Privacy Policy
SciPlug, LLC ("Marlow," "we," "us," or "our") operates the website at firststep.support and provides a text-based executive function support service for adults with ADHD (the "Service"). This Privacy Policy explains what information we collect, how we use it, who we share it with, and the choices you have.
By using the Service, you agree to the practices described here. If you do not agree, do not use the Service.
1. Who this applies to
This policy applies to (a) visitors to our website, (b) people who submit a referral code or join our waitlist, and (c) members of the Service who exchange messages with their coach. The Service is intended for adults 18 years or older. We do not knowingly collect information from children under 13, and the Service is not directed to minors.
2. Information we collect
Information you give us
- Account & intake information: name, email address, mobile phone number, time zone, referral code, and information you share during onboarding (e.g., goals, context, accommodations you've found helpful).
- Communications with your coach: the SMS / iMessage thread between you and your assigned coach. This includes everything you choose to share — tasks, schedule details, situational context, and personal reflections.
- Payment information: billing is processed entirely by Stripe. We never receive or store full credit-card numbers. We receive a confirmation that payment succeeded, the last four digits of your card, your billing email, and a Stripe customer ID.
- Support correspondence: emails or messages you send to hello@firststep.support.
Information collected automatically
- Server & device logs: when you visit the website, our hosting provider may log IP address, browser type, referring page, pages visited, and timestamps. These logs are used to operate the site and detect abuse.
- Cookies & similar technologies: we do not use advertising trackers or cross-site profiling pixels.
Information from third parties
- SMS / messaging carrier: our messaging provider Quo routes your messages and may share metadata (timestamps, delivery status, phone numbers) with us as part of providing the service.
- Payment processor: Stripe shares payment-status events with us via webhook.
3. What we do not collect or do
- We do not sell your personal information.
- We do not share your information with advertisers or data brokers.
- We do not use your communications to train machine-learning models without your written consent.
- We are not a healthcare provider and do not collect protected health information ("PHI") subject to HIPAA. Please do not share medical records, prescriptions, or clinical information through the Service.
4. How we use information
- To provide, operate, and improve the Service — including coaching you, responding to your messages, and personalizing the support you receive.
- To process payments, send receipts, and manage your subscription.
- To communicate with you about your account, schedule changes, and important Service updates.
- To respond to your questions and support requests.
- To detect, investigate, and prevent fraud, abuse, or violations of our Terms of Service.
- To comply with legal obligations, court orders, or lawful government requests.
- With your separate, opt-in consent: occasional anonymized testimonials or product feedback.
5. Legal bases for processing
Where applicable law requires a legal basis (for example, the EU/UK GDPR), we rely on:
- Contract: processing necessary to deliver the Service you've signed up for.
- Legitimate interests: operating, securing, and improving the Service, provided your rights do not override these interests.
- Consent: for any optional uses (e.g., quoted testimonials), which you may withdraw at any time.
- Legal obligation: to comply with tax, accounting, or law-enforcement requirements.
6. Who we share information with
We share information only with service providers who help us run the Service, and only as needed for that purpose. Our current providers include:
- Stripe — payment processing.
- Quo — message delivery.
- Cloudflare — website hosting and logs.
- Google Workspace / Resend — transactional and support email.
Each provider is contractually bound to handle your information securely and only on our behalf. We may also disclose information (a) to comply with legal process, (b) to protect the rights, property, or safety of Marlow, our members, or others, or (c) in connection with a merger, acquisition, or sale of assets, in which case we will provide notice before your information becomes subject to a different privacy policy.
7. How long we keep information
- Active members: we retain your account information and message history for the duration of your subscription.
- After cancellation: message content is retained for 24 months in case you return, then deleted or anonymized. Billing records are retained for as long as required by tax law (typically 7 years in the United States).
- On request: you may ask us to delete your information at any time (see Section 9). We will honor the request unless we are legally required to retain certain records.
8. Security
We use reasonable administrative, technical, and physical safeguards designed to protect your information from unauthorized access, alteration, disclosure, or destruction. These include encryption in transit for our website, access controls on our internal systems, and limiting access to a small number of authorized personnel.
However, no method of transmission or storage is 100% secure, and we cannot guarantee absolute security. SMS / iMessage communications travel through third-party telecommunications networks that we do not control and that may not be encrypted end-to-end. By using the Service, you acknowledge and accept these inherent risks. You are responsible for keeping your devices, phone number, email account, and any access credentials secure.
9. Your rights and choices
Depending on where you live, you may have the right to:
- Access the personal information we hold about you.
- Request correction of inaccurate information.
- Request deletion of your information.
- Request a portable copy of information you've provided to us.
- Object to or restrict certain processing.
- Withdraw consent for any processing based on consent.
- Lodge a complaint with a data protection authority (EU/UK residents).
To exercise any of these rights, email hello@firststep.support. We will respond within the time required by applicable law (generally 30 to 45 days). We may need to verify your identity before completing certain requests.
Cancellation and unsubscribe: you may cancel your subscription at any time by texting your coach. You may opt out of non-essential email by following the unsubscribe link in any such email.
10. California residents (CCPA / CPRA)
If you are a California resident, you have the rights described in Section 9 above, plus the right to know the categories of personal information we collect, the sources, the purposes, and the categories of third parties with whom we share it (all disclosed in this policy). We do not "sell" or "share" personal information for cross-context behavioral advertising as those terms are defined under the CCPA/CPRA. We will not discriminate against you for exercising any of these rights.
11. International users
Marlow is operated from the United States. If you access the Service from outside the United States, your information will be transferred to, stored in, and processed in the United States, where data-protection laws may differ from those of your jurisdiction. By using the Service, you consent to that transfer.
12. Not a substitute for clinical care
Marlow provides executive function coaching, not therapy, counseling, or any form of medical or mental-health treatment. Your coach is not a licensed clinician. The Service is not designed for crisis situations. If you are in a mental health crisis, contact a qualified professional or, in the United States, dial or text 988 for the Suicide & Crisis Lifeline.
You acknowledge that the Service is not a substitute for professional medical advice, diagnosis, or treatment, and that any decisions you make based on coaching are your own responsibility. See our Terms of Service and our Not therapy notice for further detail.
13. Disclaimers regarding information you share
You decide what to share with your coach. We encourage you to share only what is necessary for the coaching relationship and to avoid sharing sensitive information (medical records, government identifiers, financial account numbers other than what's required for billing through Stripe, passwords, or information about third parties who have not consented).
Information you choose to share is shared at your own risk. To the maximum extent permitted by law, Marlow is not liable for consequences arising from information that you elected to disclose, including disclosures involving third parties or sensitive categories of information that we did not request.
14. Data breach notification
If we become aware of a security incident that materially affects the confidentiality of your personal information, we will notify you and the appropriate authorities as required by applicable law, by email to the address on file, without unreasonable delay.
15. Changes to this policy
We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last updated" date at the top and, where legally required or operationally meaningful, notify you by email or in-Service message. Your continued use of the Service after the effective date of an updated policy constitutes acceptance of the changes.
16. Contact
Questions, requests, or complaints about this Privacy Policy or our data practices:
- Email: hello@firststep.support
- Mailing address: [INSERT BUSINESS MAILING ADDRESS]