Last updated: July 13, 2023
We are Spark Mail Limited ("we") and we provide you services under the Terms of Service. In the Spark Application ("App" or "Spark") you can manage your email accounts, chats and conversations from one place ("Email Accounts").
We understand you care about your privacy and we appreciate the trust you place in us. To justify your trust, we continuously embed the latest data security standards, improve our awareness of privacy matters, and comply with the EU General Data Protection Regulation (the “GDPR”) and other privacy laws.
This Privacy Policy describes which of your personal data the App collects, how it stores and processes it, and what happens when you use Spark.
Please note that we do not collect, track, or store any personal data over what we need to provide and improve our product and services, perform our marketing campaigns as described in this Policy, and comply with our legal obligations.
DISCLAIMER! We inform you that different versions of Spark or different platforms may have no feature parity. Thus, be aware that the user experience of Spark via macOS, Windows, iOS, or Android may vary, and some versions or platforms may lack particular features present in others.
10/04/2022: Spark 3 version for Desktop (Windows, macOS) will lack Templates, Integrations, Shared Inboxes, Calendar, and the Send Large Attachments feature. We may also add new features from time to time, and we will keep you updated on them.
Spark reserves the right to add/remove/rename its features and update this disclaimer as soon as any changes occur.
All features you, as our current User, had in the previous Spark Mail version free of charge remain free and accessible as long as you hold your Spark Account.
14/09/2022: Spark 3 version for Desktop (Windows, macOS) will lack Templates, Integrations, Shared Inboxes, Calendar, and the Send Large Attachments feature. We may also add new features from time to time, and we will keep you updated on them.
Please note: Spark’s website has its own Privacy Policy that covers any data flows via the Website.
We divide App users into different categories depending on their access to our services as follows: Free User, Paying User, Enterprise, Partner, and Enterprise Member for privacy purposes.
Category | Definition |
---|---|
User (Free) | Any natural person that uses the App free of charge. |
User (Premium) | The natural person that subscribed to one of Spark Mail’s premium plans. User (Premium) can be an employee or other person who uses the App on behalf of or at the expense of an Organization or Enterprise. |
Team | Two or more Users (Free or Premium) that use the Team-specific features (e.g., Team billing, Assignments/Delegation, Shared inboxes, etc.). |
Organization | Legal entity that purchased a subscription to the Spark Mail Premium plan. |
Enterprise | Legal entity that purchased a personalized subscription plan. |
You own and control the personal data we collect about you. You can choose not to provide certain information or disable and prevent us from collecting, storing, and processing it by changing your account’s settings (e.g., by revoking consent or opt-out checkboxes), via our email address dpo@sparkmailapp.com or by any means of communication available for you. Please be aware that you may not be able to enjoy some of Spark’s features in such a case.
Any organization that collects and processes data can play different roles depending on particular data processing operation. For example, Spark plays different roles depending on the feature you use. In this Section, we explain how Spark meets the role requirements.
We are the Controller of the personal data for the Users (Free), Users (Premium), Teams, Organizations, and Enterprises (representatives of Organizations or Enterprises) from the moment of the User’s consent to the Terms of Service.
This means we determine the amount, purpose, and means of personal data processing when you use the App.
Under the applicable privacy protection rules, we can also act as the data processor depending on the particular data protection operation. This is the case where Spark provides a self-help tool, product, or feature and does not use personal data without the user’s instruction. For example, Spark does not use the email addresses of the email senders for Spark’s marketing activities, but only to enable the User to receive and send emails via Spark Service.
We are processing data on behalf of Organizations or Enterprises (based on the agreed instructions provided in the Data Processing Agreement; you may request a copy of our Data Processing Agreement at dpo@sparkmailapp.com).
Example: Company A purchased 15 licenses for employees. The Controller of the employees’ data is Company A, while we are the processor concerning this processing activity (namely, where we provide them with Spark services at the expense of Company A). As a data processor, Spark does not use such data (e.g., email addresses of third parties) for our own purposes, for example, for cold-call marketing.
As a result, we are processors for all personal data of Users, employees, or contractors of the three categories: the Organization, the Enterprise, and the User (Free or Premium).
For more details about our role as a Controller and a personal data Processor, please contact us at dpo@sparkmailapp.com. Alternatively, you can also send us a letter.
Company: Spark Mail Limited.
Address: Grand Canal House, 1 Grand Canal Street Upper, Dublin 4, D04 Y7R5, Ireland.
External Data Protection Officer: Legal IT Group LLC
Address: Office 1, 38 Volodymyrska Str., 01050 Kyiv, Ukraine
Email: dpo@sparkmailapp.com
If you have a particularly sensitive request, please contact us or our Data Protection Officer by postal mail at the above indicated address.
This Privacy Policy applies to the desktop and mobile versions of Spark compatible with macOS, iOS, Android, and Windows, accessible for download through our website, App Store, Microsoft Store, Huawei AppGallery, and Google Play.
We can process personal data based on the following legal bases:
In particular, we rely on legitimate interests when we process your personal data for the following purposes:
We rely on our legitimate interest only after a careful assessment of the balance of purpose, necessity, and proportionality, and in a manner that is expected and does not limit your rights.
Examples of consent:
"Spark" Would Like to Send You Notifications
Notifications may include alerts, sounds, and icon badges. These can be configured in Settings.
