Privacy Policy

SplineAI DrSpline Platform

Effective date: 01-01-2026
Last updated: 01-01-2026

This Privacy Policy explains how SplineAI Tech Private Ltd ("SplineAI," "we," "us," or "our") collects, uses, discloses, and protects Personal Data when you access or use DrSpline Platform (the "Service"), including when the Service is acquired or deployed via Microsoft Azure Marketplace / Microsoft Marketplace and related provisioning experiences (collectively, the "Marketplace").

1) Scope and application

This Privacy Policy applies to:

  • End users, administrators, and other authorized users of the Service ("Users").
  • Customer representatives who interact with us through the Marketplace, sales, onboarding, support, or account management.

This Privacy Policy does not apply to:

  • Microsoft's processing of Personal Data as an independent controller (see Microsoft's privacy statement).
  • Customer's own processing practices within their organization.

2) Definitions

  • "Personal Data" means information that identifies or can reasonably be linked to an individual (directly or indirectly).
  • "Customer Data" means data and content that Customers or Users submit to the Service, including text, files, images, and other inputs, and outputs generated from such inputs.
  • "Customer" means the entity (e.g., company/hospital/clinic) that purchases, subscribes to, or deploys the Service.

3) Roles: Controller vs. Processor

Depending on how the Service is used:

  • Customer as Controller / SplineAI as Processor: Where the Customer provides Customer Data to the Service (e.g., uploads content, configures integrations, submits end-user inputs), the Customer is typically the controller and SplineAI acts as a processor on the Customer's behalf.
  • SplineAI as Controller: We act as controller for account/admin information, billing/contact details, Marketplace lead information, and Service telemetry/security logs that we process for our own legitimate business purposes.

If you require a Data Processing Addendum (DPA) or similar contractual terms, contact us at mabdur@spline.ai.

4) Personal Data we collect

We collect Personal Data from (a) Customers/Users, (b) Marketplace/Microsoft systems (as applicable), and (c) automatically from devices/browsers when you use the Service.

A. Account, identity, and contact data

  • Name, work email, phone number, job title, organization name
  • User IDs and roles in the Service (administrator/user)
  • Authentication identifiers (e.g., enterprise SSO identifiers), as applicable

B. Marketplace and commercial data

  • Marketplace lead/contact details, deployment signals, and subscription/plan metadata that Microsoft shares with publishers for offer operations (as applicable)
  • Billing and transaction-related records (invoices/receipts may be handled by Microsoft or payment processors depending on your commercial setup)

C. Service usage and technical data (telemetry/logs)

  • IP address, device/browser type, operating system, user agent
  • Usage events (feature usage, timestamps), diagnostic logs, crash reports
  • Security logs (authentication events, administrative actions)
  • Approximate location inferred from IP (country/region-level)

D. Customer Data (content submitted to the Service)

Depending on what features your deployment enables, Customer Data may include:

  • Text inputs, documents, datasets, configuration parameters
  • Images/files uploaded for analysis
  • Outputs generated by the Service based on Customer Data (e.g., structured results, reports, recommendations)

Important: The Service may be used in contexts where Customer Data includes sensitive or special-category data (e.g., health-related data). Customers control what they submit and are responsible for ensuring they have appropriate legal basis and notices for such submissions.

E. Support and communications

  • Support tickets, chat/email correspondence, call recordings (if you enable and notify), troubleshooting files you provide
  • Feedback, survey responses

5) How we use Personal Data

We use Personal Data for the following purposes:

  1. Provide and operate the Service - Provision and configure the Service, authenticate users, deliver core functionality, generate outputs from inputs.
  2. Security, integrity, and fraud prevention - Monitor, detect, prevent, and respond to security incidents, abuse, and suspicious activity.
  3. Service improvement and analytics - Diagnose problems, perform performance analysis, improve usability and reliability.
  4. Support and customer success - Respond to inquiries, provide technical support, manage onboarding, and fulfill service requests.
  5. Commercial and administrative purposes - Account management, subscription administration, compliance, audits, billing support, and recordkeeping.
  6. Legal compliance - Meet applicable legal obligations and enforce our terms.

