Spicy Minds Ltd privacy policy

1. Summary

1.1 Engineered for trust: we have built privacy into the architecture itself rather than just adding policy layers.

1.2 No humans can read your chats unless safeguarding concerns are raised.

1.3 Clear user control: we give you full control over your data.

1.4 Minimal data collection: we only collect what we absolutely need to support you.

1.5 Your data is not for sale: we will never sell your data to third parties.

1.6 Practical compliance: we are aligned with key standards (UK GDPR, NHS Digital DSPT, ISO 27001, DCB0129).

1.7 Your conversations with our apps are confidential and can only be accessed by you, with the limited safeguarding exception described below.

1.8 You choose what to share about your child. You can optionally add structured information about your child’s background, school, and support context to their profile. All sensitive fields are optional, each has a “Prefer not to say” option, and you give explicit consent before any sensitive information is saved.

2. Introduction

2.1 Our approach

2.1.1 Spicy Minds Ltd aims to go beyond the minimal legal requirements to respect the privacy of its customers, suppliers, and partners. We have designed a policy and technical architecture based on the high privacy, safety and security standards of ISO 27001, NHS Digital DSPT and DCB0129, Cyber Essentials, and the UK GDPR.

2.2 About the Sylva platform

2.2.1 Some features of the Sylva platform, specifically the Screening & Monitoring Module, which presents validated screening questionnaires and displays scored results against published clinical threshold bands, are regulated as a UKCA-marked Class I medical device under the Medical Devices Regulations 2002.

2.2.2 The other Sylva features, including the AI Mentors, wellness questionnaires, the Barbara safeguarding monitoring system, fixed psychoeducation, crisis signposting and platform infrastructure, are wellness software and are not regulated as medical devices.

2.2.3 Information about how each part of the platform processes your personal data is set out in this policy.

3. Definitions

3.1 The Controller

3.1.1 The party responsible for processing personal data (the “Controller”) is Sylva Minds Ltd, whose registered address is 17-18 Berkeley Square, Bristol, England, BS8 1HB, United Kingdom. The company’s registration number is 14719260.

3.2 Data Protection Officer

3.2.1 Our Data Protection Officer is Ben Cosh.

3.2.2 Email: compliance@spicyminds.org.

3.2.3 Postal: Sylva Minds Ltd, 17-18 Berkeley Square, Bristol, BS8 1HB, United Kingdom.

3.3 Defined terms

3.3.1 Data Protection Authority: the Information Commissioner’s Office (ICO), the UK’s data protection authority.

3.3.2 Data Protection laws: for UK citizens or residents, the UK GDPR and the UK Data Protection Act 2018, and the Privacy and Electronic Communications Regulations 2003 (PECR). For EEA citizens or residents, the EU GDPR (Regulation (EU) 2016/679) and the EU e-Privacy Directive 2002.

4. Purposes and lawful bases

4.1 Spicy Minds processes personal data for one or more of the purposes set out in clauses 4.2 to 4.10 below. For each purpose we have identified the lawful basis under Article 6 of the UK GDPR, and where Special Category Data (such as health or wellbeing information) is involved, the additional condition under Article 9 and the Data Protection Act 2018 Schedule 1.

4.2 Customer, employee, contractor, partner or supplier management

4.2.1 Lawful basis: Article 6(1)(b), processing necessary for the performance of a contract to which you are a party, or to take steps at your request prior to entering into a contract.

4.2.2 For employees and contractors, also Article 6(1)(c): compliance with a legal obligation (for example, employment law, tax, right-to-work checks).

4.2.3 Special Category Data condition (where applicable): Article 9(2)(b), processing necessary for the purposes of carrying out obligations in the field of employment and social security law.

4.3 Business and financial administration

4.3.1 Lawful basis: Article 6(1)(c) compliance with a legal obligation (for example, accounting, tax, anti-money-laundering requirements) and Article 6(1)(f) legitimate interests of Spicy Minds in operating and administering its business, where those interests are not overridden by your rights and freedoms.

