top of page

Privacy Policy — Spool

Effective Date: March 6, 2026 Last Updated: March 6, 2026

 

The Short Version

Spool handles your personal information the way we'd want our own handled: you control what's kept, we use what we collect only for disclosed purposes, and we never access your data without a reason we'd be comfortable telling you about.

 

1. Introduction

Spool ("Spool," "we," "us," or "our") is an agentic AI execution platform that acts on behalf of verified human users to complete real-world tasks — including making phone calls, scheduling, coordination, and life administration. This Privacy Policy explains how we collect, use, disclose, and protect information about you when you use our website, mobile application, and platform services (collectively, the "Services").

Please read this policy carefully. By using our Services, you agree to the practices described here. If you do not agree, please do not use our Services.

Legal Notice: This Privacy Policy has been prepared to reflect Spool's current practices and applicable law. It is not legal advice. Spool recommends consulting qualified legal counsel before relying on this document for compliance purposes.

 

2. Age Restriction

Spool is not intended for use by children under the age of 13. We do not knowingly collect personal information from anyone under 13. If you are under 13, you may not create an account or use our Services.

If we become aware that we have collected personal information from a child under 13 without verifiable parental consent, we will take immediate steps to delete that information. If you believe we may have inadvertently collected information from a child under 13, please contact us at privacy@tryspool.com.

 

3. Information We Collect

Account Registration & Identity Verification

Because Spool initiates calls and messages on your behalf, we verify your identity before activating telephony features. We collect:

  • Your full legal name

  • Verified email address

  • Verified callback phone number

  • Billing address and payment information (processed via our payment provider — we do not store raw card numbers you provide for your Spool subscription)

  • Government-issued identity information where required for verification

Waitlist Submissions

If you submitted your email to our beta access list, it will be used solely to notify you of beta access opportunities. If you submitted to our newsletter list, it will be used solely to send our newsletter. We will not use waitlist email addresses for any purpose other than the one you specifically opted into, and we will not sell, share, or cross-use them without your separate, express consent.

Task Instructions & Interactions

When you use Spool to execute tasks, we collect the instructions you provide, including task descriptions, recipient contact information you supply, and any context you share to help us complete your tasks.

Communications with Spool

If you contact our support team, submit feedback, or interact with us through any channel, we collect the content of those communications.

Information Collected Automatically

When you use our Services, we automatically collect:

  • Usage data — features accessed, tasks initiated, task completion events, session duration, and interaction logs

  • Device and technical data — IP address, browser type and version, operating system, device identifiers, and referral URLs

  • Log data — server logs, error reports, and performance data

Information Generated by Your Use of the Platform

Call and message records. Every AI-assisted call and message is logged and linked to your verified user ID. Logs include recipient number, timestamp, task mandate, call duration, and confirmation that the required AI identification disclosure was delivered.

Consent affirmation records. When you affirm that a recipient has consented to be contacted on your behalf, we record the timestamp, your user ID, the recipient number, and the exact affirmation text presented to you. These records are retained as the legal basis for subsequent contacts to that number.

Opt-out and suppression records. When a recipient requests that contact cease, we log the trigger phrase, timestamp, scope of suppression applied, and the user-recipient pair affected.

Your context layer. To personalize task execution without requiring you to re-explain yourself each time, Spool maintains a Personal Context Graph associated with your account. See Section 5 for details on how this works and how you control it.

Information from Third Parties

We may receive information from identity verification providers, payment processors, telephony infrastructure partners, and, where you authorize it, third-party services or integrations you connect to your Spool account.

 

4. How We Use Your Information

We use the information we collect to:

  • Create and maintain your account (contract performance)

  • Verify your identity (legal obligation; legitimate interests)

  • Execute tasks on your behalf (contract performance)

  • Maintain compliance logs for calls, consent, and opt-outs (legal obligation; legitimate interests)

  • Improve routing efficiency and task execution quality (legitimate interests)

  • Send transactional communications such as task summaries and account alerts (contract performance)

  • Send marketing communications where you have opted in (consent)

  • Prevent fraud and ensure platform security (legitimate interests; legal obligation)

  • Respond to legal requests (legal obligation)

  • Develop and improve our Services (legitimate interests)

  • Comply with TCPA, FCC, and applicable telephony regulations (legal obligation)

We do not use your personal information to train third-party AI models, sell to data brokers, or engage in behavioral advertising. Full stop.

 

5. Your Context Layer

Your context layer is a curated set of preferences and information Spool has learned about you — things like how you like to communicate, recurring contacts, or standing instructions. It's what allows Spool to act on your behalf without you re-explaining yourself every time.

Your control. Your context layer is visible to you at any time and fully editable. You can add, correct, or remove anything in it. Your context layer persists independently of your conversation logs — deleting a conversation does not delete context extracted from it, but you can manage your context layer directly. Private threads do not write to your context layer, and deleting a private thread permanently deletes information aside from that which we are required to retain for legal, regulatory, or operational purposes.

