Privacy Policy for App

Last updated: August 28, 2024

We are Spark Mail Limited ("we"), and we provide you services under the Terms of Service. In the Spark Application ("App" or "Spark") you can manage your email accounts, chats and conversations from one place ("Email Accounts").

We understand you care about your privacy, and we appreciate the trust you place in us. To justify your trust, we continuously embed the latest data security standards, improve our awareness of privacy matters, and comply with the EU General Data Protection Regulation (the “GDPR”) and other privacy laws.

This Privacy Policy describes which of your personal data the App collects, how it stores and processes it, and what happens when you use Spark.

Please note that we do not collect, track, or store any personal data over what we need to provide and improve our product and services, perform our marketing campaigns as described in this Policy, and comply with our legal obligations.

Our Commitments

• we only collect and use your data where we have a legal basis to do so;
• we always are transparent and tell you about how we use your information;
• when we collect your data for a particular purpose, we do not use it for anything else without your consent, unless another legal basis applies or the purposes are compatible (in the meaning of the GDPR);
• we do not sell your data;
• we do not ask for additional data unless it is needed for the purposes of providing our services;
• we adhere to the data retention policies and ensure that your information is securely disposed of at the end of such retention period;
• we observe and respect your rights by ensuring that queries relating to privacy issues are dealt with promptly and transparently;
• we keep our staff trained in privacy and security obligations;
• we ensure to have appropriate technological and organizational measures in place to protect your data regardless of where it is held;
• we also ensure that all of our data processors have appropriate security measures in place with contractual provisions requiring them to comply with our commitment;
• we do not use your data to make automated decisions that might have a legal or similarly adverse effect on your rights;
• we obtain your consent and ensure that appropriate safeguards are in place before personal data is transferred to other countries.
• we responsibly implement AI into our services, ensuring the protection of your personal data and providing you with control over all AI-powered features. 

For our Chinese Premium users: We may no longer provide the Spark +AI feature (including AI Writing Assistant, +AI Summary, Quick +AI Replies, Templates +AI) in mainland China because of the changes in the deep synthesis algorithm laws.

Please note: Spark’s website has its own Privacy Policy that covers any data flows via the Website.

Context:

• Our Commitment
• Definition of “User”
• Controller details
  • Controller
  • Processor
  • Contact Details of the DPO (Data Protection Officer)
• Applicability
• Legal Grounds of Processing
• Personal Data in Spark: What We Collect
  • Before we start
  • Data processed
• Age limitation
• Term of storage and Retention Periods
• Backup storage
• Data sharing with 3rd parties
• Data transfer outside the European Economic Area
• Security measures
• Privacy rights
• Region-specific legislation
  • California legislation
  • Virginia legislation
  • Colorado legislation
  • Delaware legislation
  • Nevada legislation
• Definitions

Definition of "User"

We divide App users into different categories depending on their access to our services as follows: Free User, Paying User, Enterprise, Partner, and Enterprise Member for privacy purposes.

You own and control the personal data we collect about you. You can choose not to provide certain information or disable and prevent us from collecting, storing, and processing it by changing your account’s settings (e.g., by revoking consent or opt-out checkboxes), via our email address dpo@sparkmailapp.com or by any means of communication available for you. Please be aware that you may not be able to enjoy some of Spark’s features in such a case.

Controller Details

Any organization that collects and processes data can play different roles depending on particular data processing operation. For example, Spark plays different roles depending on the feature you use. In this Section, we explain how Spark meets the role requirements.

Controller

We are the Controller of the personal data for the Users (Free), Users (Premium), Teams, Organizations, and Enterprises (representatives of Organizations or Enterprises) from the moment of the User’s consent to the Terms of Service.

This means we determine the amount, purpose, and means of personal data processing when you use the App.

Processor

Under the applicable privacy protection rules, we can also act as the data processor depending on the particular data protection operation. This is the case where Spark provides a self-help tool, product, or feature and does not use personal data without the user’s instruction. For example, Spark does not use the email addresses of the email senders for Spark’s marketing activities, but only to enable the User to receive and send emails via Spark Service.

We are processing data on behalf of Organizations or Enterprises (based on the agreed instructions provided in the Data Processing Agreement; you may request a copy of our Data Processing Agreement at dpo@sparkmailapp.com).

Example: Company A purchased 15 licenses for employees. The Сontroller of the employees’ data is Company A, while we are the processor concerning this processing activity (namely, where we provide them with Spark services at the expense of Company A). As a data processor, Spark does not use such data (e.g., email addresses of third parties) for our own purposes, for example, for cold calls marketing.

As a result, we are processors for all personal data of Users, employees, or contractors of the three categories: the Organization, the Enterprise, and the User (Free or Premium).

For more details about our role as a Controller and a personal data Processor, please contact us at dpo@sparkmailapp.com. Alternatively, you can also send us a letter.

Contact Details of the DPO (Data Protection Officer)

Company: Spark Mail Limited.
Address: Grand Canal House, 1 Grand Canal Street Upper, Dublin 4, D04 Y7R5, Ireland.

External Data Protection Officer: Privacity GmbH

Address: Neuer Wall 50, 20354 Hamburg, Germany

Email: dpo@sparkmailapp.com

If you have a particularly sensitive request, please contact us or our Data Protection Officer by postal mail at the above indicated address.

Applicability

This Privacy Policy applies to the desktop and mobile versions of Spark compatible with macOS, iOS, Android, and Windows, accessible for download through our website, App Store, Mac App Store, Microsoft Store, Huawei AppGallery, and Google Play.

Legal Grounds of Processing

We can process personal data based on the following legal bases:

• performance of the contract for processing that is strictly necessary for service provision as written in Terms of Service, such as technical and customer support;
• legitimate interest for processing that is reasonable for the User and required for the development of the service;
• consent for additional processing for specific purposes;
• legal obligation for the processing of data as required by applicable laws or if requested by a law enforcement agency, court, supervisory authority, or another state-authorized public body.

In particular, we rely on legitimate interests when we process your personal data for the following purposes:

• security of the App: preventing risk and fraud;
• support: answering questions or providing other types of support;
• business development: providing and improving our App;
• business intelligence: providing reporting and analytics to further enhance our App;
• quality assurance: testing out features or additional services;
• marketing: assisting with marketing, advertising, or other communications.

We rely on our legitimate interest only after a careful assessment of the balance of purpose, necessity, and proportionality, and in a manner that is expected and does not limit your rights.

Personal Data in Spark: What We Collect

This section explains our approach and practices for processing personal data at different features in the App.

Before we start

We process two categories of data: technical and personal data you provide to us. Some of it can be seen on the client-side (interface), and some are processed on the backend.

Client-Side is the part of the App displayed or takes place on the users’ devices.

Backend is an invisible crucial part of the App where algorithms operate on the variables and data points. In the majority of cases, it is crucial to process such data in order to provide our services to you. For example, we keep backend data taking into account organizational and technical measures to ensure the security of your data.

