Privacy Policy

1. Introduction

1.1 This policy describes what information we collect when you use Spill’s sites, services, therapy, and content (“Services”). It also provides information about how we store, transfer, use, and delete that information, and what choices you have with respect to the information. This policy is designed to ensure that we safely handle your personal data in accordance with relevant regulations and legislation such as the EU General Data Protection Regulations 2018 (“GDPR”). These privacy rules explain what data we may collect from you, what we will do with that data.

1.2 This policy applies to Spill’s main website, Spill’s content portals, and other Spill websites (collectively “the Websites”), as well as other interactions you may have with Spill (e.g. customer support conversations etc).

1.3 This policy applies where we are acting as a Data Controller with respect to the personal data of users of our Services; in other words, where we determine the purposes and means of the processing of that personal data. For content and data that you upload to or make available through the Service (“User Content”), you are responsible for ensuring this content is in accordance with our Terms of Service, and that the content is not violating other users’ privacy.

1.4 In this policy, "we", "us" and "our" refer to Spill App Limited. Further details about us can be found below, in section 10 of this Privacy Policy.

2. How we collect, process and store information

2.1 We in Spill are committed to safeguarding the privacy of our users. Our business model is to provide a service to users who need to access mental health support that is paid for by their employer. Therefore, our business model does not rely on widespread collection of general user data. We will only collect and process information that we need to deliver the service to you, and to continue to maintain and develop the service.

2.2 We may collect, store and process various kinds of data, with different legal grounds, as listed below. For the categories of data that require your consent, we will actively ask you for consent before collecting any data. In the rest of this section, we will set out: the general categories of personal data that we may process; the purposes for which we may process personal data; and the legal basis of the processing in each case.

2.3 The following is a list of data we collect, process or store, with the purpose and legal ground listed for each item or group of items having the same purpose and legal ground:

i) User account information. If you choose to book therapy on Spill, you will have to provide your name and pronoun, a valid email address and phone number, your age, your business role, and (optionally) your post code or the area where you live. During the process of booking a therapy session, we also ask for a bit of information about you, such as what brought you to Spill, what you expect from your therapist, what you think your Counsellor needs to know about you or your past that would allow them to help you most effectively and whether you have any experience of therapy. This information helps our Counsellors prepare for the session, so as to make the session as helpful to you as possible. Thus, we require this information in order to deliver the Service to you as user. Processing this information is required for fulfilling the contract we entered into with you, at your request (our Terms of Service) cf. GDPR art. 6 (1) item b.

ii) User transaction data. This is the information we collect when you book a therapy session that you pay for yourself. The transaction data may include your contact details, your credit or debit card details, your billing email, your billing address, and the transaction details. The transaction data may be processed for the purpose of supplying therapy sessions and keeping proper records of those transactions. Processing this information is required for fulfilling the contract we entered into with you, at your request (our Terms of Service) cf. GDPR art. 6 (1) item b. Additionally, this information needs to be retained in order to comply with accounting and tax regulation cf. GDPR art. 6 (1) item c.

iii) User analytics. Like most digital services, our systems automatically collect information about how you use the Spill Platform. This may include your IP address, geographical location, browser type and version, operating system, referral source, length of visit, page views and website navigation paths, as well as information about the timing, frequency and pattern of your use of the Spill Platform. The source of the usage data is our analytics tracking system or the technical log data. We require this information in order to analyse the way people use the Spill Platform and in order to build aggregate quantitative usage reports for the company that paid for your access to the service (e.g. “15 people have used Spill this month”). You cannot be identified from this information. The legal basis for this processing is our legitimate interests cf. GDPR art. 6 (1) item f, namely using this data for the purpose of ensuring the proper administration of our website and business, analyzing the use of the website and services, monitoring and improving our website and services, improving the user experience, preventing abuse, and assisting users with support inquiries.

iv) User enquiry data. This is information you give us when you submit an enquiry or other customer support request at regarding the Spill Platform. Processing this information it is required for performing the contract we entered into with you, at your request (our Terms of Service), as well as our legitimate interest of handling your requests cf. GDPR art. 6 (1) item f.