4.4 Marketing

4.4.1 Lawful basis: Article 6(1)(f) legitimate interests of Spicy Minds in marketing our services, in reliance on the “soft opt-in” provisions of the Privacy and Electronic Communications Regulations 2003 (PECR Regulation 22(3)).

4.4.2 When you provide your contact details in connection with subscribing to or using Sylva, we may send you marketing about similar products or services. You have the right to opt out at any time, including by replying STOP to any SMS, clicking the unsubscribe link in any email, or updating your preferences in the app.

4.4.3 Where soft opt-in does not apply (for example, prospects who have not previously engaged with us), we rely on Article 6(1)(a) consent.

4.4.4 We do not process Special Category Data for marketing purposes.

4.5 Delivery of services, Class I Screening & Monitoring Module

4.5.1 The Sylva Screening & Monitoring Module is a UKCA-marked Class I medical device under the UK Medical Devices Regulations 2002. It presents validated screening questionnaires (including but not limited to M-CHAT-R/F, SDQ, PHQ-9, AQ-Adolescent), applies the published scoring algorithm, and displays your score against the instrument’s published threshold bands. It does not diagnose any condition.

4.5.2 Lawful basis: Article 6(1)(b), processing necessary for the performance of a contract (your subscription to or use of the Module).

4.5.3 Special Category Data condition: Article 9(2)(h), processing necessary for the purposes of the provision of health or social care or treatment, in reliance on Schedule 1, Part 1, paragraph 2(1) of the Data Protection Act 2018.

4.5.4 Our Schedule 1 policy document is available on request from compliance@spicyminds.org.

4.6 Delivery of services, AI Mentors and wellness content

4.6.1 The AI Mentors and our other wellness content are designed to provide supportive psychoeducational and behaviour-change content to adult parents, carers and neurodivergent adults. They are wellness software and are not regulated as medical devices. They do not diagnose any condition, do not provide clinical decision support, do not provide acute-risk clinical management, and are not a substitute for clinician-delivered care.

4.6.2 Lawful basis: Article 6(1)(b), processing necessary for the performance of a contract (your subscription or access to the Platform).

4.6.3 Special Category Data condition: Article 9(2)(a), explicit consent. When you voluntarily share health, wellbeing, or other sensitive information through the AI Mentors (including information about your child), you do so on the basis of your explicit consent, which you may withdraw at any time. You can withdraw consent through the in-app settings or by emailing compliance@spicyminds.org. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.

4.6.4 CYP profile enrichment. You may optionally provide structured information about your child on their family member profile, including their school, postcode, cultural and family context, SEN/EHCP status, and current professional support. These fields are available on the profile edit screen and are never required to use Sylva. The information you provide is used for four purposes: (a) personalising AI mentor responses and profile output to your child’s actual context; (b) enabling us to monitor and mitigate AI bias across ethnic, religious and linguistic groups; (c) supporting school-advocacy features such as school-facing profiles and locally-personalised guidance; and (d) providing structured context for our safeguarding team if a safeguarding review is triggered by an unrelated signal.

4.6.5 Some of the CYP profile fields are Special Category Data under Article 9 of the UK GDPR: ethnicity, religion, disability, sexual orientation, household composition, and current treatment context (including named clinician, current medications, and engagement type). The lawful basis for processing these fields is:

(a) Article 9(2)(a) explicit consent: obtained from you at the point of first save of any special category field on any child’s profile. The consent moment names the four purposes above and references the version of this Privacy Policy in force at that time. Your consent affirmation and timestamp are recorded. If you do not affirm, the entered value is discarded.

(b) Article 9(2)(g) substantial public interest: for access by our Designated Safeguarding Lead to structured demographic fields when reviewing a safeguarding case triggered by an unrelated signal, in reliance on Schedule 1, Part 2, paragraph 18 of the Data Protection Act 2018. This access is on the safeguarding basis, not on your consent, and is logged in the safeguarding case audit trail.

