Privacy Policy

This Privacy Policy is published by Spiral Health, Inc., a Delaware corporation (“Spiral,” “we,” “us,” or “our”). It governs the collection, use, storage, and disclosure of personal information we obtain through: (a) our marketing website located at talktospiral.com; (b) our web application located at app.talktospiral.com; and (c) our SMS text messaging service (collectively, the “Services”).

This policy applies to all individuals who interact with our Services, including end users (“Users”) who access the Spiral AI companion for personal wellness support, and licensed mental health professionals (“Therapists”) who create Care Blueprints and manage their accounts through the Spiral platform.

By accessing or using the Services, you agree to the collection and use of information as described in this policy. If you do not agree, please do not use the Services.

We review and update this Privacy Policy at least once per calendar year. When we make material changes, we will notify affected users at least 30 days before the changes take effect.

We use the information we collect for the following purposes, matched to the data categories described in Section 2:

Service delivery. We use your account data, conversation data, and onboarding information to operate the Spiral platform—delivering AI companion responses, maintaining your conversation history, matching you to a Care Blueprint based on your profile, and enforcing subscription limits.

Personalization. After each AI interaction, Spiral performs an automated process called “memory extraction.” A separate AI call analyzes the conversation and extracts key facts, patterns, and themes about you (for example, your typical stressors, coping strategies, or stated preferences). These extracted facts are stored as “patient memory” and incorporated into future AI responses to create continuity across sessions.

AI and ML processing. We are transparent about how your data interacts with AI systems:

• Your messages are sent to Anthropic, Inc.’s API (Claude Haiku model) for the generation of AI responses. Anthropic processes these messages as a data processor on our behalf. Please refer to Anthropic’s privacy policy for information about their data handling practices.
• Your text is converted into mathematical vector representations called “embeddings” for the purpose of matching your profile to the most suitable Care Blueprint. This embedding process is performed entirely on our own infrastructure hosted on Railway. We never send your text to third-party embedding services such as OpenAI.
• Each AI response is assembled using a structured three-layer context: (1) a hardcoded system prompt that frames Spiral as a wellness tool for healthcare workers; (2) the matched Care Blueprint and any Therapist preference settings; (3) extracted patient memory facts and recent conversation history; and (4) your new message. No other information about you is included.

Safety. Every inbound message is scanned for indicators of suicidal ideation, self-harm, or imminent danger. If such indicators are detected, Spiral immediately surfaces crisis resources including the 988 Suicide & Crisis Lifeline, the Crisis Text Line (text HOME to 741741), and 911. In cases of apparent imminent danger, we may be required by law to disclose information to emergency services.

Service improvement. We use de-identified and aggregated analytics to understand how the Services are used, identify technical issues, and improve our product. Personal information is not used to train AI models without separate disclosure and consent.

Communications. We use your phone number to deliver SMS messages as part of the core service. We use your email address to send account notifications, billing confirmations, and security alerts. We do not send marketing emails without your explicit opt-in.

Billing and quota enforcement. We use your subscription status (received from Stripe) to enforce message quotas and gate access to premium features. Messages sent when you are over quota are responded to with an upgrade notice and do not count against your usage.

Legal compliance. We may process your information as necessary to comply with applicable laws, respond to lawful requests from government authorities, enforce our Terms of Service, or protect the rights and safety of Spiral, our users, and the public.

Spiral Health, Inc. is not a covered entity or business associate as those terms are defined under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). We do not operate as a healthcare provider, health plan, or healthcare clearinghouse. As a result, the information you share with Spiral is not protected health information (PHI) under HIPAA, and is not subject to the privacy and security requirements imposed by that law.

We voluntarily implement industry-standard technical and organizational security measures to protect the sensitive nature of the information you share with us, as described in Section 12. However, these measures do not create HIPAA obligations on our part and do not provide the legal protections that would apply in a covered entity context.

Conversations with Spiral’s AI companion are not therapy sessions and are not subject to therapist-patient privilege, physician-patient privilege, or any similar professional confidentiality protection. Spiral is a wellness and mental health support tool, not a licensed healthcare provider, and your interactions with it do not create a clinical relationship.

We strongly encourage you not to share information you would only share with a licensed healthcare provider in a protected clinical setting. If you have medical or psychiatric concerns that require professional evaluation, please consult a licensed provider.

If you are a California resident, the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (together, “CCPA/CPRA”), gives you specific rights regarding your personal information. This section describes those rights and how to exercise them.

