Privacy Policy
Spiral Ad, Inc. implements a dual-role data governance architecture — processor for Customer Personal Data, independent controller for operational telemetry — with minimum-scope OAuth for ad platform integrations, Stripe-delegated PCI compliance, internal-only AI training on de-identified data, and state-law-aware targeted advertising disclosures covering CPRA, VCDPA, CPA, and CTDPA opt-out rights.
Key Facts
- OAuth ad platform integrations request only the minimum permission scopes required for performance analysis and user-approved ad publishing, implementing GDPR Article 5(1)(c) data minimization at the API authorization layer — a meaningful security architecture distinction from broad-scope integrations common in marketing technology stacks.
- The policy's acknowledgment that US state privacy laws including California's CPRA may characterize targeted advertising data sharing as a regulated sale reflects current enforcement posture from the California Privacy Protection Agency and aligns Spiral's disclosures with the opt-out right requirements under regulations that took effect in 2023-2024.
Who Spiral Is and What This Policy Covers
Spiral Ad, Inc. operates spiral.ad, a creative advertising platform purpose-built for mobile app marketers who need to produce, test, and publish high-performing ad creatives at scale. This Privacy Policy governs every interaction with spiral.ad — from anonymous visitors browsing the homepage to paying workspace administrators managing live campaigns. The policy covers self-serve tiers (Launch and Grow) and the enterprise Scale tier. Critically, where a Scale customer has signed a Master Service Agreement (MSA) or Data Processing Agreement (DPA), that negotiated contract takes precedence over this general policy, a provision that mirrors standard enterprise SaaS practice seen at platforms like Salesforce, HubSpot, and Adobe Experience Cloud. The scope clarification matters for mobile app marketers evaluating Spiral against competitors. Enterprise-grade DPA flexibility signals that Spiral is architected for teams with legal and compliance requirements, not just growth-stage startups. The policy's effective date of February 20, 2026 reflects an up-to-date compliance posture relative to evolving global privacy regulations including the EU AI Act, which introduces additional transparency obligations for AI-generated content — a category squarely applicable to Spiral's core product.
The Processor vs. Controller Distinction: Why It Matters for Advertisers
Spiral formally separates its legal roles under data protection law into two tracks, a structural approach that protects both the platform and its customers. When Spiral processes Customer Personal Data — your uploaded creative assets, prompts, audience briefs, and generated ad outputs — it acts as a data processor under your instructions. This means Spiral cannot use that data for its own purposes outside the scope of delivering the service to your workspace. When Spiral processes Service and Usage Data — telemetry, device signals, IP addresses, error logs, and security events — it acts as an independent controller, determining its own purposes for that data. This dual-role framework is now standard among sophisticated SaaS platforms. Competitors including Smartly.io, Celtra, and Creatopy face the same structural question, and the clearest policies explicitly separate these roles as Spiral does. For mobile app marketers operating under Apple's App Tracking Transparency (ATT) framework or Google's Privacy Sandbox transition, understanding exactly which data Spiral controls versus processes is essential for maintaining accurate Records of Processing Activities (RoPAs) under GDPR Article 30. Teams using Meta Ads Manager, Google Ads, TikTok for Business, or Apple Search Ads integrations should pay particular attention to this distinction when completing vendor risk assessments.
Data Collection Across Five Distinct Categories
Spiral collects data across five clearly delineated categories, each with a distinct purpose and risk profile for mobile app marketers. Understanding each category is essential for teams conducting privacy impact assessments. **Account and Billing Data** includes name, email, workspace configuration, plan tier, and settings. Payments are processed exclusively through Stripe, a PCI DSS Level 1 certified payment processor, meaning Spiral's servers never receive raw card data. This is a security architecture advantage compared to platforms that handle payment data in-house. **Customer Data and Outputs** encompasses the creative assets, text prompts, reference images, and AI-generated ad creatives produced within the platform. This is the most commercially sensitive category for most users, as it may contain unreleased campaign concepts, brand assets, and competitive messaging strategies. **Service and Usage Data** covers events, browser and device fingerprints, IP addresses, timestamps, performance metrics, and error logs. This operational telemetry is common across SaaS platforms and is primarily used for reliability, fraud prevention, and product improvement. **Cookies and Similar Technologies** include pixels, SDKs, and cookies serving four purposes: essential functions, analytics, security, and where consented, marketing and retargeting. The conditional language around marketing cookies reflects compliance with ePrivacy Directive requirements applicable in EU/EEA markets. **Ad Platform Data** is the most distinctive category for an advertising-focused tool. When users optionally connect accounts such as Meta Ads, Spiral collects OAuth access tokens, campaign settings, performance metrics, creative data, audience and targeting parameters, and spend data. Spiral explicitly states it requests only the minimum OAuth scopes needed — a principle of data minimization consistent with GDPR Article 5(1)(c). 