Don’t Allow / Allow
“Spark” Would Like to Access Your Photos
Access to photos will let you attach photos:
Select Photos… / Allow Access to All Photos / Don’t Allow
Example of legitimate interest:
We collect the history of your requests made on the App in order to customize services we propose to you. Sometimes, we will write emails to our registered Users to inform them of our new features and products.
This section explains our approach and practices for processing personal data at different features in the App.
We process two categories of data: technical and personal data you provide to us. Some of it can be seen on the client-side (interface), and some is processed on the backend.
Client-side is the part of the App that is displayed or takes place on users’ devices.
Backend is an invisible crucial part of the App where algorithms operate on the variables and data points. In the majority of cases, it is crucial to process such data in order to provide our services to you. For example, we keep backend data taking into account organizational and technical measures to ensure the security of your data.
As defined, you may belong to one of the categories of Users:
We collect your personal data according to this Privacy Policy when you use the App. When you use our Website, your personal data is processed in accordance with the Website’s Privacy Policy. Some of the data the App collects automatically, such as the country the App is used in: we get this data based on the IP address or from the App Store (we receive this information in a generalized form). Generally, all the data provided to us can either be linked to you or not (i.e., anonymized data).
We either create new personal data items or receive them from you. For example,
We process some personal data for purely business purposes: to enable you to use our services, to notify you of our new products and features, to invite you to participate in our special programs and offers, and to use parts of your data (usually pseudonymized) to monitor the trends and develop our product and business. We collect certain information about you when you provide it directly to us or use our App and Service. We only collect the information necessary to provide you with our services.
Unless we specify a particular legal basis, we process your personal data based on the contract (our Terms of Service) (Article 6(1)(b) of the GDPR: performance of contract).
Email address: As an email client, the core functionality of our Product is based on providing you with the ability to manage your email. For this reason, Spark services access your email account when you start using the App. Your email address is a unique identifier of you as a User within our system and allows us to secure your data. Your email address will also be used as a primary means of communication for us on anything related to changes to the App and Service, such as Privacy Policy, Terms of Service, or core functionality of our App or Service. We may also use your email to sync your data with your third-party accounts (if you request us to do so in the App), or occasionally contact you for marketing purposes (it will be in our legitimate interests to do so). You will always have a chance to opt-out of such sync or any marketing communications for similar products and/or services anytime. Please note that your email is safe with us, and we do not use it for profiling or targeting.
OAuth login or mail server credentials: Spark requires your credentials to log into your mail system in order to receive, search, compose and send email messages and other communication. Without such access, our Product will not be able to provide you with the necessary communication experience. In order for you to take full advantage of additional App and Service features, such as “send later”, “sync between devices” and where allowed by Apple – “push notifications” we use Spark Services. Without using these services, none of the features mentioned above will function.
Billing data. We may need to process your personal data to ensure the smooth operation of your subscription plan and comply with the applicable laws. We do not have access to your sensitive payment data (as the payment processor will only collect your personal data to process the payment), but we may store your payment processor id, payment status, and information about your subscription terms (such as type and duration).
Identity of a team you join: In order to make team collaboration within Spark possible, we allow you and your colleagues to create teams within the Service. It allows you to share information such as email conversations, shared email drafts, private discussions, or create links to a specific email message. Team identity is necessary to associate you with that specific team as well as secure your information from people who are not a part of your team. Our system creates a record about the team only when you create one.
Email content while using Spark Services: We allow you and your colleagues to create teams within the Service. It allows you to have a secure space to share information such as email conversations, shared email drafts, have private discussions, or create links to specific emails. We may retain your email for some time (at your request) when you use the “Send later” feature. This information is stored on our secure servers in order to make Services available to you, so you can collaborate with your teammates via email.
IP address and settings: The core functionality of our Product is based on an Internet connection, that is why our App and Service will not properly function without it. Your IP address is a unique identifier that lets you connect to the Internet, and our service will log connections for security and troubleshooting purposes. We also retain information about your settings so you may ensure the synchronization of your choices and experience between your devices.
APNS device token (Apple Push Notification Service): Push notifications allow you to get immediate updates about new emails or private team comments in your email inbox. You’re free to enable or disable them during the initial App setup or later using your device’s system preferences.
App token assigned by us: This token allows us to identify your device in our system and troubleshoot potential issues you might experience.
Device, App version, iOS version information: We need to have this information so the App functions properly on your specific device.
Statistical information with regards to App usage: In order to better understand general app usage patterns and improve the Product and its user experience, Spark collects general statistical information about the usage of the Product. Collecting such data helps us optimize the App in future updates, and such usage does not affect your rights and freedoms and does not disclose any personal data of yourself or your contacts. You may read Amplitude’s Privacy Policy to learn more about their processing of personal data.
Recently accessed email messages, collaboration threads, and shared inboxes: We need this information to provide Spark Services to you and your teammates, such as private discussions around email, shared drafts, shared email conversations, and shared inboxes. By collecting and storing this data, we are able to present message discussion threads through your Spark App and provide a better communication experience with your team.
Some of your email contacts: Spark Smart Notifications will send you push notifications only for important messages from real people. To block push notifications for promotional newsletters and automatic emails, we need to keep the “whitelist” of senders for push notifications. We’ll sync this “whitelist” of contacts to our server to enable Smart Notifications. If you decide not to use Smart Notifications, we will never sync your email contacts.