Your Rights Under CCPA/CPRA:

• Right to Know: you may request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources, the business purposes for collection, and the categories of third parties to whom we have disclosed personal information.
• Right to Delete: you may request that we delete personal information we have collected about you, subject to certain exceptions (such as legal obligations to retain records).
• Right to Correct: you may request that we correct inaccurate personal information we maintain about you.
• Right to Opt-Out of Sale or Sharing: we do not sell personal information and we do not share personal information for cross-context behavioral advertising. There is nothing to opt out of for these purposes; however, you may submit a request to confirm our practices.
• Right to Limit Use of Sensitive Personal Information: you may request that we limit our use of sensitive personal information (as defined in Section 2d) to the purposes permitted by the CPRA. We already limit our use of sensitive PI to what is necessary to deliver the Services.
• Right to Non-Discrimination: we will not discriminate against you for exercising any of your privacy rights. You will not receive a degraded level of service or be charged a different price for exercising your rights.
• Right to Information About Automated Decision-Making (ADMT): Spiral uses automated processing and AI for two significant functions: (1) generating AI responses to your messages via Anthropic’s API; and (2) matching your profile to a Care Blueprint using vector similarity computation. You may request information about the logic involved in these processes and how they affect you by contacting privacy@talktospiral.com.

How to Submit a Request. You may submit a rights request by emailing privacy@talktospiral.com. We will respond within 45 days of receiving your request. If we need additional time, we will notify you and may take up to an additional 45 days (90 days total). We will verify your identity before processing any request using the email address or phone number associated with your account.

Authorized Agents. You may designate an authorized agent to submit a request on your behalf. The authorized agent must provide a written authorization signed by you, and we may also require you to verify your identity directly with us.

Global Privacy Control. We detect and honor Global Privacy Control (GPC) signals transmitted by your browser. If we receive a valid GPC signal from your browser, we will treat it as a request to opt out of any sale or sharing of personal information associated with your browser session.

No Sale. No Sharing for Advertising. We do not sell personal information. We do not share personal information for cross-context behavioral advertising. These are not activities we engage in.

If you are a Washington State resident, the Washington My Health My Data Act (“MHMD Act”) grants you specific rights with respect to consumer health data. Because Spiral collects and processes information related to your mental health and wellness, portions of your data may constitute “consumer health data” as defined by the MHMD Act.

Separate Consent. Under the MHMD Act, we are required to obtain your consent separately for the collection of consumer health data and for any sharing of that data with third parties. Your consent to our Terms of Service covers our collection of health-adjacent data for the core purpose of delivering the AI companion service. Any sharing with third parties for research or licensing purposes (described in Section 4c) requires a separate, explicit opt-in from you.

Your Rights Under the MHMD Act:

• Right to Access: you may request a list of all consumer health data we hold about you, and a list of all third parties with whom we have shared that data.
• Right to Withdraw Consent: you may withdraw your consent to our collection or sharing of your consumer health data at any time. Withdrawal of consent does not affect the lawfulness of processing before the withdrawal.
• Right to Delete: you may request deletion of your consumer health data, subject to legal retention obligations.

To exercise any of your rights under the MHMD Act, please contact us at privacy@talktospiral.com. We will respond within 45 days.

Several additional states have enacted comprehensive consumer privacy laws that may apply to you. Here is a brief summary:

Nevada (SB 220). Nevada residents have the right to opt out of the sale of their covered information. We do not sell personal information; however, Nevada residents may submit a verified opt-out request to privacy@talktospiral.com.

Connecticut (CTDPA) and Colorado (CPA). Residents of Connecticut and Colorado have rights to access, correct, delete, and obtain a portable copy of their personal data, as well as the right to opt out of the sale of personal data, targeted advertising, and certain profiling. We do not engage in the sale of personal data or targeted advertising. To exercise your access, correction, deletion, or portability rights, please contact privacy@talktospiral.com.

We comply with all applicable state privacy laws. If you reside in a state with a consumer privacy law not specifically mentioned here, you may still submit a request to privacy@talktospiral.com and we will evaluate it under applicable law.

The Spiral platform is designed exclusively for adults who are employed as healthcare workers. Our Services are not directed to individuals under the age of 18, and we do not knowingly collect personal information from anyone under the age of 18. We do not knowingly collect personal information from children under the age of 13, in compliance with the Children’s Online Privacy Protection Act (COPPA).

If we become aware that we have inadvertently collected personal information from a person under the age of 18, we will take immediate steps to delete that information from our records. If you believe we may have collected information from a minor, please contact us immediately at privacy@talktospiral.com.

We use a limited set of cookies and similar technologies to operate and improve the Services. We do not use advertising cookies, tracking pixels, or third-party marketing technologies.

Strictly Necessary Cookies. These cookies are required for the Services to function and cannot be disabled. They include session management cookies that keep you logged in, authentication tokens issued by Supabase, and security cookies that protect against cross-site request forgery (CSRF). Without these cookies, we cannot provide the Services.

