Spiralist Privacy Policy

Last updated: September 23, 2024

Welcome to Spiralist! This Privacy Policy applies to Spiralist, our iOS and Android mobile application (our “App”). This policy is intended to inform the users of our App about the nature, scope, and purpose of the collection and use of Personal Data by us in accordance with India`s Digital Personal Data Protection Act (“DPDPA”) and the Information Technology Act, 2000 (“IT Act”), the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (“SPDI Rules”) until the DPDPA’s enactment.

WHO IS RESPONSIBLE FOR DATA PROCESSING?

Responsible for data processing or the Data Fiduciary is Modularity Labs of Hyderabad, Telangana, India (“Modularity Labs”, “we”, “us”, “our”). If you have any questions about data protection at Modularity Labs in general or would like to discuss an issue with us, you can reach our Grievance Officer using privacy@spiralist.ai using Grievance Officer or Data Protection in the subject line of your email.

WHAT IS PERSONAL DATA?

Personal data is any information that relates to an identified or identifiable living individual. Different pieces of information, which collected together can lead to the identification of a particular person, also constitute Personal Data.

WHAT IS PROCESSING?

”Processing” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means. The term is broad and covers virtually any handling of data.

WHAT ARE THE LEGAL BASES FOR PROCESSING YOUR DATA?

The following informs you about the legal basis of us processing your data, and unless the legal basis is not specifically mentioned, the following applies:

• Legitimate Uses: This is where we have asked you to provide permission to process your data for a particular purpose, to provide you with the best services in the most secure and appropriate way, or to fulfill our contractual obligations towards you. Provided that you did not object or have revoked your permission.

• Legal Obligation: This is where we have a statutory or other legal obligation to process the information, such as for the investigation of crime.

WHAT PERSONAL DATA DO WE COLLECT FROM YOU?

We may collect and process the following Personal Data about you:

a) Personal Data that our App collects about you: The App can be downloaded from the “Google Playstore” a service offered by Google LLC, or the Apple App service “App Store” a service of Apple Inc., to install our App. Downloading it may require prior registration with the respective App store and/or installation of the respective App store software.

As far as we are aware, Google collects and processes the following data: License check, network access, network connection, WLAN connections, and location information. However, it cannot be ruled out that Google also transmits the information to a server in a third country. We cannot influence which Personal Data Google processes with your registration and the provision of downloads in the respective App store and Google Play Store software. The responsible party in this respect is solely Google as the operator of the Google Play Store.

As far as we are aware, Apple collects and processes the following data: device identifiers, IP addresses, location information, it cannot be excluded that Apple also transmits the information to a server in a third country. We cannot influence which Personal Data Apple processes with your registration and the provision of downloads in the respective App store and App Store software. The responsible party in this respect is solely Apple as the operator of the Apple App Store.

Google and Apple may collect information from and about the device(s) you use to access our App, including hardware and software information such as IP address, device ID and type, device-specific and App settings and properties, App crashes, advertising IDs (AAID), information about your wireless and mobile network connection, such as your service provider and signal strength; information about device sensors, such as an accelerometer, gyroscope, and compass.

We may request certain permissions when you access certain parts of our App’s functionality. This may include depending on how you use our App your Internet Connection, Network, Push Notifications, Gallery, Microphone, Speaker, Camera, Location and Device Storage etc.. You can deny access on your device via the Settings/Notifications options of your device; however, this means that our App may not function as intended.

When you use one of our location-enabled services, we may collect and process information about your location and the time the location information is recorded to provide the services with location-based information and features. Some of these services require your Personal Data for the feature to work and we may associate location data with your device ID and other information we hold about you. We keep this data for no longer than is reasonably necessary for providing services to you. If you wish to use the particular feature, you will be asked to consent to your data being used for this purpose. You can withdraw your consent at any time by disabling the GPS or other location-tracking functions on your device, provided your device allows you to do this. See your device manufacturer’s instructions for further details.

When you use our App, you will receive so-called push messages from us, even if you are not currently using our App. These are messages that we send you as part of the performance of the contract. You can adjust or stop receiving push messages at any time via the device settings of your device.

We use the Google Firebase developer App and related features and services provided by Google. By integrating Google services, Google may collect and process information (including Personal Data). It cannot be excluded that Google also transfers the information to a server in a third country. We cannot influence which data Google collects and processes. Firebase’s key security and privacy information can be found here.

By using our services, you are giving your consent to receiving services and system notifications and messages per email. Those typically include general, profile, and content information in relation to your use of our App. Our system notifications are designed to enhance your experience or to confirm your login and sign up. Our service providers used in this context are SendGrid (Twilio) and Substack.