Logs: Some information about your use of the Spark Mail services can be stored either by us or by your device. When we collect this information on our servers, we do so to prevent fraud and potential unauthorized access to your personal information, ensuring the technical availability and security of the App. The server that hosts the App may record requests your device makes to the server, the details on the device and browser you use, your IP address, date and time of access, city and country, operating system, browser type, mobile network information. This data is used only for technical purposes – that is, to ensure the proper functioning and security of the App, to investigate possible security incidents, and to troubleshoot bugs and problems with the App reported by you. If you report an issue that prevents you from enjoying Spark, we may need the log data that is contained on your device to investigate the issue and troubleshoot. As we cannot obtain those logs without you sending them to us, we will rely on your consent.
Customer Support communication: Regarding the email: we save a record of communication, including attachments and information you voluntarily decide to share with us for troubleshooting purposes whenever you communicate with our support team.
Data from Microsoft Corporation: When you download and use Spark Mail from the Microsoft Store, we may occasionally receive data, including telemetry or crash data, from Microsoft Corporation. This data is used only to improve the App and to test or troubleshoot quality issues, such as bugs, in accordance with the Microsoft Store App Developer Agreement.
Your Feedback. We may publish your feedback, reviews and comments about your experience with our App ("Feedback") on our website, in the App or otherwise. This includes the Feedback you provide to us directly or via any platform, including but not limited to online distribution platforms, marketplaces, and social media. We process personal data in your Feedback, which may include your first and last name, username, the text of the Feedback and/or any other information contained in or related to the Feedback. We do not process personal data of children under the age of 16 and/or sensitive types of data in the Feedback. Under the GDPR, we rely on our legitimate interest as the legal basis for processing personal data in the Feedback if your Feedback was collected from the third-party platform (such as online distribution platforms, marketplaces, and social media), and we will ask for your consent to publish the Feedback that you provided to us directly. We use your Feedback to demonstrate the capabilities and features of the App, to share real user experiences with the App and to attract potential customers. For more information about your Feedback, please refer to the "Your Feedback" section of our Terms of Service.
Other information you decide to provide us with: Based on your decision and consent, we may also process any other personal data provided by you (for example, the information in your email signature or the first couple of lines from the email to show you the push notification) to make your experience of using some of our features more pleasant and tailored to your purposes and needs.
Please note: some data (such as company data) can be treated as non-personal data when processed in the absence of context. However, if such data is collected and processed alongside other data points or data items (such as name, telephone number, email, etc.), it can identify a particular person and therefore constitutes personal data. You may check the official position of the EU by reading:
Please note that we do not store all the data we receive from you. Mainly, the data is stored locally on your device. This means we see pseudonymized or even anonymized data. For more information on retention periods of your personal data please see “Term of storage and retention periods” section of this Privacy Policy.
Spark's use of information received from Google APIs will adhere to Google API Services User Data Policy, including the Limited Use requirements. This section may be helpful for you if you use Spark in conjunction with your Gmail account.
Permissions. When seeking access to your Google user data, all permission requests are being sent by Spark Mail App. Your authorized client credentials to access your Gmail account provided to us will be kept confidential. We request access only to the information we need; we will prompt you to refresh the access permissions if we implement new features. Where possible, we will use incremental auth.
Revoking access to Google User Data. You may revoke Spark’s access to your Gmail account by using Gmail settings: My Account -> Security tab -> Third-party apps with account access -> Manage third-party access -> Spark -> Remove access.
If you decide to do so, we will lose access to your Gmail account in Spark, and we will no longer be able to show you emails from it, and show and sync your Google Calendar. Upon your request (and when you delete your Spark account), we will delete all data collected from your Gmail account; however, in such a case, we may not be able to provide you with the ability to use Spark Mail features to work with your Gmail emails.
Types of data requested. We will list the types of data requested on the permission request webpage. If we need more (or less) permissions to run our Service, we will prompt a new permission request for you to review and consent (or reject). Not all Google User Data may contain personal data. Some statistical data will be anonymized.
Request purpose. The purpose for which the App requests your user data is to enable you to use Spark Mail features when working with your Gmail account emails. Without access to the emails, we cannot provide you with the features that include assessing, using, writing, changing, deleting, storing, sharing, filtering, whitelisting, and other manipulations with the emails as described in this Data Processed (by feature) section that are performed on your behalf (in other words, pursuant to your instructions issued by manipulating the Spark’s interface). We do not use your Google User Data for any other purposes but to provide you with access and the ability to use the Spark Mail Service.
Disclaimer. We do not use Google User Data to display, sell, or distribute this data to any third party conducting surveillance. Spark Mail has no hidden features, services, or actions that are not mentioned in this Privacy Policy or the Terms of Service. Spark takes reasonable and appropriate steps to protect all applications or systems that make use of Google User Data against unauthorized or unlawful access, use, destruction, loss, alteration, or disclosure. Spark Mail belongs to a Permitted Application Type as mentioned in the Google API Services User Data Policy (namely, an application that enhances the email experience for productivity purposes).
With regard to the access to Google User Data as specified above, we will:
We use the Azure OpenAI Service to provide you with the Spark +AI feature, which is designed to help you create and edit emails with the help of machine learning algorithms. In order to use the Azure OpenAI Service, we need to collect, process, and transfer data, including personal data, the processes which are subject to this Privacy Policy.
Spark +AI feature is exclusively available to our Premium Users of Spark 3 only, and may also be offered during the Trial period.
Applicability. This section of the Privacy Policy applies only to our Premium Users of Spark 3 who use the Spark +AI feature or Users who get access to it during the Trial period. By default, Spark +AI is switched off: you must opt in to enable the Spark +AI feature.
Permissions. We use the Azure OpenAI Service and Spark +AI based on your consent. By using Spark +AI, you consent to the processing of your personal data by us as described in this Privacy Policy. If you do not consent to the use of the Azure OpenAI Service, you should not switch on the Spark +AI feature that incorporates the Azure OpenAI Service.
Generation of Spark +AI data. Spark +AI helps you generate and edit email drafts. Spark +AI does not send emails on your behalf. You have full control over the generated content at all times, and can review and edit it any time before sending.
Use of Spark +AI data. Spark +AI is designed to protect your private data we obtain from you or about you. We do not store the contents of your emails and your requests for the Spark +AI feature. If you choose to use the Spark +AI feature, we will only transfer the textual context of your email to Microsoft to process your request and generate or edit email text based on that and additional context.
Model training. We do not use your private data to train Microsoft, OpenAI or any other machine learning model when you use the Spark +AI feature. Any information, including personal data, that you furnish while using the Spark +AI feature will be shared with Microsoft solely for the purpose of functioning of the Spark +AI feature. We do not permit our partners at OpenAI to use your personal data for any other purpose except for debugging in the event of a failure and to monitor the potential misuse or abuse of the Azure OpenAI Service.
Security of Spark +AI data. Your email content and requests you make to Spark +AI are private and encrypted in accordance with our standard privacy and information security practices. We implement the latest commercially reasonable technical, administrative, and organizational measures to protect your personal data both online and offline from loss, misuse, and unauthorized access, disclosure, alteration, or destruction.
Input and Output. You may provide input (prompt) to be processed by Spark +AI (“Input”), and receive output generated and returned by Spark +AI based on the Input (“Output”). When you use Spark +AI, Input and Output are your customer data (“Customer Data”). You are solely responsible for the development, content, operation, maintenance, and use of your Customer Data.
You will ensure that your use of Spark +AI and Customer Data will not (i) violate any applicable law; (ii) violate these Spark Terms of Service; or (iii) infringe, violate, or misappropriate any of our rights or the rights of any third party. You acknowledge that due to the nature of machine learning and the technology powering Spark +AI features, Output may occasionally be inaccurate. For this reason, it is your responsibility to carefully review the output text generated by the Spark +AI feature, edit it, if necessary, and independently verify the accuracy of the generated information against your purposes. In addition, we are not responsible for circumvention of any privacy settings or security measures contained in Spark, or third party services.
Third Party Provider Policies. If you choose to use the Spark +AI, you may not use its features in a manner that violates any Microsoft policy, including their Code of conduct for Azure OpenAI Service.
Please pay attention. We do not knowingly process the data from Users under the age of 16 without a legal representative’s consent. If you are such a User or the user’s legal representative, please inform us by email at dpo@sparkmailapp.com.
The retention periods mentioned in this section have been calculated by taking into account the data minimization principle enshrined in the GDPR and applicable laws that affect the processing of personal data. We analyzed the processing of data on every step of data processing and calculated the shortest periods necessary to meet the purposes of data processing.
Please read this section together with the retention periods provided in the descriptions of the features.
In general, we store personal data for the following periods of time:
User (Free) | User (Premium) and representatives of Organizations and Enterprises | Teams (Free and Premium) |
---|---|---|
Processing and retention: duration of the contract (Terms of Service). If the User is inactive for 36 months, Spark will send two reminder emails notifying that the Account will be suspended (and personal data deleted) unless the User logs in. The User will then have some time (“renewal period”) to log in to the Account and renew their Free Subscription. Otherwise, the Account will be deleted upon the expiry of the renewal period. At the User’s request, their Account can be retrieved after the deletion but not later than after 12 months after the User refused to activate the Account or ignored the reminder emails. | Processing and retention: duration of the contract (Terms of Service or personalized service contract for Enterprise(s)). If the charges cannot be withdrawn from the User, their Account then downgrades to the Free User subscription terms. The retention period is triggered on the day when the subscription plan changes, Spark will send two reminder emails after 36 months of inactivity, as described in the column on the left. The retention and archiving periods are aligned with the service contract terms. | Processing and retention: duration of the contract (the Terms of Service). If the last remaining Team member is inactive for 36 months (if they were using Free Subscription), Spark will send to the last remaining User the reminder that the Team data will be deleted unless the User logs in during the renewal period outlined in the reminder emails. Intra-Team communications that contain personal data will be retained as long as the Team owner remains an active Premium User. At the User’s request, their Account can be retrieved after the deletion but not later than after 36 months after the User refused to activate the Account or ignored the reminder emails. |
Consent. We process the data based on your consent during the general term unless you withdraw it. After you withdraw your consent, it will take us up to 30 calendar days to erase your data.
Updates and marketing emails. We may send you emails describing our new updates, features, discounts or opportunities. Given that the major updates are rare and Spark works closely with the users’ requests for new features, we may keep your data for up to a few years (but no longer than 3 years after the User account is deemed abandoned) to keep you informed of new opportunities Spark offers. You will always have the option to unsubscribe using the link at the end of the email or contact us via email at dpo@sparkmailapp.com to opt out from receiving such emails.
Customer Support communication. We may retain the history of communication (including the contents of the communication, attached files, etc) between you and our Customer Support team for a few years but no longer than 6 years (as provided by the general statute of limitations in Ireland) to be able to respond to all your further questions and requests or inquiries of the entities that you authorize to act on your behalf, including those of legal nature. We apply necessary security measures to ensure that the communications and attachments are archived with access to them restricted.
Your Feedback. We will retain the Feedback which you provided to us directly for 5 years and the one which was collected from the third-party platform for 2 years, unless the law compels us to store it for longer in case of any procedures or actions. However, we reserve the right to delete your Feedback at any time at our sole discretion. You may also contact us at support@sparkmailapp.com to request that we refrain from or cease using your Feedback.
Deletion. We will delete the data we process as a Controller under GDPR within one (1) month following the request. In case the request is complex or we have received a number of requests from the same individual, we may extend the time to respond to it by a further 2 months. We will inform you of any such prolongation within one month of receipt of the request, together with the reasons for the delay in response.
We store your personal data either until you delete the Account or after a certain period depending on the data type. When a retention period expires, we either delete your personal data or anonymize it so that it cannot be restored.
Type of information | Term of storage |
---|---|
Email address, email content, mail server credentials, APNS device token, appToken assigned by us, device info | During the services provision period + archive time. If you delete Spark Account: 3 months after deletion of your Spark Account. If you request the data erasure: we will erase your data within 30 days of your request. In case the request is complex, or we have received a number of requests from the same individual, we may extend the time to respond to it by a further 2 months. After we delete your data, it will be stored for 1 week in our backups. |
Recent messages from your inbox | Deleted after 4 hours |
Emails pending in the Send Later feature, IP addresses | Deleted once the message is sent |
Emails of Shared Inboxes | Stored during the provision of the services and deleted once the Shared Inboxes are deleted. |
After the above respective periods expire, we delete your personal data. It may be stored for statistical and analytical purposes in anonymized form.
We process your personal data based on your consent during the provision of services, during the term of storage (as defined above), or until you withdraw your consent, depending on the Feature.
We store your data in the backups of databases. We back up our databases regularly, at least once a day, and usually store the backups for one (1) week.
We use the Google Cloud SQL service for backup purposes. You can learn more about the procedure in their guide here.
We use your personal data based on the performance of the contract to provide services and communicate with the Users.
We may share personal data with our affiliates to the extent necessary to develop and/or support Spark. We share your personal data with our contractors to the extent necessary to provide services, technical and customer support. In addition, we can share your data on the following grounds: consent, compliance with the law (or legal obligation), and legitimate interest. Also, we have implemented organizational and technical measures to ensure the security of personal data during data transfer to third parties.
Details:
Consent. We share your personal data based on your explicit consent.
Compliance with the law. We will disclose your personal data to third parties to the extent that it is necessary:
Legitimate interest or performance of the contract. We may share your personal data with third parties based on a public offer for processing on our behalf, subject to technical and organizational measures to protect your personal data. We may transfer your personal data to certain companies, consultants, and contractors hired to provide certain services on our behalf.
Independent data controllers. We may sometimes receive your personal data from other, independent data controllers. We usually do so in one of two cases:
We process these personal data only to enable you to use Spark Mail or its particular features (for example, to fix the bugs that do not allow your device to launch the app). We will not use your data received from these independent controllers to build any profile about you, or use it for any marketing or advertising purposes. We anonymize or aggregate these data where possible (such as where there is no request from you to our tech support to help fix the bug) before processing.
Subcontractors. We will ask for your consent unless data transfer is part of the contract performance. Here is the list of the third parties we may engage in the processing of personal data:
We may share your personal data with other Subcontractors, such as auditors, lawyers, accountants, software engineers, and other specialists and experts that we may engage on a contractual basis.
The personal data we collect is stored on servers in the USA. The data is stored in the USA by default, but we may need to process your personal data in another country. We also share some data with our service providers in Ukraine.
There is no adequacy decision by the European Commission regarding either the USA or Ukraine. Therefore, we have prepared a data processing agreement based on the standards of the Standard Contractual Clauses and carried out the legislation assessments for data protection during transfer and storage in third countries under the GDPR, such as the USA and Ukraine.
You can read detailed information on measures we take to protect your personal data here and, if signed, in our Data Processing Agreement with you. If you upload, send or create personal data of your clients or other data subjects via one of our Services, you may ask for a signed Data Processing Agreement by sending an email to dpo@sparkmailapp.com.
We regularly perform Data Protection Impact Assessments to ensure that we use an appropriate level of technical and organizational measures to prevent accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to personal data transmitted, stored, or otherwise processed. We follow ISO 27001 Standard to put all security controls in place as a basis.
To be more specific, to protect your personal data, we use HTTPS and encryption, divided group and individual access (where appropriate), alarm systems, corporate VPN, written approved internal policies (like password policy and physical access policy).