What we send to third-party tools. When completing a task, we send each tool or AI model only the specific context it needs for that request — not your full context layer or history.

 

6. Conversation Log Retention

When you delete a conversation, we run a brief extraction pass to surface any context worth preserving, unless the thread is marked as private. Conversations are deleted within 24 hours of your deletion to allow this step to complete.

Deleting a conversation deletes its content. Compliance and operational records associated with that conversation — call metadata, consent logs, opt-out records, task success — are retained separately per legal requirements and are not affected by conversation deletion.

 

7. Call Transparency and TCPA Compliance

Spool operates as a technology conduit — we act on your behalf, not independently. Every AI-assisted call discloses at the outset that it is a digital assistant calling on behalf of your verified name. This disclosure is hard-coded and cannot be disabled. All AI-assisted calls to residential landlines are restricted to 9:00 AM – 8:00 PM in the recipient's local time zone. Spool maintains a public Call Recipient Portal that allows anyone who has received a Spool-assisted call to look up who initiated that contact and manage opt-outs.

Looking up a call. To retrieve information about a call you received, you will need to provide:

  • The phone number that was called

  • The Spool number that called you

  • The timestamp of the call

  • A one-time verification code sent by SMS to your number

The SMS step confirms you control the number in question — not just that you know it. This information is used solely to retrieve your call record and is not retained by the portal.

Managing opt-outs. Once verified, you can request that a specific Spool user not contact you again through the platform, or opt out of all Spool-assisted contact entirely. Opt-out requests take effect immediately and are permanent until you affirmatively reverse them through the portal. All opt-out records are retained indefinitely to ensure suppression remains honored.

Reporting a concern. If you believe a Spool-assisted call violated our policies, you can file a report through the portal or contact us directly at compliance@tryspool.com.

All compliance-relevant records are retained for a minimum of four years.

 

8. How We Share Your Information

We do not sell your personal information.

Service providers. We share information with vendors and partners who help us operate the Services, including telephony infrastructure providers, cloud hosting providers, payment processors, identity verification providers, and analytics services. All service providers are bound by data processing agreements and may only use your information to provide services to Spool.

At your direction. When you instruct Spool to contact a third party or complete a task on your behalf, you are directing us to share the information necessary to complete that task with that third party. You can control which information is used to complete tasks in your Memory Manager.

Legal process. We do not share your data with law enforcement or government agencies unless we are legally required to do so by a valid and binding legal demand — such as a court order, subpoena, or warrant. We do not voluntarily cooperate with law enforcement requests that lack legal compulsion. Where we are legally permitted to notify you before producing records, we will.

Business transfers. If Spool is involved in a merger, acquisition, financing, or sale of assets, your information may be transferred as part of that transaction. We will provide notice and, where required, seek consent before your information is transferred and becomes subject to a different privacy policy.

Aggregate and de-identified data. We may share aggregated or de-identified information that cannot reasonably be used to identify you, for research, analytics, or business purposes.

 

9. When Humans Might See Your Data

We don't make a promise that no human will ever see your conversations — because that promise is both unkeepable and, in some cases, the wrong goal. What we commit to instead is that human access to your data happens only under three circumstances, each disclosed here.

1. You reported an issue. If you flag a problem with a task, we may need to review the relevant conversation to understand what went wrong. We will not access your conversation without your indication that there is a problem.

2. A safety flag was triggered. Certain interactions trigger automatic flags for review by our trust and safety team. The specific behaviors that trigger a flag are:

  • Requests to impersonate a government agency, medical professional, legal professional, or financial institution

  • Requests to facilitate wire fraud, money laundering, or other financial crimes

  • Requests to coordinate the purchase, sale, or distribution of controlled substances

  • Requests to knowingly place calls or send messages to a contact who has opted out, via any channel or through any workaround

  • Requests involving threatening, harassing, or stalking language directed at a specific individual

  • Bulk or automated outreach attempts in violation of TCPA

When a flag is triggered, review is scoped to the flagged interaction and directly relevant context — not your full history. You will receive a notification when your account is flagged. If a flag is determined to be a false positive, it is removed from your record.

3. Legal process. We do not share your data with law enforcement or government agencies unless we are legally required to do so by a valid and binding legal demand — such as a court order, subpoena, or warrant. We do not voluntarily cooperate with law enforcement requests that lack legal compulsion. Where we are legally permitted to notify you before producing records, we will.

 

10. Data Retention

Data Type

Retention Period

Account and KYC records

Duration of account + 5 years after closure

Call, message, and task logs

Minimum 4 years (TCPA)

Consent affirmation records

Minimum 4 years

Opt-out and suppression records

Indefinite

Conversation logs

User-controlled (see Section 6)

Personal Context Graph

Duration of account; deleted upon account deletion

Waitlist email addresses

Until waitlist purpose is fulfilled or you unsubscribe

Payment records

As required by applicable financial regulations

Where retention is required by law, including TCPA record-keeping obligations, we will retain data for the legally mandated period regardless of account closure or user preference.

