Spicy Minds Ltd privacy policy

Summary

  • Engineered for trust - we’ve built privacy into the architecture itself rather than just adding policy layers. 

  • No humans can read your chats, unless there are safeguarding concerns raised.

  • Clear user control - we give you full control over your data.

  • Minimal data collection - we only collect what we absolutely need to support you.

  • Your data is not for sale - we will never sell your data to third parties.

  • Practical compliance - we are aligned with key standards (GDPR, NHS Digital, ISO27001).

  • Your conversations with our apps are confidential and can only be accessed by you.

Introduction

Spicy Minds Ltd aims to go beyond the minimal legal requirements to respect the privacy of its customers, suppliers, and partners. We have designed a policy and technical architecture based on high privacy, safety and security standards of ISO27001, HNS Digital DSPT & DCB0129, Cyber Essentials, as well as GDPR.

Definitions

The party responsible for processing personal data (the “Controller”) is Spicy Minds Ltd, whose registered address is 17-18 Berkeley Square, Bristol, England, BS8 1HB, United Kingdom. The company's registration number is 14719260. The Data Protection Officer can be reached at compliance@spicyminds.org. 


  • Data Protection Authority: The Data Protection Authority of the United Kingdom.

  • Data Protection laws: For European citizens or residents, the EU GDPR 2018; the EU e-privacy directive 2002;

  • For UK citizens or residents, the UK GDPR 2020 and the UK Data Protection Act 2018..


Purposes and lawful bases

Spicy Minds processes personal data for one or more of the following purposes. For each purpose, we have identified the lawful basis under Article 6 of UK GDPR, and where Special Category Data (such as health or wellbeing information) is involved, the additional condition under Article 9.

  • Customer, employee, contractor, partner or supplier management 

    • Lawful basis: Article 6(1)(b): processing necessary for the performance of a contract to which you are a party, or to take steps at your request prior to entering into a contract.

    • For employees and contractors, also Article 6(1)(c): compliance with a legal obligation (e.g. employment law, tax, right to work checks). 

    • Special Category Data condition (where applicable): Article 9(2)(b): processing necessary for the purposes of carrying out obligations in the field of employment and social security law.

  • Business and financial administration 

    • Lawful basis: Article 6(1)(c): compliance with a legal obligation (e.g. accounting, tax, anti-money laundering requirements) and Article 6(1)(f): legitimate interests of Spicy Minds in operating and administering its business, where those interests are not overridden by your rights and freedoms.

  • Marketing 

    • Lawful basis: Article 6(1)(a): consent, where we send you direct marketing communications and you have opted in to receive them. 

    • For existing customers, we may also rely on Article 6(1)(f): legitimate interests, in accordance with the "soft opt-in" provisions of the Privacy and Electronic Communications Regulations 2003, where the marketing relates to similar products or services and you have not opted out. You have the right to withdraw consent or opt out of marketing at any time.

  • Delivery of services 

    • Lawful basis: Article 6(1)(b): processing necessary for the performance of a contract (your subscription or access to the Platform). 

    • Special Category Data condition: Article 9(2)(a): explicit consent. When you voluntarily share health, wellbeing, or other sensitive information through the Platform (including information about your child), you do so on the basis of your explicit consent, which you may withdraw at any time. Where safeguarding concerns arise, we may also process Special Category Data under Article 9(2)(c): protecting the vital interests of the data subject or another person where the data subject is incapable of giving consent, or under Article 9(2)(g): processing necessary for reasons of substantial public interest, in reliance on Schedule 1, Part 2, paragraph 18 of the Data Protection Act 2018 (safeguarding of children and individuals at risk).

  • Work planning 

    • Lawful basis: Article 6(1)(f): legitimate interests of Spicy Minds in planning and organising its operations effectively, where those interests are not overridden by your rights and freedoms.

  • Scientific research, clinical validation, service evaluation, and publication 

    • Lawful basis: Article 6(1)(f): legitimate interests of Spicy Minds in validating and improving its services through evidence-based research, and in pursuing its regulatory pathway. We have conducted a Legitimate Interest Assessment and concluded that these interests are not overridden by your rights and freedoms, particularly given the safeguards described below. 