Moreover, we systematically monitor our technologies’ state of the art and never forget about the backups. All our contractors are under contractual obligations which are compliant with the GDPR requirements.
Here you can find information about the steps we mentioned above:
Our team is competent in the matter of your personal data protection. The Company regularly conducts training to ensure that every team member has enough knowledge to keep your data safe and protect it in accordance with the best practices prescribed by European and U.S. laws on data protection.
We ensure that all transmission is secured with HTTPS so that no one else can access your data. Your email and account credentials are stored on secure cloud-based servers using symmetric and asymmetric encryption: private and public keys.
We currently use Google ("Hosting providers"). These Hosting providers have various international security certificates that ensure your data safety.
1. Physical access control: group access and alarm system
We secure access to the premises via ID readers, so only authorized persons have access to them. The ID cards can be blocked individually; access is also logged.
An alarm system is installed on the premises, preventing infiltration by unauthorized persons. The alarm system is linked to a locking mechanism for the doors.
2. System access control: individual access and password policy
Each employee has access to the systems/services only via their employee access. The access rights involved are limited to the responsibilities of the respective employee and/or team.
Password policy. We regulate access to our systems via password procedures and the use of SSH keys of at least 4096 bits in length. The SSH keys strengthen the production systems against attacks that target weak passwords, as password-based access to the relevant systems is disabled.
We have, in addition, a regulation for the creation of passwords. This guarantees higher security also for systems that offer password-based access.
Passwords must meet specific requirements. It must be at least:
Our systems are protected by firewalls that reject all incoming connections by default. Only connection types defined by exception are accepted.
3. Data access control: monitoring and physical access policy.
All servers and services are subject to continuous monitoring. This includes the logging of personal access in the user interface.
Due to the proximity of the employees, a visual inspection is possible at any time.
Locking and/or logging off when leaving work is prescribed and practiced.
4. Transfer control: contractual obligations and corporate VPN
Before transferring any data, we specify organizational and security requirements in Data Processing and Data Transfer Agreements (if applicable). These agreements are obligatory for every Enterprise and us as the Controller.
Furthermore, the handling of local data storage devices, e.g., USB sticks, is regulated via agreements.
Access to the systems outside the company network is possible only via secure VPN access.
5. Input control: general restriction
Our employees do not work directly at the database level but instead use applications to access the data.
IT employees access the system via individual access and use a common login.
6. Availability control: backups and division
We ensure the availability of data in several ways. For example, there is a regular backup of the entire system. This can be used if the other availability measures fail.
Critical services are operated redundantly in multiple data centers and controlled by a high-availability system.
Our workstations are also protected with the usual measures. For example, virus scanners are installed, and laptops are encrypted.
We would like to specify that we use an MDM solution to protect employee devices with security settings.
7. Separation control: limited access.
We use logically separate databases to prevent unauthorized persons from accidentally reading data with limited access.
Access to the data is also restricted because employees use services (applications) that control access.
You, as subjects of personal data, have the following rights:
Right | Description |
---|---|
Right to access | You can request an explanation of the processing of your personal data. |
Right to rectification | You can change the information if it is inaccurate or incomplete. |
Right to erasure | You can send us a request to delete your personal data from our systems. |
Right to data portability | You can request all the data that you provided to us, as well as request to transfer data to another Controller. |
Right to object | You can object to the processing of your data. |
Right to restriction | You may partially or wholly prohibit us from processing your personal data. |
Right to withdraw consent | You can withdraw your consent at any time. |
Right to lodge a complaint | If your request is not satisfied, you can file a complaint to the regulatory body. |
To exercise your rights, write us an email at dpo@sparkmailapp.com. If some data is being exchanged between Spark and your accounts in other services, you may also fulfill your rights (such as your right to withdraw your consent) by disabling the access of your Spark account to such third-party services or, alternatively, manage your privacy settings in your third-party service accounts that are linked with Spark and your Spark account.
Also, it is your right to lodge a complaint to the Data Protection Commission (DPC) regulatory body by post at 21 Fitzwilliam Square, South, Dublin 2, D02 RD28, Ireland or using webforms. Please note that you can contact your local supervisory authority. Your local authority will then contact the Irish supervisory authority to communicate your complaint or request.
You, as the subject of personal data, have some specific privacy rights. To exercise them, write us an email at dpo@sparkmailapp.com.
Your rights vary depending on the laws that apply to you but may include:
Please see more detailed information about your state’s privacy data protection laws in a separate section; you can find it in the navigation on the right of the page.
Virginia’s Consumer Data Protection Act | California Consumer Privacy Act and California Privacy Rights Act | Colorado Privacy Act | Nevada Privacy Law | Delaware Online Privacy and Protection Act |
---|---|---|---|---|
Right to Know whether the Controller is processing a customer’s personal data. | Right to Know what personal information is collected and Right to Access personal information. | Right to Access Information. | Right to Know whether the Controller is processing the customer’s personal data. | Right to Access Information. |
Right to Access personal data processed by the Controller. | Right to Know if Personal Information is Sold. | Right to confirm the processing of personal data. | Right to opt out of Sale. | Right to withdraw consent. |
Right to Correct. Right to Erasure. Right to Data Portability. Right to opt out of targeted advertising, the sale of personal data, or profiling. | Right to Erasure. Subject to certain exceptions. Right to Data Portability. Right to Correct. Right to opt out of Sale. Right to Limit Use and Disclosure of Sensitive Personal Information. | Right to Access information. Right to Correct. Right to Erasure. Right to Data Portability. Right to opt out of targeted advertising, the sale of personal data, or profiling via a universal opt out mechanism. | Right to Correct. | Right to Correct. Right for "do not track" request. Right to opt out of Sale. |
What do these rights mean?
