Privacy Policy

Last updated: 6 May 2026

This Privacy Policy explains how Spradley ApS ("Spradley", "we", "us") collects, uses, and protects personal information when you or your organisation use the Spradley platform (the "Service"). We are committed to handling personal data in line with the EU General Data Protection Regulation (GDPR), the EU AI Act, and the Danish Data Protection Act.

1. Definitions

Customer means the organisation (typically the employer) that subscribes to the Service. Administrator means a user invited by the Customer to manage conversations, employees, or reports. Respondent means an employee of the Customer who participates in a conversation through the Service. Visitor means anyone who visits our public website without logging in.

2. A note about children

The Service is designed for use in employment contexts and is not directed at people under 16. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us and we will delete it.

3. What information we collect

(a) Generally. When you interact with the Service we collect technical information such as IP address on authentication events, browser metadata, and in-product activity needed to operate and secure the Service.

(b) Administrators. Name, work email, role, departments you have access to, and (optionally) a Slack identifier if your organisation enables Slack integration.

(c) Respondents. Name, work email, department, position, and employment metadata supplied by your employer, together with an optional identifier for any messaging integrations your organisation enables. When you participate in a conversation we collect your responses, derived classification metadata used to build aggregate reports, and basic interaction signals such as time spent. Magic-link tokens are random single-use identifiers and are automatically purged on expiry.

(d) Audit log. We record privacy-relevant events together with the actor, target, and IP address. IP addresses in this log are nullified after 90 days.

(e) Visitors. Authentication and session cookies only. We do not use third-party analytics or tracking pixels at this time.

4. Who is the data controller or processor?

For Administrators and Respondents, your organisation (the Customer) is the data controller of your personal information. Spradley acts as the data processor, handling personal data on the Customer's behalf in accordance with our Data Processing Agreement.

For your own account-creation data, billing details, and any direct communications you send us, Spradley is the data controller. Spradley is also the controller for Visitors to our public website.

5. How we hold the information

(a) Security. We apply appropriate technical and organisational measures to protect personal data, including encryption in transit and at rest, access controls, automated redaction of personal identifiers before AI analysis, and regular review of our security posture.

(b) Where personal data is located. We operate the Service with EU/EEA data residency wherever supported by our sub-processors. Some sub-processors may process data outside the EEA; see Section 7.

(c) International transfers. Where personal data is transferred outside the EEA, we rely on the European Commission's Standard Contractual Clauses (SCCs) or other lawful transfer mechanisms.

6. How we use the information

(a) Operating the Service. We use personal data to deliver conversations, generate AI-assisted reports, send transactional communications such as conversation invitations and notifications, and to ensure security, troubleshoot, and prevent abuse.

(b) Legal basis (Art. 6 GDPR). For Administrators we rely on performance of a contract (Art. 6(1)(b)). For Respondents we rely on the legitimate interests of the employer in measuring and improving the work environment (Art. 6(1)(f)) together with explicit consent captured before each conversation (Art. 6(1)(a)). You can decline consent and the conversation will not begin. You can withdraw consent at any time by contacting us, without affecting the lawfulness of processing already carried out.

(c) Special-category data (Art. 9 GDPR). Free-text responses can include sensitive information such as health, religion, or trade-union membership. We do not request such data, and our automated PII-stripping pipeline minimises exposure, but if you choose to include it you provide explicit consent for its processing under Art. 9(2)(a).

(d) Confidentiality of responses. The Customer can see that you participated in a conversation, but never your individual answers. Reports describe patterns at the team or department level and do not quote individual responses. Department-level reports are gated by a k-anonymity threshold of five respondents: we do not produce a department narrative if fewer than five people responded. After analysis we sever the link between processed content and individual identity.

7. Who has access to your personal information

We do not sell personal data. We share personal data only with vetted sub-processors necessary to operate the Service, under written data-processing terms. Our current sub-processors include providers for application hosting, database hosting, transactional email, AI tracing (metadata only), and AI model inference. The full, current list with purpose and location is published at /sub-processors. We may also disclose personal data when required by law or to protect our rights and the safety of others.

8. Artificial Intelligence (AI)

(a) How Spradley uses AI. Our AI generates the live follow-up questions in a conversation, classifies responses by sentiment, theme, and signal type, and writes narrative summaries at the team or department level. The Service is built around AI: you will be informed when interacting with it.

(b) Models and providers. We use leading commercial AI providers under standard inference terms. We do not permit any provider to use Customer or Respondent data to train or fine-tune their models. Where supported, we select EU regions for inference. The current list of AI sub-processors is published at /sub-processors.

(c) Privacy safeguards specific to AI processing. Before content is sent to a model for analysis, an automated pipeline redacts personal identifiers such as email addresses, phone numbers, government identifiers, and names. Our observability tooling receives only metadata about model calls and never the prompt or response content.

(d) AI does not make employment decisions. The Service does not generate per-employee scores, risk flags, or automated triggers. It does not make or recommend hiring, promotion, performance, or disciplinary decisions. All AI output is aggregated and narrative; a human reviewer at the Customer makes any decision derived from it. We have designed the Service to avoid the high-risk AI categories listed in Annex III of the EU AI Act for the workplace.

9. Your rights

Under GDPR you have the right to access, rectify, erase, restrict, port, and object to the processing of your personal data, and to withdraw consent at any time. For Respondent data, requests are typically routed through your employer (the controller) and we support them in fulfilling your request. For account-holder data, you can export your organisation's data through the in-product GDPR tools, request account deletion (which begins a 30-day soft-delete grace period before permanent erasure), or contact us at privacy@spradley.io for any other request.

10. How long we retain personal information

We retain account data for the duration of the Customer's subscription and as required by law. Conversation responses are retained as configured by the Customer; by default this is the duration of the subscription. When an account is deleted we apply a 30-day soft-delete grace period and then permanently erase the data via an automated cron job. Audit-log IP addresses are nullified after 90 days. Magic-link tokens are purged on expiry.

When an individual employee record is deleted, identifiers such as name and email are removed but the redacted, anonymised text of past responses is retained for the organisation's aggregate analytics. We disclose this plainly so that erasure expectations are clear.

11. How to make a complaint

If you have a privacy concern, please contact us first at privacy@spradley.io so we can address it. You also have the right to lodge a complaint with the Danish supervisory authority, Datatilsynet (Borgergade 28, 5., 1300 København K, Denmark; +45 33 19 32 00; dt@datatilsynet.dk), or with the supervisory authority in your EU country of residence.

12. Additional information

(a) Sensitive personal data. See Section 6(c). We do not request special-category data; if you submit it voluntarily in a free-text response you provide explicit consent for its processing.

(b) Cookies. We use essential cookies for authentication and session management. We do not currently use analytics or marketing cookies. If we introduce non-essential cookies in the future, we will update this policy and present a consent mechanism before any such cookie is set.

(c) Links to other websites. The Service may link to third-party sites we do not control. Their privacy practices are governed by their own policies.

(d) Changes to this Policy. We may update this Privacy Policy from time to time. We will notify Customers and Administrators of material changes by email. The "Last updated" date at the top of this page reflects the most recent revision.

13. Contact

Spradley is operated by Spradley ApS, registered in Denmark. For privacy enquiries, including requests to exercise your GDPR rights, contact privacy@spradley.io. This mailbox is monitored by our leadership team. Spradley has not formally designated a Data Protection Officer at this time; we will update this policy if that changes.