Privacy Policy
Last updated June 4, 2026 · SpiralDeck, a product of MicroPyramid
SpiralDeck is project management and a desktop work tracker built by MicroPyramid. This policy explains what we collect, why, how we protect it, and the control you have over it — in plain language, without the legalese theatre.
Who we are
SpiralDeck is a multi-tenant software-as-a-service product operated by MicroPyramid. MicroPyramid built SpiralDeck for its own teams over several years before releasing it publicly, so much of what this policy describes is how we already run our own work.
This policy covers the SpiralDeck websites, the web application at app.spiraldeck.com, and the SpiralDeck desktop work tracker. When a customer organisation uses SpiralDeck, that organisation decides what to put into its workspace and who can see it. For that workspace content, the organisation is in control and we act on its behalf. For our own websites and account signups, we are the ones deciding how data is handled.
What we collect
We collect only what we need to run the product and keep it secure.
- Account information — your name, email address, and the workspaces you belong to. We use passwordless sign-in (a one-time link or code), so we don't store a password for you.
- Workspace content — the projects, tasks, comments, documents, chat messages, time logs, files and HR records you and your team create. This is your data; we store and process it to provide the service.
- Usage and device data — basic technical information such as browser type, approximate region, and the actions you take in the app, used to keep it working, secure and fast.
- Work-tracker signals — if your workspace enables the desktop work tracker, anonymized activity signals and any opt-in screenshots, described in detail below.
- Payment information — handled by our payment processor. Card numbers never reach our servers; we keep only a billing reference and your plan details.
- Messages to us — anything you send when you contact support, sales or security.
The desktop work tracker
The desktop work tracker is the part of SpiralDeck people care most about, so we hold it to a strict standard. It is opt-in and its status is always visible while it runs.
- It records anonymized signals — activity counts and application or window titles — to ground time and reporting in what actually happened.
- It never captures raw keystrokes, clipboard contents, file contents, full URL paths, or the contents of your screen's documents. There is no code path that reads them.
- Screenshots are only captured when a workspace explicitly turns them on, and they are encrypted before storage.
- You can review your own captured data, and an administrator cannot silently enable capture for past periods.
Read the desktop work tracker and security pages for how this is enforced in the architecture.
How we use information
We use the information above to:
- provide, maintain and improve the product and its features;
- authenticate you and keep accounts and workspaces secure;
- generate the reports, time logs and insights you ask the product to produce;
- respond to your support, sales and security requests;
- detect, prevent and investigate abuse, fraud and security incidents;
- send you essential service messages, and product updates you can opt out of.
We do not sell your personal information, and we do not show third-party advertising in the product.
How we share information
We share data only in these limited situations:
- Service providers — vetted infrastructure, hosting, payment and communication providers that process data on our behalf, under contract, only to run the service. We keep this set small and deliberate.
- Within your organisation — workspace content is visible to the members and administrators your organisation authorises.
- Legal and safety — when we are required by valid legal process, or to protect the rights, safety and security of users, the public or SpiralDeck.
- Business changes — if MicroPyramid is involved in a merger, acquisition or asset sale, data may transfer as part of that transaction, subject to this policy.
How long we keep it
We keep workspace content for as long as your workspace is active, and for a bounded, documented window afterwards so you can recover from mistakes. Work-tracker data has configurable retention set by your workspace. When you delete data, the deletion propagates to backups within the documented window. Account records tied to billing or legal obligations may be kept longer where we are required to.
How we protect it
Security is built into the architecture, not bolted on. In short: every tenant's data is isolated in the database with row-level security that fails closed; every request re-checks who you are, your role and your access; the desktop app is treated as untrusted and validated on the server; and captured screenshots and activity data are encrypted at rest with per-tenant keys, stored apart from their metadata. The full model is on the security page.
Your choices & controls
Whoever you are and wherever you are, you can:
- Access the personal data we hold about you;
- Correct information that is wrong or out of date;
- Export your data in a portable format;
- Delete your account and request erasure of your personal data;
- Object to or limit certain processing, and opt out of non-essential email.
Much of this is self-serve in the app's admin surface. For anything else, email hi@spiraldeck.com and we'll help. If your data lives in a workspace run by your employer or client, we may direct your request to them, since they control that workspace.
Where your data lives
SpiralDeck runs on cloud infrastructure, and your data may be processed in regions where we or our providers operate. When data moves across borders, we rely on appropriate, recognised safeguards to protect it. Workspace data residency options are available as the product reaches general availability.
AI and your data
AI-assisted features are deferred to a later release and are not part of the current product. When they arrive, the commitment holds: we do not train shared models on your data. Any per-tenant model adapters, if ever introduced, stay isolated to that tenant.
Children
SpiralDeck is a workplace tool intended for people aged 16 and older. It is not directed at children, and we don't knowingly collect data from them.
Changes
As the product grows we'll update this policy. When changes are material, we'll update the date above and let you know in the product or by email before they take effect. Continuing to use SpiralDeck after a change means you accept the updated policy.
Contact
Questions, requests or concerns about privacy? Email hi@spiraldeck.com and a human will answer. See also our Terms of Service and Data Processing Addendum.