    • Special Category Data condition: Article 9(2)(j): processing necessary for scientific research purposes, carried out in accordance with Article 89(1) of UK GDPR, subject to appropriate safeguards including data minimisation and, where feasible, anonymisation or pseudonymisation. Where research is conducted using fully anonymised data (from which no individual can reasonably be identified), such data falls outside the scope of UK GDPR and no lawful basis is required. Where pseudonymised data is used, the safeguards set out in the "Research, anonymised data and clinical validation" section of this Policy apply. Where identifiable data is required for a specific research project, we will seek your explicit consent under Article 6(1)(a) and Article 9(2)(a) before any such processing takes place.

Collection of data

  • Spicy Minds and its data processors will collect your personal data. 

  • Personal Data means any information relating to an identified or identifiable natural person (‘data subject’).

  • An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to that natural person's physical, physiological, genetic, mental, economic, cultural, or social identity.


How we collect, store or otherwise process your data:

The following business processes describe how we may collect, store or otherwise process the types of personal information:

  • Collection of cookies, subscription to newsletter or filling out the contact form on the website(s);

  • Analyse trends for our legitimate interest to aim to enhance, modify, personalise and improve our services and communications for the benefit of our customers;

  • Process and respond to support requests, enquiries and complaints received from you;;

  • Provide services requested and/or purchased by you and communicate with you about such services. We do this as necessary in order to carry out a contract with you and in accordance with our legitimate interest in operating a business;

  • Carry out administrative activities such as invoicing and collecting payments;

  • Store and exchange personal information contained in documents through email and cloud services;

  • Marketing and customer acquisition through email or using cloud services.


Sharing data with third parties

We may have to share your data with third parties, including third-party service providers. We require third parties to respect the security of your data and to treat it in accordance with the law. We may transfer your Personal Data outside the United Kingdom. If we do, you can expect a similar degree of protection in respect of your Personal Data. We will share your Personal Data with third parties in accordance with the GDPR and as outlined in the legal justification table above.

  • Service Providers. Spicy Minds may engage third parties to act as our service providers and perform certain tasks on our behalf, such as processing or storing data, including personal data, in connection with your use of our services and delivering products to customers. Spicy Minds service providers are obligated to handle personal data consistent with this Privacy Policy and according to our instructions. They cannot use the personal data we share for their own purposes and must delete or return the personal data once they’ve fulfilled our request. 

  • Others. Spicy Mind may share personal data with others at your direction or with your consent. We may also disclose information about you if we determine that for purposes of national security, law enforcement, or other issues of public importance, disclosure is necessary or appropriate. We may also disclose information about you where there is a lawful basis for doing so, if we determine that disclosure is reasonably necessary to enforce our terms and conditions or to protect our operations or users, or in the event of a reorganization, merger, or sale. 

  • Research Partners. Spicy Minds may share anonymised and aggregated data with academic institutions, clinical researchers, and NHS bodies for the purposes of scientific research, clinical validation, and service evaluation. Such sharing will be governed by data sharing agreements and conducted in accordance with the safeguards described in the 'Research, anonymised data and clinical validation' section of this Policy.

The types of personal data we may process through third-party data processors:

In our apps: 

We collect different types of information:

- Account information: phone number, email address, first name, subscription details

- Test answers & profiles

- Chat data: conversations with our AI assistants (stored locally on your device)

- Usage analytics: anonymous information about how you use our apps

- Special Category Data: health and wellbeing information you choose to share (revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health or data concerning a natural person’s sex life or sexual orientation). 

- Information About Children. While our services are designed for adult users (parents, teachers, carers), we understand that conversations may include information about children. We treat all such information as Special Category Data.

Revenue management: Transaction information related to the customer’s activities with respect to the apps may include: last seen time that the customer used the app, the Apple receipt file; and/or the Google purchase token.

Marketing information: Customer information entered on our website: phone number/email address, first name, background information, data subject consent. Information about your web visit or app usage, which may include the full Uniform Resource Locators (URL), clickstream to, through and from our site (including date and time), page response times, download errors, length of visits to certain pages, page interaction information (such as scrolling, clicks, and mouse-overs), methods used to browse away from the page. Technical information, which may include the Internet protocol (IP) address used to connect your device to the Internet, your login information, browser type and version, time zone setting, operating system and platform.