(c) Article 9(2)(j) scientific research: for downstream anonymised export of ethnicity, religion, disability and main language data for bias-monitoring analysis, subject to the minimum cohort size described in clause 9.3.

4.6.6 You can withdraw your consent for any special category CYP profile field at any time by clearing the field, selecting “Prefer not to say”, or using the “clear all sensitive fields” control on the profile. Withdrawal removes the value from the active record and from any downstream AI mentor context within a defined time window (the next chat session or profile regeneration after the change). Safeguarding-case copies of the field values are retained on the separate safeguarding basis described in clause 4.7, and are not affected by your withdrawal of consent.

4.7 Safeguarding

4.7.1 Lawful basis: Article 6(1)(c) compliance with a legal obligation (where one applies, including obligations under the Children Act 2004 and equivalent statutory frameworks); or Article 6(1)(f) legitimate interests in protecting children and individuals at risk from harm.

4.7.2 Special Category Data condition: Article 9(2)(g), processing necessary for reasons of substantial public interest, in reliance on Schedule 1, Part 2, paragraph 18 of the Data Protection Act 2018 (safeguarding of children and individuals at risk).

4.7.3 In life-threatening situations where the data subject is incapable of giving consent, we may also rely on Article 9(2)(c) protecting the vital interests of the data subject or another person.

4.7.4 Where a safeguarding review is triggered and the child’s family member profile contains structured demographic fields (entered by you under clause 4.6.4), our Designated Safeguarding Lead may access those fields to inform the review. This access is on the safeguarding basis described in clause 4.7.2, not on your consent. The access event is logged in the safeguarding case audit trail.

4.8 Work planning

4.8.1 Lawful basis: Article 6(1)(f) legitimate interests of Spicy Minds in planning and organising its operations effectively, where those interests are not overridden by your rights and freedoms.

4.9 Scientific research, clinical investigation, service evaluation, and publication

4.9.1 Lawful basis (anonymous and aggregated data): no personal data is processed; UK GDPR does not apply.

4.9.2 Lawful basis (pseudonymised research data): Article 6(1)(f) legitimate interests of Spicy Minds in validating and improving its services through evidence-based research, supported by a Legitimate Interests Assessment, with safeguards under Article 89(1).

4.9.3 Lawful basis (identifiable personal data, including formal clinical investigations): Article 6(1)(a) explicit consent of the participant; Article 9(2)(j) processing necessary for scientific research purposes; and Schedule 1, Part 1, paragraph 4 of the Data Protection Act 2018 (research), with the appropriate policy document held by the DPO.

4.9.4 Where research involves a clinical investigation under the Medical Devices Regulations 2002, the lawful basis is supplemented by approval of the relevant Research Ethics Committee and a Clinical Investigation Plan governed by ISO 14155.

4.10 Automated decision-making

4.10.1 Sylva does not make decisions about you based solely on automated processing that produce legal effects or similarly significantly affect you.

4.10.2 The safeguarding classifier flags conversations for human review by our Designated Safeguarding Lead; the human review is the decision point, not the classifier.

4.10.3 The AI Mentors do not diagnose, do not triage, and do not make clinical decisions or recommendations.

4.10.4 The Class I Screening & Monitoring Module presents your score against the instrument’s published threshold band; clinical interpretation requires a qualified clinician.

5. Collection of data

5.1 What we collect

5.1.1 Spicy Minds and its data processors will collect your personal data.

5.2 What “personal data” means

5.2.1 Personal Data means any information relating to an identified or identifiable natural person (“data subject”).

5.2.2 An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to that natural person’s physical, physiological, genetic, mental, economic, cultural, or social identity.

