Last updated: 4 October, 2022
We are Spark Mail Limited ("we") and we provide you services under the Terms of Service. In the Spark Application ("App" or "Spark") you can manage your email accounts, chats and conversations from one place ("Email Accounts").
We understand you care about your privacy and we appreciate the trust you place in us. To justify your trust, we continuously embed the latest data security standards, improve our awareness of privacy matters, and comply with the EU General Data Protection Regulation (the “GDPR”) and other privacy laws.
Please note that we do not collect, track, or store any personal data over what we need to provide and improve our product and services, perform our marketing campaigns as described in this Policy, and comply with our legal obligations.
DISCLAIMER! We inform you that different versions of Spark or different platforms may have no feature parity. Thus, be aware that the user experience of Spark via macOS, Windows, iOS, or Android may vary, and some versions or platforms may lack particular features present in others.
10/04/2022 : Spark 3 version for Desktop (Windows, macOS) will lack Templates, Integrations, Shared Inboxes, Calendar, the Send Large Attachments feature. We may also add new features from time to time, and we will keep you updated on them.
Spark reserves the right to add/remove/rename its features and update this disclaimer as soon as any changes occur.
All features you, as our current User, had in the previous Spark Mail version free of charge remain free and accessible as long as you hold your Spark Account.
DISCLAIMER! We inform you that different versions of Spark or different platforms may have no feature parity. Thus, be aware that the user experience of Spark via macOS, Windows, iOS, or Android) may vary, and some versions or platforms may lack particular features present in others.
14/09/2022 : Spark 3 version for Desktop (Windows, macOS) will lack Templates, Integrations, Shared Inboxes, Calendar, the Send Large Attachments feature. We may also add new features from time to time, and we will keep you updated on them.
Spark reserves the right to add/remove/rename its features and update this disclaimer as soon as any changes occur.
All features you, as our current User, had in the previous Spark Mail version free of charge remain free and accessible as long as you hold your Spark Account.
We divide App users into different categories depending on their access to our services as follows: Free User, Paying User, Enterprise, Partner, and Enterprise Member for privacy purposes.
|User (Free)||Any natural person that uses the App free of charge.|
|User (Premium)||The natural person that subscribed to one of Spark Mail’s premium plans. User (Premium) can be an employee or other person who uses the App on behalf of or at the expense of an Organization or Enterprise.|
|Team||Two or more Users (Free or Premium) that use the Team-specific features (e.g., Team billing, Assignments/Delegation, Shared inboxes, etc.).|
|Organization||Legal entity that purchased a subscription to the Spark Mail Premium plan.|
|Enterprise||Legal entity that purchased a personalized subscription plan.|
You own and control the personal data we collect about you. You can choose not to provide certain information or disable and prevent us from collecting, storing, and processing it by changing your account’s settings (e.g., by revoking consent or opt-out checkboxes), via our email address email@example.com or by any means of communication available for you. Please be aware that you may not be able to enjoy some of Spark’s features in such a case.
Any organization that collects and processes data can play different roles depending on particular data processing operation. For example, Spark plays different roles depending on the feature you use. In this Section, we explain how Spark meets the role requirements.
We are the Controller of the personal data for the Users (Free), Users (Premium), Teams, Organizations, and Enterprises (representatives of Organizations or Enterprises) from the moment of the User’s consent to the Terms of Service.
This means we determine the amount, purpose, and means of personal data processing when you use the App.
Under the applicable privacy protection rules, we can also act as the data processor depending on the particular data protection operation. This is the case where Spark provides a self-help tool, product, or feature and does not use personal data without the user’s instruction. For example, Spark does not use the email addresses of the email senders for Spark’s marketing activities, but only to enable the User to receive and send emails via Spark Service.
We are processing data on behalf of Organizations or Enterprises (based on the agreed instructions provided in the Data Processing Agreement; you may request a copy of our Data Processing Agreement at firstname.lastname@example.org).
Example: Company A purchased 15 licenses for employees. The Сontroller of the employees’ data is Company A, while we are the processor concerning this processing activity (namely, where we provide them with Spark services at the expense of Company A). As a data processor, Spark does not use such data (e.g., email addresses of third parties) for our own purposes, for example, for cold calls marketing.
As a result, we are processors for all personal data of Users, employees, or contractors of the three categories: the Organization, the Enterprise, and the User (Free or Premium).
For more details about our role as a Controller and a personal data Processor, please contact us at email@example.com. Alternatively, you can also send us a letter.
Company: Spark Mail Limited.
Address: Grand Canal House, 1 Grand Canal Street Upper, Dublin 4, D04 Y7R5, Ireland.
External Data Protection Officer: Legal IT Group LLC
Address: Office 1, 38 Volodymyrska Str., 01050 Kyiv, Ukraine
If you have a particularly sensitive request, please contact us or our data protection officer by postal mail.
