This is the privacy policy for Spring, a feelings card deck and emotional self-reflection app. Because Spring asks you to record and reflect on your emotions, the data you create in Spring is what most privacy laws classify as mental-health data (GDPR Art. 9 special-category data; CCPA/CPRA sensitive personal information; Washington Consumer Health Data under MHMDA). Sensitive purposes that involve your mental-health data are subject to explicit, separately-collected consent before they are activated. The Terms of Use and EULA also apply.
Spring is not a medical device, not a substitute for professional mental-health care, and not for use in a crisis. If you are in crisis, contact your local emergency services or a mental-health helpline.
Who we are
Spring is operated by Chai Magal, sole proprietor, Shani 4, Modiin, Israel. We are the data controller. For privacy questions, including consent withdrawal for mental-health data uses, write to support@chaimagal.com.
What we may collect
| Category | Includes |
|---|---|
| Account | Email, hashed password, sign-in tokens, sign-up time |
| Journal entries (mental-health data) | Feeling, classification, category, optional note, drawn-at timestamp; responses to prompted emotion questions |
| Reflection content (mental-health data) | Free-text notes, prompts you respond to, tags you select |
| Communications | Support emails, in-app feedback, ratings |
| Usage | Feature interactions, session timing, errors, device/OS, language, time zone |
| Purchase status | Store receipt ID, product ID, subscription state |
| Inferred data | Mood patterns, segments, propensities derived from the above |
Mental-health data
Spring asks you to record how you feel — and that information is mental-health data. We process mental-health data only for the purposes you have explicitly consented to in the app or in this policy. Sensitive purposes — using mental-health data for AI training, advertising targeting, sharing with non-essential third parties, or selling — require separate, granular, affirmative opt-in and can be revoked at any time in Settings. The strictly-necessary purpose of operating the journal and card features you use does not require a separate opt-in beyond your use of the app.
Why we use it
We may process personal data for any of the following purposes (sensitive purposes applied to mental-health data require separate explicit consent, as described in section 3, "Mental-health data"):
- Operating the app and the journal/card/reflection features you use; cross-device sync.
- Detecting and preventing abuse, fraud, scraping, and security incidents.
- Customer support and product feedback.
- Marketing communications where you opt in or where we have a legitimate interest balanced against your rights.
- Personalization, recommendations, and contextual content.
- Analytics, A/B testing, performance, error reporting, and user research.
- Building, training, fine-tuning, evaluating, and improving artificial-intelligence and machine-learning models — own and third-party — including via human review of representative samples (sensitive-purpose, requires explicit opt-in for mental-health data).
- Serving, measuring, and personalizing advertising and marketing, including for cross-context behavioral advertising (sensitive-purpose for mental-health data; requires explicit opt-in).
- Sharing with affiliates, present or future, and with successors in mergers, acquisitions, financing, asset sales, restructurings, or insolvency.
- Generating de-identified, aggregated, or anonymized data, which we may use, disclose, license, or sell for any purpose without further restriction.
- Compliance with law, including tax, accounting, regulator response, and breach notification.
- Any other purpose disclosed at the point of collection or to which you consent.
AI and machine learning
Today, the in-app suggestion and any on-device summary are produced by Gemma 3 270M-IT, a small language model by Google running on your phone. Nothing about the prompt or reply leaves the device for those features. The Gemma model is provided under Google's Gemma Terms of Use at ai.google.dev/gemma/terms.
We may add cloud-based AI features and may use the content you provide — prompts, outputs, journal entries, mood data, reflections — to train, fine-tune, evaluate, and improve our and third-party AI/ML models, including via human review of representative samples by our personnel or contractors under confidentiality. Categories of AI providers we may engage are listed below; specific providers may change over time. Use of your mental-health data for AI training is a sensitive purpose and requires explicit, separately-collected opt-in consent that you can revoke at any time.
Where your data lives
Today, account and journal data live on Supabase (Ireland / EU), in a Postgres database with row-level security keying every row to your user ID. Data is protected by TLS in transit and encryption at rest. We may add or change cloud providers; categories of recipients are listed below.
Who we may share with
We may disclose personal data, in the categories above, to:
- Cloud, hosting, content-delivery, storage, backup, email, customer-support, and similar infrastructure providers (today: Supabase).
- Apple and Google — app distribution and in-app purchase processing.
- Analytics, error-reporting, observability, and product-research providers.
- Artificial-intelligence and machine-learning model providers, prompt-evaluation services, and human-review contractors (mental-health-data sharing requires explicit opt-in).
