Spoons — Privacy Policy
Contact: privacy@getspoons.app or hello@getspoons.app
Estimated read time: 25 minutes. If you need this document in a different format, see Section 18 or email privacy@getspoons.app.
Read This First (Quick Summary)
In the app: We collect nothing. Your energy logs live on your phone. Even if we wanted to see them, we couldn't. There are no servers.
The app never connects to our servers — since we have none. The only network activity is Apple/Google verifying your subscription status and delivering updates. Your energy logs and personal data are never transmitted to us or anyone else.
On the website: Your email (only if you join the waitlist or contact us). That's it.
No tracking/marketing cookies, but one essential security cookie. No sneaky data collection. No tracking which pages you visit. This keeps the website fast and secure.
We never: Sell your data. Show ads. Track you.
You can:
- Unsubscribe: Click the link at the bottom of any email
- Delete logs: Uninstall the app (logs only exist on your device)
- Delete support emails: Email privacy@getspoons.app
Questions? privacy@getspoons.app
A note on “we” vs “I”: Spoons is built and run by one person. This policy uses “we” because that’s legal convention, but in sections about personal commitments (like the no-sale promise and privacy architecture), I use “I” because those are my promises. Same person either way.
The summary above covers everything that matters. The sections below are the legal details — read them when you have the energy.
1) Overview
There is no data to handle. It never reaches us and we never see it.
In the app: Zero data collection. Your energy logs live on your device. The app updates through app stores but has no internet connection.
The Spoons app has no servers and makes zero network connections. It does not transmit your logs or any data to us or anyone.
The only network activity related to Spoons happens at the operating system level: Apple or Google verifying your subscription status and delivering app updates. This happens outside the app itself — Spoons never initiates, controls, or sees any of it.
Your logs stay on your device. Even if your phone is offline for months, the app continues to work normally. Subscription verification happens the next time your device connects — your existing logs and functionality are never interrupted by being offline.
Even if we wanted to see your logs, we couldn't. They don't exist on our end.
On the website: No tracking or marketing cookies. Only an essential security cookie for site security (see Section 10).
Just your email for two things:
- Waitlist (one email when Spoons launches)
- Optional blog updates (energy tracking tips, burnout posts - you choose, unsubscribe anytime)
Nothing else.
If you don’t join the waitlist or email us, we don’t know who you are and we don’t collect personal information from you directly.
Our website hosting/security providers may process limited technical data (like IP address) to keep the site secure, but we don’t use it to identify you.
Why trust us? This policy is a commitment we operate under. If we ever change what we collect or how we use it, we will update this policy and provide advance notice.
Our website already has 0 trackers and will always remain that way. We built the app with no server connection. Adding one would mean changing the fundamental architecture of the app — something we will never do.
You don’t have to take our word for it. The app makes no network connections. If you’re technically inclined, you can verify this yourself using your phone’s network monitor or any packet inspection tool. We invite the scrutiny.
Why We Built It This Way
Other autism apps have neurotypical assumptions baked in from day one. Sketchy data collection. Strongly steered toward parents of autistic children. NOTHING for us.
We built Spoons specifically for autistic adults to be completely reliable and work at 0 energy.
Our first decisions:
Offline-first. No server connection. Your data never leaves your device.
Usable in under 8 seconds, to avoid the meltdowns and shutdowns that most apps cause. We minimized friction entirely to work in crisis moments at 0 energy.
We didn't want to promise to protect your data.
We wanted to make it impossible for us to access it in the first place.
Other apps make vague promises about data protection. Professional wording disguised as lying.
This isn't a promise. It's how we built the app.
A note on discretion: We understand that in some regions and situations, an autism-related app on your phone could create real risk — from stigma, from employers, from family. Spoons has no visible branding in your notification tray (because we don’t send notifications), no account that links to your identity, and no data that leaves your device. Your use of Spoons is between you and your phone. That’s by design, not by accident.
2) What Data We Collect
A) In the Spoons App: ZERO
We do NOT collect:
- ❌ Your energy logs (stored on your device only)
- ❌ Your location
- ❌ Your device information
- ❌ Your usage patterns
- ❌ Any analytics or tracking data
- ❌ Any personal information whatsoever
Note: Apple and Google may collect their own app analytics (crash reports, session data) through their platforms. We have disabled all optional analytics collection in both App Store Connect and Google Play Console. We don’t request, access, or use any platform-level analytics data. See their privacy policies for details on what they collect independently.
