Spicy Minds Ltd privacy policy

Summary

  • Engineered for trust - we’ve built privacy into the architecture itself rather than just adding policy layers. 

  • Clear user control - we give you full control over your data.

  • Minimal data collection - we only collect what we absolutely need to support you.

  • Your data is not for sale - we will never sell your data to third parties.

  • Practical compliance - we are aligned with key standards (GDPR, NHS Digital, ISO27001).

  • Your conversations with our apps are confidential and can only be accessed by you. 

Introduction

Spicy Minds Ltd goes beyond the minimal legal requirements of GDPR to respect the privacy of its customers, suppliers, and partners. We have formulated and implemented a policy and technical architecture based on high security and privacy standards. 

Definitions

The party responsible for processing personal data (the “Controller”) is Spicy Minds Ltd, whose registered address is 17-18 Berkeley Square, Bristol, England, BS8 1HB, United Kingdom. The company's registration number is 14719260. The data protection officer can be reached at compliance@spicyminds.org. 

  • Data Protection Authority: The Data Protection Authority of the United Kingdom.

  • Data Protection laws: For European citizens or residents, the EU GDPR 2018 and the EU e-privacy directive 2002; for UK citizens or residents, the UK GDPR 2020 and the UK Data Protection Act 2018.

Processing of data: In the General Data Protection Regulation (GDPR), "processing" is any operation performed on personal data. This includes collecting, storing, using, and destroying personal data. Processing can be done manually or automatically.

Redaction: Censoring, obscuring or anonymising of text for legal or security purposes.

Purposes

Spicy Minds processes personal data for one or more of the following purposes:

  • Customer, employee, contractor, partner or supplier management

  • Business and financial administration

  • Marketing

  • To enhance, modify, personalise and improve our services and communications for the benefit of our customers

  • Delivery of services

  • Work planning

Collection of data

  • Spicy Minds and its data processors will collect your personal data. 

  • Personal data means any information relating to an identified or identifiable natural person (‘data subject’).

  • An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, email, location data, an online identifier, or to one or more factors specific to that natural person's physical, physiological, genetic, mental, economic, cultural, or social identity.

How we collect, store or otherwise process your data:

The following business processes describe how we may collect, store or otherwise process the types of personal information:

  • Collection of cookies, subscription to a newsletter or filling out the contact form on the website(s);

  • Analyse trends for our legitimate interest, with the aim of enhancing, modifying, personalising and improving our services and communications for the benefit of our customers;

  • Process and respond to support requests, enquiries and complaints received from you;

  • Provide services requested and/or purchased by you and communicate with you about such services. We do this as necessary in order to carry out a contract with you and in accordance with our legitimate interest in operating a business;

  • Carry out administrative activities such as invoicing and collecting payments;

  • Store and exchange personal information contained in documents through email and cloud services;

  • Marketing and customer acquisition through email or using cloud services.

Sharing data with third parties

We may have to share your data with third parties, including third-party service providers, but we will never sell your data. We require third parties to respect the security of your data and to treat it in accordance with the law. We may transfer your personal data outside the United Kingdom. If we do, you can expect a similar degree of protection in respect of your personal data. We will share your personal data with third parties in accordance with the GDPR and as outlined in the legal justification table above.

  • Service providers: Spicy Minds may engage third parties to act as our service providers and perform certain tasks on our behalf, such as processing or storing data, including personal data, in connection with your use of our services and delivering products to customers. Our service providers are obligated to handle personal data in a manner consistent with this privacy policy and according to our instructions. They cannot use the personal data we share for their own purposes and must delete or return the personal data once they’ve fulfilled our request. 

  • Others: Spicy Minds may share personal data with others at your direction or with your consent. We may also disclose information about you if we determine that for purposes of national security, law enforcement, or other issues of public importance, disclosure is necessary and appropriate. We may also disclose information about you where there is a lawful basis for doing so, if we determine that disclosure is reasonably necessary to enforce our terms and conditions or to protect our operations or users, or in the event of a reorganisation, merger, or sale. 