As defined, you may belong to one of the categories of Users:

1. Free User (Free)
2. Paying User (Premium)
3. Team
4. Organization
5. Enterprise

We collect your personal data according to this Privacy Policy when you use the App. When you use our Website, your personal data is processed in accordance with the Website’s Privacy Policy. Some of the data the App collects automatically, such as the country the App is used in: we get this data based on the IP address or from the App Store (we receive this information in a generalized form). Generally, all the data provided to us can either be linked to you or not (i.e., anonymized data).

We either create new personal data items or receive them from you. For example,

• data we create and assign will include userID, subscription expiration date, appToken, and
• data we collect from you or the third parties on your behalf would include payment history, requests, app usage data, account data, technical data.

Data Processed

We process some personal data for purely business purposes: to enable you to use our services, to notify you of our new products and features, to invite you to participate in our special programs and offers and beta testing programs, and to use parts of your data (usually pseudonymized) to monitor the trends and develop our product and business. We collect certain information about you when you provide it directly to us or use our App and Service. We only collect the information necessary to provide you with our services.

Unless we specify a particular legal basis, we process your personal data based on the contract (our Terms of Service) (Article 6(1)(b) of the GDPR: performance of contract).

Email address: As an email client, the core functionality of our Product is based on providing you with the ability to manage your email. For this reason, Spark services access your email account when you start using the App. Your email address is a unique identifier of you as a User within our system and allows us to secure your data. Your email address will also be used as a primary means of communication for us on anything related to changes to the App and Service, such as Privacy Policy, Terms of Service, Beta Tester Agreement or core functionality of our App or Service. We may also use your email to sync your data with your third-party accounts (if you request us to do so in the App), or occasionally contact you for marketing purposes (it will be in our legitimate interests to do so). You will always have a chance to opt-out of such sync or any marketing communications for similar products and/or services anytime. Please note that your email is safe with us, and we do not use it for profiling or targeting.

OAuth login or mail server credentials: Spark requires your credentials to log into your mail system in order to receive, search, compose and send email messages and other communication. Without such access, our Product will not be able to provide you with the necessary communication experience. In order for you to take full advantage of additional App and Service features, such as “send later”, “sync between devices” and where allowed by Apple – “push notifications” we use Spark Services. Without using these services, none of the features mentioned above will function.

Billing data. We may need to process your personal data to ensure the smooth operation of your subscription plan and comply with the applicable laws. We do not have access to your sensitive payment data (as the payment processor will only collect your personal data to process the payment), but we may store your payment processor id, payment status, and information about your subscription terms (such as type and duration).

Identity of a team you join: In order to make team collaboration within Spark possible, we allow you and your colleagues to create teams within the Service. It allows you to share information such as email conversations, shared email drafts, private discussions, or create links to a specific email message. Team identity is necessary to associate you with that specific team as well as secure your information from people who are not a part of your team. Our system creates a record about the team only when you create one.

Email content while using Spark Services: We allow you and your colleagues to create teams within the Service. It allows you to have a secure space to share information such as email conversations, shared email drafts, have private discussions, or create links to specific emails. We may retain your email for some time (at your request) when you use the “Send later” feature. This information is stored on our secure servers in order to make Services available to you, so you can collaborate with your teammates via email.

Input and output: When using Spark +AI, you can provide input (email text and prompt) for processing and receive generated output. We do not retain the content of your emails or prompts but only transmit them to the AI provider for processing. They do not use your data for model training and keep it no longer than 30 days. Read more about Spark +AI and its data processing practices in the ‘AI Providers Data’ section.

Email samples and writing style description: When you activate ‘My Writing Style’, we process your recently sent emails to analyze their length and other criteria and select appropriate samples (‘samples’). Further, we pass the selected samples to the AI provider for analyzing your writing style and getting the textual description of it. Your emails are analysed for the samples and writing style description only once unless you use the ‘Rescan email samples’ option in the ‘Settings’, change the samples manually, or delete them and reactivate the feature.

The samples are stored in your account as settings of the feature. You can review the samples in the ‘Settings’ and manually replace them with other examples if you wish. We also store the samples and your writing style description in our backend. 

To help you generate email with Spark +AI further, we will pass only your writing style description along with each request to the AI provider.

Spark will store the samples and your writing style description until you delete your account or until you delete all samples manually. Please note that when you delete all samples we automatically delete the writing style description.

Read more about ‘My writing style’ in the ‘AI Providers Data’ section.

IP address and settings: The core functionality of our Product is based on an Internet connection, that is why our App and Service will not properly function without it. Your IP address is a unique identifier that lets you connect to the Internet, and our service will log connections for security and troubleshooting purposes. We also retain information about your settings so you may ensure the synchronization of your choices and experience between your devices.

APNS device token (Apple Push Notification Service): Push notifications allow you to get immediate updates about new emails or private team comments in your email inbox. You’re free to enable or disable them during the initial App setup or later using your device’s system preferences.

App token assigned by us: This token allows us to identify your device in our system and troubleshoot potential issues you might experience.

Device, App version, iOS version information: We need to have this information so the App functions properly on your specific device.

Statistical information with regards to App usage: In order to better understand general app usage patterns and improve the Product and its user experience, Spark collects general statistical information about the usage of the Product. Collecting such data helps us optimize the App in future updates, and such usage does not affect your rights and freedoms and does not disclose any personal data of yourself or your contacts. You may read Amplitude’s Privacy Policy to learn more about their processing of personal data.

Recently accessed email messages, collaboration threads, and shared inboxes: We need this information to provide Spark Services to you and your teammates, such as private discussions around email, shared drafts, shared email conversations, and shared inboxes. By collecting and storing this data, we are able to present message discussion threads through your Spark App and provide a better communication experience with your team.

Some of your email contacts: Spark Smart Notifications will send you push notifications only for important messages from real people. To block push notifications for promotional newsletters and automatic emails, we need to keep the “whitelist” of senders for push notifications. We’ll sync this “whitelist” of contacts to our server to enable Smart Notifications. If you decide not to use Smart Notifications, we will never sync your email contacts.

Pixel data and link clicks information. We may use email and other marketing software to collect metrics on our marketing campaigns. Usually, pixels help their providers to collect technical data, such as the time when the image was loaded and the IP address, etc. For example, we may use the Braze service to see email opening rate, and then use this opening rate to enhance our emails and send our users a more helpful material or relevant offer in the future. Braze can also register that the link in the email was clicked on. You may disable pixels in your email service provider’s settings and avoid opening links, if you don’t want to participate in the collection of this statistics. In Spark, you should go to the “General” section of Settings page to disable loading the pixels.