The app works completely offline and never sends data to any server. As stated in Section 1: even if we wanted to access your logs, we couldn’t. They don’t exist on our end.
B) On the Website: Minimal
1. Email Address (Optional - Waitlist Only)
When: If you sign up for the waitlist at getspoons.app
What we collect:
- Your email address
- Signup date
How we use it:
- Send app launch announcement
- Send optional weekly updates (unsubscribe anytime)
Where stored: Mailchimp
Mailchimp is owned by Intuit. We use Mailchimp exclusively for waitlist emails. Your email address in Mailchimp is not connected to any other Intuit products, services, or advertising platforms. We do not share additional data with Intuit beyond what Mailchimp requires to deliver your emails.
Your control: Click "unsubscribe" in any email or email privacy@getspoons.app
2. Search Performance Data (Google Search Console)
When: People find our site through Google search
What we collect: We use Google Search Console to see how people find us through search. This shows us:
- Search queries that led to our site ("autism energy tracker," "autism energy," etc.)
- Which pages got clicked from search results
- Country where the searcher is located (general, not precise)
- Device type used for the search (desktop/mobile/tablet)
- Search performance (how many times we appeared in search, how many clicked)
This is search performance data, not on-site tracking. We see what brought you here from Google, but not what you do once you're on the site.
What we DON'T collect:
- ❌ Your IP address (We have disabled Webflow’s built-in site analytics. Our hosting provider can serve the website without tracking your behavior on it.)
- ❌ Which pages you visit once you're on the site
- ❌ How long you stay
- ❌ Where you click
- ❌ Personal identifiers
- ❌ Cross-site tracking
- ❌ Advertising profiles
How we use it: See which blog posts attract search traffic. Understand what autistic adults are searching for. That's it.
Provider: Google Search Console - Privacy: https://policies.google.com/privacy
3. Support Emails
When: If you email hello@getspoons.app or privacy@getspoons.app
What we collect:
- Your email address
- Your message content
- Any attachments (e.g., screenshots)
How we use it:
- Answer your question
- Fix bugs
- Improve the app
Where stored: Proton Mail (privacy-focused email provider with encryption at rest)
Retention: 2 years, then deleted
4. Subscription Data: We Don't Collect It
Billing is handled by Apple and Google:
- They collect your payment info (we never see it)
- They process payments. We never see your name, payment method, or any personal details. We only know that transactions occurred—not who made them.
- We never know your name, payment method, or personal details
For Apple's privacy: https://www.apple.com/legal/privacy/
For Google's privacy: https://policies.google.com/privacy
5. Diagnosis Fund Page
The Spoons Diagnosis Fund helps autistic adults access funded diagnosis assessments. The program is not yet accepting applications. When it launches in 2027, this section will be updated with the full operational details. Here is the framework we are building to.
What we will collect from applicants:
- Full legal name (required for bank/tax compliance when paying clinics)
- Email address (for communication about their application only)
- Country of residence
- Official clinic quote or invoice upload (must show: clinic letterhead, patient name, service description, total cost)
- Clinic contact information (website, phone, email)
- Consent to contact the clinic to verify the invoice
- Financial need statement (self-attestation in early years; spot-check 10% with documentation Year 3+)
- Spot-checks may request a brief confirmation of financial situation (such as a signed statement or proof of government assistance enrollment) but will never require bank statements, tax returns, pay stubs, or detailed financial records. We know what invasive means-testing feels like. We won’t replicate it.
What we will NEVER collect from applicants:
❌ Full medical history
❌ Therapy records
❌ Detailed financial records (bank statements, tax returns)
❌ Information about family members
❌ Anything beyond what is needed to verify the clinic, confirm eligibility, and process payment
How applicant data will be handled:
- Stored in Airtable (encrypted at rest, SOC 2 compliant)
- Access limited to Omari only (Year 1-4), then Omari + Executive Director (Year 5+)
- Partner organizations see only: applicant first name, region, application status, and diagnosis outcome (confirmed/pending)
- Partners never see financial need statements
- Clinic receives only: applicant name and Spoons as payer
- Retention: Approved applications — data retained for 3 years after diagnosis completion for impact reporting, then deleted. Denied or withdrawn applications — data deleted within 90 days of denial or withdrawal, unless the applicant requests immediate deletion. We do not retain records of people we couldn’t help longer than necessary to close their case.