v) User personal information. This is information you give us during your use of the Spill Platform. Personal Information may include Ask a Therapist questions, personal details, the details of your employment, relationships, health or personal matters, or the search queries you use on the Spill Platform. We do not store any of your personal information. Our Counsellors have been told not to record or take notes of your personal information, except with your express permission (which you do not have to give). Even if you choose to give permission to record personal information, you have a right to ask for it to be erased at any time (except where such information must be retained for legal reasons). All of our Counsellors are bound by UK law and work in compliance with GDPR and the BACP Ethical Guidelines regarding client confidentiality. Processing this information it is required for performing the contract we entered into with you, at your request (our Terms of Service), as well as our legitimate interest of handling your requests cf. GDPR art. 6 (1) item f.

vi) User service and transactional notifications. Sometimes we’ll send you emails about your account, service changes, or new policies. For example, we will send you a confirmation email containing the details of your therapy session. You can’t opt out of this type of “service or transactional” emails (unless you delete your account) as they are necessary information for the Services. The legal grounds for processing this information is that it is required for performing our commitment about communicating changes in plans and pricing to you in the contract we entered into with you, at your request (our Terms of Service) cf. GDPR art. 6 (1) item b, and our legitimate interest of communicating important information about your account to you, cf. GDPR art. 6 (1) item f.

vii) If you choose to enable the feature which makes Spill proactive, then we will give you the option to connect Spill to your Google calendar in order to make it easier for you to select the meeting which you wish to link to Spill. Spill will read a list of meetings from your Google Calendar in order to show these to you as options to choose from, but Spill does not store information about these events. If you select a meeting, Spill will use the video link URL for that event in order to generate a Spill checkin URL. Spill will only process the data you ask us to process and do this as a Processor, enabling Spill proactive on behalf of you, who is the Controller.

2.4 We may process any of your personal data identified in this policy where necessary for administrative purposes including in the exercise or defence of legal claims. The legal basis for this processing is our legitimate interests, namely for administrative record keeping, processing transactions and maintaining business records or for the protection and assertion of our legal rights.

2.5 If you supply any other person's personal data to us, you must do so only if you have the authority of such person to do so and you must comply with any obligations imposed upon you under the Data Protection Regulations.

3. Providing your personal data to others

3.1 We may share information about you with third parties in some circumstances, including:
(1) with your consent;
(2) to a service provider who meets our data protection standards;
(3) when we have a good faith belief it is required by law, such as pursuant to a subpoena or other legal process;
(4) to protect the vital interest of others, when we have reason to believe that doing so will prevent harm to someone or illegal activities.

Our categories of service providers are:
- Hosting/infrastructure/storage providers
- Booking tools providers
- Payment processors
- Analysis tools providers
- Customer Support tools providers
- Internal communication tools providers

Financial transactions relating to our website and services are handled by our payment services provider, Stripe. We share transaction data with our payment services provider to the extent necessary for the purposes of processing your payments, processing refunds, and dealing with complaints and queries relating to such payments and refunds. You can read Stripe’s Privacy Policy here.

In the case where we are involved in a merger, acquisition, bankruptcy, reorganisation or sale of assets such that your information would be transferred or become subject to a different privacy policy, we will notify you in advance and give you the option to delete your data before the transfer.

In addition to the specific disclosures of personal data set out in this Section 3, we may disclose your personal data where such disclosure is necessary for compliance with a legal obligation.

4. International transfers of your personal data

4.1 Since Spill may use third-party software provided by companies based outside of the EU, such as the United States, we may store or transfer data we collect about you to countries outside the European Economic Area (“EEA”), where GDPR does not apply. However, if this happens, we will comply with GDPR requirements for the safe transfer of data to countries outside the EEA and outside the United Kingdom. This means we will only only transfer your personal data if we have put in place appropriate safeguards in respect of the transfer, for example by putting an explicit clause into our contract with the recipient.