Logs: Some information about your use of the Spark Mail services can be stored either by us or by your device. When we collect this information on our servers, we do so to prevent fraud and potential unauthorized access to your personal information, ensuring the technical availability and security of the App. The server that hosts the App may record requests your device makes to the server, the details on the device and browser you use, your IP address, date and time of access, city and country, operating system, browser type, mobile network information. This data is used only for technical purposes – that is, to ensure the proper functioning and security of the App,to investigate possible security incidents, and to troubleshoot bugs and problems with the App reported by you. If you report an issue that prevents you from enjoying Spark, we may need the log data that is contained on your device to investigate the issue and troubleshoot. As we cannot obtain those logs without you sending them to us, we will rely on your consent.

Customer Support communication: Regarding the email: we save a record of communication, including attachments and information you voluntarily decide to share with us for troubleshooting purposes whenever you communicate with our support team.

To enhance your experience, we collect analytics on customer support requests to understand the most frequent inquiries and identify areas for improvement within the App. This analysis is conducted internally within Spark using secure, in-house technologies, including pre-trained machine learning models. Rest assured, we do not use your personal data to test or train these models.

Request a feature: When you contact us via the “Request a feature” form with your proposal for our product enhancement, we process your email address, type of device, your name (if you’re willing to share it), and any other additional information you may provide in the form. We process this data based on your consent. We automatically collect some technical information (platform, app version, date of installation, Spark ID and Braze ID) for a detailed analysis of your proposal. It is in our legitimate interest to do so. Also, we assign a unique identifier (token) for each form submission and collect the date and time of the submission.

We use Typeform to collect your request and Google Sheets to process it further. To know more of how your personal data is processed, you may read Typeform’s Privacy Policy and Google’s Privacy Policy.

We will use your data to prepare a proposal for our product development team and your email and name to contact you for more details (if needed) and notify you of the implemented features resulting from your request. We may keep and process this data for a few years but no longer than 6 years (as provided by the general statute of limitations in Ireland) and do not use your data for any other purposes except those mentioned in this section.

The “Request a feature” form is available in all Spark app versions except Spark Classic (Spark 2 on Mac).

Data from Microsoft Corporation: When you download and use Spark Mail from the Microsoft Store, we may occasionally receive data, including telemetry or crash data, from Microsoft Corporation. This data is used only to improve the App and to test or troubleshoot quality issues, such as bugs, in accordance with the Microsoft Store App Developer Agreement.

Your Feedback. We may publish your feedback, reviews and comments about your experience with our App ("Feedback") on our website, in the App or otherwise. This includes the Feedback you provide to us directly or via any platform, including but not limited to online distribution platforms, marketplaces, and social media. We process personal data in your Feedback, which may include your first and last name, username, the text of the Feedback and/or any other information contained in or related to the Feedback. We do not process personal data of children under the age of 16 and/or sensitive types of data in the Feedback. Under the GDPR, we rely on our legitimate interest as the legal basis for processing personal data in the Feedback if your Feedback was collected from the third-party platform (such as online distribution platforms, marketplaces, and social media), and we will ask for your consent to publish the Feedback that you provided to us directly. We use your Feedback to demonstrate the capabilities and features of the App, to share real user experiences with the App and to attract potential customers. For more information about your Feedback, please refer to the "Your Feedback" section of our Terms of Service.

To enhance the App experience, we collect analytics on the feedback to understand the most frequent inquiries and identify areas for improvement within the App. This analysis is conducted internally within Spark using secure, in-house technologies, including pre-trained machine learning models. Rest assured, we do not use your personal data to test or train these models.

Data processed during beta testing. If you choose to participate in our beta testing program as outlined in our Beta Tester Agreement, we will process the following data to provide you with the Service and manage your access to the beta testing:

• Personal Information: Email address, OAuth login credentials, or mail server credentials.
• Team Identity: The identity of the team you join.
• App Usage Data: Statistical information related to your usage of the App, including email content while using Spark Services, data from Microsoft Corporation.
• Device Information: IP address, device settings, device information, APNS device token, and an app token we assign to you.
• Interaction Data: Pixel data, link click information, recently accessed email messages, collaboration threads, and shared inboxes.
• Feedback and Support: If you submit customer support requests, feature requests, feedback, or log files during beta testing, we may process the associated data and files provided with such communications.

For specific features such as Spark +AI, My Writing Style, and Smart Notifications, we will process the corresponding data mentioned above.

Additionally, if you participate in the beta testing of the iOS version, we may receive data from Apple, including:

• Device Information: Device model, device ID, iOS, iPadOS, or macOS version, time zone, country and/or city, language, connection type, carrier, CPU type, free disk space, battery level, screen resolution, paired Apple Watch model (if applicable), and watchOS version.
• App Interaction Data: Information about your interaction with the App, such as invitation type, invitation status, App name and version, App uptime, number of installs, sessions, crashes, and symbolicated crash logs.
• Feedback: Screenshots and comments you share when providing feedback during beta testing. The processing of this data is based on our legitimate interest. If you choose to provide us with your name, we will process it based on your consent.

Other information you decide to provide us with: Based on your decision and consent, we may also process any other personal data provided by you (for example, the information in your email signature or the first couple of lines from the email to show you the push notification) to make your experience of using some of our features more pleasant and tailored to your purposes and needs.

Please note: some data (such as company data) can be treated as non-personal data when processed in the absence of context. However, if such data is collected and processed alongside other data points or data items (such as name, telephone number, email, etc.), it can identify a particular person and therefore constitutes personal data. You may check the official position of the EU by reading:

• Recital 26 of the GDPR,
• Article 4 of the GDPR,
• Opinion 4/2007 on the concept of personal data issued by the Working Party 29 (predecessor of the EDPB), and
• Guidelines 8/2020 on the targeting of social media users issued by the EDPB.

Please note that we do not store all the data we receive from you. Mainly, the data is stored locally on your device. This means we see pseudonymized or even anonymized data. For more information on retention periods of your personal data please see “Term of storage and retention periods" section of this Privacy Policy.

Google User Data

Spark's use of information received from Google APIs will adhere to Google API Services User Data Policy, including the Limited Use requirements. This section may be helpful for you if you use Spark in conjunction with your Gmail account.

Permissions. When seeking access to your Google user data, all permission requests are being sent by Spark Mail App. Your authorized client credentials to access your Gmail account provided to us will be kept confidential. We request access only to the information we need; we will prompt you to refresh the access permissions if we implement new features. Where possible, we will use incremental auth.

Revoking access to Google User Data. You may revoke Spark’s access to your Gmail account by using Gmail settings: My Account -> Security tab -> Third-party apps with account access -> Manage third-party access -> Spark -> Remove access.

If you decide to do so, we will lose access to your Gmail account in Spark, and we will no longer be able to show you emails from it, and show and sync your Google Calendar. Upon your request (and when you delete your Spark account), we will delete all data collected from your Gmail account; however, in such a case, we may not be able to provide you with the ability to use Spark Mail features to work with your Gmail emails.

Types of data requested. We will list the types of data requested on the permission request webpage. If we need more (or less) permissions to run our Service, we will prompt a new permission request for you to review and consent (or reject). Not all Google User Data may contain personal data. Some statistical data will be anonymized.