- Applicants can request deletion at any time by emailing privacy@getspoons.app
Diagnosis outcome data (anonymized and aggregated) may be shared in annual impact reports. No individual applicant will be identifiable in public reporting without their explicit written consent.
Important: This does not change the app. The Spoons app still collects zero data and your logs still stay on your device.
3) How We Use Your Data
Email addresses:
- Send waitlist updates
- Respond to support requests
- That's it. Nothing else.
Website analytics:
- Understand which blog posts are helpful
- Fix broken pages
- That's it. Nothing else.
We will NEVER:
- ❌ Sell your data
- ❌ Use it for advertising
- ❌ Share it (except with service providers: Mailchimp for emails, Proton for support emails, Webflow for website hosting)
- ❌ Track you across other sites
- ❌ Build profiles about you
4) How We Protect Your Data
In the app:
- Your logs never leave your device = nothing to protect on our end
- No account = no password to steal
- No cloud = no cloud breaches
Email & website:
- HTTPS encryption
- Mailchimp security (SOC 2 compliant, encryption at rest — details: mailchimp.com/about/security)
- Proton Mail encryption (end-to-end for support emails)
What we can't protect:
- Exports you share with others
- Device backups (iCloud/Google Drive) if you enable them
- Your device security (Use a passcode!)
5) Third-Party Services
App Distribution:
- Apple App Store - Privacy: https://www.apple.com/legal/privacy/
- Google Play - Privacy: https://policies.google.com/privacy
Website & Email:
- Webflow (website hosting) - Privacy: https://webflow.com/legal/privacy
- Mailchimp (waitlist emails) - Privacy: https://www.intuit.com/privacy/statement/
- Proton Mail (support emails) - Privacy: https://proton.me/legal/privacy
- Make/Integromat (automation tool that routes your contact form submission to our email list — it only processes the email address you voluntarily provide) - Privacy: https://www.make.com/en/privacy
Diagnosis Fund Operations (launching 2027):
Bill.com (invoice processing and clinic payments) - Privacy: https://www.bill.com/privacy
Wise (international payments to clinics) - Privacy: https://wise.com/us/legal/global-privacy-statement
These services process clinic payment information only. They never see applicant energy logs, medical details, or financial need statements. They see only what is required to send payment to a clinic: clinic name, invoice amount, and payment destination.
Important: These services have their own policies. None of them see your energy logs (because we don't have them either).
6) Your Rights
Access Your Data
Email privacy@getspoons.app with subject: "Data Access Request"
We'll send you:
- Your email address (if you joined waitlist)
- Signup date
- Any support emails you sent
Note: Your energy logs aren't included because we don't have them
Delete Your Data
No rush. Email whenever you have the energy.
- Waitlist email: Click "unsubscribe" in any email
- Everything: Email privacy@getspoons.app with subject: "Delete My Data"
- Energy logs: Uninstall the app (they're only on your device)
Timeline: Within 30 days (usually 48 hours)
If you request deletion, we delete your data immediately — we don’t wait for the standard retention period to expire. The retention periods in Section 7 are maximums for when you DON’T request deletion, not minimums we force you to wait through.
If you shared something in a support email you didn’t mean to:
We understand that burnout, meltdowns, and executive function crashes can affect what you write. If you emailed us during a difficult moment and shared more personal information than you intended, email privacy@getspoons.app and ask us to delete specific emails or portions of emails. We’ll do it, no questions asked. We only retain what’s necessary to resolve your technical issue — nothing more.
Export Your Data
- Energy logs: Tap "Export" in app settings (CSV). You can import this file into Spoons on a new device — your history transfers with you.
- Email data: Email privacy@getspoons.app with subject: "Export My Data"
Regional Rights
European Union / UK (GDPR):
- Right to access, delete, export (covered above)
- Right to rectification (correct inaccurate data — email us if your details need updating)
- Right to restrict processing: You can unsubscribe from waitlist emails anytime. If you never joined the waitlist or contacted support, we have no data about you to process.