Analytics Cookies. We use first-party analytics to understand how users interact with our marketing website and application. This data is used to identify usability issues and improve the product. Analytics cookies collect usage patterns but do not track you across other websites or build advertising profiles.

No Advertising Cookies. We do not use cookies or tracking technologies for advertising, retargeting, or cross-site behavioral tracking. We have no advertising relationships that require data about your behavior.

Managing Cookies. You can control cookies through your browser settings. Most browsers allow you to block or delete cookies. Please note that blocking strictly necessary cookies will prevent you from using features that require authentication. Consult your browser’s help documentation for instructions on managing cookie settings.

We retain personal information only for as long as necessary to deliver the Services, fulfill the purposes described in this policy, and comply with our legal obligations. The following table summarizes our retention periods by data category:

When you request deletion of your account, we begin processing the deletion within 30 days. Some data may be retained beyond these periods if required by law (for example, payment records for tax purposes) or if there is an active legal hold or dispute.

We implement industry-standard technical and organizational security measures designed to protect your personal information against unauthorized access, disclosure, alteration, and destruction. These measures include:

• Encryption in transit: all communications between your device and our servers use TLS (Transport Layer Security) encryption.
• Encryption at rest: data stored in our database is encrypted at rest by our infrastructure providers.
• Access controls: access to production systems and personal data is restricted to personnel who require it to perform their job functions and is protected by multi-factor authentication.
• Row Level Security: our database enforces Row Level Security (RLS) policies that ensure each user can only access their own data at the database level, not merely at the application layer.
• Credential security: passwords are hashed and salted before storage. We never store plaintext passwords or credit card numbers.

We do not guarantee that our security measures are impenetrable. No method of electronic transmission or storage is 100% secure. If you discover a potential security vulnerability, please report it promptly to privacy@talktospiral.com.

Breach Notification. In the event of a data breach that affects your personal information, we will notify affected users and applicable regulators as required by law. Where required, we will provide notification within 72 hours of becoming aware of the breach.

Spiral Health, Inc. is based in the United States, and our Services are operated from servers located in the United States. If you access the Services from outside the United States, your personal information will be transferred to, stored in, and processed in the United States. The privacy laws of the United States may not be as protective as those in your home country.

By using the Services, you consent to the transfer of your personal information to the United States under the conditions described in this Privacy Policy.

Our SMS text messaging program is called Spiral AI Companion. This section provides disclosures required by mobile carrier guidelines and applicable telecommunications regulations.

Program name: Spiral AI Companion.

Data collected via SMS. When you use the SMS service, we collect your phone number, the content of messages you send and receive, message timestamps, and delivery status information. This information is used to deliver the AI companion service, maintain conversation continuity, and detect and respond to crisis situations.

How SMS data is used. Message content is processed to generate AI responses as described in Section 3. Your phone number is used solely for delivering the SMS service and is not shared with any third party except Telnyx (our SMS delivery provider) as described in Section 4a. Your phone number and SMS data are never shared for marketing purposes or sold to any third party.

Opt-out. You may opt out of the SMS program at any time by texting STOP to your Spiral number. You will receive a single confirmation message and no further messages will be sent. To re-enroll, text START.

Help. For assistance with the SMS program, text HELP to your Spiral number or contact us at privacy@talktospiral.com.

Message and data rates. Message and data rates may apply depending on your mobile carrier plan. Spiral does not charge for messages, but your carrier’s standard messaging and data rates will apply.

Message frequency. Message frequency varies based on your engagement with the service and your subscription tier. You will only receive messages in response to messages you initiate.

Carrier liability. Mobile carriers are not liable for delayed or undelivered messages.

Supported carriers. The Spiral AI Companion SMS program is supported by all major U.S. carriers, including but not limited to AT&T, T-Mobile, Verizon, and regional and smaller carriers. Carrier support is subject to change.

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or the Services. The “Last updated” date at the top of this page reflects when the policy was most recently revised.

For material changes to this policy—meaning changes that significantly affect how we use your personal information or your rights—we will provide at least 30 days’ advance notice by sending an email to the address associated with your account before the changes take effect. For changes that are not material (such as typographical corrections, clarifications, or additions of new legal disclosures required by law), we may update the policy without advance notice.

Your continued use of the Services after the effective date of the revised policy constitutes your acceptance of the updated terms. If a material change requires renewed consent under applicable law, we will request your re-consent before the change takes effect.

We encourage you to review this policy periodically to stay informed about how we protect your information.

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us. We will respond to your inquiry within 45 days.

Spiral Health, Inc.
Privacy Team
[Address to be added]
privacy@talktospiral.com

For requests related to your privacy rights (access, deletion, correction, opt-out), please email privacy@talktospiral.com with the subject line “Privacy Rights Request” and include the email address or phone number associated with your account so we can verify your identity.