Spicy Minds Ltd Privacy Policy
Introduction
Spicy Minds Ltd aims to go beyond the minimal legal requirements to respect the privacy of its customers, suppliers, and partners. We have, therefore, formulated and implemented a policy and technical architecture based on higher security and privacy standards.
Definitions
The party responsible for processing personal data (the “Controller”) is Spicy Minds Ltd, whose registered address is 17-18 Berkeley Square, Bristol, England, BS8 1HB, United Kingdom. The company's registration number is 14719260. The data protection officer can be reached at compliance@spicyminds.org.
Data Protection Authority: The Data Protection Authority of the United Kingdom.
Data Protection laws: For European citizens or residents, the EU GDPR 2018 and the EU e-privacy directive 2002; for UK citizens or residents, the UK GDPR 2020 and the UK Data Protection Act 2018; and the national laws of the countries where we operate.
Purposes
Spicy Minds processes personal data for one or more of the following purposes:
Customer, employee, contractor, partner or supplier management
Business and financial administration
Marketing
To enhance, modify, personalise and improve our services and communications for the benefit of our customers
Delivery of services
Work planning
Collection of data
Spicy Minds and its data processors will collect your personal data.
Personal data means any information relating to an identified or identifiable natural person (‘data subject’).
An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, email, location data, an online identifier, or to one or more factors specific to that natural person's physical, physiological, genetic, mental, economic, cultural, or social identity.
How we collect, store or otherwise process your data:
The following business processes describe how we may collect, store or otherwise process the types of personal information:
Collection of cookies, subscription to a newsletter or filling out the contact form on the website(s);
Analyse trends, for our legitimate interest, with the aim of enhancing, modifying, personalising and improving our services and communications for the benefit of our customers;
Process and respond to support requests, enquiries and complaints received from you;
Provide services requested and/or purchased by you and communicate with you about such services. We do this as necessary in order to carry out a contract with you and in accordance with our legitimate interest in operating a business;
Carry out administrative activities such as invoicing and collecting payments;
Store and exchange personal information contained in documents through email and cloud services;
Marketing and customer acquisition through email or using cloud services.
Sharing data with third parties
We may have to share your data with third parties, including third-party service providers. We require third parties to respect the security of your data and to treat it in accordance with the law. We may transfer your personal data outside the United Kingdom. If we do, you can expect a similar degree of protection in respect of your personal data. We will share your personal data with third parties in accordance with the GDPR and as outlined in the legal justification table above.
Service providers: Spicy Minds may engage third parties to act as our service providers and perform certain tasks on our behalf, such as processing or storing data, including personal data, in connection with your use of our services and delivering products to customers. Spicy Minds service providers are obligated to handle personal data in a manner consistent with this privacy policy and according to our instructions. They cannot use the personal data we share for their own purposes and must delete or return the personal data once they’ve fulfilled our request.
Others: Spicy Minds may share personal data with others at your direction or with your consent. We may also disclose information about you if we determine that for purposes of national security, law enforcement, or other issues of public importance, disclosure is necessary and appropriate. We may also disclose information about you where there is a lawful basis for doing so, if we determine that disclosure is reasonably necessary to enforce our terms and conditions or to protect our operations or users, or in the event of a reorganisation, merger, or sale.
The types of personal data we may process through third-party data processors:
In our apps: Customers may enter goal and progress tracking information about their well-being while using our apps. While chatting with our apps, customers can enter any data they wish, including Special Category Personal Data (revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health or data concerning a natural person’s sex life or sexual orientation), and, as such, all data entered through chatting is treated as Special Category Data (see below - technical security measures).
Revenue management: Transaction information related to the customer’s activities with respect to the apps may include the time the customer last used the app, the Apple receipt file, and/or the Google purchase token.
Marketing information: Customer information entered on our website: email address, first name, background information, data subject consent. Information about your web visit or app usage, which may include the full Uniform Resource Locators (URL), clickstream to, through and from our site (including date and time), page response times, download errors, length of visits to certain pages, page interaction information (such as scrolling, clicks, and mouse-overs), methods used to browse away from the page. Technical information, which may include the Internet protocol (IP) address used to connect your device to the Internet, your login information, browser type and version, time zone setting, operating system and platform.
Storage and protection of data
Spicy Minds and its processors protect your data in accordance with all legal requirements set by the relevant data processing laws and seek compliance with the relevant security standards. Spicy Minds has taken technical and organisational security measures to protect your data and requires its data processors to meet the same requirements. Spicy Minds has signed processing agreements with its processors to ensure an adequate level of data protection.