Request purpose. The purpose for which the App requests your user data is to enable you to use Spark Mail features when working with your Gmail account emails. Without access to the emails, we cannot provide you with the features that include assessing, using, writing, changing, deleting, storing, sharing, filtering, whitelisting, and other manipulations with the emails as described in this Data Processed (by feature) section that are performed on your behalf (in other words, pursuant to your instructions issued by manipulating the Spark’s interface). We do not use your Google User Data for any other purposes but to provide you with access and the ability to use the Spark Mail Service.

Disclaimer. We do not use Google User Data to display, sell, or distribute this data to any third party conducting surveillance. Spark Mail has no hidden features, services, or actions that are not mentioned in this Privacy Policy or the Terms of Service. Spark takes reasonable and appropriate steps to protect all applications or systems that make use of Google User Data against unauthorized or unlawful access, use, destruction, loss, alteration, or disclosure. Spark Mail belongs to a Permitted Application Type as mentioned in the Google API Services User Data Policy (namely, an application that enhances the email experience for productivity purposes).

With regard to the access to Google User Data as specified above, we will:

• use access only to read, write, modify, or control Gmail message bodies (including attachments), metadata, headers, and settings to provide a web email client that allows Users to compose, send, read, and process emails and will not transfer this Gmail data to others unless doing so is necessary to provide and improve these features, comply with applicable law, or as part of a merger, acquisition, or sale of assets;
• not use this Gmail data for serving advertisements, including retargeting, personalized, or interest-based advertising;
• not allow humans to read this data unless we have your affirmative agreement (consent) to view specific messages, doing so is necessary for security purposes such as investigating a bug or abuse, complying with applicable law, investigating an issue, and even then only when the data have been aggregated and anonymized;
• ensure that your employees, agents, contractors, and successors comply with this Google API Services: User Data Policy.

AI Providers Data

We use different AI Providers (Azure OpenAI Service by Microsoft Corporation, Open AI by Open AI LLC, Vertex AI by Google) to offer the Spark +AI feature, which is designed to help you create and edit emails with the help of machine learning algorithms. We may switch between the AI providers to provide a more secure and faster service, to run new versions of models, or for other commercially justifiable reasons. The switch between AI providers is manual, and we retain full control over it.

Please note that, in the event of a switch between AI Providers, the data processing rules and interaction protocols will remain the same as described below. We will not provide notification about such switches.

Applicability. This section of the Privacy Policy applies only to our Premium Users of Spark 3 who use the Spark +AI feature or Users who get access to it during the Trial period. By default, Spark +AI is switched off: you must opt in to enable the Spark +AI feature.

Permissions. We use the AI Providers' services and Spark +AI based on your consent. By using Spark +AI, you consent to the processing of your personal data by us as described in this Privacy Policy. If you do not consent to the use of the AI Providers' services, you should not switch on the Spark +AI feature that incorporates it. If you decide to withdraw your consent, you must switch off the Spark +AI feature.

Generation of Spark +AI data. Spark +AI helps you generate and edit email drafts. Spark +AI does not send emails on your behalf. You have full control over the generated content at all times, and you can review and edit it any time before sending. 

Use of Spark +AI data. Spark +AI is designed to protect your private data we obtain from you or about you. We do not store the contents of your emails and your requests for the Spark +AI feature. If you choose to use the Spark +AI feature, we will only transfer the textual context of your email to Microsoft to process your request and generate or edit email text based on that and additional context.

Model training. We do not use your private data to train Microsoft, OpenAI or any other machine learning model when you use the Spark +AI feature. Any information, including personal data, that you furnish while using the Spark +AI feature will be shared with the AI Providers solely for the purpose of functioning of the Spark +AI feature. We do not permit the AI Providers to use your personal data for any other purpose except for debugging in the event of a failure and to monitor the potential misuse or abuse of their services. According to the AI Providers' documentation, they do not use customer data to train, retrain, or improve the base models.

Security of Spark +AI data. Your email content and requests you make to Spark +AI are private and encrypted in accordance with our standard privacy and information security practices. We implement the latest commercially reasonable technical, administrative, and organizational measures to protect your personal data both online and offline from loss, misuse, and unauthorized access, disclosure, alteration, or destruction. We are not responsible for circumvention of any privacy settings or security measures contained in Spark, or third party services.

Input and Output. You may provide input (prompt) to be processed by Spark +AI (“Input”), and receive output generated and returned by Spark +AI based on the Input (“Output”). When you use Spark +AI, Input and Output are your customer data (“Customer Data”). You are solely responsible for the development, content, operation, maintenance, and use of your Customer Data.

‘My Writing Style’ feature. This is an AI-powered feature based on profiling. Profiling refers to the automated processing of personal data to assess specific aspects of a person. In this case, profiling does not result in any legal implications for you, nor does it significantly impact you in a similar manner. It analyzes a selection of your recently sent emails (referred to as ‘samples’) to learn and mimic your writing style. Subsequently, it applies your writing style and tone of voice to all new Spark +AI-generated email drafts. 

By default, the feature is turned off. You can activate or deactivate it within the ‘Writing Assistant’ of the ‘Spark+ AI’ section in your account settings.

When you turn on the feature, we automatically select samples that meet the length and other criteria from your recently sent emails and pass such samples to the AI provider to get the description of your writing style. The AI Provider will not have access to your other emails. Further, the description of your style will be sent to the AI provider along with each request when you draft new emails with Spark +AI.

Read more about samples, their review, and deletion in the ‘Email samples’ subsection of ‘Data Processed.’

Age Limitation

Please pay attention. We do not knowingly process the data from Users under the age of 16 without a legal representative’s consent. If you are such a User or the user’s legal representative, please inform us by email at dpo@sparkmailapp.com.

Term of Storage and Retention Periods

The retention periods mentioned in this section have been calculated by taking into account the data minimization principle enshrined in the GDPR and applicable laws that affect the processing of personal data. We analyzed the processing of data on every step of data processing and calculated the shortest periods necessary to meet the purposes of data processing.

Please read this section together with the retention periods provided in the descriptions of the features.

In general, we store personal data for the following periods of time:

Consent. We process the data based on your consent during the general term unless you withdraw it. After you withdraw your consent, it will take us up to 30 calendar days to erase your data.

Updates and marketing emails. We may send you emails describing our new updates, features, discounts or opportunities. Given that the major updates are rare and Spark works closely with the users’ requests for new features, we may keep your data for up to a few years (but no longer than 6 years after the User account is deemed abandoned) to keep you informed of new opportunities Spark offers. You will always have the option to unsubscribe using the link at the end of the email or contact us via email at dpo@sparkmailapp.com to opt out from receiving such emails.

Customer Support communication. We may retain the history of communication (including the contents of the communication, attached files, etc) between you and our Customer Support team for a few years but no longer than 6 years (as provided by the general statute of limitations in Ireland) to be able to respond to all your further questions and requests or inquiries of the entities that you authorize to act on your behalf, including those of legal nature. We apply necessary security measures to ensure that the communications and attachments are archived with access to them restricted.

