Safety & Security at SpinOfLuck
SpinOfLuck is a browser-based tool with no downloads and no account required. Here is exactly how it is built to be safe: your wheel data stays on your device, the site is served over HTTPS with strict security headers, and we collect only the minimum anonymous signal needed to understand usage.
Security practices
SpinOfLuck applies defence-in-depth at the transport, application, and browser layers. The six properties below are always in effect — they are architectural, not optional settings.
HTTPS encryption
Every page, asset, and API call is served over TLS; HTTP Strict Transport Security (HSTS) instructs browsers to reject any unencrypted connection to the site.
Browser-based operation
The wheel engine, entry editing, and spin logic all execute inside your browser tab — no data is sent to a server during normal use.
Local data storage
Wheel entries, colors, settings, and spin history are saved to browser localStorage on your device and never transmitted to any server unless you explicitly join a multiplayer room.
No malware
SpinOfLuck is a server-rendered web application with no downloadable executables, installers, or browser extensions — there is nothing to run outside the browser.
No downloads required
The site works entirely in your browser from the first page load; no download, install, or update prompt will ever be presented by this site.
No phishing
SpinOfLuck does not ask for your email, password, payment details, or any personal information — there is nothing to phish.
What information we collect
To understand how the service is used and to detect abuse, we store one anonymous usage record per browser in Google Cloud Firestore. It contains exactly four fields:
- A random anonymous browser ID (generated locally, not linked to any identity)
- Your country, at country level only (e.g. "US" or "IN") — derived from request headers at the time of the visit; the IP address itself is not stored
- A counter of how many times the wheel has been spun from your browser
- A timestamp of your most recent visit
This record is created the first time you visit and updated on subsequent visits. It contains no name, email, device identifier, or precise location.
What information we do NOT collect
We designed the data model to be minimal by default. The following are explicitly not collected, not stored, and not accessible to us:
- Your wheel entries or names
- Winners from your spins
- Your email address or real name
- Precise IP address or GPS location
- Browsing or navigation history
- Device fingerprints
- Advertising IDs or cross-site tracking identifiers
We do not sell your data, share it with advertisers, or use it for any purpose other than understanding aggregate usage patterns of SpinOfLuck.
Security headers
Every response from SpinOfLuck includes a set of HTTP security headers that instruct your browser how to handle the page safely. Below is what each one does in plain language:
- Content-Security-Policy (CSP) — tells the browser which origins are allowed to load scripts, styles, and other resources, blocking injected or third-party scripts from running unexpectedly.
- Strict-Transport-Security (HSTS) — instructs browsers to always use HTTPS for this domain and to refuse any downgrade to HTTP.
- X-Frame-Options — prevents the site from being embedded inside an <iframe> on another domain, which protects against clickjacking attacks.
- X-Content-Type-Options: nosniff — stops browsers from guessing the MIME type of a response, preventing certain content-type confusion exploits.
- Referrer-Policy — limits how much of the current URL is shared with third parties when a link is followed, reducing information leakage.
- Permissions-Policy — explicitly disables browser features the site does not need — including microphone, camera, and geolocation — so they cannot be activated even if a script attempted to request them.
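The headers above are only protective if they are actually present and not weakened by permissive values. The following audit function is an added example (not SpinOfLuck's own code): it takes a plain object of response headers, checks that the six headers listed on this page exist, and flags the common weak configurations (CSP allowing inline or eval scripts, a short HSTS lifetime, a non-`nosniff` value, or a Permissions-Policy that does not disable camera, microphone and geolocation). The sample header set inside the block is constructed for illustration.

```javascript
// Added example: audit a response's security headers against the six the page lists.
// Header names/values here are constructed samples, not captured from the live site.
const REQUIRED = [
  'content-security-policy',
  'strict-transport-security',
  'x-frame-options',
  'x-content-type-options',
  'referrer-policy',
  'permissions-policy',
];

function auditSecurityHeaders(headers) {
  // Header names are case-insensitive, so normalise them before lookup.
  const h = Object.fromEntries(
    Object.entries(headers).map(([k, v]) => [k.toLowerCase(), String(v).trim()])
  );
  const findings = [];
  for (const name of REQUIRED) {
    if (!(name in h)) findings.push(`missing: ${name}`);
  }
  const csp = h['content-security-policy'];
  if (csp && /'unsafe-inline'|'unsafe-eval'/.test(csp)) {
    findings.push("weak: CSP permits 'unsafe-inline' or 'unsafe-eval'");
  }
  const hsts = h['strict-transport-security'];
  if (hsts) {
    const m = /max-age=(\d+)/i.exec(hsts);
    // One year (31536000 s) is the commonly recommended minimum HSTS lifetime.
    if (!m || Number(m[1]) < 31536000) findings.push('weak: HSTS max-age below one year');
  }
  const xcto = h['x-content-type-options'];
  if (xcto && xcto.toLowerCase() !== 'nosniff') {
    findings.push('weak: X-Content-Type-Options is not "nosniff"');
  }
  const pp = h['permissions-policy'];
  if (pp) {
    // An empty allowlist, e.g. "camera=()", is what disables a feature for every origin.
    for (const feature of ['camera', 'microphone', 'geolocation']) {
      if (!new RegExp(`\\b${feature}=\\(\\)`).test(pp)) {
        findings.push(`weak: Permissions-Policy does not disable ${feature}`);
      }
    }
  }
  return findings;
}

// Constructed sample of a hardened response; auditSecurityHeaders(SAMPLE_HARDENED) returns [].
const SAMPLE_HARDENED = {
  'Content-Security-Policy': "default-src 'self'; script-src 'self'; object-src 'none'",
  'Strict-Transport-Security': 'max-age=63072000; includeSubDomains; preload',
  'X-Frame-Options': 'DENY',
  'X-Content-Type-Options': 'nosniff',
  'Referrer-Policy': 'strict-origin-when-cross-origin',
  'Permissions-Policy': 'camera=(), microphone=(), geolocation=()',
};
```

Run it against the headers returned by any deployment (for example the object produced by `Object.fromEntries(response.headers)` from a `fetch` call) to get a list of findings; an empty list means all six headers are present with none of the weak values checked here.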
Reporting a security issue
If you discover a security vulnerability in SpinOfLuck, please report it responsibly. Send a description of the issue, steps to reproduce, and any supporting detail to hello@spinofluck.com. We ask that you allow us a reasonable period to investigate and address the issue before publishing any details publicly.
For general privacy questions, see our Privacy Policy. For other enquiries, visit the Contact page.
Frequently asked questions
- Is SpinOfLuck safe to use?
- Yes. SpinOfLuck runs entirely in your browser — there is nothing to download or install, no account is required, and your wheel entries never leave your device unless you explicitly use a multiplayer room. The site is served over HTTPS and applies a strict set of security response headers.
- Does SpinOfLuck use HTTPS?
- Yes. Every page and asset is served over HTTPS with HTTP Strict Transport Security (HSTS) enforced, so your browser will refuse to load the site over an unencrypted connection.
- Do I need to download anything?
- No. SpinOfLuck is a web application — it runs directly in your browser. No installer, no extension, no app store download is needed or offered.
- Does it contain malware or viruses?
- No. SpinOfLuck is a static Next.js web application with no executable downloads. We do not distribute installers, browser extensions, or any binary files. If you encounter a page claiming otherwise, it is not the genuine site.
- Can SpinOfLuck see the names on my wheel?
- No. Wheel entries, names, colors, and spin history are stored exclusively in your browser's localStorage. They are never transmitted to any server, and we have no visibility into what you put on your wheel.
- Do you store my IP address?
- No. We derive your country from request headers at the time of first visit (country-level only — for example "US" or "IN") and store only that country code, not your IP address, in our database. We do not store precise location, city, region, or GPS data.
- Do you sell my data?
- No. We do not sell, rent, or share your data with advertisers or data brokers. The minimal anonymous usage data we collect (a random browser ID, country code, spin count, and last-seen timestamp) is used only to understand how the service is used and to improve it.
- Is it safe on a school or work device?
- SpinOfLuck requires no downloads, creates no accounts, and stores all content locally in the browser. It applies strict security headers including a Content-Security-Policy and Permissions-Policy that disable microphone, camera, and geolocation access. These properties make it suitable for use on managed school or work devices, though your institution's acceptable-use policy is the authoritative guide.
- What data is stored if I use multiplayer rooms?
- Multiplayer rooms are strictly opt-in. When you host or join a room, the wheel entries, settings, your chosen display name, your anonymous browser ID, and spin events are temporarily written to Google Cloud Firestore so participants can share the same wheel. Rooms auto-delete 24 hours after the host's last activity. No multiplayer data is stored unless you explicitly create or join a room.
- How do I report a security vulnerability?
- Please email us at hello@spinofluck.com with a description of the issue, the steps to reproduce it, and any relevant context. We treat security disclosures as a priority and aim to acknowledge reports promptly. We request responsible disclosure — please allow us reasonable time to investigate and address the issue before publishing details.
- Is my data encrypted?
- Data in transit is encrypted via TLS (HTTPS). Data at rest in Google Cloud Firestore (the minimal anonymous usage record) is encrypted by default by Google. Your localStorage data is stored by your browser on your device and is subject to your device's own storage security.
- Can I delete my data?
- Your wheel entries, history, and settings are stored only in your browser — you can clear them at any time by clearing your browser's site data or localStorage. This also resets your anonymous browser ID. If you want your anonymous Firestore usage record deleted, contact us at hello@spinofluck.com and we will remove it.