitted without the right to limit;
• Opt out of the “sale” or “sharing” of personal information — we do not sell or share personal information for cross-context behavioral advertising;
• Be free from retaliation for exercising your rights.

To exercise these rights, email privacy@tarantuverse.com. You may designate an authorized agent to act on your behalf; we will verify the agent’s authority before processing the request.

13. EEA / UK / Swiss Privacy Rights (GDPR)

If you are in the EEA, UK, or Switzerland, you have the following rights under GDPR and UK GDPR:

• Right of access to your personal data;
• Right to rectification of inaccurate data;
• Right to erasure (“right to be forgotten”);
• Right to restrict processing;
• Right to data portability;
• Right to object to processing based on legitimate interests;
• Right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;
• Right to lodge a complaint with your local supervisory authority.

Email privacy@tarantuverse.com to exercise any of these rights.

14. Children’s Privacy

The Service is not directed to children under 13, and we do not knowingly collect personal information from children under 13. Users between 13 and the age of majority in their jurisdiction may use the Service only with the involvement and consent of a parent or legal guardian. If you believe a child under 13 has provided personal information to us, please contact privacy@tarantuverse.com and we will delete the information promptly.

15. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will update the “Last Updated” date at the top. For material changes that affect your rights, we will provide additional notice such as an in-app alert or email to the address associated with your account. Your continued use of the Service after the changes take effect means you accept the updated policy. If you do not agree to the updated policy, you should stop using the Service and may delete your account.

16. Contact Us

For privacy questions, complaints, or to exercise your rights, contact us at: