Legal

Privacy Policy - Spark (Website)

Last updated: November 23, 2023.

We are Spark Mail Limited ("we"), and we provide you services under these Terms of Service. On our website ("Website" or "Spark") you can (voluntarily or when requested to) leave some of your personal information to learn more about our Spark App, an email application for iOS, macOS, Windows and Android. Note that the application is governed by its own Privacy Policy.

We understand you care about your privacy, and we appreciate the trust you place in us. To justify your trust, we embed the latest data security standards, improve our awareness of privacy matters, and comply with the General Data Protection Regulation and other privacy laws.

This Privacy Policy describes what personal information the Website collects from you, and how it is stored and processed.

We do not collect, track or store any personal data over what we need to provide and improve our Website and services.

DISCLAIMER! This Policy covers your interaction with our Website only. If you want to know more about Spark Mail App and get information on how it processes your personal data, please read Spark Mail App Privacy Policy.

Our Commitments

we only collect and use your data where we have a legal basis to do so;
we are always transparent and tell you about how we use your information;
when we collect your data for a particular purpose, we do not use it for anything else without your consent, unless other legal basis applies or the purposes are compatible (in the meaning of the GDPR (the EU General Data Protection Regulation));
we do not sell your data;
we do not ask for more data than needed for the purposes of providing our services;
we adhere to the data retention policies and ensure that your information is securely disposed of at the end of such retention period;
we observe and respect your rights by ensuring that queries relating to privacy issues are dealt with promptly, efficiently, and transparently;
we keep our staff trained in privacy and security obligations;
we ensure that we have appropriate technological and organizational measures in place to protect your data;
we also ensure that all of our data processors have appropriate security measures in place with contractual provisions requiring them to comply with our data privacy obligations;
we obtain your consent where we need it to process your personal data (e.g. for cookies) and ensure that suitable safeguards are in place before personal data is transferred to other countries.

Context:

Our Commitment
Definition of "User"
Controller (and DPO) details
Applicability
Personal Data: General
Personal Data: Website
Analytics Tools we Use
Term of Storage
Data sharing with third parties
Data transfer outside the European Economic Area
Security measures
- HTTPS and encryption
- Security measures (detailed explanation)
Privacy rights
- EU privacy rights
- The USA citizens’ privacy rights
Privacy Policy Update

Definition of "User"

By using our Website you enter the category of “User”. A User is any natural person who uses the Website.

You own and control the personal data we collect about you on the Website. You can choose not to provide certain information or disable it and prevent us from collecting, storing, and processing it.

Please be aware you may not be able to take advantage of some features of the Website in this case.

Controller (and Data Protection Officer) Details

We are the controller of the personal data of our Users. This means that we determine what, for what purpose, and how your personal data will be processed by us.

Company: Spark Mail Limited.
Address: Grand Canal House, 1 Grand Canal Street Upper, Dublin 4, D04 Y7R5, Ireland.

External Data Protection Officer: Legal IT Group LLC
Email: dpo@sparkmailapp.com

If you have a particularly sensitive request, please contact us or our Data Protection Officer.

Applicability

This Policy applies to our website.

Personal Data: General

This section explains our approach and practices for processing personal data at different features on the Website. We use tables and charts to present the information in a structured and easy-to-digest fashion.

We process two categories of data: technical and personal data that you provide to us.

Usually, we can process personal data based on the following legal bases:

performance of the contract: for processing that is strictly necessary for service provision as set forth in the Terms of Service, technical and customer support;
legitimate interest: for processing that is reasonable for the user and required for the development of the service;
legal obligation for the processing of data as required by applicable laws or if requested by a law enforcement agency, court, supervisory authority or another state-authorized public body;
consent: for additional processing for specific purposes.

Example of consent:
You agree to receive updates by email.

Age Limitation

Please Note: We knowingly do not process the data from Users below 16 years of age without a legal representative’s consent. If you are such a User or the user’s legal representative, please inform us by email at dpo@sparkmailapp.com.

Personal Data: Website

We collect your personal data according to this Privacy Policy when you use the Website.

Website operation

We need technical data to operate, maintain, and improve our website. This may include:

browser information: type of browser, language settings, country and timezone;
cookie or web beacon information: cookie IDs and settings and other personal information received through cookies, web beacons, or pixel tags;
device information: the type of device, hardware model, and operating system;
Identification details: unique identifiers such as an IDFA (for iOS), MAC address, or a UserID;
network information: IP-addresses and mobile network information;
preferences: for example language settings or interests;
location data: data on your geo-location. If we use your device-based precise GPS location, we will make sure we only do so after receiving your consent;
service usage: information regarding the way you interact with our Website.

Payment data

You may be able to pay for our services and products on the Website. To make a payment, we will redirect you to the webpage of the payment processor (namely, Stripe), and the payment processor will be collecting your personal data to carry out the payment operation. We will not have access to your sensitive payment data (your credit card data is passed directly to Stripe and never passes through our servers), so please ensure that you’ve read Stripe's Privacy Policy to learn more about their handling of your data. On our side, we may retain your email and other data that describes the payment status, service or product purchased, such as payment identifier and timestamp or duration of subscription.

Investigation of your help requests

When you contact us with help requests, we connect you with our help center (to know how your personal data will be processed, you may read Helpjuice’s Privacy Policy). We will process your name, email address, case description, and additional information you may provide in the request for support or attached files (such as logs); you may choose to upload, attach or create any content which contains all sorts of personal information about you and others (such content may also contain a filename, size and filetype). We will investigate the issue as part of our duties under the contract that you entered into when agreed to our Terms of Service. We may keep and process this data for a few years but no longer than 6 years (as provided by the general statute of limitations in Ireland), and do not use your data for any other purposes except for investigation of the issue and notifying you of the results of the investigation, or preparing a product enhancement proposal for our product development team (provided that your personal data is erased before sharing the proposal).

Logs

We collect this information to prevent fraud and potential unauthorized access to your personal information, ensuring the technical availability and security of the Website. The server that hosts the Website may record requests your device makes to the server, the details on the device and browser you use, your IP address, date and time of access, city and country, operating system, browser type, and mobile network information. This data is used only for technical purposes – that is, to ensure the proper functioning and security of the Website and to investigate possible security incidents. Your device may also contain Logs, but their scope and retention period depend on your device’s manufacturer.

Analytics and statistics

To better understand general app usage patterns, and improve the Website and its user experience, Spark may collect general statistical information about the usage of the Website. Collecting such data helps us optimize the Website in future updates and such usage does not affect your rights and freedoms and does not disclose any personal data of yourself or your contacts. We may collect information about your device (such as model, series, manufacturer, OS update, screen parameters, Internet connection data), App version, iOS version information, non-precise location data (such as country), cookies and other web tracking technologies so we may understand which webpages are most useful for you and which ones should be added or deleted. We usually process such data in a pseudonymised or anonymised form where possible, and our processing is based on either your consent, legal obligation, or our legitimate interest. More information about analytics and statistics subcontractors we engage is available in the “Analytics Tools We Use” section of this Policy.

Pixel, Beacons, Links, and Cookie Information

These technologies are necessary for Spark for Website administration and measuring the efficiency of our marketing campaigns. Cookies and similar technologies allow us to identify you as a visitor, remember your settings and preferences, such as language, keep the Website safe and secure, and collect marketing email statistics to create more interesting materials and offers for you. Cookies are stored on your device; to delete them, you may clear the cache of your browser; to find out how you can delete the cookies, please visit the Help Center or Settings of your browser. However, deletion of cookies may result in a worse Website surfing experience or even prevent you from using some of the features of the Website. Email pixels can be disabled in the settings of your email service provider. We may also collect some statistics information on whether email recipients click on the links in the emails we send. To learn more about cookies and other technologies, please refer to the Cookie Policy.

Marketing and Product Updates

We may use some of your personal data (such as email, and your name) to inform you of our new features and products, changes implemented into the Website or App (including the updates on the Privacy Policies or Terms of Service), and special offers you may participate in. We may also use some data, such as your IP address or a cookie ID, to measure the effectiveness of our email campaigns (for example, to count link clicks, unique visitors, or repeated visits). Marketing messages can be sent on the basis of your consent (marketing) or our legitimate interest (rare marketing emails and product updates). Importantly, we never sell private data to or share it otherwise with other third parties (except our affiliates and subcontractors).