We can process personal data based on the following legal bases:
In particular, we rely on legitimate interests when we process your personal data for the following purposes:
We rely on our legitimate interest only after a careful assessment of the balance of purpose, necessity, and proportionality, and in a manner that is expected and does not limit your rights.
Examples of consent:
"Spark" Would Like to Send You Notifications
Notifications may include alerts, sounds, and icon badges. These can be configured in Settings.
Don’t Allow / Allow
“Spark” Would Like to Access Your Photos
Access to photos will let you attach photos:
Select Photos… / Allow Access to All Photos / Don’t Allow
Example of legitimate interest:
We collect the history of your requests made on the App in order to customize services we propose to you. Sometimes, we will write emails to our registered Users to inform them of our new features and products.
This section explains our approach and practices for processing personal data at different features in the App.
We process two categories of data: technical and personal data you provide to us. Some of it can be seen on the client-side (interface), and some are processed on the backend.
Client-Side is the part of the App displayed or takes place on the users’ devices.
Backend is an invisible crucial part of the App where algorithms operate on the variables and data points. In the majority of cases, it is crucial to process such data in order to provide our services to you. For example, we keep backend data taking into account organizational and technical measures to ensure the security of your data.
As defined, you may belong to one of the categories of Users:
We either create new personal data items or receive them from you. For example,
We process some personal data for purely business purposes: to enable you to use our services, to notify you of our new products and features, to invite you to participate in our special programs and offers, and to use parts of your data (usually pseudonymized) to monitor the trends and develop our product and business. We collect certain information about you when you provide it directly to us or use our App and Service. We only collect the information necessary to provide you with our services.
Unless we specify a particular legal basis, we process your personal data based on the contract (our Terms of Service) (Article 6(1)(b) of the GDPR: performance of contract).
OAuth login or mail server credentials: Spark requires your credentials to log into your mail system in order to receive, search, compose and send email messages and other communication. Without such access, our Product will not be able to provide you with the necessary communication experience. In order for you to take full advantage of additional App and Service features, such as “send later”, “sync between devices” and where allowed by Apple – “push notifications” we use Spark Services. Without using these services, none of the features mentioned above will function.
Billing data. We may need to process your personal data to ensure the smooth operation of your subscription plan and comply with the applicable laws. We do not have access to your sensitive payment data (as the payment processor will only collect your personal data to process the payment), but we may store your payment processor id, payment status, and information about your subscription terms (such as type and duration).
Identity of a team you join: In order to make team collaboration within Spark possible, we allow you and your colleagues to create teams within the Service. It allows you to share information such as email conversations, shared email drafts, private discussions, or create links to a specific email message. Team identity is necessary to associate you with that specific team as well as secure your information from people who are not a part of your team. Our system creates a record about the team only when you create one.
Email content while using Spark Services: We allow you and your colleagues to create teams within the Service. It allows you to have a secure space to share information such as email conversations, shared email drafts, have private discussions, or create links to specific emails. We may retain your email for some time (at your request) when you use the “Send later” feature. This information is stored on our secure servers in order to make Services available to you, so you can collaborate with your teammates via email.
IP address and settings: The core functionality of our Product is based on an Internet connection, that is why our App and Service will not properly function without it. Your IP address is a unique identifier that lets you connect to the Internet, and our service will log connections for security and troubleshooting purposes. We also retain information about your settings so you may ensure the synchronization of your choices and experience between your devices.
APNS device token (Apple Push Notification Service): Push notifications allow you to get immediate updates about new emails or private team comments in your email inbox. You’re free to enable or disable them during the initial App setup or later using your device’s system preferences.
App token assigned by us: This token allows us to identify your device in our system and troubleshoot potential issues you might experience.
Device, App version, iOS version information: We need to have this information so the App functions properly on your specific device.
Recently accessed email messages, collaboration threads, and shared inboxes: We need this information to provide Spark Services to you and your teammates, such as private discussions around email, shared drafts, shared email conversations, and shared inboxes. By collecting and storing this data, we are able to present message discussion threads through your Spark App and provide better a communication experience with your team.
Some of your email contacts: Spark Smart Notifications will send you push notifications only for important messages from real people. To block push notifications for promotional newsletters and automatic emails, we need to keep the “whitelist” of senders for push notifications. We’ll sync this “whitelist” of contacts to our server to enable Smart Notifications. If you decide not to use Smart Notifications, we will never sync your email contacts.
