Spiro Privacy Policy

Last updated: 3 June 2025

This Privacy Policy explains how Spiro ("Spiro", "we", "us", or "our"), a service operated by Medthrive Ltd, collects, uses, shares, and safeguards your personal data when you use our websites, mobile or web applications, products, and related services (collectively, the “Services”). It also outlines your rights under the UK General Data Protection Regulation (UK GDPR) and other applicable UK data‑protection laws.

Medthrive Ltd is the data controller responsible for the processing described in this Policy. Registered address: 65 Holmewood Gardens, London, SW2 3NB, United Kingdom.

If you have any questions about this Policy or your personal data, please contact us at hello@spirosen.com.


1. Who this Policy applies to

This Policy applies to you when you:

  • visit our websites or interact with us online;
  • create or use a Spiro account;
  • communicate with us by email, phone, or video call;
  • receive marketing or product‑related communications from us; or
  • otherwise provide personal data to us in connection with the Services.

Children’s data: Spiro is not directed at children under 16. We do not knowingly collect personal data about children. If you believe a child has provided us with personal data, please contact us so we can delete it.


2. The personal data we collect

Depending on how you interact with Spiro, we may collect:

Category | Examples
Identity data | Name, title, organisation, role, date of birth.
Contact data | Email address, phone number, postal address.
Account data | Username, password, authentication tokens, preferences.
Usage data | Log files, device identifiers, IP address, browser type, pages visited, time spent, clickstream data.
Communication data | Messages, emails or call recordings you send to us, including video‑call content if you consent to recording.
Marketing data | Your marketing preferences, feedback, survey responses.

We collect data:

  • Directly from you (e.g. forms, emails, video calls).
  • Automatically through cookies and similar technologies when you use the Services (see Section 9).

3. Legal bases for processing

Under the UK GDPR, we must have a lawful basis to process your personal data. We rely on:

  1. Performance of a contract – to provide and manage the Services you have requested.
  2. Legitimate interests – to improve and secure our Services, communicate with you, and run our business, provided those interests are not overridden by your rights.
  3. Consent – for optional activities such as direct marketing, where you have given clear consent (which you can withdraw at any time).
  4. Legal obligation – where processing is necessary for compliance with a UK legal requirement.

4. How we use your personal data

We use your data to:

  • Register and administer your Spiro account;
  • Provide, maintain, and improve our Services;
  • Respond to your enquiries and support requests;
  • Send transactional messages (e.g. service notifications, security alerts);
  • Conduct research, analytics and service development;
  • Detect, prevent and address security or technical issues;
  • Send marketing communications (with your consent);
  • Comply with legal or regulatory obligations.

We do not use your data for decisions based solely on automated processing that have legal or similarly significant effects.


5. Sharing your personal data

We do not sell your personal data and we have no subsidiaries with which we share data. We only disclose personal data:

  • To service providers acting under our instruction – currently limited to Google Cloud (see Section 6);
  • Where required by law, court order, or to exercise or defend legal claims;
  • With your consent – in any other situation, we will only share data if you agree.

6. Third‑party service providers

Provider | Purpose | Safeguards
Google Cloud Platform | Email hosting (Gmail), productivity (Docs, Sheets, Slides), and Google Meet video calls | Data stored in UK data centres; protected by Google Cloud’s ISO 27001 certification, encryption in transit and at rest, strict access controls.

We have concluded appropriate data‑processing agreements with Google Cloud to ensure your data is protected in line with UK GDPR.


7. International data transfers

All personal data we control is stored exclusively on servers located in the United Kingdom. We do not transfer your data outside the UK.


8. Data retention

We keep personal data only for as long as necessary to fulfil the purposes described in this Policy or as required by law (e.g. accounting rules). After that, we securely delete or anonymise the data. Key retention periods include:

  • Account data: retained for the life of your account and up to 12 months after closure.
  • Communications: retained for up to 24 months.
  • Marketing preferences: retained until you withdraw consent or 24 months after last interaction.

9. Cookies and similar technologies

We use essential and analytical cookies to operate and improve our websites. Where required, we will ask for your consent to non‑essential cookies. For details, see our Cookie Policy.


10. Keeping your data secure

We implement appropriate technical and organisational measures, including:

  • Encryption (TLS) for data in transit and AES‑256 for data at rest;
  • Role‑based access controls;
  • Regular security audits, penetration testing and staff training;
  • Secure development practices and vulnerability management.

11. Your rights under UK GDPR

You have the right to:

  1. Access – obtain a copy of your personal data.
  2. Rectification – correct inaccurate or incomplete data.
  3. Erasure – request deletion of your data ("right to be forgotten").
  4. Restriction – pause processing in certain circumstances.
  5. Data portability – receive data in a structured, machine‑readable format.
  6. Object – object to processing based on legitimate interests or direct marketing.
  7. Withdraw consent – where processing relies on consent.

You can exercise these rights by contacting us using the details below. We will respond within one month.


12. Contact, complaints, and the ICO

If you have questions about this Policy or wish to exercise your rights, contact our Data Protection Officer at hello@spirosen.com or write to Medthrive Ltd, 65 Holmewood Gardens, London, SW2 3NB.

If you are unhappy with our response, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO): Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF (ico.org.uk).


13. Changes to this Privacy Policy

We may update this Policy from time to time. The latest version will always be posted on our website with the “Last updated” date at the top. If changes are material, we will notify you through the Services or by other appropriate means.