Your Feedback

We may publish your feedback, reviews and comments about your experience with our App ("Feedback") on our Website, in the App or otherwise. This includes the Feedback you provide to us directly or via any platform, including but not limited to online distribution platforms, marketplaces, and social media. We process personal data in your Feedback, which may include your first and last name, username, the text of the Feedback and/or any other information contained in or related to the Feedback. We do not process personal data of children under the age of 16 and/or sensitive types of data in the Feedback. Under the GDPR, we rely on our legitimate interest as the legal basis for processing personal data in the Feedback if your Feedback was collected from the third-party platform (such as online distribution platforms, marketplaces, and social media), and we will ask for your consent to publish the Feedback that you provided to us directly. We use your Feedback to demonstrate the capabilities and features of the App, to share real user experiences with the App and to attract potential customers. For more information about your Feedback, please refer to the "Your Feedback" section of our Terms of Service.

Analytics Tools We Use

This Website uses a few analytics tools and, therefore, uses cookies (as provided for in our Cookie Policy). If you want to disable cookies, then you can find instructions for managing your browser settings at these links:

Crazyegg

We use Crazyegg tools to monitor which webpages are popular and attract more attention than others, for how long an anonymous user stays on the webpage, to hold A/B experiments etc.

Crazyegg collects heatmaps and helps us optimize the website and App to provide you with an efficient and smooth experience.

The interactions that may be recorded or analyzed by Crazyegg may include mouse scrolls and clicks, keystrokes entered by you, and/or pages viewed or visited by you, including the duration of such visits.

We receive this information in the form of an aggregated anonymized report and/or statistics. You may read more about Crazyegg’s privacy practices in their Privacy Policy.

Google Analytics

The Website uses Google Analytics, a web analytics service provided by Google, Inc. (“Google”). Google Analytics uses “cookies”, which are text files placed on your computer, to help analyze how you use the Website. The information generated by the cookie about your use of the Website will normally be transmitted to and stored by Google on servers in the United States.

In case IP anonymization is activated on the Website, your IP address will be truncated within the area of member states of the European Union or within other contracting states to the Agreement on the European Economic Area. Only in exceptional cases the whole IP address will be first transferred to a Google server in the USA and truncated there. Google will use this information on behalf of Spark for the purpose of evaluating your use of the Website, compiling reports on Website activity and providing other services for Spark relating to website activity and internet usage. The IP address that your browser transfers within the scope of Google Analytics will not be associated with any other data held by Google.

You may refuse the use of cookies by selecting the appropriate settings in your browser, however, please note that if you do so you may not be able to use all functions of the Website. You can also opt out from the storage by Google of the data that is created by the cookie and is related to the use of the Website (including your IP address) and the processing of such data by Google by downloading and installing the Google Analytics opt-out browser add-on available under this link. As an alternative to the browser add-on or within browsers on mobile devices, you can click this link in order to opt out from being tracked by Google Analytics within this Website in the future (this opt-out option applies only to the browser in which you set it and with regard to the Website). In this case, an opt-out cookie is put on your device. In case you delete your cookies, you will have to use the aforementioned link again.

For further information on Google Analytics please refer to Google Analytics Terms of Service, Google’s “Safeguarding your data” policy and Google’s Privacy Policy.

Amplitude

In order to better understand general usage patterns for our Product, we use a third-party tool of Amplitude, Inc, 501 2nd Street, San Francisco, CA 94107, called Amplitude (see their Privacy Policy here).

Amplitude is an analytics software tool, which helps us improve our Service by providing statistical patterns of our product use. This tool does not provide us with any additional personal data about you or your behavior online.

Other tracking mechanisms

Email messages sent by us via third-party services like MailChimp or CampaignMonitor may contain tracking pixels which help us collect statistics on delivery and opening rates of our correspondence. These pixels do not provide us with any additional personal data about you or your behavior online. You can disable image rendering in your email client which will deactivate this feature, however, you will be unable to see any images within other received emails.