6. How we collect, store or otherwise process your data

6.1 The following business processes describe how we may collect, store or otherwise process the types of personal information:

6.1.1 collection of cookies, subscription to newsletter, or filling out the contact form on the website(s);

6.1.2 analysis of trends in our legitimate interest to enhance, modify, personalise and improve our services and communications for the benefit of our customers;

6.1.3 processing and responding to support requests, enquiries and complaints received from you;

6.1.4 providing services requested or purchased by you and communicating with you about such services. We do this as necessary in order to carry out a contract with you and in accordance with our legitimate interest in operating a business;

6.1.5 carrying out administrative activities such as invoicing and collecting payments;

6.1.6 storing and exchanging personal information contained in documents through email and cloud services;

6.1.7 marketing and customer acquisition through email, SMS or cloud services, in accordance with the lawful basis described in clause 4.4.

7. Sharing data with third parties

7.1 We may have to share your data with third parties, including third-party service providers. We require third parties to respect the security of your data and to treat it in accordance with the law.

7.2 Service providers (subprocessors)

7.2.1 Spicy Minds may engage third parties to act as our service providers and perform certain tasks on our behalf, such as processing or storing data, including personal data, in connection with your use of our services and delivering products to customers.

7.2.2 Our service providers are obligated to handle personal data consistent with this Privacy Policy and according to our instructions under written data processing agreements. They cannot use the personal data we share for their own purposes and must delete or return the personal data once they have fulfilled our request.

7.2.3 Our current list of subprocessors is available by emailing compliance@spicyminds.org and updated when subprocessors are added, removed or changed. Where the change is material, we will notify users in advance in accordance with applicable law.

7.3 International transfers

7.3.1 In principle, all data is hosted within the UK or EEA.

7.3.2 Where data is transferred to a country without a UK adequacy decision, we rely on either:

(a) the UK Extension to the EU-US Data Privacy Framework (the “UK-US Data Bridge”) where the recipient is certified under that framework; or

(b) the International Data Transfer Agreement (IDTA), or the EU Standard Contractual Clauses with the UK International Data Transfer Addendum, with appropriate supplementary technical and organisational measures (which may include encryption, access controls, and contractual restrictions on government-access requests).

7.3.3 Where possible, we select service providers that are SOC 2 or ISO 27001 compliant.

7.4 Partner organisations

7.4.1 Some users access Sylva through partnerships with third-party organisations (for example, by entering a referral code provided by a partner).

7.4.2 Where this is the case, we may share with the partner aggregate, anonymous information about the use of Sylva by their referred cohort, subject to a minimum cohort size of 20 users (and 20 users in any sub-cohort) to prevent re-identification.

7.4.3 We do not share identifiable information about partner-referred users with the partner unless the user has separately and explicitly consented to that sharing.

7.5 Research partners

7.5.1 Spicy Minds may share anonymised and aggregated data with academic institutions, clinical researchers, and NHS bodies for the purposes of scientific research, clinical validation, and service evaluation.

7.5.2 Such sharing is governed by data sharing agreements and conducted in accordance with the safeguards described in section 9 of this Policy.

7.5.3 Anonymisation is conducted in accordance with our internal Anonymisation Procedure (SOP-RES-001), which applies the Information Commissioner’s Office “motivated intruder” standard.

7.6 Other disclosures

7.6.1 Spicy Minds may share personal data with others at your direction or with your consent.

7.6.2 We may also disclose information about you if we determine that for purposes of national security, law enforcement, safeguarding or other issues of public importance, disclosure is necessary or appropriate.

7.6.3 We may also disclose information about you where there is a lawful basis for doing so, if we determine that disclosure is reasonably necessary to enforce our terms and conditions, to protect our operations or users, or in the event of a reorganisation, merger, or sale.

8. The types of personal data we may process

8.1 In our apps

8.1.1 We collect different types of information:

(a) Account information: phone number, email address, first name, subscription details.

(b) Test answers and profiles: your responses to validated screening instruments and wellness questionnaires; your scored results.