We also collect, use and share Aggregated Data such as statistical or demographic data for any purpose including improving our App and Services. Aggregated Data could be derived from your Personal Data but is not considered Personal Data in law as this data will not directly or indirectly reveal your identity. However, if we combine or connect Aggregated Data with your Personal Data so that it can directly or indirectly identify you, we treat the combined data as Personal Data which will be used in accordance with this privacy policy.

b) Personal Data that you give us: This is information about you that you give to us. It may include, for example, your name, email address, and phone number when you contact us.

We also process the Personal Data when you create an account in order to be able to provide you access to our services. The Personal Data you submit typically includes your name, email address, and password.

Alternatively, you are able to sign up using the convenience login and sign up from Google. For convenience login and sign up, you will be asked to provide your basic information (i.e., name, email address, and display picture) linked to your account. When registering via convenience functions, you agree to the relevant terms and conditions and consent to certain data from your Google profile being transferred to us.

As a registered user, you have the opportunity to create a user profile with just a few clicks and details, and the relevant profile data you provide will be posted on your profile. Of course, you can change or remove the information or delete your profile at any time via the settings in your profile. You have choices about the information on your profile. Please do not post or add Personal Data to your profile that you would not want to be available. The legal basis for the processing of your Personal Data is the establishment and implementation of the user contract for the use of our services.

If you wish to use our App and its features, we process the Personal Data and Content you voluntarily provide for the purpose of providing your App. Depending on how you use our App, you may upload Content (“Content”) such as notes, tasks, goals, bookmarks, reminders, documents, etc. and provide Personal Data (“Personal Data”) and both collectively “Service Data”).

Content Data includes photos, videos, text messages, video calls, or other digital content you create, broadcast, perform, or upload on our App and information about the content you create, broadcast, perform, or upload, including metadata that is provided with that content. Please remember that Content Data that you transmit may reveal Personal Data about yourself.

Personal Data you provide may be considered “special” or “sensitive”. This includes Personal Data concerning for example your racial or ethnic origins, sexual orientation, sexual preferences and gender. By choosing to provide this data, you consent to our processing of that data. You have choices about the data you provide and how you share it. You don’t have to provide Personal Data or Special Category Data. It’s your choice whether to include Personal Data or Special Category Data and to make that information available to us. Please do not share information that you would not want to be available.

In terms of your Service Data, all Service Data processed by us will be processed on your behalf, and we become your Data Processor. Doing so we provide you complete control of your Service Data by providing you the ability to (i) access your Service Data, (ii) share your Service Data through supported third-party integrations, and (iii) request export or deletion of your Service Data and take appropriate legal precautions and corresponding technical and organizational measures to ensure the protection of your Service Data.

Lastly, and if you take out a subscription, your payment data will be processed via our payment service provider. Payment data will solely be processed through the by you selected payment service provider and we have no access to any payment data you may submit.

c) Customer Relationship Management and Administration For support, we may store the data related to our customers (for example, your name, e-mail address, telephone number) in our proprietary customer relationship management system.

We process data in the context of administrative tasks as well as organization of our business and compliance with legal obligations, such as archiving. In this regard, we process the same data that we process in the course of providing our contractual services.

If you create a support ticket, we will request Personal Data and, where applicable, non-Personal Data in accordance with your request; this may include your name, email address, and other order related data you voluntarily provide. If you submit a support ticket, we process the data for the purpose of processing and handling your ticket.

Our employees will also have access to data that you knowingly share with us for technical support or to import data into our services. We communicate our privacy and security guidelines to our employees and enforce privacy safeguards strictly.

CHANGE OF PURPOSE

We will only use your Personal Data for the purposes for which we collected it as detailed above, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your Personal Data for an unrelated purpose, we will notify you.

STORAGE AND RETENTION

Your Personal Data will remain with us until the purpose for processing the data no longer applies. If you assert a justified request for deletion or revoke your consent to data processing, your data will be deleted unless we have other legally permissible reasons for storing your Personal Data (e.g., retention periods under tax or commercial law); in the latter case, the data will be deleted once these reasons no longer apply.

WHEN DO WE DISCLOSE YOUR PERSONAL DATA?

We may share your Personal Data with organizations that help us provide the services described in this policy and who may process such data on our behalf and in accordance with this policy to support our App and our services. If you wish to learn more about how the relevant provider processes your Personal Data, please follow the links embedded in the above-mentioned provider’s name.