Logs: Some information about your use of the Spark Mail services can be stored either by us or by your device. When we collect this information on our servers, we do so to prevent fraud and potential unauthorized access to your personal information, ensuring the technical availability and security of the App. The server that hosts the App may record requests your device makes to the server, the details on the device and browser you use, your IP address, date and time of access, city and country, operating system, browser type, mobile network information. This data is used only for technical purposes – that is, to ensure the proper functioning and security of the App,to investigate possible security incidents, and to troubleshoot bugs and problems with the App reported by you. If you report an issue that prevents you from enjoying Spark, we may need the log data that is contained on your device to investigate the issue and troubleshoot. As we cannot obtain those logs without you sending them to us, we will rely on your consent.
Customer Support communication: Regarding the email: we save a record of communication, including attachments and information you voluntarily decide to share with us for troubleshooting purposes whenever you communicate with our support team.
Other information you decide to provide us with: Based on your decision and consent, we may also process any other personal data provided by you (for example, the information in your email signature or the first couple of lines from the email to show you the push notification) to make your experience of using some of our features more pleasant and tailored to your purposes and needs.
Please note: some data (such as company data) can be treated as non-personal data when processed in the absence of context. However, if such data is collected and processed alongside other data points or data items (such as name, telephone number, email, etc.), it can identify a particular person and therefore constitutes personal data. You may check the official position of the EU by reading:
Spark's use of information received from Google APIs will adhere to Google API Services User Data Policy, including the Limited Use requirements. This section may be helpful for you if you use Spark in conjunction with your Gmail account.
Permissions. When seeking access to your Google user data, all permission requests are being sent by Spark Mail App. Your authorized client credentials to access your Gmail account provided to us will be kept confidential. We request access only to the information we need; we will prompt you to refresh the access permissions if we implement new features. Where possible, we will use incremental auth.
Revoking access to Google User Data. You may revoke Spark’s access to your Gmail account by using Gmail settings: My Account -> Security tab -> Third-party apps with account access -> Manage third-party access -> Spark -> Remove access.
If you decide to do so, we will lose access to your Gmail account in Spark, and we will no longer be able to show you emails from it, and show and sync your Google Calendar. Upon your request (and when you delete your Spark account), we will delete all data collected from your Gmail account; however, in such a case, we may not be able to provide you with the ability to use Spark Mail features to work with your Gmail emails.
Types of data requested. We will list the types of data requested on the permission request webpage. If we need more (or less) permissions to run our Service, we will prompt a new permission request for you to review and consent (or reject). Not all Google User Data may contain personal data. Some statistical data will be anonymized.
Request purpose. The purpose for which the App requests your user data is to enable you to use Spark Mail features when working with your Gmail account emails. Without access to the emails, we cannot provide you with the features that include assessing, using, writing, changing, deleting, storing, sharing, filtering, whitelisting, and other manipulations with the emails as described in this Data Processed (by feature) section that are performed on your behalf (in other words, pursuant to your instructions issued by manipulating the Spark’s interface). We do not use your Google User Data for any other purposes but to provide you with access and the ability to use the Spark Mail Service.
With regard to the access to Google User Data as specified above, we will:
Please pay attention. We do not knowingly process the data from Users under the age of 16 without a legal representative’s consent. If you are such a User or the user’s legal representative, please inform us by email at firstname.lastname@example.org.
The retention periods mentioned in this section have been calculated by taking into account the data minimization principle enshrined in the GDPR and applicable laws that affect the processing of personal data. We analyzed the processing of data on every step of data processing and calculated the shortest periods necessary to meet the purposes of data processing.
Please read this section together with the retention periods provided in the descriptions of the features.
In general, we store personal data for the following periods of time:
|User (Free)||User (Premium) and representatives of Organizations and Enterprises||Teams
(Free and Premium)
|Processing and retention: duration of the contract (Terms of Service). If the User is inactive for 36 months, Spark will send two reminder emails notifying that the Account will be suspended (and personal data deleted) unless the User logs in.
The User will then have some time (“renewal period”) to log in to the Account and renew their Free Subscription. Otherwise, the Account will be deleted upon the expiry of the renewal period.
At the User’s request, their Account can be retrieved after the deletion but not later than after 12 months after the User refused to activate the Account or ignored the reminder emails.
|Processing and retention: duration of the contract (Terms of Service or personalized service contract for Enterprise(s)). If the charges cannot be withdrawn from the User, their Account then downgrades to the Free User subscription terms. The retention period is triggered on the day when the subscription plan changes, Spark will send two reminder emails after 36 months of inactivity, as described in the column on the left.
The retention and archiving periods are aligned with the service contract terms.
|Processing and retention: duration of the contract (the Terms of Service). If the last remaining Team member is inactive for 36 months (if they were using Free Subscription), Spark will send to the last remaining User the reminder that the Team data will be deleted unless the User logs in during the renewal period outlined in the reminder emails. Intra-Team communications that contain personal data will be retained as long as the Team owner remains an active Premium User.
At the User’s request, their Account can be retrieved after the deletion but not later than after 36 months after the User refused to activate the Account or ignored the reminder emails.
