Mindful Productivity Lab Logo

Mindful Productivity Lab Privacy Policy

Last updated: Sept 23, 2025

Welcome to Mindful Productivity Lab (“MP Lab”). This Privacy Policy explains how we collect, use, and share personal data when you use:

  • our websites and marketing pages, including mindfulproductivity.io, mpl.is, spiralist.ai, and related sub-pages (the “Sites”); and
  • our software and mobile applications, including the Spiralist app for Android and iOS (the “Apps”).

We follow India’s Digital Personal Data Protection Act, 2023 (“DPDPA”) and, until fully in force, the Information Technology Act, 2000 and the SPDI Rules, 2011. Regional add-ons for other countries appear later in this policy.

Who is responsible for your data?

Modularity Labs, Hyderabad, Telangana, India (“Modularity Labs,” “we,” “us,” “our”) is the data fiduciary. Questions or requests: contact our Grievance Officer at privacy@spiralist.ai (use “Grievance Officer” or “Data Protection” in the subject).

What counts as personal data?

“Personal data” means any information that identifies you or can reasonably be linked to you.

What does “processing” mean?

“Processing” covers any use of personal data—collecting, storing, using, sharing, or deleting it.

  • Consent: where you choose to allow specific processing (e.g., marketing cookies).
  • Contract: to provide the Apps/Sites you requested.
  • Legal obligation: where laws require us to keep or disclose data.
  • Legitimate interests: to run, secure, and improve our services (balanced against your rights).

Data we collect

1) Data you provide

  • Account & profile: name, email, password (stored hashed), and any profile details you add.
  • Service Data in Apps: notes, tasks, reminders, bookmarks, documents, files, tags, and related metadata you choose to store. You control what you add and share.
  • Support: information you provide in emails, forms, or tickets.

2) Data we collect automatically

  • Device & usage: IP address, device type/OS, app version, pages/screens viewed, time stamps, crash logs, diagnostics, and basic analytics events.
  • App permissions (if you enable them): notifications, microphone, camera, photos, location, and storage—only to deliver the feature you chose. You can revoke in your device settings.
  • Location (optional): if you turn on location features, we process location/time to provide those features; you can turn this off anytime.

3) Data from platforms & providers

  • App Stores (Google Play, Apple App Store) may process device identifiers, IP, and crash/diagnostic data under their own policies.
  • Firebase (Google) helps us with authentication, analytics/crash reporting, push notifications, and storage; Google may process data as described in their policies.
  • Email & messaging: we use providers such as SendGrid (Twilio) and Substack to send system messages and newsletters (only with your consent where required).

4) Aggregated data

We create aggregated or de-identified statistics to understand usage and improve services. We do not attempt to re-identify aggregated data.

Web & marketing technologies on our Sites

  • Cookies/SDKs: we use cookies and similar tech for essential operations, analytics, and (with consent where required) advertising.
  • Analytics: we may use tools such as Microsoft Clarity and PostHog (and, if added, Google Analytics) to understand site usage (e.g., session replay/heatmaps, page metrics).
  • Meta Pixel & Conversions API (with consent where required): we use the Meta Pixel to measure ad performance and build audiences. If Automatic Advanced Matching is enabled, identifiers you enter (e.g., email or phone) may be hashed in your browser and sent to Meta to improve matching and attribution. We only do this where consent applies (e.g., EU/EEA) and as disclosed here.

Your choices:

  • Our cookie banner lets you Accept or Reject non-essential cookies. We only load analytics/advertising tags (including Meta Pixel/AAM) after consent where law requires it.
  • You can change your preferences anytime via “Cookie settings” on our Sites or your browser controls.

How we use personal data

  • Provide and secure the Apps/Sites (authentication, customer support, debugging).
  • Sync, store, and display your Service Data at your direction.
  • Improve features, performance, and reliability.
  • Send service messages (e.g., account, security, transactional).
  • With your consent where required: send newsletters or marketing; measure and improve ads.

How we share personal data

We share data with service providers (processors) who help us run the Apps/Sites (hosting, storage, analytics, customer support, email delivery, payments). They must follow our instructions and protect your data. We may also share data:

  • with your direction (e.g., integrations you choose),
  • to comply with law, prevent fraud/security incidents, or protect rights,
  • in a merger, acquisition, or asset transfer (with notice where appropriate).

We do not sell your personal data.

Service Data in Spiralist (your content)

When you add content to the Spiralist app, we process it on your behalf and give you tools to:

  • access and export your data,
  • share via integrations you choose, and
  • request deletion. Avoid adding sensitive content you don’t want stored; if you do, you consent to that processing.

Storage & retention

We keep personal data only as long as needed for the purpose collected, to provide the service, or to meet legal/record-keeping duties. When no longer needed, we delete or de-identify it.

Security

We use TLS encryption in transit and apply technical and organizational measures (access controls, least-privilege, logging, backups) to protect data. No method is 100% secure; we work to continually improve.

Data breaches

If a breach occurs that is likely to result in harm, we will notify affected users and, where required, the relevant authority—promptly and with details of our response.

Your rights

Subject to law, you may have rights to access, correct, delete, object/opt-out, withdraw consent, and complain. We will respond within a reasonable time; if we need more than 30 days, we’ll let you know why.

How to exercise your rights: email privacy@spiralist.ai.

Region-specific information

United States

We aim to apply a consistent baseline aligned with state privacy laws (e.g., CA, CO, CT, DE, FL, IN, IA, MT, OR, TN, TX, UT, VA). US users may have rights to know/access, delete, correct, non-discrimination, and, for sensitive data, to limit use/disclosure.

  • Shine the Light (CA): request our practices about sharing with third parties for their direct marketing.
  • COPPA: we do not market to children under 13.
  • CAN-SPAM/TCPA: opt-out of emails/SMS anytime.

Canada & Mexico

We follow PIPEDA (Canada) and LFPDPPP (Mexico). Users may withdraw consent, request access/correction/deletion/deactivation, or submit a complaint to their privacy authority.

Australia

We align with the Privacy Act and Australian Privacy Principles. You may request access, correction, deletion, portability, objection, and withdrawal of consent, and complain to OAIC.

Children

Our services are not directed to children, and we do not knowingly collect personal data from children.

Changes to this policy

If we change this policy, we’ll update the “Last updated” date and post the new version here.

Contact & grievance redressal

If you have questions or concerns, contact our Grievance Officer: privacy@spiralist.ai (use “Grievance Officer” or “Data Protection” in the subject).