In principle, all data is hosted within the UK or the EEA. We may use third-party applications whose headquarters are located in the US to process data. In this case, the third party relies on the US-UK Data Bridge and takes adequate precautions to ensure the security and privacy of data, including, but not limited to, encryption.
The following security measures are taken by Spicy Minds to protect your personal data in the course of the listed business processes:
Organisational security measures
Data hosting
As a rule, our data is hosted within countries and areas that provide a substantially similar level of protection as data subjects have under the GDPR. To ensure this, we rely on Adequacy Decisions as a legal basis for our international data transfers. In exceptional circumstances, where data is transferred to a country or area not subject to an Adequacy Decision, we rely on Standard Contractual Clauses with the recipient and take supplementary security measures to secure this data transfer, such as anonymisation. Where possible, we select service providers that are SOC or ISO27001 compliant.
Staff
Spicy Minds staff members are required to conduct themselves in a manner consistent with Spicy Minds’s guidelines regarding confidentiality, business ethics, appropriate usage, and professional standards. We continuously train staff members on best security practices, including how to identify social hacks, phishing scams, and hackers.
Access controls
Spicy Minds maintains your data privacy by allowing only authorised individuals access to information when it is critical to complete tasks for you. Spicy Minds staff members will not process customer data without authorisation.
Technical security measures
Respect for your privacy is coded deep into our architecture. Your chat history is treated as Special Category Personal Data and is stored unredacted on your device, not our servers or service providers’ servers. The servers can only process this unredacted data when you are logged on, and the transmission between devices and servers is encrypted. When we analyse trends to improve our services, any personally identifiable information is automatically redacted in ways aligned with GDPR and HIPAA. Unredacted chat history is accessed only when legally required, such as escalating to government services if a person's life is at risk.
All our devices used to access personal data for which we are responsible are secured with antivirus software, firewalls, encryption, and access management. We regularly update operating systems and software to ensure vulnerabilities cannot be exploited. We carry out regular vulnerability scanning of our website and have engaged credentialed external auditors to verify the adequacy of our safeguarding, security and privacy measures.
Data breach
We have implemented appropriate technical and organisational security measures designed to protect the security of any personal information we process. However, in the unlikely event of a data breach, we will endeavour to notify you as soon as possible, providing a brief description of the breach, a description of the types of information that were involved, steps affected individuals can take to protect themselves, and what we are doing to investigate the breach, mitigate further harm and prevent future breaches. By using our services, you agree to be notified of any data breach and that you continue to be reachable via the contact information you provide unless you request for your contact information to be updated.
However, please also remember that we cannot guarantee that the internet itself is 100% secure. Although we will do our best to protect your personal information, transmission of personal information to and from our services is at your own risk. You should only access the services within a secure environment.
Your rights regarding information
Each data subject has the right to information on and access to, and rectification, erasure and restriction of processing of their personal data, as well as the right to object to the processing and the right to data portability. You also have the right to request that you are not made subject to decision-making based solely on automated processes, including profiling, if these decisions would have a significant effect on you.
You can exercise these rights by contacting us at compliance@spicyminds.org. Please write “PRIVACY” in the subject line and include proof of identification.
Within one month of the submitted request, you will receive an answer from us. We will not charge you for submitting your request unless the request is manifestly unfounded or otherwise unreasonable in its nature.
Depending on the complexity and the number of requests, this period may be extended to two months.
Marketing
You may receive commercial offers from Spicy Minds. If you do not wish to receive them (anymore), please unsubscribe or send us an email to the following address: compliance@spicyminds.org and ensure that you write “PRIVACY” in the subject line of your email.
Your personal data will not be used by our service providers or partners for their commercial purposes.
If you encounter any personal data from other data subjects, you are to refrain from collecting it, using it without authorisation, or engaging in any other act that constitutes an infringement of the privacy of the data subject(s) in question. The collector is not responsible in these circumstances.
Data retention
Spicy Minds retains personal data only for so long as necessary to fulfil the purposes for which it was collected, including as described in this privacy policy or as required by law. When assessing retention periods, we first carefully examine whether it is necessary to retain the personal data collected and, if retention is required, work to retain the personal data for the shortest possible period permissible under law. You may, at any time, request your data to be deleted from any Spicy Minds account, system or other data processing medium in accordance with the process described above.
Applicable law
These conditions are governed by the laws and regulations of the UK, where we are headquartered. If any dispute regarding these conditions arises, the court in the district where we are headquartered has the sole jurisdiction, save when a legal exception applies.
Contact
If you have questions about this privacy policy, product information, or the website itself, please email compliance@spicyminds.org and ensure that you write “PRIVACY” in the subject line of your email.
Version: 12/8/24