Typically and unless otherwise stated in this policy, data may be shared on the basis of our contractual and pre-contractual obligations. Equally, if you have consented to it, or where we have a legal obligation to do so (e.g., when using agents, hosting providers, tax, business and legal advisor’s, accounting, and similar services that allow us to perform our contractual obligations, administrative tasks, and duties efficiently and effectively).

We may also disclose information in other circumstances, such as when you agree to it or if the law, a court order, a legal obligation, or a regulatory authority asks us to. If the purpose is the prevention of fraud or crime or if it is necessary to protect and defend our rights, property, or personal safety of our staff, the App and its users.

EMAIL MARKETING

Insofar as you have given us your consent to process your Personal Data for marketing and advertising purposes, we are entitled to contact you for these purposes via the communication channels you have given your consent to. Our marketing generally takes the form of email but may also include other less traditional or emerging channels. These forms of contact will be managed by us or by our contracted service providers. Every directly addressed marketing sent by us or on our behalf will include a means by which you may unsubscribe or opt out.

HOW WE SECURE YOUR PERSONAL DATA

Our App uses SSL or TLS encryption to ensure the security of data processing and to protect the transmission of confidential content, such as login data or contact requests that you send to us. We have also implemented numerous security measures (“technical and organizational measures”) for example encryption or need-to-know access, to ensure the most complete protection of Personal Data processed through our App.

DATA BREACHES AND NOTIFICATION

Databases or data sets that include Personal Data may be breached inadvertently or through wrongful intrusion. Upon becoming aware of a data breach, we will notify the relevant data protection supervisory authority and all affected individuals whose Personal Data may have been compromised, and the notice will be accompanied by a description of the action being taken to reconcile any damage as a result of the data breach. Notices will be provided as expeditiously as possible after which the breach was discovered.

YOUR RIGHTS AND PRIVILEGES

a) Privacy rights You can exercise the following rights:

• Access: The right to access your Personal Data
• Erasure: The right to have your Personal Data erased
• Correction: The right to correct your Personal Data
• Notice: The right to receive notice before consent is sought
• Grievance redressal: The right to a tiered redressal process if you have a grievance

b) Update your information and withdraw your consent If you believe that the information we hold about you is inaccurate or request its rectification, deletion, or object to legitimate interest processing, please do so by contacting us.

c) Access Request In the event you want to make a Data Subject Access Request, please contact us. We will respond to requests regarding access and correction as soon as reasonably possible. Should we not be able to respond to your request within thirty (30) days, we will tell you why and when we will be able to respond to your request. If we are unable to provide you with any Personal Data or to make a correction requested by you, we will tell you why.

d) Complain to our Grievance Officer If you have any questions about data protection at Modularity Labs in general or would like to discuss an issue with us, you can reach our Grievance Officer using privacy@spiralist.ai using Grievance Officer or Data Protection in the subject line of your email.

e) Complain to a supervisory authority If you believe that the processing of your Personal Data is not lawful, you can lodge a complaint with a data protection supervisory authority. We would, however, appreciate the chance to deal with your concerns before you approach any supervisory authority.

f) What we do not do

• We do not request Personal Data from minors and children;
• We do not process special category data without obtaining prior specific consent; and
• We do not use automated decision-making, including profiling.

USA SPECIFIC PROVISIONS

The following applies to users located in the United States. While we understand and appreciate that privacy and consumer data protection laws differ as they are subject to each state’s legislature, we are committed to follow and apply the for your state relevant privacy rules and regulations.

As of the day of drafting, the following states had enacted privacy and consumer data protection laws: California, Colorado, Connecticut, Delaware, Florida, Indiana, Iowa, Montana, Oregon, Tennessee, Texas, Utah, and Virginia. Under consideration of the similarities of the above provisions, no conflict should arise pursuing a uniform approach in granting all users in the USA the below rights: However, should ambiguity occur, the most stringent provision is chosen to ensure the most comprehensive approach when it comes to protecting your Personal Data.

• Right to Know/Access
• Right to Delete
• Right to Non-Discrimination
• Right to Rectification
• Right to Limit Use and Disclosure of Sensitive Personal Information

Further, the following also apply

i) “Shine the Light”

“Shine the Light” law (Civil Code Section 1798.83) requires us to respond to requests from California asking about the business’s practices related to disclosing Personal Data to third parties for the third parties’ direct marketing purposes. You may make a request about our collection and disclosure of your Personal Data using the contact details provided.

ii) COPPA (Children Online Privacy Protection Act)

When it comes to the collection of Personal Data from children under the age of 13 years old, the Children’s Online Privacy Protection Act (COPPA) puts parents in control. The Federal Trade Commission, United States’ consumer protection agency, enforces the COPPA Rule, which spells out what operators of websites and online services must do to protect children’s privacy and safety online. We do not specifically market to children under the age of 13 years old.