 

11. Data Security

We take security seriously. We implement and maintain administrative, technical, and physical security measures designed to protect your personal information from unauthorized access, disclosure, alteration, and destruction. These include:

  • Encryption of data in transit and at rest

  • Access controls and authentication requirements

  • Tamper-evident audit logging of all compliance-relevant events and all internal access to user data

  • Vendor security assessments — we evaluate third-party infrastructure partners against our security standards before use and do not work with partners who cannot meet those standards

  • Incident response procedures

No security system is impenetrable. In the event of a data breach that triggers notification obligations under applicable law, we will notify affected users and relevant authorities as required.

 

12. Analytics and Cookies

We use Fathom Analytics on our website — a privacy-first analytics tool that does not use cookies, does not track users across sites, and does not collect personally identifiable information. Fathom is GDPR, CCPA, and PECR compliant by design. We do not use marketing cookies or engage in cross-site behavioral tracking.

Our Services use strictly necessary cookies required for core functionality (authentication, security, session management). You can manage these through your browser settings, though doing so may affect the functionality of our Services.

 

13. What We Don't Do

We don't sell your data. We don't share your data with third parties except where operationally necessary to run the product (for example, storing data on cloud infrastructure) or to complete a task you've asked us to perform (for example, passing relevant context from a conversation or your context layer to an AI model to write an email on your behalf) — in both cases, data shared is limited to what's needed for that specific purpose, is encrypted in transit and at rest, and flows only to partners who meet our privacy and security standards.

 

14. Your Rights

Rights for All Users

Regardless of where you live, you may:

  • View and edit your context layer

  • Delete individual conversations

  • Request a copy of the compliance records associated with your account

  • Request access to the personal information we hold about you

  • Request correction of inaccurate information

  • Withdraw consent where processing is based on consent

  • Close your account and request deletion of all data subject to legal retention requirements

  • Lodge a complaint with a relevant supervisory authority

To exercise any of these rights, contact us at privacy@tryspool.com.

California Residents (CCPA / CPRA)

If you are a California resident, you have the:

  • Right to know — request disclosure of the categories and specific pieces of personal information we have collected, the sources, our business purposes, and the categories of third parties with whom we share it

  • Right to delete — request deletion of your personal information, subject to exceptions including our legal obligation to retain telephony compliance records

  • Right to correct inaccurate personal information

  • Right to opt out of sale or sharing — we do not sell or share personal information for cross-context behavioral advertising — no opt-out action is required

  • Right to limit use of sensitive personal information — we use it only as necessary to provide our Services and comply with legal obligations

  • Right to non-discrimination for exercising any of these rights

To exercise these rights, contact us at privacy@tryspool.com or through the in-app privacy request portal. We will respond within 45 days and will verify your identity before processing any request. California residents may also designate an authorized agent to submit requests on their behalf.

California "Shine the Light" Law (Cal. Civil Code § 1798.83): We do not share personal information with third parties for their direct marketing purposes.

EEA, UK, and Swiss Residents (GDPR and UK GDPR)

If you are located in the European Economic Area, United Kingdom, or Switzerland, you have the:

  • Right of access (Article 15 GDPR)

  • Right to rectification (Article 16 GDPR)

  • Right to erasure (Article 17 GDPR) — note that we may be unable to delete data we are legally required to retain, including TCPA compliance records

  • Right to restriction of processing (Article 18 GDPR)

  • Right to data portability (Article 20 GDPR)

  • Right to object (Article 21 GDPR)

  • Rights related to automated decision-making (Article 22 GDPR)

Legal bases for processing. We process personal data only where we have a valid legal basis as described in Section 4. Where we rely on legitimate interests, those interests are operating and improving our Services, preventing fraud, ensuring platform security, and fulfilling our TCPA compliance obligations.

International data transfers. Spool is based in the United States. If you are located outside the United States, your information may be transferred to and processed in the U.S. and other countries. Where we transfer personal data from the EEA, UK, or Switzerland, we rely on appropriate transfer mechanisms, including Standard Contractual Clauses (SCCs) or the UK International Data Transfer Agreement (IDTA), as applicable.

Data Protection Officer. For GDPR-related inquiries, contact our privacy team at privacy@tryspool.com. EEA and UK residents also have the right to lodge a complaint with their local supervisory authority (e.g., in the UK, the Information Commissioner's Office).

 

15. Third-Party Links and Integrations

Our Services may contain links to third-party websites or allow you to connect third-party services to your Spool account. We are not responsible for the privacy practices of those third parties. We encourage you to review the privacy policies of any third-party services you connect or visit.

 

16. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of material changes by posting the updated policy with a new effective date and, where required by law, by providing direct notice via email or in-app notification. We will not apply new data practices to existing data retroactively.

 

17. Contact Us

Purpose

General support ---------------------

Compliance and opt-out matters -

Legal notices ------------------------

Mailing address ---------------------

Address

support@tryspool.com

compliance@tryspool.com

legal@tryspool.com

Spool 

9854 National Blvd. #1416 

Los Angeles, CA 90034

bottom of page