springli

Privacy Policy

Last updated: April 15, 2026

1. Purpose and scope

At Springli ("Springli," "we," "us," or "our"), based in Zürich, Switzerland, we are committed to protecting your personal data and safeguarding your privacy.

This Privacy Policy explains how we collect, use, store, and protect personal data when you visit our website at springli.com (the "Website"), use our patient communication platform (the "Service"), or otherwise interact with us.

This policy covers the processing of personal data where Springli acts as a data controller (e.g., Website visitors, prospective customers, job applicants). For data processing activities where Springli acts as a data processor on behalf of healthcare practices (i.e., patient data processed through the Service), a separate Data Processing Agreement (DPA) governs the relationship.

This Privacy Policy, together with our Terms and Conditions, governs your use of the Website and the Service.


2. Data controller

Springli

Zürich, Switzerland

Contact: hello@springli.com

Data protection inquiries: hello@springli.com


3. Applicable law

We process personal data in accordance with:

  • The Swiss Federal Act on Data Protection (FADP/nDSG, SR 235.1), effective September 1, 2023, and the associated Data Protection Ordinance (DPO/DSV)
  • The EU General Data Protection Regulation (GDPR, Regulation (EU) 2016/679), to the extent it applies to individuals in the EU/EEA
  • The EU AI Act (Regulation (EU) 2024/1689), regarding transparency obligations for AI systems

Where differences exist between the FADP and the GDPR, we apply the stricter standard.


4. What personal data we collect

Depending on your interaction with us, we may collect the following categories of personal data:

4.1 Website visitors

  • Technical data: IP address (anonymized where possible), browser type, operating system, device type, referring URL, pages visited, time and date of visit
  • Cookie data: Strictly necessary cookies for website functionality. Analytics cookies only with your consent. See Section 11 (Cookies) for details.

4.2 Prospective customers and early access applicants

  • Identity data: Name, role/title
  • Contact data: Email address, phone number
  • Practice data: Practice name, location, practice type, number of providers and staff, PMS system used, patient languages spoken
  • Communication data: Content of messages you send to us via forms, email, or other channels

4.3 Customers (healthcare practices)

  • Account data: Practice name, billing address, contact person(s), login credentials
  • Usage data: Feature usage, configuration preferences, message volumes, login activity
  • Financial data: Payment method, billing history (processed via third-party payment provider; Springli does not store credit card numbers)

4.4 Patient data (processed as data processor)

When healthcare practices use the Service, Springli processes patient data on behalf of the practice. This data may include:

  • Patient name, contact details (phone number, email)
  • Appointment details (date, time, type, provider)
  • Language preference
  • Communication history (messages sent and received through the Service)
  • Lab/test result availability status (not the results themselves)
  • Screening and recall eligibility
  • Billing and payment reminder status

Health-adjacent data: While Springli does not process clinical health data (diagnoses, treatment records, or test results), appointment and communication metadata related to healthcare visits (e.g., appointment type, specialty, screening eligibility) may constitute health-related data requiring heightened protection under the FADP (Art. 5 lit. c: "data concerning health") and the GDPR (Art. 9: "special categories of personal data"). All such data is processed with the safeguards appropriate to sensitive personal data, including encryption, strict access controls, and data minimization.

Springli is the data processor for patient data. The healthcare practice is the data controller. The practice is responsible for obtaining any required patient consent and ensuring a lawful basis for processing. Patient data processing is governed by a separate Data Processing Agreement (DPA) between Springli and the practice.

Springli does not use patient data for AI model training. Patient data is processed solely for the purpose of providing the Service.

4.5 Job applicants

  • Identity data: Name
  • Contact data: Email address, LinkedIn profile, personal website or portfolio
  • Qualification data: CV/resume, cover letter, qualifications, employment history

5. How we collect personal data

We collect personal data in the following ways:

  • Directly from you: When you fill out forms on our Website (including the early access form), send us an email, register for an account, or apply for a job
  • Automatically: When you visit our Website, through cookies and similar technologies (see Section 11)
  • From third parties: From practice management systems (PMS) when a healthcare practice connects their PMS to the Service, and from payment processors for billing purposes

Providing personal data is voluntary. However, without certain data (e.g., contact information), we may be unable to provide the Service or respond to your inquiries.