- Advertising networks, ad-measurement, attribution, retargeting, and marketing-automation providers, including for cross-context behavioral advertising (mental-health-data sharing requires explicit opt-in).
- Marketing-list providers, customer-data platforms, and email-delivery services.
- Push-notification gateways and consent-management platforms.
- Professional advisors — lawyers, accountants, auditors, insurers, consultants.
- Authorities, regulators, courts, and law enforcement, where we are legally compelled or where, in good faith, we believe disclosure is necessary to comply with legal process or to protect rights, property, or safety.
- Affiliates, present or future, and successors in mergers, acquisitions, financing, asset sales, restructurings, or insolvency proceedings.
- Other recipients to whom you direct us to share or to whom you consent.
Subscriptions and payments
Spring is free to install. Paid features may be offered as a one-time purchase or recurring subscription processed exclusively through the App Store or Google Play. We do not see or store card or bank details. Subscriptions auto-renew under the store's terms; you cancel in your Apple ID or Google account. Statutory withdrawal and cancellation rights (the EU 14-day right of withdrawal, the UK Consumer Contracts Regulations 2013, the Israeli Consumer Protection Law 5741-1981, California's Automatic Renewal Law, and Australian Consumer Law guarantees) are unaffected.
Advertising
Spring may, now or in the future, display advertising. Where ads are enabled we may work with third-party ad networks, ad-measurement, attribution, retargeting, and marketing partners, including for cross-context behavioral advertising as defined under California privacy law. We do not permit ad partners to target ads to you based on sensitive categories (mental-health, health, religion, political views, sexual orientation, precise geolocation) derivable from Spring. Use of mental-health data for advertising requires explicit opt-in. Users in the EU, EEA, UK, and Brazil will see an in-app consent prompt before non-essential ad tracking. Users in California and similar US states have a "Do Not Sell or Share My Personal Information" control in Settings; we honor Global Privacy Control (GPC) signals.
International transfers
Account and journal data are stored in the European Union. The European Commission has recognized Israel as providing an adequate level of data protection. Transfers outside the EU/EEA and Israel (for example, to a US-based AI provider) are covered by an adequacy decision where one applies, or by the European Commission's 2021 Standard Contractual Clauses, the UK International Data Transfer Addendum, and equivalent safeguards.
Retention and deletion
Journal entries and reflections live until you delete them. Delete your account in Settings and every record is removed within 30 days. Backups containing your data roll off on their own lifecycle (up to 35 days). We may retain limited records as required for tax, accounting, fraud prevention, or defense of legal claims (typically up to seven years from last activity), and we may keep de-identified or aggregated data indefinitely.
Your rights
Subject to applicable law you have the right to access, rectify, delete, port, restrict, and object to processing of your personal data; to withdraw consent (without affecting processing already done); and to lodge a complaint with a supervisory authority. Most rights can be exercised in-app; for the rest, email support@chaimagal.com. We respond within 30 days under GDPR (extendable to 60 with notice); 45 days under CCPA (extendable once).
California rights and consumer health data
California residents have additional rights under CCPA/CPRA: access, deletion, correction, opt-out of "sale" or "sharing," limit use of sensitive personal information (including mental-health data), and non-discrimination. We honor Global Privacy Control (GPC) signals. To opt out by email, write to support@chaimagal.com with the subject "Do Not Sell or Share."
Washington residents (and others covered by the My Health My Data Act) have rights to access, delete, withdraw consent for, and receive notice about our processing of consumer health data, including mental-health data. Sales of consumer health data require separate, signed valid authorization; we do not sell consumer health data.
Minors
Spring is intended for users 13 and older. Where the age of digital consent in your jurisdiction is higher (e.g. 16 in Germany, Ireland, the Netherlands, Poland, and several other EU member states), users below that age need parental consent. In California, users between 13 and 15 must opt in to "sale" or "sharing" rather than opt out. We do not knowingly collect personal data from children under 13.
What we will not do
We will not:
- Sell raw, identifiable personal data — including consumer health data and mental-health data — to data brokers (we may sell de-identified or aggregated data).
- Share personal data with insurers, employers, or law enforcement absent valid legal process or your consent.
- Use personal data for political-advertising targeting.
Security and changes
We protect data with TLS in transit, short-lived rotating tokens, row-level security at the database, and encryption at rest. If we become aware of a breach likely to result in a risk to your rights and freedoms, we will notify the supervisory authority within 72 hours where required and notify you without undue delay.
We may update this policy. The "Updated" date at the top reflects the latest revision. For material changes we will notify you in-app and, where we hold a verified email, by email, before the change takes effect.