(c) Chat data: conversations with our AI assistants. Chat history is stored unredacted on your device, not on our servers (see clause 10.3).

(d) Usage analytics: anonymous information about how you use our apps.

(e) Special Category Data: health and wellbeing information you choose to share, which may include data revealing racial or ethnic origin, religious or philosophical beliefs, genetic data, biometric data, data concerning health, or data concerning a person’s sex life or sexual orientation. This includes Special Category Data you voluntarily disclose in conversations with the AI Mentors, and Special Category Data you optionally enter on your family member profile(s) under clause 4.6.4, specifically: ethnicity (ONS 2021 census categories), religion (ONS 2021 census categories), disability (ONS / Equality Act categories), sexual orientation (ONS categories), household composition, and current treatment context (named clinician, current medications, and engagement type). Every special category field on the child’s profile has a “Prefer not to say” option, which is a first-class state distinct from leaving the field blank. We do not prompt you to complete fields you have chosen not to fill in.

(f) Structured CYP profile data: where you choose to provide it, information about your child entered on their family member profile: school or educational establishment, full UK postcode, national identity or country of birth, main language spoken at home, EHCP/SEN status and plan stage, premature birth flag (for children under 2), and the special category fields listed in paragraph (e) above. All of these fields are optional. None are required to use Sylva. None appear on the sign-up or onboarding screens.

8.2 Information about children

8.2.1 While our services are designed for adult users (parents, teachers, carers, neurodivergent adults), we understand that conversations may include information about children.

8.2.2 We treat all such information as Special Category Data and apply enhanced protections including local-device storage of chat content and anonymisation in any research outputs.

8.2.3 When a parent shares information about their child through Sylva, the parent is the primary data subject (with respect to their account, communications and consent) and the child is a secondary data subject (with respect to information about the child). Both sets of rights apply.

8.2.4 The parent exercises rights on the child’s behalf as the holder of parental responsibility. Where research processing is involved, this distinction is explained in more detail in our research consent forms.

8.2.5 Children are not direct users of Sylva. The lower bound of our intended user population is 18 years of age.

8.2.6 Where you enter structured information about your child on their family member profile (clause 4.6.4), you are consenting on your child’s behalf as the holder of parental responsibility. This is consistent with the UK GDPR’s recognition that holders of parental responsibility exercise data subject rights on behalf of children who lack the maturity to consent independently. The explicit consent moment described in clause 4.6.5(a) is the parent consenting on the child’s behalf.

8.2.7 The highest-sensitivity field in the child’s profile is sexual orientation. We recognise that a parent may record a sexual orientation that does not match their child’s self-identification, that the child may not yet be out, or that disclosure could be sensitive in some family contexts. For this reason, the field is optional, defaults to “Prefer not to say”, and the “why we ask” explanation in the app makes the bias-monitoring purpose explicit so you can make an informed choice about whether to record it.

8.3 Revenue management

8.3.1 Transaction information related to your activity with our apps may include: last seen time that you used the app; the Apple receipt file; and the Google purchase token.

8.4 Marketing information

8.4.1 Customer information entered on our website: phone number or email address, first name, background information, marketing preferences.

8.4.2 Information about your web visit or app usage, which may include the full Uniform Resource Locators (URL) clickstream to, through and from our site (including date and time), page response times, download errors, length of visits to certain pages, page interaction information (scrolling, clicks, mouse-overs), and methods used to browse away from the page.

8.4.3 Technical information may include the Internet Protocol (IP) address used to connect your device to the internet, your login information, browser type and version, time-zone setting, operating system and platform.

9. Research, anonymised data and clinical investigation

9.1 Purposes

9.1.1 Spicy Minds may use data collected through the Platform for the purposes of scientific research, clinical investigation, service evaluation, and academic publication.

9.1.2 This supports our commitment to evidence-based service improvement and our regulatory pathway.

9.2 Anonymised data

9.2.1 Where we conduct research, we will do so using anonymised or aggregated data wherever possible.

9.2.2 Anonymised data is data from which you cannot reasonably be identified, either on its own or in combination with other information.