6. How we use your personal data

We process personal data only when we have a lawful basis to do so. The legal bases we rely on are:

6.3 Specific purposes

We use personal data for the following purposes:

  • Providing and operating the Website and Service
  • Responding to inquiries and requests
  • Processing early access applications
  • Managing customer accounts and subscriptions
  • Processing payments and billing
  • Communicating about service updates, changes to terms, and security notices
  • Improving the Service through usage analytics and aggregated data
  • Ensuring the security and integrity of the Service
  • Complying with legal and regulatory obligations
  • Evaluating job applications

7. Aggregated and de-identified data

We may use aggregated, anonymized, and de-identified data derived from the use of the Service for the purposes of improving the Service, conducting research, and generating benchmarks. Such data does not identify any individual patient or practice and is not considered personal data under the FADP (Art. 2) or the GDPR (Recital 26).


8. Data sharing and recipients

We do not sell personal data. We share personal data only as described below:

8.1 Service providers (subprocessors)

We engage third-party service providers who process data on our behalf, including:

  • Cloud hosting: Swiss and/or EU-based data centers
  • Communication channels: WhatsApp Business API (Meta Platforms), SMS providers, email services
  • Payment processing: For subscription billing
  • Analytics: Website analytics (with consent only)
  • AI services: Large language model providers for communication generation

All subprocessors are bound by data processing agreements and are required to implement appropriate technical and organizational security measures. A list of current subprocessors is available on request by contacting hello@springli.com.

8.2 Healthcare practices (as data controllers)

When we process patient data on behalf of a healthcare practice, we share relevant communication data (e.g., delivery status, patient responses) with the practice through the Service dashboard.

8.4 Business transfers

In the event of a merger, acquisition, or sale of assets, personal data may be transferred to the acquiring entity, subject to the same privacy protections described in this policy. We will notify affected individuals in advance of any such transfer.


9. International data transfers

All personal data, including patient data, is hosted exclusively in Swiss and/or EU data centers.

We do not transfer personal data to countries outside Switzerland or the EU/EEA unless:

  • The destination country has been recognized as providing an adequate level of data protection by the Swiss Federal Council (Art. 16 FADP) or the European Commission (Art. 45 GDPR)
  • Appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) approved by the European Commission or the Swiss Federal Data Protection and Information Commissioner (FDPIC)

Where subprocessors are based outside Switzerland/EU (e.g., US-based AI model providers), data is processed through European endpoints only, and appropriate safeguards (SCCs, supplementary measures) are in place.


10. Data retention

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected:

  • Website visitor data: Deleted or anonymized within 12 months
  • Prospective customer / early access data: Retained for up to 24 months after last interaction, then deleted
  • Customer account data: Retained for the duration of the subscription and for up to 36 months thereafter for legal and accounting purposes
  • Patient data (as processor): Retained only for the duration of the service agreement. Upon termination, data is available for export for 30 days, then permanently deleted within a further 30 days. Encrypted backup copies may be retained for up to 7 additional days following permanent deletion, after which they are automatically purged.
  • Job applicant data: Retained for up to 6 months after the recruitment process concludes, unless consent is given for longer retention
  • Aggregated/anonymized data: May be retained indefinitely as it no longer constitutes personal data

Certain data may be retained longer where required by law (e.g., Swiss tax retention requirements of 10 years under the Swiss Code of Obligations Art. 958f).


11. Cookies and tracking

11.1 Under the FADP

The FADP follows an opt-out approach for most cookies. This means we may use cookies for website functionality and analytics without prior consent, provided we inform you and give you the ability to object. However, for cross-site tracking, profiling, and personalized advertising, explicit consent is required (per FDPIC guidelines updated October 2025).

