What this site collects. What the graph processes. How to opt out. No legalese.
This privacy notice covers this website (thespine.tech and its subdomains) and the identity graph we operate behind the customer login at app.thespine.tech. The two surfaces have different data-handling rules; both are covered here.
Data controller for site visitors: thespine.tech. Data processor for customer identity data inside the graph: thespine.tech, operating under each customer's Data Processing Addendum.
When you visit this site, we collect:
Browser signal. If your browser sends Global Privacy Control or Do Not Track, we treat it as a signal to suppress non-essential analytics and attribution. Standard browser cookie controls also work to clear or block site cookies.
Cookie banner. When the cookie banner is present, you can accept or reject non-essential cookies through it and revisit your choice any time. (We're rolling out the banner as part of the consent stack; until then, browser-level controls and the GPC/DNT signals above are honored.)
Email us. For deletion of any data you've submitted (form fills, conversations), email privacy@thespine.tech. We action deletion requests within seventy-two hours.
Inside the graph (app.thespine.tech), we process customer identity data — emails, phones, addresses, hashed identifiers, ad-tech IDs — on behalf of each customer under a signed Data Processing Addendum.
Each customer's data is logically isolated. Data is encrypted at rest (AES-256) and in transit (TLS 1.3). Regional data residency is available on request. Our SOC 2 Type II report is available under our standard NDA.
End-user rights (your customer's customers — the individuals whose identity sits in the graph): right of access, correction, deletion, and objection. Requests route through the customer (data controller); we provide tooling to action them.
A right-to-be-forgotten request resolves the identifier (email, phone, hashed ID) to its entity, then removes the entity and every edge it touches in the same transaction. There is no separate "deletion list" — the entity is gone, and the next continual refresh treats the source records as if they were never there.
We produce an audit trail showing what was removed, when, and by whose authority. Your DPO can hand the trail to a regulator without translation.
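To make the deletion model above concrete, here is an added illustration of the transactional shape it describes: resolve an identifier to its entity, delete the entity and every edge it touches, and write the audit row, all in one transaction, so a deletion without an audit record (or an audit record without a deletion) cannot exist. This is example code, not TheSPINE's implementation; the SQLite schema, the table names, the hypothetical customers "acme" and "globex", and the sample people are constructed for the example.

```python
"""Right-to-be-forgotten on an identity graph, shown on SQLite.

Added example, not TheSPINE code. Schema, customers and sample data are
constructed for illustration. The point is the transaction boundary: the
entity, its identifiers, its edges and the audit row change together or
not at all, and there is no separate "deletion list" to keep in sync.
"""
import hashlib
import json
import sqlite3
from datetime import datetime, timezone

SCHEMA = """
CREATE TABLE entity (id INTEGER PRIMARY KEY, customer TEXT NOT NULL);
CREATE TABLE identifier (
    kind TEXT NOT NULL,                 -- 'email', 'phone', 'hashed_id', ...
    value_hash TEXT NOT NULL,           -- sha256 of the normalised value
    entity_id INTEGER NOT NULL REFERENCES entity(id),
    PRIMARY KEY (kind, value_hash));
CREATE TABLE edge (src INTEGER NOT NULL, dst INTEGER NOT NULL, kind TEXT NOT NULL);
CREATE TABLE audit (
    ts TEXT NOT NULL,
    customer TEXT NOT NULL,
    authority TEXT NOT NULL CHECK (authority <> ''),  -- "by whose authority" is mandatory
    removed TEXT NOT NULL);             -- JSON summary, never the raw identifiers
"""


def id_hash(kind: str, value: str) -> str:
    """Normalise, then hash, so lookups do not depend on casing or formatting."""
    if kind == "email":
        norm = value.strip().lower()
    elif kind == "phone":
        norm = "".join(ch for ch in value if ch.isdigit())
    else:
        norm = value.strip()
    return hashlib.sha256(f"{kind}:{norm}".encode()).hexdigest()


def open_graph() -> sqlite3.Connection:
    """Constructed sample graph: three 'acme' people and one 'globex' person."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO entity VALUES (?, ?)",
                     [(1, "acme"), (2, "acme"), (3, "acme"), (4, "globex")])
    conn.executemany("INSERT INTO identifier VALUES (?, ?, ?)", [
        ("email", id_hash("email", "Alice@Example.com"), 1),
        ("phone", id_hash("phone", "+1 (555) 010-0001"), 1),
        ("email", id_hash("email", "bob@example.com"), 2),
        ("email", id_hash("email", "carol@example.com"), 3),
        ("email", id_hash("email", "dave@example.net"), 4),
    ])
    conn.executemany("INSERT INTO edge VALUES (?, ?, ?)",
                     [(1, 2, "household"), (2, 1, "household"), (2, 3, "device_share")])
    conn.commit()
    return conn


def erase(conn: sqlite3.Connection, customer: str, kind: str, value: str, authority: str) -> dict:
    """Resolve identifier -> entity within ONE customer's data, remove the entity
    and every edge it touches, and record the audit row, all in one transaction.
    Any failure (including a missing authority) raises and rolls everything back."""
    h = id_hash(kind, value)
    with conn:  # sqlite3: COMMIT on normal exit, ROLLBACK on exception
        row = conn.execute(
            "SELECT e.id FROM identifier i JOIN entity e ON e.id = i.entity_id "
            "WHERE i.kind = ? AND i.value_hash = ? AND e.customer = ?",
            (kind, h, customer)).fetchone()
        if row is None:  # scoped to the customer, so one tenant cannot probe another
            raise LookupError("no entity for that identifier in this customer's data")
        eid = row[0]
        kinds = [r[0] for r in conn.execute(
            "SELECT kind FROM identifier WHERE entity_id = ? ORDER BY kind", (eid,))]
        n_edges = conn.execute(
            "SELECT COUNT(*) FROM edge WHERE src = ? OR dst = ?", (eid, eid)).fetchone()[0]
        conn.execute("DELETE FROM edge WHERE src = ? OR dst = ?", (eid, eid))
        conn.execute("DELETE FROM identifier WHERE entity_id = ?", (eid,))
        conn.execute("DELETE FROM entity WHERE id = ?", (eid,))
        summary = {"entity_id": eid, "identifiers": kinds,
                   "edges_removed": n_edges, "requested_via": kind}
        conn.execute("INSERT INTO audit VALUES (?, ?, ?, ?)",
                     (datetime.now(timezone.utc).isoformat(), customer, authority,
                      json.dumps(summary)))
    return summary


def entity_exists(conn, eid) -> bool:
    return conn.execute("SELECT 1 FROM entity WHERE id = ?", (eid,)).fetchone() is not None


def edge_count(conn, eid) -> int:
    return conn.execute("SELECT COUNT(*) FROM edge WHERE src = ? OR dst = ?",
                        (eid, eid)).fetchone()[0]


def audit_rows(conn) -> list:
    return conn.execute("SELECT customer, authority, removed FROM audit").fetchall()


if __name__ == "__main__":
    g = open_graph()
    print(erase(g, "acme", "email", "alice@example.com", authority="dsar-0001"))
    print(audit_rows(g))
```

Two design choices worth noting: the lookup is filtered by customer in the same query, so a request from one tenant for another tenant's identifier resolves to nothing rather than leaking that the person exists; and the audit row stores identifier kinds and counts, not the hashed values, so the trail a DPO hands to a regulator is not itself a copy of the data that was just erased.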
We use subprocessors in the following categories: cloud hosting (AWS), edge delivery (CloudFront), privacy-respecting analytics, ads attribution, CRM & sales workflow, email + transactional messaging, and error monitoring. The current named list and any changes (with thirty days' notice) are in our DPA. Email trust@thespine.tech for the named list under NDA.
California (CCPA / CPRA). You have the right to know, delete, correct, and limit use of sensitive personal information. You also have the right to opt out of "sale" and "sharing" of personal information. We do not sell personal information for money, and we do not share it for cross-context behavioral advertising in the way the statute defines "sharing." To confirm, exercise, or appeal any of these rights, use the Do Not Sell or Share My Personal Information link.
EU / UK (GDPR + UK GDPR). Legal bases we rely on: legitimate interests (operating + improving the website, security, fraud prevention), consent (analytics + marketing cookies where required), contract (responding to access requests and customer onboarding), and legal obligation (tax, audit, regulator response). You have the rights to access, rectification, erasure, restriction, portability, and objection (Articles 15–22). EU/UK residents may lodge a complaint with their supervisory authority.
Cross-border transfers. When data moves out of the EEA, UK, or Switzerland, we use Standard Contractual Clauses (SCCs) or the UK International Data Transfer Addendum. Customer-tier transfers are addressed in the DPA.
Retention. Server logs: 30 days. Form submissions: until the conversation ends + 12 months for sales follow-up, or 72 hours after deletion request. Cookies: per the cookie type (session vs. persistent up to 13 months max). Analytics aggregates: 26 months. Customer identity data inside the graph: per the customer's DPA and customer-set retention rules.
Children & sensitive categories. The website and TheSPINE application are not directed at children under 16. Sensitive personal data (special categories under GDPR; SPI under CCPA) is not knowingly processed on the marketing surface. Customer-tier handling of sensitive categories is governed by the DPA and is a customer-configuration decision.
privacy@thespine.tech — site visitor data requests, opt-outs, deletion of forms and conversations.
trust@thespine.tech — security questionnaires, DPA requests, subprocessor list, SOC 2 letter, vendor due diligence.
hello@thespine.tech — everything else.