9.2.3 Truly anonymised data falls outside the scope of data protection legislation, and we may use and share it without restriction.

9.3 Pseudonymised data

9.3.1 Where research requires pseudonymised data (data from which direct identifiers have been removed but which could theoretically be re-identified), we process this under Article 6(1)(f) of UK GDPR (legitimate interests) and Article 9(2)(j) (processing necessary for scientific research purposes), subject to appropriate safeguards including technical and organisational measures to ensure data minimisation and the principle of purpose limitation.

9.3.2 Where pseudonymised data is used for bias-monitoring analysis (for example, to measure whether AI mentor responses differ across ethnic, religious or linguistic groups), we enforce a minimum cohort size of 20 users in any group or sub-group before analysis is conducted. This prevents re-identification of individuals from small-group analysis. The bias-monitoring methodology is maintained by our Clinical Safety Officer.

9.4 Research governance

9.4.1 Spicy Minds conducts all research activities in accordance with the UK Research and Innovation (UKRI) guidelines, including the Concordat to Support Research Integrity and the UKRI Framework for Research Ethics.

9.4.2 Where research involves collaboration with academic institutions or is intended for peer-reviewed publication, we ensure that appropriate ethical review is obtained and that research protocols comply with the requirements of the relevant institutional ethics committees.

9.4.3 We maintain records of ethical approvals and research governance decisions as part of our quality management system.

9.5 Sharing for research

9.5.1 We may share anonymised and aggregated data with third-party researchers, academic institutions, NHS bodies, and clinical partners for the purposes described in clause 9.1.

9.5.2 Any such sharing is subject to data sharing agreements that require the recipient to maintain appropriate security measures and to use the data solely for the agreed research purposes.

9.6 Identifiable data for research

9.6.1 Where we wish to use identifiable personal data for research, we will seek your explicit consent in advance.

9.6.2 You will have the right to withdraw that consent at any time without affecting the lawfulness of processing carried out before withdrawal.

9.6.3 We will not share identifiable personal data with third parties for research purposes without your explicit consent.

9.7 Children in research

9.7.1 Where research involves data relating to children (including information you have shared about your child through the Platform), we apply additional safeguards, including enhanced anonymisation techniques and ethical review, to ensure that no child can be identified from published research outputs.

9.7.2 The data subject distinction described in clause 8.2 applies to research outputs: the parent and the child have distinct rights, and consent is sought from the holder of parental responsibility.

10. Storage and protection of data

10.1 General

10.1.1 Spicy Minds and its processors protect your data in accordance with all legal requirements set by the relevant data protection laws and seek compliance with the relevant security standards.

10.1.2 Spicy Minds has taken technical and organisational security measures to protect your data and requires its data processors to meet the same requirements.

10.1.3 Spicy Minds has signed data processing agreements with its processors to ensure an adequate level of data protection.

10.1.4 In principle, all data is hosted within the UK or EEA. International transfers are governed by the mechanisms described in clause 7.3.

10.2 Organisational security measures

10.2.1 Data hosting. As a rule, data is hosted within countries and areas that provide a substantially similar level of protection as data subjects benefit from under the UK GDPR. To ensure this, we rely on Adequacy Decisions as a legal basis for our international data transfers. In exceptional circumstances, where data is transferred to a country or area not subject to an Adequacy Decision, we rely on the IDTA or Standard Contractual Clauses with the UK Addendum and take supplementary security measures to secure that data transfer, such as encryption and anonymisation. Where possible, we select service providers that are SOC 2 or ISO 27001 compliant.

10.2.2 Staff. Spicy Minds staff members are required to conduct themselves in a manner consistent with our guidelines on confidentiality, business ethics, appropriate usage, and professional standards. We train staff members on best security practices, including how to identify social engineering, phishing scams, and other attacks. We have safer-recruitment practices in place to help make sure the people we employ are appropriately skilled and suitable for the role.