You will still be able to request your data to be deleted, in accordance with GDPR, even if your data is stored outside of the EEA.

5. Retaining and deleting personal data

5.1 Personal data that we process for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.

5.2 Transaction information will be retained for a minimum period of 5 years following date of the transaction, and for a maximum period of 10 years following the date of the transaction.

5.3 Personal data that we process for the purpose of booking and scheduling therapy sessions for a minimum of 7 years following the date of the session, and for a maximum period of 10 years following the date of the session. This is based based on our requirements for proper record keeping and accounting and legal purposes.

5.4 In some cases it is not possible for us to specify in advance the periods for which your personal data will be retained. In such cases, we will determine the period of retention based on the following criteria:Account information will be retained until you decide to delete your Spill account.The period of retention of usage information will be determined based on the need for historical data to determine statistical validity and relevance for product decisions and technical monitoring.

5.5 Regardless of the provisions above, we may retain your personal data where such retention is necessary for compliance with a legal obligation to which we are subject, or in order to protect your vital interests or the vital interests of another natural person.

6. Amendments

6.1 We may update this policy from time to time, to reflect changes in legal requirements or changes in the way the Platform works. If we do, we will publish a new version on our website.

We may notify you of changes to this policy by email, if we have your email.

7. Your rights

7.1 As an individual you are granted rights according to the applicable data protection law, listed below. The rights are not absolute, and you may read more about your rights in the EU general data protection regulation Chapter III, or here.
- The right to access to your personal data
- The right to data portability
- The right to rectification of your personal data
- The right to completion of your personal data
- The right to be forgotten; erasure of your data
- The right to restrict processing of your personal data
- The right to object to processing of your personal data
- The right to complain to a supervisory authority
- The right to withdraw consent

7.2 If you have provided your consent to your processing of personal data, you may also withdraw your consent at any time, by emailing We reply within one working day.

7.3 To exercise your rights or if you otherwise have any questions regarding our processing of your personal data, please contact us at We reply within one working day.

7.4 We hereby notify you that, should you have any, you may raise complaints to a Data Protection Authority. As a UK-based company, Spill uses the Information Commissioner’s Office ICO as a supervising Data Protection Authority. Our ICO registration number is ZA459842. You may contact your national or state supervisory authority, but Spill will retain the UK Data Protection Authority as our lead supervisory authority.

8. About cookies

8.1 A cookie is a small text file with an identifier sent by us to your computer or mobile device, and stored in your browser. “Session-based” cookies last only while your browser is open and are then deleted. “Persistent” cookies last until you or your browser deletes them, or they expire. Cookies do not typically contain any personally identifiable information, but may be linked to personal information we store about you.

9. Cookies that we use

9.1 We use cookies to help us analyze the usage patterns and performance of our website and services. We use the service from Google Analytics for this purpose.

9.2 We use cookies to enable easy payment processing and to detect fraud through our payment processor Stripe Payments Europe, Ltd. (“Stripe”).

9.3 You can choose to accept or decline cookies. Most web browsers automatically accept cookies, but you can usually modify your browser setting to decline cookies if you prefer. This may prevent you from taking full advantage of our services.

9.4 We use necessary cookies for the prevention of fraudulent activities and for security purposes.

10. Our details

10.1 This website is owned and operated by Spill App Limited.

We are registered in England and Wales under registration number 10602161, and our registered office is at 9th Floor 107 Cheapside, London, United Kingdom, EC2V 6DN.

Our principal place of business is at Spill, Ministry of Startups, 38 Turner St, Whitechapel, London E1 2AS.

10.4 You can contact us:by post, at 9th Floor 107 Cheapside, London, United Kingdom, EC2V 6DN; orby email, at

10.5 If you wish to contact us to exercise your data rights, ask about Spill's data processing, or submit a query on any other data related matter (including commercial) you may do so by contacting our DPO at

If you’re based in the EU/EEA and are an EU data subject wishing to raise questions about your personal data, you can do so via our GDPR Representative, DataRep: