privacy policy

// effective 2026-05-28 // last updated 2026-05-28 // contact aarnav@spndly.ai

Spndly (“Spndly,” “we,” “us”) is an operations engineering company building systems for healthcare and insurance operations. This page describes what data we handle and how. Questions: aarnav@spndly.ai.

a what this policy covers

This policy describes how Spndly collects, uses, and protects information across (a) our website spndly.ai, and (b) the automation services we deliver to our clients. It does not cover our clients’ own privacy practices, or third-party sites we link to.

b what we collect

We collect three kinds of information, each handled differently.

Website data

When you visit spndly.ai we collect standard server-side analytics: pages viewed, referrer URL, country derived from IP, timestamps. We do not use third-party advertising cookies or device fingerprinting.

Intake data

When you submit our “map a workflow” form, we collect your name, work email, business name, the tools you use, and any free text you choose to share. We use this only to respond to your inquiry.

Operational data

When we deliver an automation for you, we may handle data that flows through the automation. The exact scope is named in the applicable engagement agreement, data processing terms, or Business Associate Agreement where one is required.

c healthcare data (PHI)

For healthcare workflows, Spndly handles Protected Health Information (“PHI”) only when the applicable agreement permits it and the required healthcare data terms are in place.

What we access

Clinical documentation, diagnoses, encounters, patient demographics, or related operational data — only the minimum necessary to deliver the contracted automation, and only when the provider has authorized the access.

How we access it

Read-only. Through standards-based APIs such as FHIR under explicit provider authorization, or via tools the provider has installed within their own environment.

What we do with it

We use it to generate the contracted output — for example, suggested billing codes derived from a completed SOAP note. The provider reviews and approves every output before it is acted upon. Spndly does not auto-submit claims, modify the chart, or take any clinical action.

Where it goes

Our infrastructure and the named subprocessors approved for the engagement. PHI is not used to train models without the provider’s explicit, informed, written consent.

Retention

Minimum necessary for the contracted purpose. Deletion and retention are handled according to the applicable agreement and legal retention requirements.

BAA

Spndly will not access PHI unless the required Business Associate Agreement or equivalent healthcare data terms are in place.

d insurance data

For insurance and claims-related workflows, Spndly may handle claim documentation, reports, photos, evidence files, and supporting operational data under the applicable engagement agreement or data processing terms. We do not train on client data without explicit consent.

e how we use data

We use the data we collect to:

  • deliver and operate the automation contracted by our clients
  • respond to inquiries and provide support
  • improve the specific automations we have built for a client
  • comply with our legal obligations

We do not sell data. We do not share data with third parties for advertising. We do not provide data to any party outside the subprocessors listed below.

f subprocessors

The following third parties may process data on our behalf:

  • Anthropic, PBC — model inference for automation outputs where approved for the engagement.
  • Vercel, Inc. — web hosting and edge delivery for spndly.ai and approved customer-facing endpoints.

We do not currently use a third-party website analytics provider. We will update this list as our subprocessors change.

g security

Spndly uses reasonable technical and organizational safeguards, including:

  • TLS for data in transit where Spndly controls the connection
  • Encryption at rest where supported by the hosting or storage provider
  • Minimum-necessary access — staff have access only to the data they need
  • Access logging on PHI and other sensitive data
  • Regular review of access privileges

Spndly is not currently SOC 2 certified and does not claim a formal security certification. Security commitments for a specific engagement should be documented in that engagement’s agreement.

h your rights

You have the right to:

  • Access — request a copy of the personal data we hold about you
  • Correction — ask us to correct inaccuracies
  • Deletion — ask us to delete your data, subject to legal retention requirements

For patients of healthcare providers using Spndly: Spndly is a Business Associate, not a Covered Entity. Patient rights regarding clinical data are exercised through your provider, not directly with Spndly. We will support your provider in fulfilling any such request.

Send requests to aarnav@spndly.ai.

i children’s data

Spndly’s services are not directed at children under 13. We do not knowingly collect personal data from anyone under 13. If you believe we have collected such data, contact us and we will delete it.

j changes to this policy

We may update this policy from time to time. Updates will be posted at this URL with a new effective date. Material changes to how we handle data will be communicated directly to active clients.

k contact