10.2.3 Access controls. Spicy Minds maintains your data privacy by allowing only authorised individuals access to information when it is critical to complete tasks for you. Spicy Minds staff members will not process customer data without authorisation.

10.3 Technical security measures

10.3.1 Respect for your privacy is coded deep into our architecture. Your chat history is treated as Special Category Personal Data and is stored unredacted on your device, not on our servers. Even our system administrators cannot see your unredacted chat history.

10.3.2 The only time Spicy Minds will ever access a conversation is if a safeguarding risk has been identified by our AI, so that our safeguarding and welfare team can review the quality of the responses given by our apps and make improvements if necessary.

10.3.3 In rare cases, we may provide information to law-enforcement authorities when legally required. This typically involves situations such as protecting children from harm or preventing death.

10.3.4 To improve the service we provide, we may also review anonymous metadata associated with user conversations so that we can see the shape and pattern of them. This includes: the themes discussed, how often a user returns to our apps, how long each session lasts, and how many times the user replies to the AI within one conversation. We cannot see the chat conversation itself.

10.3.5 All employee devices used to access personal data for which we are responsible are secured with antivirus software, firewalls, encryption, and access management. We regularly update operating systems and software to ensure vulnerabilities cannot be exploited. We carry out regular vulnerability scanning and penetration testing and have engaged credentialed external auditors to verify the adequacy of our safeguarding, security and privacy measures.

10.3.6 Where specific research projects require access to your conversation data or other information stored locally on your device, we will seek your separate, informed consent through the Platform before accessing or transferring any such data.

10.4 Data breach

10.4.1 We have implemented appropriate technical and organisational security measures designed to protect the security of any personal information we process.

10.4.2 In the unlikely event of a data breach we will notify the Information Commissioner’s Office where required to do so within 72 hours of becoming aware, and will notify affected users without undue delay where the breach is likely to result in a high risk to your rights and freedoms.

10.4.3 Notifications will provide a brief description of the breach, a description of the types of information involved, steps affected individuals can take to protect themselves, and what we are doing to investigate the breach, mitigate further harm and prevent future breaches.

10.4.4 We cannot guarantee that the internet itself is 100% secure. Although we will do our best to protect your personal information, transmission of personal information to and from our services is at your own risk. You should only access the services within a secure environment.

11. Your rights regarding information

11.1 Your rights

11.1.1 Each data subject has the right of access to, and rectification, erasure and restriction of processing of, their personal data, as well as the right to object to processing and the right to data portability.

11.1.2 You also have the right not to be subject to a decision based solely on automated processing, including profiling, that produces legal effects concerning you or similarly significantly affects you.

11.2 How to exercise your rights

11.2.1 You can exercise these rights by contacting us at compliance@spicyminds.org. Please write “PRIVACY” in the subject line and include proof of identification.

11.2.2 Within one month of the submitted request, you will receive an answer from us.

11.2.3 We will not charge you for submitting your request unless the request is manifestly unfounded or excessive.

11.2.4 Depending on the complexity and number of requests, this period may be extended by up to two further months; we will notify you of any such extension within the first month.

11.3 Right to lodge a complaint with the ICO

11.3.1 If you are not satisfied with our handling of your request or our processing of your personal data, you have the right to lodge a complaint with the Information Commissioner’s Office:
(a) Website: https://ico.org.uk/make-a-complaint/
(b) Helpline: 0303 123 1113
(c) Postal: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.

11.3.2 We would, however, appreciate the chance to address your concerns before you approach the ICO, so please consider contacting us first at compliance@spicyminds.org.

12. Marketing

12.1 Receiving updates

12.1.1 You may receive updates from Spicy Minds on the basis described in clause 4.4.

12.2 Opting out

12.2.1 You can opt out of marketing communications at any time, by any of the following methods:
(a) reply STOP to any SMS message;
(b) click the unsubscribe link in any email;
(c) update your preferences in the Sylva app under Settings → Communication preferences;
(d) email compliance@spicyminds.org.