Depending on the state and legislative requirements, we have from 30 to 60 days to act on your request, with the right to an additional 30 days.
The GDPR regulates this Privacy Policy and the relationships falling under its effect. Existing laws and requirements for the processing of personal data are subject to change. In this case, we will publish a new version of the Privacy Policy on our website.
If we make substantial changes to this Policy (or the App) that affect your privacy and confidentiality, we will notify you by email or display information in the App and ask you to read it. We will notify you in advance, and if you continue using our Service after the changes come into effect, we will presume that you agree with the updated Privacy Policy.
For residents of California, we provide more information about the relevant legislation and your privacy rights granted by the California Consumer Privacy Act (CCPA) and California Privacy Rights Act.
Opt out of disclosure for direct marketing purposes. California law allows residents to learn the identities of entities that received their personal data for marketing purposes and the categories of information disclosed. You may request such information by contacting us by email at dpo@sparkmailapp.com.
Please be aware that this Opt-Out does not prohibit our disclosure of personal data for any purpose other than direct marketing.
Automatic gathering of information. We collect data you provide to us online and through unaffiliated third parties’ websites.
Automatic gathering of information by third parties. When you visit our websites, third parties can collect personal data about your online activities over time and across different websites during your visit to or use of our and other websites.
Minors. A business shall not sell the customers’ personal information if the business has actual knowledge that the customer is a child under the age of 16. A business may process data of a child under the age of 16 only upon a parent or guardian’s request and only after verifying parent/guardian identity and authority to represent a child. A business that willfully disregards the customer’s age shall be deemed to have had actual knowledge of the customer’s age. This right may be referred to as the "right to opt-in."
A business that has not received consent to sell the minor customer’s personal information shall be prohibited from selling the personal information unless the customer subsequently provides express authorization.
California residents using our App may request that we do not automatically gather and track information on their online browsing movements across the Internet. Such requests are typically made through web browser settings that control signals or other mechanisms that provide customers the ability to exercise choice regarding the collection of personal data about an individual customer's online activities over time and across third-party websites or online services. We currently do not have the ability to honor these requests. We reserve the right to modify this Privacy Policy as our capabilities change.
The California Consumer Privacy Act ("CCPA") and California Privacy Rights Act provide our Users who are California residents with the following additional rights:
You can exercise these rights any time by contacting us via email at dpo@sparkmailapp.com.
Please note that the CCPA envisages some specific requirements related to exercising these data protection rights. Considering them, we may:
Also, please be aware that we are allowed to maintain personal data after erasure requests are received as permitted by the CCPA (for instance, for detection of security incidents, repair errors, compliance with legal obligations, and transaction completion).
We want to draw your particular attention to the fact that Spark does not sell, rent, or trade your personal data to anyone. We will not discriminate against you if you exercise your rights under the CCPA.
We are accessible to customers with disabilities. Consumers with disabilities may also contact us by emailing to request an alternative format of this Privacy Policy.
For residents of Virginia, we provide more information about the relevant legislation and your privacy rights granted by Virginia’s Consumer Data Protection Act.
The VCDPA obliges some businesses to give consumers the ability to access and control personal data that the business collects about them.
Minors. Controllers and processors that comply with COPPA’s verifiable parental consent requirements shall be deemed compliant with any obligation to obtain parental consent under the CDPA.
A known child’s parent or legal guardian may invoke customer rights on behalf of the child regarding the processing of personal data belonging to the known child.
No Discrimination. A Controller cannot process personal data in violation of state and federal customer anti-discrimination laws or discriminate against a customer for exercising rights under the CDPA.
Access Requests. Controllers are required to establish and describe in a Privacy Policy one or more secure and reliable means for customers to submit a request to exercise their rights. The method used needs to consider how customers normally interact with the Controller, the need for secure and reliable communication of such requests, and the ability of the Controller to authenticate the requests.
Controllers are prohibited from requiring a customer to create a new account to exercise their customer rights but may require a customer to use an existing account.
Response time. Controllers are required to respond to customer requests within forty-five (45) days. This period may be extended once by forty-five (45) additional days if certain requirements are met.
No charge for the information. Controllers must provide information in response to a customer request free of charge, up to twice annually per customer. The Controller may charge the customer a reasonable fee or decline to act on the request if requests are manifestly unfounded, excessive, or repetitive, but the burden of demonstrating the manifestly unfounded, excessive, or repetitive nature of the request is on the controller.
Right to Opt-Out. Virginia residents visiting our websites may request to opt out of targeted advertising, the sale of personal data, or profiling. Virginia laws allow its residents to learn the identities of entities that received their personal data for marketing purposes and the categories of information disclosed. You may request such information by contacting us by email at dpo@sparkmailapp.com.