Your Feedback. We will retain the Feedback which you provided to us directly for 5 years and the one which was collected from the third-party platform for 2 years, unless the law compels us to store it for longer in case of any procedures or actions. However, we reserve the right to delete your Feedback at any time at our sole discretion. You may also contact us at support@sparkmailapp.com to request that we refrain from or cease using your Feedback. 

Deletion. We will delete the data we process as a Controller under GDPR within one (1) month following the request. In case the request is complex or we have received a number of requests from the same individual, we may extend the time to respond to it by a further 2 months. We will inform you of any such prolongation within one month of receipt of the request, together with the reasons for the delay in response.

We store your personal data either until you delete the Account or after a certain period depending on the data type. When a retention period expires, we either delete your personal data or anonymize it so that it cannot be restored.

Summary of Retention Details:

After the above respective periods expire, we delete your personal data. It may be stored for statistical and analytical purposes in anonymized form.

We process your personal data based on your consent during the provision of services, during the term of storage (as defined above), or until you withdraw your consent, depending on the Feature.

Backup Storage

We store your data in the backups of databases. We regularly back up our databases: at least once a day and usually store them for one (1) week.

We use Google Cloud SQL service for the backup purposes. You can learn more about the procedure in their guide here.

Data Sharing with Third Parties

We use your personal data based on the performance of the contract to provide services and communicate with the Users.

We may share personal data with our affiliates to the extent necessary to develop and/or support Spark. We share your personal data with our contractors to the extent necessary to provide services, technical and customer support. In addition, we can share your data on the following grounds: consent, compliance with the law (or legal obligation), and legitimate interest. Also, we have implemented organizational and technical measures to ensure the security of personal data during data transfer to third-party.

Details:

Consent. We share your personal data based on your explicit consent.

Compliance with the law. We will disclose your personal data to third parties to the extent that it is necessary:

• to comply with a government request, court order, or applicable law;
• to prevent unlawful use of our App or violation of the Terms of Service and our policies;
• to protect against claims of third parties;
• to help prevent or investigate fraud.

Legitimate interest or performance of the contract. We may share your personal data with third parties based on a public offer for processing on our behalf, subject to technical and organizational measures to protect your personal data. We may transfer your personal data to certain companies, consultants, and contractors hired to provide certain services on our behalf.

Independent data controllers. We may sometimes receive your personal data from other, independent data controllers. We usually do so in one of two cases:

• the third-party data controller shares your personal data with us in response to your request (for example, when you sync Spark Mail with your account in another app); and/or
• an app store shares some data about on-market or in-app purchases, crash events, failed attempts to download or launch the app, or any other information that may affect your ability to buy, download, and use Spark Mail and its features on your device. For example, such independent data controllers can be Mac App Store, App Store, Microsoft Store, Google Play, and Huawei AppGallery depending on your choice and device.

We process these personal data only to enable you to use Spark Mail or its particular features (for example, to fix the bugs that do not allow your device to launch the app). We will not use your data received from these independent controllers to build any profile about you, or use it for any marketing or advertising purposes. We anonymize or aggregate these data where possible (such as where there is no request from you to our tech support to help fix the bug) before processing.

Subcontractors. We will ask for your consent unless data transfer is part of the contract performance. Here is the list of the third parties we may engage in the processing of personal data:

• Google Cloud (Google LLC, USA). Here we store our databases, logs, and backups. For more details, please refer to the Subcontractor’s Privacy Policy.
• Firebase Cloud Messaging (Google LLC, USA). We use it to process personal data to push messages to our Android Users. For more details, please refer to the Subcontractor’s Privacy Policy.
• Huawei Push Kit (Huawei Device Co., Ltd., China). We use it to process personal data to push messages to our Android users. For more details, please refer to the Subcontractor’s Privacy Policy.
• Stripe (Stripe Inc, USA). We transfer your data for payment processing on our behalf. For more details, please refer to the Subcontractor’s Privacy Policy.
• VAT Sense (Weio Ltd, UK). We use VAT Sense for VAT validation. For more details, please refer to the Subcontractor’s Privacy Policy.
• CampaignMonitor (Campaign Monitor Pty Ltd., USA). We send a list of all accounts there for statistics. For more details, please refer to the Subcontractor’s Privacy Policy.
• Postmark (Wildbit LLC, USA). This service is used to process your data for sending transactional emails. Transactional emails are emails about transactions, for example, the purchase of premium, about the start or the end of the trial. For more details, please refer to the Subcontractor’s Privacy Policy.
• Braze (Braze Inc, USA): This service is used to process your data for sending some marketing communications and analytics. For more details, please refer to the Subcontractor’s Privacy Policy.
• Calendly (Calendly LLC, USA): We use them to schedule calendar appointments with our customers. For more details, please refer to the Subcontractor’s Privacy Policy.
• Helpjuice (Helpjuice, Inc, USA) is a knowledge base software to help us provide you with the necessary customer support. For more details, please refer to the Subcontractor’s Privacy Policy.
• Google (Google LLC, USA). We use your data for the synchronization of accounts. For more details, please refer to the Subcontractor’s Privacy Policy.
• Apple Inc (Apple Inc, USA). We receive the personal data, technical data about the iOS systems and general statistics. For more details, please refer to the Subcontractor’s Privacy Policy.
• RevenueCat (RevenueCat, Inc., USA). We use them to monitor personal billing. For more details, please refer to the Subcontractor’s Privacy Policy.
• Amplitude (Amplitude, Inc., USA) is an analytics tool we use to understand how Users experience our App. For more details, please refer to the Subcontractor’s Privacy Policy.
• AppCenter (Microsoft-provided tool, USA): we use them to monitor crash logs. For more details, please refer to the Subcontractor’s Privacy Policy.
• AppsFlyer (AppsFlyer Ltd., USA) provides us with measurement, analytics, fraud protection, and engagement technologies. For more details, please refer to the Subcontractor’s Privacy Policy.
• Zoom (Zoom Video Communications, Inc., USA) is a video conferencing platform, which can be connected to Spark Calendar to help Users schedule video and audio meetings. For more details, please read their Privacy Policy.
• Azure OpenAI Service (Microsoft Corporation, USA). We use Azure OpenAI Service to provide you with Spark +AI, which is designed to help you create and edit emails using machine learning algorithms co-developed by Microsoft Corporation and OpenAI (OPENAI, LLC). For more details, please refer to their Privacy Statement.
• OpenAI API (OpenAI, L.L.C., USA). We use OpenAI API to provide you with the Spark +AI feature in specific cases described in this Policy. For more details, please refer to the ‘OpenAI Data’ subsection of this Policy and OpenAI Data Processing Addendum.
• Setapp (Setapp Ltd., Ireland). We collaborate with Setapp to offer you unique combinations of features and apps for your workload management. Your data will only be available to Setapp if you decide to download Spark through the Setapp service. For more details, please refer to their Privacy Policy.
• Zapier (Zapier, Inc., USA). We use Zapier to receive information about some of your financial transactions (such as a date of first payment or subscription cancellation). For more details, please, refer to their Privacy Policy.
• Airtable (Formagrid Inc, dba Airtable, USA). We use Airtable to manage subscriptions. For more details, please, refer to their Privacy Policy.
• Typeform (TYPEFORM SL, Barcelona (Spain)). We use Typeform to collect information from our users in embed forms. For more details, please refer to their Privacy Policy.