Term of Storage

We store the personal data of the User for the 12 months after the last usage of the Website. However, we will retain the Feedback which you provided to us directly for 5 years and the one which was collected from the third-party platform for 2 years, unless the law compels us to store it for longer in case of any procedures or actions. At the same time, we reserve the right to delete your Feedback at any time at our sole discretion. You may also contact us at support@sparkmailapp.com to request that we refrain from or cease using your Feedback.

After the above period expires, we anonymize the data and store it for statistical and analytical purposes.

We process your personal data based on your consent during the provision of services, or during the term of storage (as defined above) or until you withdraw your consent.

If you want to exercise your rights, please contact our data protection officer by sending an email at dpo@sparkmailapp.com. To opt out of cookies (or withdraw your consent to the processing of your data by cookies), please read our Cookie Policy.

Data Sharing with Third Parties

We use your personal data on the basis of the performance of the contract (i.e. our Terms of Service) to provide services and communicate with the Users.

We may share personal data with our affiliates to the extent necessary to develop and/or support Spark. We share your personal data with our contractors in the scope we need to provide services, and technical and customer support. Also, we can share your data on the following grounds: consent, compliance with the law, and legitimate interest.

Here is the detailed information on the legal grounds for data sharing with third parties:

Consent. We share your personal data based on your explicit consent.

Compliance with the law. We will disclose your personal data to third parties to the extent that it is necessary:

to comply with a government request, court order, or applicable law;
to prevent unlawful use of our Website or violation of the Terms of Service and our policies;
to protect against claims of third parties;
to help prevent or investigate fraud.

Legitimate interest or performance of the contract: We share your personal data with third parties based on a public offer for processing on our behalf, subject to technical and organizational measures to protect your personal data. We may transfer your personal data to certain companies, consultants, and contractors hired to provide certain services on our behalf or for us.

In order to best facilitate our services and interactions with you, we may store some of your personal data using cloud technologies managed by our third-party service providers.

We have agreements in place with those third-party service providers and we require them to operate and conduct themselves in a way that is consistent with our legal and ethical obligations.

We also employ technical and organisational measures to protect the confidentiality and security of any personal data shared with our third-party service providers.

Due to the specifics of our work, we sometimes share your information with our third-party service providers who perform functions on our behalf. These third parties service providers can include:

our professional advisers (legal professionals, accountants, information security specialists, etc.);
suppliers who provide certain support services (for example, document production, translation, analytics);
IT service providers, such as those who administer and maintain our website for us and provide us with systems (software engineers, website maintenance engineers, marketing specialists, hosting infrastructure, registration and authentication services, payment processors, infrastructure monitoring service, etc.).

We use Google reCAPTCHA (Google LLC, USA) to protect the website’s forms users use to send us their email addresses from harmful bot activities (for example, subscribing third persons to our newsletters without their consent). For more details, please refer to Google’s Privacy Policy.

We will ask for your consent unless the transfer of data is part of the performance of a contract.

Data Transfer Outside the European Economic Area

The personal data we collect is stored on servers in the USA. The data is stored in the USA by default, but we may need to process your personal data in another country. We also may share some data with our service providers in other countries outside Ireland and the USA subject to technical and organisational measures.

There is no adequate decision by the European Commission regarding neither the USA nor Ukraine. This means that the USA and Ukraine are not deemed to provide an adequate level of protection for your personal data. We use adopted Standard Contractual Clauses based on legislation assessments for data protection during transfer and storage.

You can read more detailed measures to protect your personal data in this Policy. You can read detailed information on measures we take to protect your personal data here. If you upload, send or create personal data via one of our Services, you may ask for more details by sending an email to dpo@sparkmailapp.com.

However, if a data transfer is required to perform a contract or to provide you services, we have the right to do so without your consent.

Security Measures

We regularly perform Data Protection Impact Assessments to ensure that we use an appropriate level of technical and organizational measures to prevent accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to personal data transmitted, stored, or otherwise processed. We follow ISO 27001 Standard to put all security controls in place as a basis.

To be more specific, to protect your personal data we use HTTPS and encryption, divided group and individual access (where appropriate), alarm system, corporate VPN, written approved internal policies (like password policy and physical access policy).

Moreover, we systematically monitor our technologies’ state of the art and never forget about the backups. All our contractors are under contractual obligations which are compliant with the GDPR requirements.