- Right to complain to your Data Protection Authority
California (CCPA):
- Right to know, delete, opt-out of sale
- We don't sell data, so opt-out is automatic
Brazil (LGPD):
- Right to access, correct, delete
- Right to data portability
Australia:
- Right to access and correct
- Complaint to OAIC if needed
India (DPDP Act 2023):
- Right to access and correct personal data
- Right to erasure
- Right to grievance redressal
Contact privacy@getspoons.app to exercise these rights
All regions:
- Your local privacy laws apply
- Email privacy@getspoons.app to exercise rights
7) Data Retention
Energy logs: On your device until you delete them
Email addresses: Until you unsubscribe (then deleted within 30 days)
Support emails: 2 years, then deleted
Website analytics: Aggregate data for 2 years (no personal identifiers)
If Spoons closes or I'm unable to run it:
I will never sell Spoons to another company. This is a personal commitment, not a business strategy.
To make this commitment durable beyond personal intent:
- Per our Terms of Service (Section 18), any successor operator must honor these privacy commitments and the 40% diagnosis funding allocation — or the app code is released to the autistic community under the AGPL-3.0 license. This is an enforcement mechanism, not a suggestion.
- Beginning in 2031–2032, diagnosis funding operations will transfer to a 501(c)(3) foundation with board oversight, ensuring the mission and privacy architecture survive independently of any individual
- Partner organizations will receive advance notice of any ownership or structural changes and retain the right to terminate partnerships and require data deletion
If Spoons must shut down (death, disability, or unforeseen circumstances):
- All waitlist subscribers will be emailed 90 days before shutdown (or as soon as legally possible)
- All email addresses will be permanently deleted within 30 days
- Support emails will be deleted within 30 days
- There will be no voluntary sale or acquisition. In extreme circumstances (estate transfer, legal incapacity), any successor must honor these exact privacy commitments — or all data is deleted before transfer and the code is released under AGPL-3.0. See our Terms of Service, Section 18, for the full enforcement mechanism.
- To be clear: Spoons will never be sold, acquired, merged, or transferred as a business transaction. The only circumstances under which another person would operate Spoons are those in which I am no longer able to — and even then, only under the exact same commitments described in these documents.
- Your energy logs remain unaffected (they're only on your device)
In the unlikely event of forced company transfer (legal judgment, estate issues):
- The acquiring party must agree to these exact privacy terms OR all data is deleted before transfer
- You will be notified with maximum advance notice
- You will have the option to delete your email from our list before any transfer
This is legally binding.
Diagnosis Fund data if Spoons shuts down:
- In-progress applications: All active applications will be completed before shutdown. No applicant will be abandoned mid-process. If completion is impossible, applicants will be connected directly with the partner organization to continue through an alternative path.
- Completed records: Anonymized impact data (number of diagnoses funded, regions served) may be transferred to the successor foundation or published in a final transparency report. All personally identifiable applicant data will be deleted within 90 days of shutdown.
- Lifetime access codes: All issued codes remain valid. If the app code is released under AGPL-3.0, community maintainers will receive the validation system to honor existing codes.
- Partner organization records: Partners will be notified 90 days in advance and given the option to request immediate deletion of shared data.
8) Children's Privacy
Age requirement: 13+
We don't knowingly collect data from children under 13.
If we discover a child under 13 provided data, we delete it immediately.
Parents: Contact privacy@getspoons.app if concerned.
Note: Spoons is designed for autistic adults, but teens 13+ can use it. If you're under 18, consider discussing the app with a parent or trusted adult - they might find it helpful to understand how your energy works.
9) International Users
Where your data lives:
- Energy logs: On your device (whatever country you're in)
- Emails: Mailchimp servers (US and EU regions)
- Support: Proton servers (Switzerland - strong privacy laws)
If you're in the EU or UK:
- Full GDPR protections apply to your data
- Data transfers to US use Standard Contractual Clauses (legal agreements requiring US companies to protect your data at EU standards)
- You can request your data stay in EU-only servers - email privacy@getspoons.app
If you're in another country:
- Your local privacy laws apply
- Email privacy@getspoons.app to exercise your rights under your local laws
10) Cookies
In the app: No cookies
On website: One essential security cookie only.
