Spicy Corp Privacy Policy
Last Updated: January 15, 2026
Introduction
Spicy Corp (“we,” “us,” or “our”) is committed to protecting your privacy. As a company focused on security products—including hardened phones, mobile applications, and specialized hardware devices—we take data minimization seriously.
Our Philosophy: We strive to collect the minimum data necessary to provide our products and services. Where possible, we design our products to function without sending data back to our servers.
Products Covered
This policy covers three categories of Spicy Corp products:
- Secure Phones – Hardened mobile devices running SovereignOS
- Mobile Applications – Apps published under Spicy Corp (e.g., Soaq, ATAK Plugins)
- Hardware Devices – Specialized widgets, microcontrollers, and signals collection equipment
1. Secure Phones (SovereignOS Devices)
Our Commitment
Our secure phones are designed with privacy as the primary feature. We do not install tracking software, telemetry, or “phone home” capabilities on these devices.
What We DO NOT Collect
- Device location
- Usage patterns or app activity
- Contacts, messages, or call logs
- Device identifiers
- Any data from your device during normal operation
What We MAY Collect
When you interact with our website or support services for phone-related activities (such as flashing firmware, downloading updates, or requesting support):
- IP Address – Logged temporarily for security and debugging purposes
- Browser User Agent – Collected to ensure compatibility and diagnose issues
- Download timestamps – To track firmware version distribution
- Support ticket information – If you contact us for help
This data is collected through our web infrastructure, not from the device itself.
Data Retention
Web server logs containing IP addresses and user agents are retained for up to 90 days for debugging purposes, then automatically deleted.
2. Mobile Applications
General Approach
We strive to build apps with zero tracking. However, some of our consumer-facing apps include third-party libraries and services that have their own data collection practices. We are transparent about what each app collects.
Soaq – Hot Springs Discovery App
Data We Collect Directly:
- Location Data – Used locally on your device to show nearby hot springs and calculate distances. Your precise location is NOT sent to our servers.
- Subscription Status – Managed through RevenueCat to process payments.
Data We DO NOT Collect:
- Personal identity information
- Usage analytics or behavior tracking
- Search history or viewed springs
- Photos or media from your device
Third-Party Services in Soaq:
| Service | Purpose | Their Data Practices |
|---|---|---|
| RevenueCat | Subscription management | Collects anonymous purchase data, device identifiers for subscription validation. Privacy Policy |
| Mapbox | Map display | May collect anonymized location data for map improvements. Privacy Policy |
| Apple/Google | App distribution & payments | Subject to Apple App Store / Google Play privacy policies |
| Expo/React Native | App framework | May collect crash reports and anonymized diagnostics |
Your Choices:
- Location permission can be denied (app will function with reduced features)
- You can use the app without creating an account
- Subscription is optional; free tier available
μcontrol (SpicyController) – ATAK USB Controller Plugin
Data We Collect Directly:
- Location Data – Inherited from ATAK; used for map marker placement when sharing your position with other ATAK users via CoT messaging. Location is NOT sent to Spicy Corp servers.
- USB Device Information – Device identifiers for connected serial devices, stored locally for connection management.
- Command History – Serial commands sent to microcontrollers, stored locally on your device only.
Data We DO NOT Collect:
- Personal identity information
- Usage analytics or behavior tracking
- Telemetry or crash reports sent to Spicy Corp
- Any data transmitted to Spicy Corp servers
Third-Party Services in μcontrol:
| Service | Purpose | Their Data Practices |
|---|---|---|
| ATAK (Android Team Awareness Kit) | Host application platform | Subject to ATAK’s privacy policy; plugin inherits ATAK’s permissions |
| TAK Server (user-configured) | CoT message routing | Managed by your organization; Spicy Corp does not operate TAK servers |
| Google Play | App distribution | Subject to Google Play privacy policy |
CoT (Cursor on Target) Messaging:
When you use μcontrol’s remote command features, the following data may be transmitted to other ATAK users through your configured TAK server:
- Your device callsign and UID
- Your location (if sharing is enabled in ATAK)
- Command messages you choose to send
Note: This data flows through your organization’s TAK server infrastructure, not Spicy Corp servers. We have no access to your CoT traffic.
Your Choices:
- USB permission can be denied (app will not function without it)
- Location sharing is controlled through ATAK settings
- Remote command features can be disabled
- No account or registration required
3. Hardware Devices (Widgets & Signals Collection Equipment)
Our Approach
Our specialized hardware devices are designed for security-conscious users. We minimize data collection and avoid persistent connections to external servers where possible.
What We MAY Collect
During device setup, firmware updates, or when using companion software:
- IP Address – For download/update requests
- Browser User Agent – When accessing web-based configuration interfaces
- Device Serial Numbers – For warranty and support purposes
- Firmware Version – To provide appropriate updates
Third-Party Components
Some hardware devices integrate third-party chipsets, radios, or software libraries that may have their own data practices. We select components from privacy-respecting vendors, but cannot guarantee zero data collection from all integrated components.
What We DO NOT Collect
- Data captured or processed by the device
- Your operational usage patterns
- Network traffic passing through devices
- Location of deployed devices
4. Website & E-Commerce (spicycorp.com)
Information We Collect
- Account Information – Email, name, shipping address (for orders)
- Payment Information – Processed securely through our payment processor; we do not store full credit card numbers
- Order History – To fulfill orders and provide support
- IP Address & Browser Information – Standard web server logs
- Cookies – For shopping cart functionality and website operation
Cookies We Use
- Essential Cookies – Required for cart and checkout functionality
- Authentication Cookies – To keep you logged in (if you choose)
We do not use advertising cookies or third-party tracking pixels.
5. How We Share Information
We do not sell your personal information.
We may share information only in these limited circumstances:
- Service Providers – Third parties that help us operate (payment processors, shipping carriers, cloud hosting) under strict confidentiality agreements
- Legal Requirements – When required by law, court order, or government request
- Business Transfers – In the event of a merger or acquisition (you would be notified)
- With Your Consent – When you explicitly authorize sharing
6. Data Security
We implement appropriate technical and organizational measures to protect your information:
- Encrypted connections (HTTPS/TLS) for all web services
- Secure payment processing (PCI-DSS compliant processors)
- Limited employee access to customer data
- Regular security assessments
7. Data Retention
- Order Information – Retained for 7 years for legal/tax purposes
- Account Information – Retained until you request deletion
- Server Logs – Automatically deleted after 90 days
- Support Tickets – Retained for 2 years after resolution
8. Your Rights
Depending on your location, you may have the right to:
- Access – Request a copy of your personal data
- Correction – Update inaccurate information
- Deletion – Request removal of your data
- Portability – Receive your data in a machine-readable format
- Opt-Out – Unsubscribe from marketing communications
To exercise these rights, contact us at: privacy@spicycorp.com
9. Children’s Privacy
Our products and services are not directed at children under 13. We do not knowingly collect personal information from children.
10. California Privacy Rights (CCPA)
California residents have additional rights:
- Right to know what personal information is collected
- Right to delete personal information
- Right to opt-out of sale of personal information (we do not sell data)
- Right to non-discrimination for exercising privacy rights