Here you can find information about the steps we mentioned above:

HTTPS and encryption

We ensure that all transmission is secured with HTTPS so that no one else can access your data. Your email and account credentials are stored on secure cloud-based servers using symmetric and asymmetric encryption: private and public keys.

We currently use Hetzner and Google ("Hosting providers"). These Hosting providers have various international security certificates that ensure the safety of your data with them.

Security measures (detailed explanation):

1. Physical access control: group access and alarm system

We secure access to the premises via ID readers, so only authorized persons have access to them. The ID cards can be blocked individually; access is also logged.

An alarm system is installed on the premises, preventing infiltration by unauthorized persons. The alarm system is linked to a locking mechanism for the doors.

2. System access control: individual access and password policy

Each employee has access to the systems/services only via his/her employee access. The access rights involved are limited to the responsibilities of the respective employee and/or team.

Password policy. We regulate access to our systems via password procedures and the use of SSH keys of at least 4096 bits in length. The SSH keys strengthen the productive systems against attacks that target weak passwords, as password-based access to the relevant systems is disabled.

We have, in addition, a regulation for the creation of passwords. This guarantees higher security also for systems that offer password-based access.

Passwords must meet specific requirements. It must be at least:

12 characters long
1 letter in upper-case
1 letter in lower-case
1 number
1 non-alphanumeric character

Our systems are protected by firewalls that reject all incoming connections by default. Only connection types defined by exception are accepted.

3. Data access control: monitoring and physical access policy.

All servers and services are subject to continuous monitoring. This includes the logging of personal access in the user interface.

Due to the proximity of the employees, a visual inspection is possible at any time.

Locking and/or logging off when leaving work is prescribed and practiced.

4. Transfer control: contractual obligations and corporate VPN

Before transferring any data, we specify organizational and security requirements in Data Processing and Data Transfer Agreements (if applicable). These agreements are obligatory for every Enterprise and us as the Controller.

Furthermore, the handling of local data storage devices, e.g., USB sticks, is regulated via agreements.

Access to the systems outside the company network is possible only via secure VPN access.

5. Input control: general restriction

Our employees do not work directly at the database level, but instead use applications to access the data.

IT employees access the system via individual access and use a common login.

6. Availability control: backups and division

We ensure the availability of data in several ways. For example, there is a regular backup of the entire system. This can be used if the other availability measures fail.

Critical services are operated redundantly in multiple data centers and controlled by a high-availability system.

Our workstations are also protected with the usual measures. For example, virus scanners are installed, laptops are encrypted.

We would like to specify that we use MDM-solution to protect employee devices with security settings.

7. Separation control: limited access.

We use logically separate databases to prevent unauthorized persons from accidentally reading data to separate data.

Access to the data is also restricted because employees use services (applications) that control access.

Privacy Rights

EU privacy rights

You, as subjects of personal data, have the following rights:

Right	Description
Right to access	You can request an explanation of the processing of your personal data.
Right to rectification	You can change the information if it is inaccurate or incomplete.
Right to erasure	You can send us a request to delete your personal data from our systems.
Right to data portability	You can request all the data that you provided to us, as well as request to transfer data to another controller.
Right to object	You can object to the processing of your data.
Right to restriction	You may partially or wholly prohibit us from processing your personal data.
Right to withdraw consent	You can withdraw your consent at any time.
Right to lodge a complaint	If your request was not satisfied, you can file a complaint to the regulatory body.

To exercise your rights, please write us an email at dpo@sparkmailapp.com

If your request is not satisfied, you can file a complaint to the Data Protection Commission (DPC) regulatory body by post at 21 Fitzwilliam Square, South, Dublin 2, D02 RD28, Ireland, or use their webforms.

The USA Citizens’ Privacy Rights.

You, as the subject of personal data, have some specific privacy rights. To exercise them, write us an email at dpo@sparkmailapp.com

Your rights vary depending on the laws that apply to you but may include:

The right to be informed about the personal data we collect and/or process about you;
The right to learn the source of personal data about you we process;
The right to access, modify, and correct personal data about you;
The right to know with whom we have shared your personal data, for what purposes, and what personal data has been shared (including whether personal data was disclosed to third parties for their direct marketing purposes);
The right to withdraw your consent, where the processing of personal data is based on your consent; and
The right to lodge a complaint with a supervisory authority located in the jurisdiction of your habitual residence, place of work, or where an alleged violation of law occurred.