We use Cloudflare (through Webflow hosting) for site security and DDoS protection. Cloudflare sets one cookie:
_cfuvid (Cloudflare security cookie)
- Purpose: Bot detection, rate limiting, DDoS protection
- Duration: Session only (deleted when you close your browser)
- Tracking: Does NOT track you or identify you personally
- Essential: Required for site security
We will never add:
- ❌ Advertising cookies
- ❌ Tracking cookies
- ❌ Analytics cookies
- ❌ Third-party marketing cookies
You can disable cookies in browser settings, but site security features may not work properly.
11) Security Incidents
If there's a data breach:
- We investigate immediately
- Notify you within 72 hours
- Report to authorities as required
- Fix the issue
How we notify:
- Website announcement on getspoons.app (primary notification method)
- Email to waitlist subscribers and anyone who contacted support
Note: We cannot directly notify app users because Spoons has no accounts and no communication channel. Website announcements are the only way to reach the broader user base.
Good news: Your energy logs are on your device, so they can't be breached through our systems.
Partner organization notification:
If a breach involves data shared through the Diagnosis Fund or partnership operations, affected partner organizations will be notified directly within 24 hours via their designated contact email. This notification will include:
- What data was affected
- Which referrals or applicants may be impacted
- What we are doing to contain and resolve the breach
- Recommended actions for the partner organization
This 24-hour direct notification is separate from and faster than public disclosure. Partner organizations need time to notify their own community members and fulfill their own privacy obligations.
If a partner organization experiences a breach:
Our partnership agreements require partner organizations to notify us within 24 hours of discovering any breach that may affect shared data (referral information, applicant details). Upon receiving such notification, we will:
- Assess which Spoons applicants may be affected
- Notify affected applicants within 48 hours of our learning about the breach
- Work with the partner to contain the impact
- Document the incident in our annual transparency report
Partner organizations are independent data controllers. We cannot prevent breaches on their systems, but we can ensure you’re informed quickly if one affects your data.
12) Law Enforcement & Legal Requests
If law enforcement or a government authority requests user data:
For app data: We cannot provide energy logs, usage patterns, or any in-app data because we don’t have access to it. The app has no servers and we have no way to retrieve data from your device. We will clearly explain this to any requesting authority.
For email/website data: If we receive a valid legal order (subpoena, court order, or equivalent in your jurisdiction) for waitlist emails or support correspondence, we will:
- Carefully review the request for legal validity
- Narrow our response to the minimum data legally required
- Notify you that a request was made, unless we are legally prohibited from doing so
- Never voluntarily provide data beyond what is legally compelled
We have received zero law enforcement requests to date. If this changes, we will publish an annual transparency note in our transparency reports (beginning 2027) stating the number of requests received and how they were handled, without identifying affected users.
We will never build backdoors, add surveillance capabilities, or modify the app architecture in response to government pressure. If any authority attempts to compel this, we will disclose it publicly and, if necessary, trigger the open-source release described in our Terms of Service (Section 18).
13) Our Privacy Commitment
The Spoons app will ALWAYS be:
✅ Zero-data-collection in the app
✅ Your logs stay on your device only
✅ No tracking or analytics in the app
✅ No ads, ever
We will NEVER:
❌ Add cloud syncing that reads your logs without your explicit, opt-in consent (and even then, we'll never have access to unencrypted data)
❌ Add analytics that track your usage in the app
❌ Add ads or third-party trackers to the app
❌ Sell your data or share it with third parties (except service providers listed in Section 5)
❌ Change the app architecture to collect data
What this means:
App updates may add features, but will never change our zero-knowledge architecture. We will never have access to your energy logs.
Your energy logs stay on your device only. We don’t collect them, so we can’t access them or give them to anyone.
If we ever consider changes to this core commitment:
- We will announce 90 days in advance
- Explain exactly why and what would change
- Give you the option to export all data and stay on the old version
- Never force you to update to a version that violates this commitment
A note about phone permissions: Future iOS or Android updates may change what permissions apps must declare. If your phone ever shows a network permission request for Spoons, that’s your operating system’s requirement, not ours. The app itself will never use network access to transmit your data. If an OS update fundamentally conflicts with our zero-data architecture, we will communicate clearly about what changed, why, and what it means for your privacy.
This is my personal commitment.
Your privacy is sacred. We will never break your trust.