No equivalent advertising platform data category exists in the privacy policies of general-purpose design tools like Figma or Canva, underscoring Spiral's specialization.
Legal Bases and Purposes: How Spiral Justifies Each Use
Spiral maps each processing purpose to a specific legal basis, a requirement under GDPR that many US-headquartered SaaS companies handle inconsistently. Spiral's policy identifies six distinct processing purposes with corresponding legal bases, providing a level of transparency that supports due diligence for EU and UK-based advertisers. Service delivery relies on contract performance and legitimate interests. Security operations — including fraud prevention, abuse detection, and incident response — rely on legitimate interests and legal obligation. Product improvement through quality monitoring and analytics relies on legitimate interests. Communications about service updates rely on contract and legitimate interests. Marketing relies on consent and legitimate interests depending on jurisdiction and channel. The most strategically significant purpose is **model training**. Spiral states it may use Customer Data and Outputs in aggregated or de-identified form to develop, train, and improve its own AI models. This use is explicitly restricted to internal Spiral purposes. The policy commits that Spiral will not intentionally include identifiable customer data in outputs generated for other customers — a critical assurance for advertisers concerned about competitive creative leakage. This stance is more conservative than some competing generative AI platforms, where training data use has been a source of significant advertiser concern. For comparison, Adobe Firefly's enterprise terms and Getty Images-partnered tools have faced scrutiny over similar provisions, making Spiral's explicit internal-only restriction a meaningful differentiator.
Data Sharing: Subprocessors, Ad Partners, and Business Transfers
Spiral shares personal data with five categories of recipients. The policy's transparency here is above average for a startup-stage advertising technology platform. First, service providers acting as subprocessors handle hosting, storage, analytics, support, messaging, and payments. The complete subprocessor list is available on request at support@spiral.ad. By comparison, GDPR Article 28 requires subprocessor transparency, and many platforms provide a public subprocessor page — Spiral's request-based approach is compliant but less proactive than the public lists maintained by platforms like Notion, Intercom, or Twilio. Second, advertising and analytics partners receive data for targeted advertising where permitted. Third, platform providers receive data when users connect integrations — such as Meta Business Suite, Google Ads API, or TikTok Marketing API — as directed by the user. Fourth, legal or safety recipients may receive data when required by law, court order, or to protect rights and security. Fifth, parties to a business transfer such as a merger, acquisition, or asset sale may receive data, with standard continuity protections implied. Significantly, Spiral explicitly states it does not sell personal data for money. The policy acknowledges, however, that certain US state privacy laws — including California's CPRA, Colorado's CPA, Virginia's VCDPA, and Connecticut's CTDPA — define sharing data for targeted advertising purposes as a form of sale or sharing requiring opt-out rights. Section 7 of the full policy addresses these state-specific rights. This nuanced acknowledgment reflects legal sophistication appropriate for a platform operating in the US advertising technology sector.
