Privacy Policy
Last updated: March 19, 2026
SpiderLabs is committed to protecting your privacy and ensuring the security of your data. This policy explains how we collect, use, and safeguard your information.
- GDPR Compliant: EU data protection
- CCPA Compliant: California privacy rights
- HIPAA Ready: Healthcare compliance
1. Information We Collect
Business Information
- Business name, industry, and location
- Business hours and service offerings
- Phone numbers and contact information
- CRM integration credentials (encrypted)
Call Data
- Call recordings and transcripts
- Caller phone numbers and contact details
- AI-generated summaries and insights
- Tags, sentiment scores, and extracted data
Usage Information
- Dashboard activity and feature usage
- Device information and browser type
- IP addresses and geolocation data
- Performance metrics and error logs
2. How We Use Your Information
We use your information to:
- Provide AI receptionist services and call handling
- Generate transcripts, summaries, and insights
- Integrate with your CRM and business tools
- Send appointment confirmations and notifications
- Improve our AI models and service quality
- Detect fraud and ensure platform security
- Comply with legal obligations
3. Data Sharing and Third Parties
We work with trusted service providers to deliver our platform. Your data may be shared with:
Infrastructure Providers
- Twilio: Phone number provisioning and SMS (BAA signed for HIPAA)
- Retell AI: Voice processing and transcription (BAA signed for HIPAA)
- Supabase: Database hosting (encrypted at rest)
- Workflow infrastructure providers: Internal automation and background job processing
AI and Analytics
- OpenRouter/Gemini: AI analysis and summarization
- Merge.dev: CRM integrations (your CRM credentials stored encrypted)
Payment Processing
- Stripe: Payment processing (PCI-DSS Level 1 certified)
We never sell your data to third parties. All providers are contractually obligated to protect your data.
4. Data Security
We implement industry-standard security measures:
- Encryption: All data encrypted in transit (TLS 1.3) and at rest (AES-256)
- Access Control: Multi-tenant architecture with Row Level Security (RLS)
- Authentication: Supabase Auth with email verification and session management
- Monitoring: Real-time security monitoring and anomaly detection
- Backups: Daily encrypted backups with 90-day retention
- Compliance: Regular security audits and penetration testing
5. Data Retention
- Call recordings: 90 days by default (configurable: 7 years for legal/medical)
- Transcripts: Retained as long as your account is active
- Contact data: Retained until you delete or request removal
- Account data: Deleted within 30 days of account closure
6. Your Privacy Rights
You have the right to:
- Access Your Data: Request a copy of all data we have about you
- Delete Your Data: Request permanent deletion of your account and data
- Correct Your Data: Update inaccurate or incomplete information
- Data Portability: Export your data in a machine-readable format
To exercise your rights: Email privacy@spiderlabs.com or use the "Delete My Data" button in your dashboard settings.
7. Cookies and Tracking
We use cookies for authentication, preferences, and analytics. See our Cookie Policy for details.
- Essential cookies: Required for login and security (cannot be disabled)
- Functional cookies: Remember your preferences (theme, language)
- Analytics cookies: Help us improve the platform (optional)
8. Industry-Specific Compliance
Healthcare (HIPAA)
For dental and medical spa clients, we are HIPAA-compliant:
- Business Associate Agreements (BAAs) signed with Twilio and Retell AI
- Call recordings encrypted with AES-256
- Access logs maintained for all PHI (Protected Health Information)
- 7-year retention for medical records (configurable)
Payment Data (PCI-DSS)
For restaurants accepting phone payments:
- We never store credit card numbers (Twilio/Stripe handles all card data)
- PCI-DSS Level 1 compliance via Stripe and Twilio <Pay>
- Only last 4 digits and transaction status shown in dashboard
9. Children's Privacy
SpiderLabs is a business-to-business service. We do not knowingly collect information from children under 13. If a call is received from a minor, it is incidental to providing services to our business clients.
10. International Data Transfers
Your data is primarily stored in US data centers (AWS US-West-2 via Supabase). For EU clients, we ensure:
- Standard Contractual Clauses (SCCs) for EU-US data transfers
- GDPR-compliant data processing agreements
- Right to request EU-only data residency (Enterprise plan)
11. Changes to This Policy
We may update this Privacy Policy periodically. Material changes will be announced via:
- Email notification to your account email
- In-dashboard notification banner
- Updated "Last modified" date at the top of this page
Continued use of SpiderLabs after changes constitutes acceptance of the updated policy.
Contact Us
For privacy-related questions, data requests, or concerns:
Email: privacy@spiderlabs.com
Data Protection Officer: dpo@spiderlabs.com
Address: SpiderLabs Inc., 123 Main St, San Francisco, CA 94105