11.2 Under the GDPR (for EU/EEA visitors)

For visitors from the EU/EEA, we apply the stricter opt-in approach required by the ePrivacy Directive and GDPR. Non-essential cookies (analytics, marketing) are only placed with your prior consent.

11.3 Cookie categories

  • Strictly necessary cookies: Required for the Website to function. No consent required.
  • Analytics cookies: Used to understand how visitors interact with the Website. Placed only with consent.
  • Marketing cookies: Not currently used. If introduced, will require prior consent.

Details on the specific cookies used, their purpose, and duration are provided below.

Cookie | Type | Purpose | Duration
To be populated once the website is live.

You can manage your cookie preferences through your browser settings or through the cookie consent mechanism on our Website.


12. Artificial intelligence

The Service uses artificial intelligence, including large language models (LLMs), to generate, translate, and personalize patient communications.

  • AI is used for communication purposes only, never for clinical decision-making, diagnosis, triage, or treatment recommendations
  • Patient data is not used for AI model training. Data is processed in real-time for message generation and is not stored for training purposes.
  • In accordance with the EU AI Act (Art. 50), patients receiving communications through the Service are informed that they are interacting with an AI-powered assistant
  • Healthcare practices retain full control over the configuration, tone, and scope of AI-generated communications and may review, approve, or override any communication

13. Your rights

13.1 Under the FADP (Swiss residents)

Under the FADP, you have the right to:

  • Access your personal data (Art. 25 FADP)
  • Rectify inaccurate data (Art. 32 FADP)
  • Delete your data (Art. 32 FADP)
  • Request data portability in electronic format (Art. 28 FADP)
  • Object to data processing
  • Withdraw consent at any time, without affecting the lawfulness of processing before withdrawal

Requests are free of charge and will be responded to within 30 days.

13.2 Under the GDPR (EU/EEA residents)

Under the GDPR, you additionally have the right to:

  • Request restriction of processing (Art. 18 GDPR)
  • Object to automated decision-making and profiling (Art. 22 GDPR)
  • Lodge a complaint with a supervisory authority (Art. 77 GDPR). The relevant Swiss authority is the Federal Data Protection and Information Commissioner (FDPIC). EU/EEA residents may contact their national data protection authority.

13.3 How to exercise your rights

To exercise any of the above rights, contact us at:

We may need to verify your identity before processing your request.


14. Data security

We implement appropriate technical and organizational measures to protect personal data against unauthorized access, alteration, disclosure, or destruction. These measures include:

  • Encryption of data at rest and in transit (TLS 1.2+)
  • Access controls based on the principle of least privilege
  • Regular security assessments
  • Employee training on data protection and security
  • Incident response procedures

No system is completely secure. If we become aware of a security breach affecting personal data, we will notify the relevant supervisory authority (FDPIC and/or applicable EU authority) and affected individuals in accordance with Art. 24 FADP and Art. 33–34 GDPR.


15. Children's data

The Service is intended for healthcare providers and is not directed at individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have collected personal data from a child, we will take steps to delete it promptly.

Patient data processed through the Service may include data relating to minors (e.g., pediatric appointment reminders). In such cases, the healthcare practice (as data controller) is responsible for ensuring a lawful basis for processing and for obtaining any required parental or guardian consent.



17. Changes to this privacy policy

We may update this Privacy Policy from time to time. When changes are made, we will publish the updated version on the Website and, where appropriate, notify you by email. The date of the latest update will be indicated at the top of this policy.

Your continued use of the Website or Service after changes constitutes acceptance of the updated Privacy Policy.


18. Contact

If you have questions about this Privacy Policy, wish to exercise your rights, or have concerns about how your data is handled, please contact us:

Springli
hello@springli.com
Zürich, Switzerland

We would appreciate the opportunity to address your concerns before you contact a regulatory authority.

Supervisory authorities:

  • Switzerland: Federal Data Protection and Information Commissioner (FDPIC), Feldeggweg 1, 3003 Bern, www.edoeb.admin.ch
  • EU/EEA: Contact your national data protection authority