iii) CAN SPAM Act

The CAN-SPAM Act is a law that sets the rules for commercial email, establishes requirements for commercial messages, gives recipients the right to have emails stopped from being sent to them, and spells out tough penalties for violations. To be in accordance with CAN SPAM, we agree to the following: If at any time you would like to unsubscribe from receiving future emails, you can email us, and we will promptly remove you from ALL correspondence.

iv) Telephone Consumer Protection Act (TCPA)

If we process your Personal Data for the purpose of sending you SMS marketing communications, you may manage your receipt of marketing and non-transactional communications from us by replying or texting ‘STOP’ if you receive our SMS communications. In this respect, the data processing is carried out solely on the basis of our consent in personalized direct advertising per SMS.

v) Controls For Do-Not-Track Features

Most web browsers and some mobile operating systems and mobile applications include a Do-Not-Track (‘DNT’) feature or setting you can activate to signal your privacy preference not to have data about your online browsing activities monitored and collected. At this stage no uniform technology standard for recognizing and implementing DNT signals has been finalized. As such, our App does not currently respond to DNT browser signals or any other mechanism that automatically communicates your choice not to be tracked online. If a standard for online tracking is adopted that we must follow in the future, we will inform you about that practice in a revised version of this policy.

vi) Right to complain

Finally, and in regard to the right to complain to a supervisory authority. You have the right to lodge a complaint about our processing of Personal Data with a supervisory authority responsible for data protection. Users based in the above mentioned States may lodge a complaint with the relevant district attorney or attorney general office. However, we would appreciate the opportunity to address your concerns before you contact any supervisory authority.

CANADA AND MEXICO SPECIFIC PROVISIONS

Both Canada and Mexico have introduced data protection laws, namely Federal Law for the Protection of Personal Data in the Possession of Private Parties (“LFPDPPP”) supplemented by the Rules of the Federal Law for the Protection of Personal Data in the Possession of Private Parties in Mexico and the Personal Information Protection and Electronic Documents Act (“PIPEDA”) in Canada.

Under consideration of the above, no conflict should arise pursuing a uniform approach in granting all users in Mexico or Canada the following rights and privileges. However, should ambiguity occur, the most stringent provision is chosen to ensure the most comprehensive approach when it comes to protecting your Personal Data.

• Right to withdraw consent: You have the right to withdraw your consent at any time, subject to legal and contractual restrictions. Note that your withdrawal of such consent may limit your ability to obtain certain products and services.
• Right of access, correction, deactivation, or deletion of accounts: You have the right to request access to and obtain a copy of any of your Personal Data that we may hold, to request correction of any inaccurate information relating to you, and to request the deactivation or deletion of your accounts under certain circumstances.
• Right to submit a privacy complaint: You have the right to submit a complaint with the Privacy Commissioner in the jurisdiction of your residence if you consider that our management of your Personal Data infringes applicable laws.

In terms of your right to complain, Canada’s national supervisory authority is the Office of the Privacy Commissioner (www.priv.gc.ca) and the National Institute of Transparency, Access to Information and Personal Data Protection (Instituto Nacional de Transparencia, Acceso a la Información y Protección de Datos Personales) (“INAI”) is the national supervisory authority in Mexico (www.ifai.org.mx).

AUSTRALIA SPECIFIC PROVISIONS

Akin to the above, no conflict should arise in pursuing a uniform approach in terms of Australia’s Privacy Act and the 13 Privacy Principles (“APA”) and in granting all users in Australia the following rights and privileges. However, should ambiguity occur, the most stringent provision is chosen to ensure the most comprehensive approach when it comes to protecting your Personal Data.

• Right to information
• Right to rectification
• Right to deletion
• Right to data portability
• Right of objection
• Right to withdraw consent
• Right to complain to a supervisory authority
• Right not to be subject to a decision based solely on automated processing.

Furthermore, you have the right to lodge a complaint with your local or the for us, relevant data protection supervisory authority. In Australia, this is the Office of the Australian Information Commissioner (“OAIC”) (www.oaic.gov.au). We would, however, appreciate the chance to deal with your concerns before you approach a data protection supervisory authority.

HELP AND COMPLAINTS

If you have any questions about data protection at Modularity Labs in general or would like to discuss an issue with us, you can reach our Grievance Officer using privacy@spiralist.ai using Grievance Officer or Data Protection in the subject line of your email.

CHANGES

The first version of this policy was issued on Tuesday, 22nd of October, 2024, and is the current version. Any prior versions are invalid, and if we make changes to this policy, we will revise the effective date.