We may share your personal data with other Subcontractors, such as auditors, lawyers, accountants, software engineers, and other specialists and experts that we may engage on a contractual basis.

Data Transfer Outside the European Economic Area

The personal data we collect is stored on servers in the USA. The data is stored in the USA by default, but we may need to process your personal data in another country. We also share some data with our service providers in Ukraine.

The European Commission has recognised the United States (commercial organisations participating in the EU-US Data Privacy Framework) as providing adequate protection. In particular, Google LLC and its wholly-owned US subsidiaries (unless explicitly excluded), have certified that they adhere to the DPF Principles.

There is no adequate decision by the European Commission regarding Ukraine. Therefore, we have prepared a data processing agreement based on the standards of the Standard Contractual Clauses and carried out the legislation assessments for data protection during transfer and storage in third countries under the GDPR, such as Ukraine.

You can read detailed information on measures we take to protect your personal data here and, if signed, in our Data Processing Agreement with you. If you upload, send or create personal data of your clients or other data subjects via one of our Services, you may ask for a signed Data Processing Agreement by sending an email to dpo@sparkmailapp.com.

Security Measures

We regularly perform Data Protection Impact Assessments to ensure that we use an appropriate level of technical and organizational measures to prevent accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to personal data transmitted, stored, or otherwise processed. We follow ISO 27001 Standard to put all security controls in place as a basis.

To be more specific, to protect your personal data, we use HTTPS and encryption, divided group and individual access (where appropriate), alarm systems, corporate VPN, written approved internal policies (like password policy and physical access policy).

Moreover, we systematically monitor our technologies’ state of the art and never forget about the backups. All our contractors are under contractual obligations which are compliant with the GDPR requirements.

Here you can find information about the steps we mentioned above:

Trained team

Our team is competent in the matter of your personal data protection. Company regularly performs training in order to ensure that every team member has enough knowledge to keep your data safe and protect it in accordance with the best practices prescribed by European and U.S. laws on data protection.

HTTPS and encryption

We ensure that all transmission is secured with HTTPS so that no one else can access your data. Your email and account credentials are stored on secure cloud-based servers using symmetric and asymmetric encryption: private and public keys.

We currently use Google ("Hosting providers"). These Hosting providers have various international security certificates that ensure your data safety.

• App Center. You can read more on the security measures via the link.
• Google. You can read more on the security measures via the link.

Security measures (detailed explanation):

1. Physical access control: group access and alarm system

We secure access to the premises via ID readers, so only authorized persons have access to them. The ID cards can be blocked individually; access is also logged.

An alarm system is installed on the premises, preventing infiltration by unauthorized persons. The alarm system is linked to a locking mechanism for the doors.

2. System access control: individual access and password policy

Each employee has access to the systems/services only via their employee access. The access rights involved are limited to the responsibilities of the respective employee and/or team.

Password policy. We regulate access to our systems via password procedures and the use of SSH keys of at least 4096 bits in length. The SSH keys strengthen the productive systems against attacks that target weak passwords, as password-based access to the relevant systems is disabled.

We have, in addition, a regulation for the creation of passwords. This guarantees higher security also for systems that offer password-based access.

Passwords must meet specific requirements. It must be at least:

• 12 characters long
• 1 letter in upper-case
• 1 letter in lower-case
• 1 number
• 1 special symbol

Our systems are protected by firewalls that reject all incoming connections by default. Only connection types defined by exception are accepted.

3. Data access control: monitoring and physical access policy.

All servers and services are subject to continuous monitoring. This includes the logging of personal access in the user interface.

Due to the proximity of the employees, a visual inspection is possible at any time.

Locking and/or logging off when leaving work is prescribed and practiced.

4. Transfer control: contractual obligations and corporate VPN

Before transferring any data, we specify organizational and security requirements in Data Processing and Data Transfer Agreements (if applicable). These agreements are obligatory for every Enterprise and us as the Controller.

Furthermore, the handling of local data storage devices, e.g., USB sticks, is regulated via agreements.

Access to the systems outside the company network is possible only via secure VPN access.

5. Input control: general restriction

Our employees do not work directly at the database level but instead, use applications to access the data.

IT employees access the system via individual access and use a common login.

6. Availability control: backups and division

We ensure the availability of data in several ways. For example, there is a regular backup of the entire system. This can be used if the other availability measures fail.

Critical services are operated redundantly in multiple data centers and controlled by a high-availability system.

Our workstations are also protected with the usual measures. For example, virus scanners are installed, and laptops are encrypted.

We would like to specify that we use MDM-solution to protect employee devices with security settings.

7. Separation control: limited access.

We use logically separate databases to prevent unauthorized persons from accidentally reading data with limited access.

Access to the data is also restricted because employees use services (applications) that control access.

Privacy Rights

EU privacy rights

You, as subjects of personal data, have the following rights:

To exercise your rights, write us an email at dpo@sparkmailapp.com. If some data is being exchanged between Spark and your accounts in other services, you may also fulfill your rights (such as your right to withdraw your consent) by disabling the access of your Spark account to such third-party services or, alternatively, manage your privacy settings in your third-party service accounts that are linked with Spark and your Spark account.

Also, it is your right to lodge a complaint to the Data Protection Commission (DPC) regulatory body by post at 21 Fitzwilliam Square, South, Dublin 2, D02 RD28, Ireland or using webforms. Please note that you can contact your local supervisory authority. Your local authority will then contact the Irish supervisory authority to communicate your complaint or request.

The USA citizens’ privacy rights.

You, as the subject of personal data, have some specific privacy rights. To exercise them, write us an email at dpo@sparkmailapp.com

Your rights vary depending on the laws that apply to you but may include:

• The right to be informed about the personal data we collect and/or process about you;
• The right to learn the source of personal data about you we process;
• The right to access, modify, and correct personal data about you;
• The right to know with whom we have shared your personal data, for what purposes, and what personal data has been shared (including whether personal data was disclosed to third parties for their direct marketing purposes);
• The right to withdraw your consent, where the processing of personal data is based on your consent; and
• The right to lodge a complaint with a supervisory authority located in the jurisdiction of your habitual residence, place of work, or where an alleged violation of law occurred.

Please see more detailed information about your state’s privacy data protection laws in a separate section; you can find it in the navigation on the right of the page.

What do these rights mean?