14) Changes to This Policy
Current version: 1.0 (April 2, 2026)
We may update this policy.
When we do:
- New effective date at top
- Material changes will be announced on our website (getspoons.app)
Material changes:
- Collecting new data types
- New third-party sharing
- Reducing privacy rights
Your options:
- Stop using the service before changes take effect
- Export your data and unsubscribe from emails at any time
- Cancel your subscription at any time
We’ll always give you enough time and information to make an informed choice about staying.
Changelog:
All material changes to this policy will be logged here with the date, version number, and a plain-language summary of what changed.
We won't assume silence means agreement. But legally, continued use after changes take effect constitutes acceptance. We'd rather you actively choose to stay.
15) Contact
Privacy questions:
Response time: Within 30 days (usually 48 hours)
Mailing address: 4030 Wake Forest Road Ste 349, Raleigh, NC 27609
16) What Makes Spoons Privacy-First
✅ Zero data collection in the app
✅ Your logs never leave your device
✅ No tracking, no ads, no analytics in app
✅ Minimal website data (email + basic stats only)
✅ Export anytime, delete anytime
✅ No data selling, ever
Privacy isn't a feature - it's how we built Spoons.
17) Partner Organization Data
This section is primarily relevant to partner organizations, but we include it here because you deserve to see how we handle data at every level — not just your data, but the data that flows through the systems your subscription supports.
Spoons partners with autism advocacy organizations to operate the Diagnosis Fund. This section covers how we handle data shared between Spoons and partner organizations.
What partner organizations share with us:
- Referral information (applicant name, region, eligibility notes)
- Staff contact details (name, email, role)
- Organizational information (programs, capacity, clinic relationships)
What we share with partner organizations:
- Applicant first name and application status
- Diagnosis outcome (confirmed/pending/declined)
- Aggregated impact data (number of diagnoses funded, regional totals)
- We never share applicant financial need statements with partners
How partner data is handled:
- Stored separately from user data in dedicated partnership records
- Access limited to Omari (Year 1–4), then Omari + Executive Director (Year 5+)
- Encrypted at rest (Airtable SOC 2 + Proton Mail)
- Staff contact details retained for duration of partnership + 90 days after termination
- Referral data follows same retention as applicant data (3 years post-diagnosis, then deleted)
If a partnership ends:
- Partner is notified 90 days before any data changes
- Active referrals are completed (no applicant is abandoned mid-process)
- Partner staff contact details deleted within 90 days
- Referral data retained per standard retention schedule (applicants consented to Spoons, not to the partner)
- Partner can request immediate deletion of their organizational data by emailing privacy@getspoons.app
Partner organizations are independent data controllers for their own records. We do not access, manage, or take responsibility for how partners store information on their end. Each partnership agreement specifies mutual data handling obligations.
Diagnosis fund and partnership inquiries: parternships@getspoons.app
18) Data Processing Agreements
This section is for partner organizations reviewing our data handling practices, but we keep it visible because transparency means showing the full picture.
Partner organizations that share personal data with Spoons may require a Data Processing Agreement (DPA). We support this.
Our standard DPA covers:
- Purpose and scope of data processing
- Types of personal data shared
- Duration of processing
- Security measures in place
- Sub-processor list (Airtable, Proton Mail, Bill.com, Wise)
- Breach notification obligations (72-hour direct notification to partner — see Section 11)
- Data deletion upon partnership termination
- Audit rights
For UK/EU partners: Our DPA includes Standard Contractual Clauses (SCCs) for international data transfers and complies with GDPR Article 28 requirements.
To request our DPA template or discuss data processing terms: privacy@getspoons.app
We will execute a DPA with any partner organization before any personal data is shared. No exceptions.
10) Accessibility
This privacy policy is designed for cognitive accessibility.
What we've done:
- Plain language throughout (no unnecessary legal jargon)
- Summary section at top covering all key points
- Clear section headings for navigation
- Screen-reader compatible formatting
- High-contrast text on getspoons.app (WCAG 2.2 AA, AAA where possible — consistent with our Terms of Service, Section 10)
Alternative formats available on request:
- Large print version
- Plain text version (no formatting)
- Audio summary
If any part of this policy is unclear or difficult to process, email privacy@getspoons.app and we will explain it in whatever format works for you.
Accessibility is not an add-on. It is how we write everything.