The types of personal data we may process through third-party data processors:

In our apps: Customers may enter email, first name, goals and progress tracking information about their wellbeing while using our apps. While chatting with our apps, customers can enter any data they wish, including Special Category Personal Data (revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health or data concerning a natural person’s sex life or sexual orientation), and, as such, all data entered through chatting is treated as Special Category Data (see below - technical security measures).

Revenue management: Transaction information related to the customer’s activities with respect to the apps may include the time the customer last used the app, the Apple receipt file, and/or the Google purchase token.

Marketing information: Customer information entered on our website: email address, first name, background information, data subject consent. Information about your web visit or app usage, which may include the full Uniform Resource Locators (URL), clickstream to, through and from our site (including date and time), page response times, download errors, length of visits to certain pages, page interaction information (such as scrolling, clicks, and mouse-overs), methods used to browse away from the page. Technical information, which may include the Internet protocol (IP) address used to connect your device to the Internet, your login information, browser type and version, time zone setting, operating system and platform.

Storage and protection of data

Spicy Minds and its processors protect your data in accordance with all legal requirements set by the relevant data processing laws and seek compliance with the relevant security standards. Spicy Minds has taken technical and organisational security measures to protect your data and requires its data processors to meet the same requirements. Spicy Minds has signed processing agreements with its processors to ensure an adequate level of data protection.

In principle, all data is hosted within the UK or the European Economic Area. We may use third-party applications whose headquarters are located in the US to process data. In this case, the third party relies on the US-UK Data Bridge and takes adequate precautions to ensure the security and privacy of data, including, but not limited to, encryption. 

The following security measures are taken by Spicy Minds to protect your personal data in the course of the listed business processes:

Organisational security measures

Data hosting

As a rule, our data is hosted within countries and areas that provide a substantially similar level of protection as data subjects benefit from under the GDPR. To ensure this, we rely on Adequacy Decisions as a legal basis for our international data transfers. In exceptional circumstances, where data is transferred to a country or area not subject to an Adequacy Decision, we rely on Standard Contractual Clauses with the recipient and take supplementary security measures to secure this data transfer, such as anonymisation. Where possible, we select service providers that are SOC or ISO27001 compliant.

Staff

Spicy Minds staff members are required to conduct themselves in a manner consistent with Spicy Minds’ guidelines regarding confidentiality, business ethics, appropriate usage, and professional standards. We train staff members on best security practices, including how to identify social hacks, phishing scams, and hackers. We have ‘safer recruitment’ practices in place to help make sure the people we employ are appropriately skilled and suitable for the role. 

Access controls

Spicy Minds maintains your data privacy by allowing only authorised individuals access to information when it is critical to complete tasks for you. Spicy Minds staff members will not process customer data without authorisation.

Technical security measures

Respect for your privacy is coded deep into our architecture. Your chat history is treated as Special Category Personal Data and is stored unredacted on your device, not on our servers. Even our system admin cannot see your unredacted chat history.

The only time Spicy Minds will ever access a conversation is if a safeguarding risk has been identified by our AI, so our safeguarding and welfare team can review the quality of Rowan’s conversation and make improvements if necessary. The conversation will always be automatically anonymised and redacted, using GDPR and HIPAA-compliant processes. Personally identifiable information will automatically be removed: see Appendix 1 for more information on how we do this. This helps us to ensure the AI is handling safeguarding issues sensitively and appropriately. In rare cases, we may provide information to law enforcement authorities when legally required. This typically involves situations such as protecting children from harm or preventing death.

To improve the service we provide, we may also review the metadata associated with user conversations so that we can see the shape and pattern of them. This includes: how often a user returns to our apps, how long each session lasts and how many times the user replies to the AI within one conversation. We cannot see the content of the conversations themselves. 