1. The right to access information. You can request an explanation of the processing of your personal data: what data exactly we process and how.
2. The right to withdraw consent. After you once give us any consent, you can withdraw it at any time without any consequences for you.
3. The right to portability. You can request all the data you provided to us and request to transfer data to another Controller in a machine-readable format.
4. The right to file complaints. If your request is not satisfied, you can file a complaint to the regulatory body. But please first contact us, and we will do our best to help you.
5. Right to erasure. You can send us a request to delete your personal data from our systems.

Depending on the state and legislative requirements, we have from 30 to 60 days to exercise your request with the right for additional 30 days.

Privacy Policy Update

The GDPR regulates this Privacy Policy and the relationships falling under its effect. Existing laws and requirements for the processing of personal data are subject to change. In this case, we will publish a new version of the Privacy Policy on our website.

If we make substantial changes to this Policy (or the App) that affect your privacy and confidentiality, we will notify you by email or display information in the App and ask you to read it. We will notify you in advance, and if you continue using our Service after the changes come into effect, we will presume that you agree with the updated Privacy Policy.

Region Specific Data Privacy Law

California Legislation

For residents of California, we provide more information about the relevant legislation and your privacy rights granted by the California Consumer Privacy Act (CCPA) and California Privacy Rights Act.

Opt out of disclosure for direct marketing purposes. California law allows residents to learn the identities of entities that received their personal data for marketing purposes and the categories of information disclosed. You may request such information by contacting us by email at dpo@sparkmailapp.com.

Please be aware that this Opt-Out does not prohibit our disclosure of personal data for any purpose other than direct marketing.

Automatic gathering of information. We collect data you provide to us online and through unaffiliated third parties’ websites.

Automatic gathering of information by third parties. When you visit our websites, third parties can collect personal data about your online activities over time and across different websites on your visit to or use our and other websites.

Minors. A business shall not sell the customers’ personal information if the business has actual knowledge that the customer is a child under the age of 16. A business may process data of a child under the age of 16 only upon a parent or guardian’s request and only after verifying parent/guardian identity and authority to represent a child. A business that willfully disregards the customer’s age shall be deemed to have had actual knowledge of the customer’s age. This right may be referred to as the "right to opt-in."

A business that has not received consent to sell the minor customer’s personal information shall be prohibited from selling the personal information unless the customer subsequently provides express authorization.

Do-not-Track Requests

California residents using our App may request that we do not automatically gather and track information on their online browsing movements across the Internet. Such requests are typically made through web browser settings that control signals or other mechanisms that provide customers the ability to exercise choice regarding the collection of personal data about an individual customer's online activities over time and across third-party websites or online services. We currently do not have the ability to honor these requests. We reserve the right to modify this Privacy Policy as our capabilities change.

California Residents’ Data Protection Rights

The California Consumer Privacy Act ("CCPA") and California Privacy Rights Act provide our Users who are California residents with the following additional rights:

• Right to Know: You have the right to request that we disclose certain information to you about the personal data we collected, used, disclosed, and sold about you in the past 12 months. This includes a request to know any or all of the following:
  • categories of personal data collected about you;
  • categories of sources from which we collected your personal data;
  • categories of personal data that we have sold or disclosed about you for a business purpose;
  • categories of third parties to whom your personal data was sold or disclosed for a business purpose;our business or commercial purpose for collecting or selling your personal data; and
  • specific pieces of personal data we have collected about you.
• Data Portability: You have the right to request a copy of personal data we have collected and maintained about you in the past 12 months.
• Right to Erasure: You have the right to request that we delete the personal data we collected from you and maintained, subject to certain exceptions. Please note that if you request erasure of your personal data, we may deny your request or may retain some aspects of your personal data if it is necessary for us or our service providers to:
  • complete the transaction for which the personal data was collected, provide goods or services requested by you, or reasonably anticipated within the context of our ongoing business relationship with you, or otherwise perform a contract between our business and you;
  • detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity; or prosecute those responsible for that activity;
  • debug to identify and repair errors that impair existing intended functionality;
  • exercise free speech, ensure the right of another consumer to exercise his or her right of free speech, or exercise another right provided for by law;
  • comply with the California Electronic Communications Privacy Act according to Chapter 3.6 (commencing with Section 1546) of Title 12 of Part 2 of the Penal Code;
  • engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when the deletion of the information is likely to render impossible or seriously impair the achievement of such research if you have provided informed consent;
  • enable solely internal uses that are reasonably aligned with your expectations based on your relationship with us;
  • comply with a legal obligation;
  • otherwise, use the personal data internally in a lawful manner that is compatible with the context in which you provided the information.
• Right to Opt-Out/In: You have the right to opt out of the sale of your personal data. You also have the right to opt-in to the sale of personal data. However, we do not sell your personal data.
• Right to Non-Discrimination: You have the right not to receive discriminatory treatment by us to exercise your CCPA privacy rights. Unless permitted by the CCPA, we will not:
  • deny you goods or services;
  • charge you different prices or rates for goods or services, including through granting discounts or other benefits, or imposing penalties;
  • provide you a different level or quality of goods or services;
  • suggest that you may receive a different price or rate for goods or services or a different level or quality of goods or services.

You can exercise these rights any time by contacting us via email at dpo@sparkmailapp.com.

Notice, the CCPA envisages some specific requirements related to exercising these data protection rights. Considering them, we may:

• respond to your request within forty-five (45) days of receiving the request;
• provide you with personal data we collected about you no more than twice in a 12-months period (categories and specific pieces of collected personal data, business purpose and sources of collection, categories of third parties personal data is shared with);
• NOT provide you with personal data if we cannot verify your identity. You shall provide us with sufficient information to verify you as the person we collected personal data. However, we do consider requests made through your Account sufficiently verified;
• NOT transmit your personal data to another entity.

Also, please be aware that we are allowed to maintain personal data after erasure requests are received as permitted by the CCPA (for instance, for detection of security incidents, repair errors, compliance with legal obligations, and transaction completion).

We want to draw your particular attention that Spark does not sell, rent, or trade your personal data to anyone. We will not discriminate against you if you exercise your rights under the CCPA.

We are accessible to customers with disabilities. Consumers with disabilities may also contact us by emailing to request an alternative format of this Privacy Policy.

Virginia Legislation

For residents of Virginia, we provide more information about the relevant legislation and your privacy rights granted by Virginia’s Consumer Data Protection Act.

The VCDPA obliges some businesses to give consumers the ability to access and control personal data that the business collects about them.

Minors. Controllers and processors that comply with COPPA’s verifiable parental consent requirements shall be deemed compliant with any obligation to obtain parental consent under the CDPA.

A known child’s parent or legal guardian may invoke customer rights on behalf of the child regarding personal processing data belonging to the known child.

No Discrimination. A Controller cannot process personal data in violation of state and federal customer anti-discrimination laws or discriminate against a customer for exercising rights under the CDPA.