6) Legal bases for processing (where applicable)

Where GDPR/UK GDPR or similar laws apply, we rely on:

  • Contract necessity (to provide the Service and support)
  • Legitimate interests (security, service improvement, communications with business customers)
  • Compliance with legal obligations
  • Consent (where required, e.g., optional marketing communications or certain cookies)

7) How we share Personal Data

We share Personal Data only as needed and consistent with this Privacy Policy:

A. Service providers ("Subprocessors")

We may share Personal Data with vendors who help us deliver the Service, such as:

  • Cloud hosting and infrastructure providers (e.g., Microsoft Azure)
  • Monitoring, logging, and analytics providers
  • Customer support tooling providers
  • Email/communications providers
  • Security vendors

We require these providers to protect Personal Data through contractual obligations.

B. Microsoft Marketplace / Microsoft systems

If you acquire or deploy the Service via the Marketplace, relevant information may flow between Microsoft and SplineAI for provisioning, administration, compliance, and support. Publishers are responsible for their own privacy practices for Customer Data they receive or process.

C. Legal, compliance, and safety

We may disclose information if we believe in good faith that disclosure is necessary to:

  • Comply with law, regulation, legal process, or governmental request
  • Protect the rights, property, or safety of SplineAI, our Customers/Users, or the public
  • Enforce agreements and investigate potential violations

D. Business transfers

If we undergo a merger, acquisition, reorganization, or sale of assets, Personal Data may be transferred as part of that transaction, subject to appropriate protections.

8) International data transfers

Your Personal Data may be processed in countries other than where you reside, depending on your deployment and our vendors' locations. Where required, we implement appropriate safeguards (such as contractual protections) for international transfers.

9) Data retention

We retain Personal Data only as long as necessary for the purposes described above, including:

  • Customer Data: retained for the duration of the Customer subscription/contract and as configured by the Customer, then deleted or returned per contract and technical feasibility.
  • Telemetry and security logs: retained for 30–180 days unless needed longer for security investigations or legal compliance.
  • Support records: retained for 24 months or as needed to resolve issues and meet legal obligations.
  • Commercial records: retained as required by applicable accounting/tax laws.

10) Security measures

We implement administrative, technical, and organizational measures designed to protect Personal Data, such as:

  • Encryption in transit (TLS) and encryption at rest where supported
  • Role-based access control and least-privilege access
  • Logging and monitoring for security events
  • Secure development and vulnerability management practices

No method of transmission or storage is 100% secure; however, we work to maintain safeguards appropriate to the risk.

11) Your choices and rights

Depending on your location, you may have rights such as:

  • Access, correction, deletion, portability
  • Restriction or objection to certain processing
  • Withdrawal of consent (where processing is based on consent)
  • Lodging a complaint with a supervisory authority

How to exercise rights: Contact mabdur@spline.ai with the subject "Privacy Request – DrSpline Platform". We may need to verify your identity. If SplineAI is acting as a processor for Customer Data, we may direct you to your organization (the Customer) to submit the request, or we may assist the Customer in responding as required.

12) Cookies and similar technologies

If the Service includes a web interface, we may use cookies/local storage and similar technologies:

  • Strictly necessary: authentication, session management
  • Functional: preferences and settings
  • Analytics: usage measurement to improve performance (optional where required)

You can control cookies via browser settings.

13) Children's privacy

The Service is intended for business/enterprise use and is not directed to children. We do not knowingly collect Personal Data from children under the age of 16 (or the minimum age required by local law).

14) Third-party links and integrations

The Service may connect to third-party services or Customer-managed systems (e.g., identity providers, storage, EHR/clinical systems, analytics). This Privacy Policy does not cover those third parties' practices. Customers are responsible for configuring integrations and ensuring lawful data sharing.

15) Changes to this Privacy Policy

We may update this Privacy Policy from time to time. The "Last updated" date above indicates when changes were made. If changes are material, we will provide notice through the Service or other appropriate means.

16) Contact us

Data Controller: SplineAI Tech Private Ltd

Address: #301/10, Rogers Road, Richards Town, Bangalore, 560005, India

Privacy email: hsyed@spline.ai

Support email: hamza@spline.ai

DPA / legal contact: mabdur@spline.ai

For more information about SplineAI's privacy practices, please visit our website or contact us using the information provided in Section 16 above.