Our processes are aligned to GDPR, Cyber Essentials, NHS Security Standards and ISO27001. All employees’ devices used to access personal data for which we are responsible are secured with antivirus software, firewalls, encryption, and access management. We regularly update operating systems and software to ensure vulnerabilities cannot be exploited. We carry out regular vulnerability scanning and penetration testing and have engaged credentialed external auditors to verify the adequacy of our safeguarding, security and privacy measures.

Data breach

We have implemented appropriate technical and organisational security measures designed to protect the security of any personal information we process. The Spicy Minds apps follow NHS security protocols. The architecture is designed to be inherently secure so conversations should not leak back into the Large Language Models (LLM) that run the AI.

However, in the unlikely event of a data breach, we will endeavour to notify you as soon as possible, providing a brief description of the breach, a description of the types of information that were involved, steps affected individuals can take to protect themselves, and what we are doing to investigate the breach, mitigate further harm and prevent future breaches. By using our services, you agree to be notified of any data breach and that you continue to be reachable via the contact information you provide unless you request for your contact information to be updated.

Please remember that we cannot guarantee that the internet itself is 100% secure. Although we will do our best to protect your personal information, transmission of personal information to and from our services is at your own risk. You should only access the services within a secure environment.

Your rights regarding information

Each data subject has the right to information on and access to, and rectification, erasure and restriction of processing of their personal data, as well as the right to object to the processing and the right to data portability. You also have the right to request that we don’t make decisions about you that are based solely on automated processes, including profiling, if these decisions would have a significant effect on you.

You can exercise these rights by contacting us at compliance@spicyminds.org. Please write “PRIVACY” in the subject line and include proof of identification. 

Within one month of the submitted request, you will receive an answer from us. We will not charge you for submitting your request unless the request is manifestly unfounded or otherwise unreasonable in its nature.

Depending on the complexity and the number of requests, this period may be extended to two months.

Marketing

You may receive updates and offers from Spicy Minds. If you do not wish to receive them (anymore), please unsubscribe.

Your personal data will not be used by our service providers or partners for their commercial purposes.

If you encounter any personal data from other data subjects, you are to refrain from collecting it, using it without authorisation, or engaging in any other act that constitutes an infringement of the privacy of the data subject(s) in question. The collector is not responsible in these circumstances.

Data retention

Spicy Minds retains personal data only for so long as necessary to fulfil the purposes for which it was collected, including as described in this privacy policy or as required by law. When assessing retention periods, we first carefully examine whether it is necessary to retain the personal data collected and, if retention is required, work to retain the personal data for the shortest possible period permissible under law.  You may, at any time, request your data to be deleted from any Spicy Minds account, system or other data processing medium in accordance with the process described above.

Applicable law

These conditions are governed by the laws and regulations of the UK, where we are headquartered. If any dispute regarding these conditions arises, the court in the district where we are headquartered has the sole jurisdiction, save when a legal exception applies.

Contact

If you have questions about this privacy policy, product information, or the website itself, please email compliance@spicyminds.org and ensure that you write “PRIVACY” in the subject line of your email.

Appendix 1

Spicy Minds Ltd redaction for safeguarding 

Our AI is trained to identify and flag safeguarding risks. Conversations that do flag risks will be reviewed by a member of the Spicy Minds team to ensure the AI is handling the situation sensitively and appropriately and signposting to the right support. 

These conversations are automatically anonymised and redacted, using GDPR and HIPAA-compliant processes, which means we cannot read conversations in full or link anything back to you. 

This is an automated process performed by AI and 54 types of Personally Identifiable Information (PII) are removed before conversations that we access for safeguarding purposes are seen by a human:

  1. Address example: “123 High Street, London NW1 6XE”

  2. Age example: “42 years old”

  3. Bank account example: “Barclays current account #12345678”

  4. Blood type example: “O‐negative”

  5. Geographic location (village, town, city, county, region) example: “Manchester,” “Kent,” “Cotswolds,” “Edinburgh,” “Yorkshire” 

