Skip to main content
spine.co
Skip to content

Privacy Policy

How spine.co collects, uses, and protects your information. Last updated: May 2026.

What we collect

We collect only what is necessary to operate the directory and improve it.

  • ·Account information. Email address and password hash when you create an account. No payment information is stored on spine.co — payments are handled by Stripe.
  • ·Search and navigation. Provider searches, condition pages visited, and guide steps completed. This data is used to improve search relevance and is not sold.
  • ·NPI lookups. When you search for a provider by NPI number, the NPI is logged to power our verification pipeline. No PHI is stored.
  • ·Device and browser. IP address, browser type, and operating system — collected automatically by our hosting provider (Vercel) and used for security and abuse prevention.

How we use it

  • ·Provider directory. Matching your search criteria to spine care providers in our database.
  • ·Guide personalization. Saving your position in the spine care guide so you can resume where you left off.
  • ·Product improvement. Understanding which conditions and cities have the most demand so we can prioritize content.
  • ·Security. Detecting and blocking abusive requests, unauthorized access attempts, and scraping.

Cookies & local storage

  • ·Session cookie (Supabase). A secure, HTTP-only cookie that keeps you signed in. Expires when your session ends or after 7 days of inactivity.
  • ·preferred_country cookie. Remembers which country version of the directory you prefer (e.g. /us/). No personal data.
  • ·text-scale (localStorage). Stores your font size preference (compact / default / comfortable). Stays in your browser; never sent to our servers.

Third-party services

We use a small number of infrastructure providers. Each processes only the data necessary for their function.

  • ·Supabase. Hosts our database and authentication system. Data is stored in the United States. See supabase.com/privacy.
  • ·Vercel. Hosts and serves spine.co. Logs IP addresses and request metadata for CDN and security purposes. See vercel.com/legal/privacy-policy.
  • ·Google Analytics. Anonymized page-view analytics with IP anonymization enabled. No cross-site tracking. You can opt out via browser extensions.

We do not sell your data to third parties. We do not share your data with advertisers.

Data retention

  • ·Account data. Retained while your account is active. Deleted within 30 days of account deletion.
  • ·Anonymous analytics. Retained for 26 months, then automatically purged.
  • ·Server logs. Retained by Vercel for up to 30 days for security monitoring.

Your rights

You have the right to access, correct, export, or delete the personal data we hold about you. To exercise any of these rights, email us at admin@spine.co with the subject line “Privacy request”. We will respond within 30 days.

If you are a California resident, you have additional rights under the CCPA, including the right to know what personal information is collected and the right to opt out of the sale of personal information (we do not sell personal information).

This policy may be updated periodically. Material changes will be noted at the top of this page. Continued use of spine.co after changes constitutes acceptance.