Spiral

Features

Learn

Pricing

Book a demo

Log in

Start for free

Spiral Privacy Policy


Last updated: August 27, 2025


This Privacy Policy explains how Spiral Ad, Inc. collects, uses, shares, and protects personal data when you visit spiral.ad or use our products and services. If you do not agree, please do not use the services. Capitalized terms not defined here have the meanings in our Terms of Use, available at spiral.ad/legal/terms.

1. Who we are and scope


This Policy applies to website visitors and to all users of our products, including Growth self serve and Enterprise. If this Policy conflicts with a signed MSA or DPA for an Enterprise customer, that agreement controls for that customer.


Roles. When we handle Customer Personal Data to provide the services to your workspace, we act as your processor. When we handle Service or Usage Data such as telemetry, logs, and security signals to operate, secure, and improve the services, we act as an independent controller.

2. What we collect


Account and billing data. Name, email, team or workspace info, plan tier, settings. Payments are processed by our payment service provider.


Customer Data and Outputs. Assets, prompts, references, and other content you submit, and the creatives and other outputs the services generate for you.


Service and Usage Data. Events, device and browser data, IP address, timestamps, performance metrics, error logs, security and fraud signals, and feature usage.


Cookies and similar tech. Pixels, SDKs, and cookies for analytics, security, product features, and where permitted marketing and retargeting.


Meta Ads account integration. When you connect your Meta Ads account, we collect:
• OAuth access tokens and refresh tokens
• Meta Ads account information and settings
• Campaign performance data and metrics
• Ad creative data and performance history
• Audience and targeting information
• Spend and billing information from your Meta Ads account.

We request only the scopes needed to analyze performance and to publish ads you approve. These may include ads_read, ads_management, business_management, pages_show_list, and pages_read_engagement. The exact scopes are shown on the Meta consent screen and can be revoked in Meta Business Integrations.

3. How we use data and legal bases


We use data to:

  • Provide the services, including creative generation, workspace management, support, and billing. Legal bases are contract and legitimate interests.

  • Operate and secure the services, including fraud prevention, abuse detection, incident response, diagnostics, and availability. Legal bases are legitimate interests and legal obligation.

  • Improve and test the services, including quality, safety, and reliability, and to run product analytics. Legal basis is legitimate interests.

  • Communicate with you about service messages and product updates. Legal bases are contract and legitimate interests.

  • Run marketing where allowed. Legal bases are consent and legitimate interests

  • Use of Meta data. We use your Meta Ads data to deliver the services you request, including analyzing performance to generate optimized creatives for your campaigns.


Model training.

  • Growth. Spiral may use Customer Data and Outputs to operate and improve the services, including to train, fine tune, evaluate, and safety test models and features, and to develop aggregated insights. Growth does not offer a model training opt out. We do not intentionally include your Customer Data in outputs for other customers.

  • Enterprise. Training use is governed by your signed MSA or DPA, which may provide different options

.

De identified and aggregated data. We may create, use, and retain de identified or aggregated data for security, analytics, benchmarking, and improving the services. We will not attempt to re identify such data.

4. Sharing and disclosure


We share personal data with:

  • Service providers that act as subprocessors for hosting, storage, analytics, support, messaging, and payments. We maintain a live subprocessor list and update it when providers change.

  • Advertising and retargeting partners for sharing for targeted advertising as described in Section 6 and Section 7.

  • Platform providers when you connect integrations and as you direct.

  • Legal or safety recipients when required by law or to protect rights, safety, and security.

  • Parties to a business transfer such as a merger or acquisition.

  • Meta platform access. We access and process data from Meta advertising platforms through official APIs to provide our services. We are not affiliated with or endorsed by Meta. Your Meta data remains under your control.


We do not sell personal data for money. Some United States laws define sharing for targeted advertising, and we may share personal information for that purpose as described below.

5. International data transfers


We operate globally. When personal data is transferred internationally we use approved safeguards such as the EU Standard Contractual Clauses, the UK Addendum, and the Swiss Addendum. Spiral is not currently enrolled in the EU United States Data Privacy Framework.

6. Cookies, analytics, and ads


We use cookies and similar technologies for essential functions, analytics, security, and where permitted marketing and retargeting.


Consent in the EEA, the UK, and Switzerland. We ask for consent for non essential cookies in these regions. You can change your choices at any time using the Manage Cookies control in the product.


Global Privacy Control. We honor Global Privacy Control signals where applicable.

7. Your privacy choices and rights


This section also serves as our Do Not Sell or Share My Personal Information notice for United States visitors.


Targeted advertising and sharing. We may share personal information such as online identifiers and page views with advertising partners for targeted ads. You can opt out at any time by emailing support@spiral.ad with the subject line Do Not Sell or Share. We also honor Global Privacy Control signals where applicable.

Revoke Meta access. You may revoke Spiral access at any time through Meta Business Integrations. After revocation we stop syncing new data and follow our deletion timelines for any cached data.


Marketing emails. You can opt out of marketing emails through unsubscribe links or in your account settings. We will still send service and transactional emails.


Region specific rights.

  • GDPR, UK, and Swiss rights where applicable you can request access, correction, deletion, portability, and restriction or objection, and you may lodge a complaint with a supervisory authority.

  • United States state rights where applicable you can request access, deletion, correction, portability, and opt out of sale or sharing or targeted advertising.

Submit requests through the Privacy Choices control in the product or by emailing support@spiral.ad. We may need to verify your identity. For some states we accept authorized agent requests.

8. Data retention


Customer Data and Outputs. When you delete them or close your account, we delete from active systems within 30 days and from backups within 90 days, unless we must retain for legal, security, or billing reasons.

Meta Ads data. Meta Ads data is retained for as long as your account is active and for up to 30 days after account termination for billing verification, consistent with the general retention timelines in this Policy.

Service and Usage Data and security logs. Retained for 180 days, or longer if needed for security or incidents, then deleted or de identified. We may keep de identified or aggregated data.

9. Security and incidents


We use industry standard technical and organizational measures, including encryption in transit and at rest, access controls, logging and monitoring, backups, and a secure development life cycle. If we confirm a data breach that is likely to pose a risk to individuals, we will notify affected users within 72 hours and will cooperate with required notifications.


We use secure handling for Meta Ads API tokens and credentials, including encrypted storage and restricted access.

10. Children


The services are not for individuals under 18. We do not knowingly collect children’s data.

11. Subprocessors


We maintain a public live subprocessor list that includes purpose and location. We will update the list as providers change and will provide advance notice where required. The list is available at spiral.ad/legal/subprocessors.

12. Data Processing Addendum


When we process Customer Personal Data on your behalf, the Spiral DPA applies and is incorporated by reference.


For Growth, the DPA is accepted during sign up by click through or is available at spiral.ad/legal/dpa.


For Enterprise, your signed MSA or DPA govearns and controls in case of conflict.

13. Changes to this Policy


If we make material changes that reduce your rights, we will provide advance notice, for example 30 days, by email or in product. Your continued use after changes take effect means you accept the updated Policy.

14. Contact us

Spiral Ad, Inc.
Website: spiral.ad
Email: support@spiral.ad
Address: 1111B South Governors Ave STE 37149, Dover, DE 19904, USA. 

Spiral

Company

Privacy Policy

Terms of Use

Social

LinkedIn

X (Twitter)

1111b South Governors Ave STE 37149

Dover, DE 19904

United States

founders@spiral.ad