  6. Condition (medical) example: “asthma,” “diabetes”

  7. Coordinates example: “51.5074° N, 0.1278° W”

  8. Country example: “England,” “Wales,” “Scotland,” “Northern Ireland”

  9. Credit card example: “Mastercard 5404‐1234‐5678‐9010”

  10. Credit card expiration example: “Exp 09/28”

  11. CVV example: “123”

  12. Date (any format) example: “15 January 2025”

  13. Date interval example: “15–20 January 2025”

  14. Date of birth example: “5 March 1988”

  15. Dose example: “200 mg”

  16. Driving licence example: “AB12 3CD4 5678 9AB” (typical UK format)

  17. Drug example: “paracetamol,” “ibuprofen”

  18. Email address example: “jane.smith@example.co.uk”

  19. Event example: “London Tech Expo 2025”

  20. Family name example: “Smith”

  21. Filename example: “tax_returns_2024.xlsx”

  22. Gender example: “male,” “female,” “nonbinary” etc

  23. Sex example: “male,” “female,” “intersex” etc

  24. Sexuality example: “heterosexual,” “bisexual,” “gay,” “asexual” etc

  25. Given name example: “John,” “Elizabeth”

  26. NHS number example: “485 777 3456” (typical 10‐digit NHS format)

  27. Injury example: “sprained ankle”

  28. IP address example: “192.168.0.1”

  29. Language example: “English,” “Welsh,” “French” etc

  30. Marital status example: “married,” “separated,” “single” etc

  31. Medical process example: “physiotherapy,” “MRI Scan”

  32. Money example: “£250,” “€300” etc

  33. Name (full names or partial identifying names) example: “John Doe”

  34. Numerical Personally Identifiable Information (standalone IDs, partial codes) example: “123456”

  35. Occupation example: “solicitor,” “accountant” etc

  36. Organisation example: “NHS England,” “Tesco,” “BBC” etc

  37. Origin example: “originally from Liverpool,” “born in Paris”

  38. Passport number example: “539871234 (UK passport)”

  39. Password example: “myP@ssw0rd!”

  40. Phone number example: “+44 7700 900123,” “020 7946 0123”

  41. Physical attribute example: “height: 5’11,” “blond hair”

  42. Political affiliation example: “Labour,” “Conservative,” “Green Party” 

  43. Pronoun example: “he,” “she,” “they,” “them”

  44. Religion example: “Christian,” “Muslim,” “Hindu,” “Sikh” etc

  45. Relationship example: “wife,” “husband,” “partner,” “aunt” etc

  46. Sort code (UK routing) example: “20‐00‐00”

  47. National Insurance number example: “AB 12 34 56 C”

  48. Statistics example: “average sales: 400 units/month”

  49. Time example: “10:30 am,” “23:15”

  50. URL example: “https://www.example.co.uk”

  51. Username example: “janedoe93,” “london_lad88”

  52. Vehicle ID example: “VIN SJNFCAJ11U1001234,” “registration plate AB12 CDE”

  53. Postcode example: “SW1A 1AA,” “M1 1AE”

  54. Zodiac sign example: “Leo,” “Virgo,” “Capricorn” etc

For each of these categories, any occurrence (including synonyms or unclear/partial references) is removed and replaced with a bracketed placeholder.

Redaction example

"On 15/01/2023, John Doe (NHS Number 485 777 3456) visited a GP clinic in Leeds.

He mentioned that his NI Number is AB 12 34 56 C and called from +44 7700 900123 to share details of his new password 'mySecretP@ssw0rd!'."

Redacted output:

"On [REDACTED DATE], [REDACTED NAME] ([REDACTED NHS NUMBER]) visited a [REDACTED MEDICAL PROCESS] clinic in [REDACTED GEOGRAPHIC LOCATION]. [REDACTED PRONOUN] mentioned that [REDACTED PRONOUN] NI Number is [REDACTED NATIONAL INSURANCE NUMBER] and called from [REDACTED PHONE NUMBER]

to share details of [REDACTED PRONOUN] new password '[REDACTED PASSWORD]'."

Version: 27/2/25