Please see more detailed information about your state privacy data protection laws in a separate section; you can find it in the navigation on the right of the page.

Virginia’s Consumer Data Protection Act	Consumer Privacy Act and California Privacy Rights Act	Colorado Privacy Act	Nevada Privacy Law	Delaware Online Privacy and Protection Act
Right to Know whether the controller is processing a customer’s personal data.	Right to Know what personal information is collected and Right to Access personal information.	Right of Access.	Right to Know whether the controller is processing the customer’s personal data.	Right of Access.
Right to Access personal data processed by the controller.	Right to Know if Personal Information is Sold.	The right to confirm the processing of personal data.	Right to Opt-Out of Sale.	Right to withdraw consent.
Right to Correct. Right to Delete. Right to Data Portability. Right to Opt-Out of targeted advertising, the sale of personal data, or profiling.	Right to Delete. Subject to certain exceptions. Right to Data Portability. Right to Correct. Right to Opt-Out of Sale. Right to Limit Use and Disclosure of Sensitive Personal Information.	Right to Access. Right to Correction. Right to Deletion. Right to Data Portability. Right to Opt-Out of targeted advertising, the sale of personal data, or profiling via a universal Opt-Out mechanism.	Right to Correct.	Right to Correction. Right for "do not track" request Right to Opt-Out of Sale.

What do these rights mean?

The right to access information. You can request an explanation of the processing of your personal data: what data exactly we process and how.
The right to withdraw consent. After you once give us any consent, you can withdraw it at any time without any consequences for you.
The right to portability. You can request all the data you provided to us and request to transfer data to another controller in a machine-readable format.
The right to file complaints. If your request was not satisfied, you can file a complaint to the regulatory body. But please first contact us, and we will do our best to help you.
Right to delete (Right to Deletion). You can send us a request to delete your personal data from our systems.

Depending on the state and its legislative requirements, we have from 30 to 60 days to exercise your request with the right to postpone it for additional 30 days.

Privacy Policy Update

This Privacy Policy and the relationships falling under its effect are governed by the GDPR. Existing laws and requirements for the processing of personal data are subject to change. In this case, we will publish a new version of the Privacy Policy on our website. If material changes are made to this Privacy Policy and (or) the Website that affects your privacy and confidentiality, we will notify you by email or display information on the website and ask for your consent if necessary.

Definitions

Here you can find the definitions of the terms used throughout the Privacy Policy.

“Spark”, “Spark Mail”, “we”, “our”, “us”: Spark Mail Limited, an Ireland-based technology company that maintains and operates the Spark Mail Website.

“Controller”, “data controller”: the natural or legal person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data is processed. In the CCPA, the term “business” is used to refer to the person who performs similar functions.

“Data protection officer”, “DPO”: an employee or a contractor who is designated by Spark Mail Limited to help it comply with the GDPR and other data protection laws and who is assigned to help you protect your personal data rights. You may contact DPO at dpo@sparkmailapp.com.

“Data subject”: a natural person about whom Spark holds personal data (an identified or identifiable natural person).

“GDPR”: European Union’s General Data Protection Regulation.

“Personal data”: any information relating to you and helping identify you (directly or indirectly) such as your name, last name, email, location data, etc.

“Processing”: any operation or set of operations which is performed on personal data or sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

“Processor”, “data processor”: the natural or legal person who processes personal data on behalf of the data controller. In the CCPA, the term “service provider” can be used in the context of delegation of some parts of data processing to another person under the business’ instruction.

“Services”, “Spark Mail Services” (either capitalised or not): the Spark Mail Website and App and the features available through the use of the Spark Mail Website and App, either Free or Premium, together or separately.

“Subprocessor”: anyone other than us who we have appointed to process the personal data of our clients. Subprocessors can see no more data than we can see (unless you supply them with your personal data outside the Spark Mail Website). Examples include our data hosting providers and payment processors.

“Supervisory authority”: a local regulator under the GDPR which has the job of seeing that we protect your data properly.