For residents of Colorado, we provide more information about the relevant legislation and your privacy rights granted by the Colorado Privacy Act.
Minors. A Controller shall not process the personal data of a known child without first obtaining consent from the child’s parent or lawful guardian.
Access Requests. Consumers may exercise their rights by submitting a request using a method specified by the Controller in the required Privacy Policy.
The method you must take into account:
Controllers shall not require a customer to create a new account to exercise customer rights. However, the Controller may require a customer to use an existing account.
Response time. 45 days to respond. The Controller shall inform a customer of any action taken on a request within 45 days. In certain circumstances, this 45-day window to respond may be extended by an additional 45 days.
No charge for the information. Controllers must provide the information requested free of charge once per year. The Controller may charge an additional amount for additional requests within 12 months.
Justification for failure to act. If a Controller does not take action as requested by a customer, the Controller shall inform the customer within 45 days after receipt of the request of the reasons for not taking action and instructions for how to appeal the decision.
Denial of requests. The Controller is not required to comply with a request to exercise any of the customer’s rights if the Controller cannot authenticate the request using commercially reasonable efforts and may request the provision of additional information reasonably necessary to authenticate the request.
Right to appeal. The Controller shall establish an internal process whereby customers may appeal a refusal to take action on a customer request. They must do so within a reasonable period after the Controller notifies them that the Controller denies the request. The appeal process must be conspicuously available and easy to use.
Responding to an appeal. The Controller shall inform the customer of the result of the appeal and provide a written explanation of the reasons in support of the outcome within 45 days of receipt of the appeal. These 45 days may be extended by an additional 60 days in certain circumstances.
For residents of Delaware, we provide more information about the relevant legislation and your privacy rights granted by the Delaware Online Privacy and Protection Act.
Advertising to children. DOPPA regulates operators only as far as they provide services or platforms that are 'targeted or intended to reach an audience composed predominantly of children'. However, this does not include services or platforms that merely refer or link to another service or platform directed at children.
Operators can also be liable under DOPPA if, despite not directing their services or platforms to children, they have actual knowledge that children are accessing the services or platforms. In such an event, an operator cannot knowingly use, disclose, or compile that child’s personal information, nor can an operator allow another to do the same. An operator that provides a covered service or platform cannot advertise or market content inappropriate for children. In this regard, DOPPA provides an enumerated list of prohibited content, including alcohol, tobacco, firearms, fireworks, tanning equipment and facilities, lotteries and gambling, tattoos, drug paraphernalia, and pornography. You should note that an operator need not monitor the preceding if it uses an advertising service and ensures that it complies with DOPPA.
Do-not-track requests. Delaware residents visiting our websites may request that we do not automatically gather and track information about their online browsing movements across the Internet. Such requests are typically made through web browser settings that control signals or other mechanisms that provide customers the ability to exercise choice regarding the collection of personal data about an individual customer's online activities over time and across third-party websites or online services. We currently cannot honor these requests. We may modify this Policy as our abilities change.
For residents of Nevada, we provide more information about the relevant legislation and your privacy rights granted by the Nevada privacy law Senate Bill 220.
Opt-Out of the sale. Nevada allows consumers to opt out of the sale of "covered information" collected through a website or online service. Under the law, "covered information" includes:
Do-not-sell request. Nevada does not require entities to include a "Do Not Sell My Personal Information" button or link on their websites. Instead, it mandates that entities provide consumers with an email address, a toll-free telephone number, or an Internet website to submit verified Opt-Out requests.
Response time. Upon receiving a "verified consumer request," a business has 45 days, with a possible 90-day extension when "reasonably necessary" and by providing notice to the consumer, for a total of 135 days.
Here you can find the definitions of the terms used throughout the Privacy Policy.
“Spark”, “Spark Mail”, “we”, “our”, “us”: Spark Mail Limited, an Ireland-based technology company that maintains and operates Spark Mail App (“App”).
“Controller”, “data controller”: the natural or legal person who (either alone or jointly or in common with other persons) determines the purposes for which and how any personal data is processed. In the CCPA, the term “business” refers to the person performing similar functions.
“Data protection officer”, “DPO”: an employee or a contractor who is designated by Spark Mail Limited to help it comply with the GDPR and other data protection laws and who is assigned to help you protect your personal data rights. You may contact DPO at dpo@sparkmailapp.com.
“Data subject”: a natural person about whom Spark holds personal data (an identified or identifiable natural person).
“GDPR”: European Union’s General Data Protection Regulation.
“Personal data”: any information relating to you and helping identify you (directly or indirectly), such as your name, last name, email, location data, etc.
“Processing”: any operation or set of operations that is performed on personal data or sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
“Processor”, “data processor”: the natural or legal person who processes personal data on behalf of the data controller. In the CCPA, the term “service provider” can be used in the context of delegating some parts of data processing to another person under the business’ instruction.
“Services”, “Spark Mail Services” (either capitalized or not): the Spark Mail App and the features available through the use of the Spark Mail App, either Basic or Premium, together or separately.
“Subprocessor”: anyone other than us who we have appointed to process the personal data of our clients. Subprocessors can see no more data than we can see (unless you supply them with your personal data outside the Spark Mail App). Examples include our data hosting providers and payment processors.
“Supervisory authority”: a local regulator under the GDPR which has the job of seeing that we protect your data properly.