12.3 Use by partners

12.3.1 Your personal data will not be used by our partners for their own commercial purposes.

12.4 Other people’s personal data

12.4.1 If you encounter any personal data from other data subjects, you should refrain from collecting it, from making unauthorised use of it, and from any other act that constitutes an infringement of the privacy of the data subject(s) in question.

13. Cookies

13.1 What we collect

13.1.1 We may collect information about your device, including (where available) your IP address, operating system, browser type and screen size, for use in system administration, to tailor your experience, provide you with customer support and to report aggregate information internally.

13.2 Use of cookies

13.2.1 We may obtain information about your service usage by using a cookie file which is stored on your device.

13.2.2 Cookies help us to give you a smooth user experience, improve the service and deliver a better and more personalised service. They enable us:
(a) to recognise you when you return;
(b) to maintain the data you have entered;
(c) to estimate our audience size and usage pattern;
(d) to store information about your preferences;
(e) to customise our service according to your individual interests.

13.3 Managing cookies

13.3.1 You can manage cookies in our cookie banner when you first visit the site, and at any time afterwards by clicking the cookie preferences link in the website footer.

13.3.2 You can also refuse or delete cookies through your browser settings.

13.4 Advertising cookies

13.4.1 Both Spicy Minds and our service providers may use first-party cookies to inform, optimise, and serve advertisements based on your past visits to the website, on sites across the internet (also known as “remarketing”).

13.4.2 Where this involves non-essential cookies, we will only do so with your consent given through the cookie banner.

14. Data retention

14.1 General principle

14.1.1 Spicy Minds retains personal data only for as long as necessary to fulfil the purposes for which it was collected, including as described in this Privacy Policy or as required by law.

14.1.2 When assessing retention periods, we first carefully examine whether it is necessary to retain the personal data collected and, if retention is required, work to retain the personal data for the shortest possible period permissible under law.

14.1.3 You may, at any time, request your data to be deleted from any Spicy Minds account, system or other data processing medium in accordance with the process described in section 11.

14.2 Specific retention periods

14.2.1 Account and payment data: retained for six years from the end of the customer relationship, to comply with HMRC and fraud-prevention requirements.

14.2.2 Chat data and test results: retained for two years after the end of the customer relationship, unless you request earlier deletion.

14.2.3 Safeguarding case records: retained for six years after closure, to comply with safeguarding frameworks and limitation periods for legal claims.

14.2.4 Anonymised usage analytics: retained indefinitely (no longer personal data).

14.2.5 Anonymised research data: retained indefinitely.

14.2.6 Pseudonymised research data: retained only for as long as necessary to complete the relevant research project, after which it is either deleted or further anonymised.

14.2.7 CYP profile enrichment fields: retained for the lifetime of the child’s family member profile. Deleted when you delete the child’s profile, delete your account, or exercise your right to erasure under section 11. If you withdraw consent for a special category field (by clearing it or selecting “Prefer not to say”), the value is removed from the active record and from downstream AI mentor context. Copies of the field values in safeguarding case records follow the safeguarding retention period in clause 14.2.3. Copies in pseudonymised bias-monitoring datasets follow the research retention period in clause 14.2.6.

15. Applicable law

15.1 These conditions are governed by the laws and regulations of the United Kingdom.

15.2 If any dispute regarding these conditions arises, the courts of England and Wales have jurisdiction, save where a legal exception applies.

16. Contact

16.1 If you have questions about this Privacy Policy, our products, or this website, please email compliance@spicyminds.org.

16.2 Data Protection Officer: Ben Cosh.

16.3 Email: compliance@spicyminds.org.

16.4 Postal: Spicy Minds Ltd, 17-18 Berkeley Square, Bristol, England, BS8 1HB, United Kingdom.