Access Requests. Controllers are required to establish and describe in a Privacy Policy one or more secure and reliable means for customers to submit a request to exercise their rights. The method used needs to consider how customers normally interact with the Controller, the need for secure and reliable communication of such requests, and the ability of the Controller to authenticate the requests.

Controllers are prohibited from requiring a customer to create a new account to exercise their customer rights but may require a customer to use an existing account.

Response time. Controllers are required to respond to customer requests within forty-five (45) days. This period may be extended once by forty-five (45) additional days if certain requirements are met.

No charge for the information. Controllers must provide information in response to a customer request free of charge, up to twice annually per customer. The Controller may charge the customer a reasonable fee or decline to act on the request if requests are manifestly unfounded, excessive, or repetitive, but the burden of demonstrating the manifestly unfounded, excessive, or repetitive nature of the request is on the controller.

Right to Opt-Out. Virginia residents visiting our websites may request to opt out of targeted advertising, the sale of personal data, or profiling. Virginia laws allow its residents to learn the identities of entities that received their personal data for marketing purposes and the categories of information disclosed. You may request such information by contacting us by email at dpo@sparkmailapp.com.

Colorado Legislation

For residents of Colorado, we provide more information about the relevant legislation and your privacy rights granted by the Colorado Privacy Act.

Minors. A Controller shall not process the personal data of a known child without first obtaining consent from the child’s parent or lawful guardian.

Access Requests. Consumers may exercise their rights by submitting a request using a method specified by the Controller in the required Privacy Policy.

The method you must take into account:

• how customers normally interact with the Controller;
• the need for secure and reliable communication relating to the request; and
• the ability of the Controller to authenticate the identity of the customer making the request.

Controllers shall not require a customer to create a new account to exercise customer rights. However, the Controller may require a customer to use an existing account.

Response time. 45 days to respond. The Controller shall inform a customer of any action taken on a request within 45 days. In certain circumstances, this 45-day window to respond may be extended by an additional 45 days.

No charge for the information. Controllers must provide the information requested free of charge once per year. The Controller may charge an additional amount for additional requests within 12 months.

Justification for failure to act. If a Controller does not take action as requested by a customer, the Controller shall inform the customer within 45 days after receipt of the request of the reasons for not taking action and instructions for how to appeal the decision.

Denial of requests. The Controller is not required to comply with a request to exercise any of the customer’s rights if the Controller cannot authenticate the request using commercially reasonable efforts and may request the provision of additional information reasonably necessary to authenticate the request.

Right to appeal. The Controller shall establish an internal process whereby customers may appeal a refusal to take action on a customer request. They must do so within a reasonable period after the Controller notifies them that the Controller denies the request. The appeal process must be conspicuously available and easy to use.

Responding to an appeal. The Controller shall inform the customer of the result of the appeal and provide a written explanation of the reasons in support of the outcome within 45 days of receipt of the appeal. These 45 days may be extended by an additional 60 days in certain circumstances.

Delaware legislation

For residents of Delaware, we provide more information about the relevant legislation and your privacy rights granted by the Delaware Online Privacy and Protection Act.

Advertising to children. DOPPA regulates operators only as far as they provide services or platforms that are 'targeted or intended to reach an audience composed predominantly of children'. However, this does not include services or platforms that merely refer or link to another service or platform directed at children.

Operators can also be liable under DOPPA if, despite not directing their services or platforms to children, they have actual knowledge that children are accessing the services or platforms. In such an event, an operator cannot knowingly use, disclose, or compile that child’s personal information, nor can an operator allow another to do the same. An operator that provides a covered service or platform cannot advertise or market content inappropriate for children. In this regard, DOPPA provides an enumerated list of prohibited content, including alcohol, tobacco, firearms, fireworks, tanning equipment and facilities, lotteries and gambling, tattoos, drug paraphernalia, and pornography. You should note that an operator need not monitor the preceding if it uses an advertising service and ensures that it complies with DOPPA.

Do-not-track requests. Delaware residents visiting our websites may request that we do not automatically gather and track information about their online browsing movements across the Internet. Such requests are typically made through web browser settings that control signals or other mechanisms that provide customers the ability to exercise choice regarding the collection of personal data about an individual customer's online activities over time and across third-party websites or online services. We currently cannot honor these requests. We may modify this Policy as our abilities change.

Nevada Legislation

For residents of Nevada, we provide more information about the relevant legislation and your privacy rights granted by the Nevada privacy law ​​Senate Bill 220.

Opt-Out of the sale. Nevada allows consumers to opt out of the sale of "covered information" collected through a website or online service. Under the law, "covered information" includes:

• first and last name;
• home or other physical address, which includes the name of a street and the name of a city or town;
• electronic mail (email) address;
• telephone number;
• social security number;
• identifier that allows a specific person to be contacted either physically or online;
• other information concerning a person is collected from the person through the operator’s Internet website or online service and maintained by the operator in combination with an identifier in a form that makes the information personally identifiable.

Do-not-sell request. Nevada does not require entities to include a "Do Not Sell My Personal Information" button or link on their websites. Instead, it mandates that entities provide consumers with an email address, a toll-free telephone number, or an Internet website to submit verified Opt-Out requests.

Response time. Upon receiving a "verified consumer request," a business has 45 days, with a possible 90-day extension when "reasonably necessary" and by providing notice to the consumer, for a total of 135 days.

Definitions

Here you can find the definitions of the terms used throughout the Privacy Policy.

“Spark”, “Spark Mail”, “we”, “our”, “us”: Spark Mail Limited, an Ireland-based technology company that maintains and operates Spark Mail App (“App”).

“Controller”, “data controller”: the natural or legal person who (either alone or jointly or in common with other persons) determines the purposes for which and how any personal data is processed. In the CCPA, the term “business” refers to the person performing similar functions.

“Data protection officer”, “DPO”: an employee or a contractor who is designated by Spark Mail Limited to help it comply with the GDPR and other data protection laws and who is assigned to help you protect your personal data rights. You may contact DPO at dpo@sparkmailapp.com.

“Data subject”: a natural person about whom Spark holds personal data (an identified or identifiable natural person).

“GDPR”: European Union’s General Data Protection Regulation.

“Personal data”: any information relating to you and helping identify you (directly or indirectly), such as your name, last name, email, location data, etc.

“Processing”: any operation or set of operations that is performed on personal data or sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

“Processor”, “data processor”: the natural or legal person who processes personal data on behalf of the data controller. In the CCPA, the term “service provider” can be used in the context of delegating some parts of data processing to another person under the business’ instruction.

“Services”, “Spark Mail Services” (either capitalized or not): the Spark Mail App and the features available through the use of the Spark Mail App, either Basic or Premium, together or separately.

“Subprocessor”: anyone other than us who we have appointed to process the personal data of our clients. Subprocessors can see no more data than we can see (unless you supply them with your personal data outside the Spark Mail App). Examples include our data hosting providers and payment processors.

“Supervisory authority”: a local regulator under the GDPR which has the job of seeing that we protect your data properly.