Research, anonymised data and clinical validation

Spicy Minds may use data collected through the Platform for the purposes of scientific research, clinical validation, service evaluation, and academic publication. This supports our commitment to evidence-based service improvement and our regulatory pathway.

Where we conduct research, we will do so using anonymised or aggregated data wherever possible. Anonymised data is data from which you cannot reasonably be identified, either on its own or in combination with other information. Truly anonymised data falls outside the scope of data protection legislation, and we may use and share it without restriction.

Where research requires pseudonymised data (data from which direct identifiers have been removed but which could theoretically be re-identified), we process this under Article 6(1)(f) of UK GDPR (legitimate interests) and Article 9(2)(j) (processing necessary for scientific research purposes), subject to appropriate safeguards including technical and organisational measures to ensure data minimisation and the principle of purpose limitation.

Spicy Minds conducts all research activities in accordance with the UK Research and Innovation (UKRI) guidelines, including the Concordat to Support Research Integrity and the UKRI Framework for Research Ethics. Where research involves collaboration with academic institutions or is intended for peer-reviewed publication, we ensure that appropriate ethical review is obtained and that research protocols comply with the requirements of the relevant institutional ethics committees. We maintain records of ethical approvals and research governance decisions as part of our quality management system.

We may share anonymised and aggregated data with third-party researchers, academic institutions, NHS bodies, and clinical partners for the purposes described above. Any such sharing will be subject to data sharing agreements that require the recipient to maintain appropriate security measures and to use the data solely for the agreed research purposes.

Where we wish to use identifiable personal data for research, we will seek your explicit consent in advance. You will have the right to withdraw that consent at any time without affecting the lawfulness of processing carried out before withdrawal.

We will not share identifiable personal data with third parties for research purposes without your explicit consent.

Where research involves data relating to children (including information you have shared about your child through the Platform), we apply additional safeguards, including enhanced anonymisation techniques and ethical review, to ensure that no child can be identified from published research outputs.

Storage and protection of data

Spicy Minds and its processors protect your data in accordance with all legal requirements set by the relevant data processing laws and seek compliance with the relevant security standards. Spicy Minds has taken technical and organisational security measures to protect your data and requires its data processors to meet the same requirements. Spicy Minds has signed processing agreements with its processors to ensure an adequate level of data protection.

In principle, all data is hosted within the UK or EEA. Exceptionally, we may use third-party sub-processors whose headquarters are located in the US to process data. In this case, the third party relies on the US-UK Data Bridge and takes adequate precautions to ensure the security and privacy of data, including, but not limited to, encryption. 

The following security measures are taken by Spicy Minds to protect your personal data in the course of the listed business processes:

Organisational security measures

Data hosting

As a rule, data is hosted within countries and areas that provide a substantially similar level of protection as data subjects benefit from under the GDPR. To ensure this, we rely on Adequacy Decisions as a legal basis for our international data transfers. In exceptional circumstances, where data is transferred to a country or area not subject to an Adequacy Decision, we rely on Standard Contractual Clauses with the recipient and take supplementary security measures to secure this data transfer, such as anonymisation. Where possible, we select service providers that are SOC or ISO27001 compliant.

Staff

Spicy Minds staff members are required to conduct themselves in a manner consistent with Spicy Minds’s guidelines regarding confidentiality, business ethics, appropriate usage, and professional standards. We train staff members on best security practices, including how to identify social hacks, phishing scams, and hackers. We have ‘safer recruitment’ practices in place to help make sure the people we employ are appropriately skilled and suitable for the role.

Access controls

Spicy Minds maintains your data privacy by allowing only authorised individuals access to information when it is critical to complete tasks for you. Spicy Minds staff members will not process customer data without authorisation.

Technical security measures

Respect for your privacy is coded deep into our architecture. Your chat history is treated as Special Category Personal Data and is stored unredacted on your device not on our servers. Even our system admin cannot see your unredacted chat history.

The only time Spicy Minds will ever access a conversation is if a safeguarding risk has been identified by our AI, so our safeguarding and welfare team can review the quality of the responses given by our apps and make improvements if necessary. 

In rare cases, we may provide information to law enforcement authorities when legally required. This typically involves situations such as protecting children from harm or preventing death.