Ad Platform Integrations: OAuth Security and Data Minimization
Spiral's handling of ad platform integrations is the most technically distinctive section of this privacy policy and deserves careful attention from mobile app marketers. When connecting an advertising account — Meta Ads being the explicit example, though the framework applies to any supported integration — Spiral collects OAuth access tokens, account and campaign settings, performance data, creative data, audience and targeting information, and spend data. Three security principles govern this collection. First, connection is entirely optional — the core creative generation product functions without any platform integration. Second, Spiral requests only the OAuth permission scopes strictly necessary to analyze performance and publish ads approved by the user. Third, the data collected is used to serve the user's specific workspace, not pooled for cross-customer analysis in identifiable form. For mobile app marketers specifically, this framework is relevant because mobile advertising integrations often touch sensitive data. Audience segments built for mobile app install campaigns or in-app purchase retargeting may contain data about user behaviors that carry heightened sensitivity under frameworks like Apple's ATT, Google's Limited Ads policy, or Meta's Sensitive Categories policy. Spiral's minimum-scope OAuth approach reduces the surface area of data exposure compared to integrations that request broad account permissions. Teams integrating Spiral with AppsFlyer, Adjust, or similar mobile measurement partners should review data flows holistically alongside this policy.
FAQ
- Does Spiral sell my advertising data or creative assets to third parties?
- No. Spiral Ad, Inc. explicitly states it does not sell personal data for money. Customer Data including creative assets and ad outputs is used only to provide services to your workspace. Spiral may share data with advertising partners for targeted advertising purposes as permitted and disclosed under applicable US state privacy laws, but this is distinct from selling data and carries opt-out rights in states like California, Colorado, Virginia, and Connecticut.
- Can Spiral use my ad creatives to train its AI models?
- Spiral may use Customer Data and Outputs in aggregated or de-identified form for internal model training and improvement. The policy expressly states this use is internal to Spiral only, and that Spiral will not intentionally include your identifiable Customer Data in outputs generated for other customers. This means your unreleased campaign concepts and brand assets are not fed into outputs served to competitors using the same platform.
- Is connecting a Meta Ads or Google Ads account required to use Spiral?
- No. Connecting an advertising account is entirely optional. Spiral recommends the integration to maximize platform value — enabling performance analysis and direct ad publishing — but the core creative generation product operates independently without any ad platform connection. This means you can use Spiral to generate and evaluate ad creatives before deciding whether to grant any platform access.
- What legal bases does Spiral use to process data under GDPR?
- Spiral uses three primary GDPR legal bases: contract performance (delivering purchased services and billing), legitimate interests (security operations, fraud prevention, product improvement, and service communications), and consent (marketing activities and certain cookie categories). For legal obligations such as responding to law enforcement requests, Spiral relies on legal obligation as the basis. Scale customers with signed DPAs may negotiate additional or modified terms.
- How does Spiral handle payment data security?
- Spiral delegates all payment processing to Stripe, a PCI DSS Level 1 certified payment service provider. This architecture means Spiral's own servers do not receive, store, or process raw payment card data. Stripe's infrastructure handles card tokenization and transaction processing, significantly reducing payment data risk exposure on Spiral's side. This is consistent with best-practice SaaS payment security architecture.
- Where can I find Spiral's list of data subprocessors?
- Spiral's subprocessor list is available on request by emailing support@spiral.ad. Subprocessors include vendors handling hosting, storage, analytics, customer support, messaging, and payments. For enterprise Scale customers with signed Data Processing Agreements, subprocessor notification and approval processes may be defined in that agreement. GDPR-regulated organizations should request this list as part of their vendor due diligence process.
- Does Spiral's Privacy Policy apply differently to enterprise Scale customers?
- Yes. Where a Scale customer has a signed Master Service Agreement (MSA) or Data Processing Agreement (DPA) with Spiral Ad, Inc., that negotiated agreement controls and takes precedence over this general Privacy Policy for that customer. This is standard enterprise SaaS practice and allows larger organizations to negotiate custom data handling terms, EU Standard Contractual Clauses, specific subprocessor approval rights, and tailored data retention periods.
- What data does Spiral collect when I use cookies and tracking technologies on spiral.ad?
- Spiral uses cookies, pixels, and SDKs for four purposes: essential site functions, analytics, security, and where you have given permission, marketing and retargeting. Essential and security cookies operate without consent. Analytics and marketing cookies require consent in jurisdictions covered by the ePrivacy Directive and similar laws. You can manage cookie preferences through Spiral's consent mechanism. Marketing and retargeting cookies may involve sharing data with advertising and analytics partners.