Spike Labs

Effective

Privacy Policy

This Privacy Policy describes how Spike Labs, Inc. (“Spike Labs”, “we”, “our”) collects, uses, shares, and protects information when you use our applications, including HomeHand, TeamHand, CreatorHand, and SchoolHand (collectively, the “Services”), and when you connect third-party services to those applications through integrations.spikelabs.com.

Who we are

Spike Labs, Inc. is the data controller for personal information processed through the Services. You can contact us about this policy at legal@spikelabsinc.com.

Information we collect

Account information. When you create an account we collect your email address, name, and the authentication identifiers issued by our identity provider (Clerk).

Third-party service data via OAuth. When you connect a third-party service (for example, your Google Calendar) to one of our applications, you authorize us to access specific data from that service via OAuth. The exact data depends on the scopes you approve at the consent screen (see “Scopes we request and why” below).

Usage and device information. We collect standard application logs (request paths, response codes, IP addresses, user agents) for security, debugging, and abuse prevention.

Scopes we request and why

When you connect a Google account, we request only the minimum scopes required to provide the feature you are enabling:

  • Google Calendar (.../auth/calendar.readonly, .../auth/calendar.events) — to read and create calendar events on your behalf so our agent can show your schedule and add events you ask for.
  • Gmail (.../auth/gmail.readonly, .../auth/gmail.modify) — to read messages you ask the agent about and to draft or send messages on your explicit instruction.
  • Google Drive (.../auth/drive.readonly) — to find and reference files you ask the agent to look up.

Google API Services — Limited Use disclosure

Spike Labs’s use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements. We do not transfer Google user data to third parties except as necessary to provide or improve user-facing features that are prominent in the requesting application’s user interface, and only with your explicit consent or as required by law. We do not use Google user data for serving advertisements, including remarketing, personalized, or interest-based advertising. We do not allow humans to read Google user data unless we have your explicit consent for specific messages, we are doing so for security purposes (such as investigating abuse), to comply with applicable law, or for internal operations where the data has been aggregated and anonymized.

How we use information

  • To provide the features you request in our applications.
  • To send service-related communications (e.g., account or security notifications).
  • To detect, prevent, and respond to security incidents, fraud, and abuse.
  • To comply with legal obligations.

We do not sell personal information, and we do not use Google user data for advertising, model training, or any purpose unrelated to providing the requested feature.

How we share information

We share personal information only with infrastructure providers that process data on our behalf under written data processing agreements:

  • Nango — orchestrates OAuth flows and stores refresh and access tokens for your connected services.
  • Amazon Web Services (AWS) — hosts our application infrastructure (EKS, RDS, S3) in the United States.
  • Vercel — hosts our customer-facing web properties.
  • Clerk — provides user authentication and session management.
  • Neon — provides our managed PostgreSQL databases.

We may also disclose information to comply with valid legal process, to enforce our terms, or to protect the rights, safety, or property of Spike Labs, our users, or others.

Data retention and deletion

Account information is retained for as long as your account is active. Data accessed via a third-party connection is retained only for as long as the connection is active. When you disconnect an integration in one of our applications, we delete the cached data and the OAuth tokens associated with that connection within 30 days.

You can revoke our access to your Google account at any time via Google’s third-party access page. You can request deletion of your Spike Labs account by emailing legal@spikelabsinc.com; we will delete your personal information within 30 days, subject to legal retention obligations.

Security

Data is encrypted in transit (TLS 1.2+) and at rest. OAuth refresh and access tokens are stored by our integration provider (Nango) and are accessible to our backend services via short-lived API credentials. We restrict employee access to production data and audit access logs.

Your rights

Depending on where you live, you may have the right to access, correct, delete, or port your personal information, or to object to or restrict certain processing. To exercise any of these rights, email legal@spikelabsinc.com.

Children

The Services are not directed to children under 13, and we do not knowingly collect personal information from children under 13. SchoolHand may be deployed in school settings under separate contracts that govern student data; in those cases the school district is the data controller for student information.

Changes to this policy

We may update this policy from time to time. When we do, we’ll update the “Effective” date above and, for material changes, notify users in-app or by email.

Contact

Spike Labs, Inc.
Email: legal@spikelabsinc.com