To improve the service we provide, we may also review anonymous metadata associated with user conversations so that we can see the shape and pattern of them. This includes: the themes discussed, how often a user returns to our apps, how long each session lasts and how many times the user replies to the AI within one conversation. We cannot see the chat conversation itself. 

All employees’ devices used to access personal data for which we are responsible are secured with antivirus software, firewalls, encryption, and access management. We regularly update operating systems and software to ensure vulnerabilities cannot be exploited. We carry out regular vulnerability scanning and penetration testing and have engaged credentialed external auditors to verify the adequacy of our safeguarding, security and privacy measures.

Where specific research projects require access to your conversation data or other information stored locally on your device, we will seek your separate, informed consent through the Platform before accessing or transferring any such data.


Data breach

We have implemented appropriate technical and organisational security measures designed to protect the security of any personal information we process. However in the unlikely event of a data breach, we will endeavour to notify you as soon as possible providing a brief description of the breach, a description of the types of information that were involved, steps affected individuals can take to protect themselves, what we are doing to investigate the breach, mitigate further harm and prevent future breaches. By using our services, you agree to be notified of any data breach. And that you continue to be reachable via the contact information you provide unless you request for your contact information to be updated.

Please remember that we cannot guarantee that the internet itself is 100% secure. Although we will do our best to protect your personal information, transmission of personal information to and from our services is at your own risk. You should only access the services within a secure environment.

Your rights regarding information

Each data subject has the right to information on and access to, and rectification, erasure and restriction of processing of their personal data, as well as the right to object to the processing and the right to data portability. You also have the right to request that you are not made subject to decision-making based solely on automated processes, including profiling, if these decisions would have a significant effect on you.

You can exercise these rights by contacting us at compliance@spicyminds.org. Please write “PRIVACY” in the subject line and include proof of identification. 

Within one month of the submitted request, you will receive an answer from us. We will not charge you for submitting your request unless the request is manifestly unfounded or otherwise unreasonable in its nature.

Depending on the complexity and the number of requests this period may be extended to two months.

Marketing

You may receive updates from Spicy Minds. If you do not wish to receive them (anymore), please unsubscribe.

Your personal data will not be used by our partners for commercial purposes.

If you encounter any personal data from other data subjects, you are to refrain from collecting, unauthorised use, or engaging in any other act that constitutes an infringement of the privacy of the data subject(s) in question. The collector is not responsible in these circumstances.

Cookies

We may collect information about your device, including where available your IP address, operating system, browser type and screen size for use in system administration, to tailor your experience, provide you with customer support and to report aggregate information internally.

For the same reason, we may obtain information about your service usage by using a cookie file which is stored on your device. Cookies help us to give you a smooth user experience, improve the service and deliver a better and more personalized service. They enable us: to recognize you when you return, to maintain the data you have entered, to estimate our audience size and usage pattern, to store information about your preferences, and so allow us to customize our service according to your individual interests.

Both Spicy Minds and service providers may use first-party cookies to inform, optimize, and serve ads based on your past visits to the website on sites across the Internet (also known as ‘remarketing’). If you would like to opt out of this, you can do so via their Preferences Manager.

You may refuse to accept cookies by changing the settings on your device to prevent cookies from being set. Unless you have adjusted your browser setting so that it will refuse cookies, our service will issue cookies when you visit the website and app.

Data retention

Spicy Minds retains personal data only for so long as necessary to fulfil the purposes for which it was collected, including as described in this Privacy Policy or as required by law. When assessing retention periods, we first carefully examine whether it is necessary to retain the personal data collected and, if retention is required, work to retain the personal data for the shortest possible period permissible under law.  You may, at any time, request your data to be deleted from any Spicy Minds account, system or other data processing medium in accordance with the process described above.


Anonymised data used for research purposes may be retained indefinitely, as it cannot be used to identify you. Pseudonymised research data will be retained only for so long as necessary to complete the relevant research project, after which it will be either deleted or further anonymised.

Applicable law

These conditions are governed by the laws and regulations of the UK, where we are headquartered. If any dispute regarding these conditions arises, the court in the district where we are headquartered has the sole jurisdiction, save when a legal exception applies.

Contact

If you have questions about this privacy policy, product information, or the website itself, please email compliance@spicyminds.org.