Consent. We process the data based on your consent during the general term unless you withdraw it. After you withdraw your consent, it will take us up to 30 calendar days to erase your data.
Updates and marketing emails. We may send you emails describing our new updates, features, discounts or opportunities. Given that the major updates are rare and Spark works closely with the users’ requests for new features, we may keep your data for up to a few years (but no longer than 3 years after the User account is deemed abandoned) to keep you informed of new opportunities Spark offers. You will always have the option to unsubscribe using the link at the end of the email or contact us via email at email@example.com to opt out from receiving such emails.
Customer Support communication. We may retain the history of communication (including the contents of the communication, attached files, etc) between you and our Customer Support team for a few years but no longer than 6 years (as provided by the general statute of limitations in Ireland) to be able to respond to all your further questions and requests or inquiries of the entities that you authorize to act on your behalf, including those of legal nature. We apply necessary security measures to ensure that the communications and attachments are archived with access to them restricted.
Deletion. We will delete the data we process as a Controller under GDPR within one (1) month following the request. In case the request is complex or we have received a number of requests from the same individual, we may extend the time to respond to it by a further 2 months. We will inform you of any such prolongation within one month of receipt of the request, together with the reasons for the delay in response.
We store your personal data either until you delete the Account or after a certain period depending on the data type. When a retention period expires, we either delete your personal data or anonymize it so that it cannot be restored.
|Type of information||Term of storage|
|Email address, email content, mail server credentials, APNS device token, appToken assigned by us, device info||During the services provision period services + archive time
If you delete Spark Account: 3 months after deletion of your Spark Account.
If you request the data erasure: we will erase your data within 30 days of your request. In case the request is complex, or we have received a number of requests from the same individual, we may extend the time to respond to it by a further 2 months. After we delete your data, it will be stored for 1 week in our backups.
|Recent messages from your inbox||Deleted after 4 hours|
|Emails pending in the Send Later feature, IP addresses||Deleted once the message is sent|
|Emails of Shared Inboxes||Stored during the provision of the services and deleted once the Shared Inboxes are deleted.|
After the above respective periods expire, we delete your personal data. It may be stored for statistical and analytical purposes in anonymized form.
We process your personal data based on your consent during the provision of services, during the term of storage (as defined above), or until you withdraw your consent, depending on the Feature.
We store your data in the backups of databases. We regularly back up our databases: at least once a day and usually store them for one (1) week.
We use Google Cloud SQL service for the backup purposes. You can learn more about the procedure in their guide here.
We use your personal data based on the performance of the contract to provide services and communicate with the Users.
We may share personal data with our affiliates to the extent necessary to develop and/or support Spark. We share your personal data with our contractors to the extent necessary to provide services, technical and customer support. In addition, we can share your data on the following grounds: consent, compliance with the law (or legal obligation), and legitimate interest. Also, we have implemented organizational and technical measures to ensure the security of personal data during data transfer to third-party.
Consent. We share your personal data based on your explicit consent.
Compliance with the law. We will disclose your personal data to third parties to the extent that it is necessary:
Legitimate interest or performance of the contract. We may share your personal data with third parties based on a public offer for processing on our behalf, subject to technical and organizational measures to protect your personal data. We may transfer your personal data to certain companies, consultants, and contractors hired to provide certain services on our behalf.
Subcontractors. We will ask for your consent unless data transfer is part of the contract performance. Here is the list of the third parties we may engage in the processing of personal data:
We may share your personal data with other Subcontractors, such as auditors, lawyers, accountants, software engineers, and other specialists and experts that we may engage on a contractual basis.
The personal data we collect is stored on servers in the USA. The data is stored in the USA by default, but we may need to process your personal data in another country. We also share some data with our service providers in Ukraine.
There is no adequate decision by the European Commission regarding neither the USA nor Ukraine. Therefore, we have prepared a data processing agreement based on the standards of the Standard Contractual Clauses and carried out the legislation assessments for data protection during transfer and storage in third countries under the GDPR, such as the USA and Ukraine.
You can read detailed information on measures we take to protect your personal data here and, if signed, in our Data Processing Agreement with you. If you upload, send or create personal data of your clients or other data subjects via one of our Services, you may ask for a signed Data Processing Agreement by sending an email to firstname.lastname@example.org.
We regularly perform Data Protection Impact Assessments to ensure that we use an appropriate level of technical and organizational measures to prevent accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to personal data transmitted, stored, or otherwise processed. We follow ISO 27001 Standard to put all security controls in place as a basis.
To be more specific, to protect your personal data, we use HTTPS and encryption, divided group and individual access (where appropriate), alarm systems, corporate VPN, written approved internal policies (like password policy and physical access policy).
Moreover, we systematically monitor our technologies’ state of the art and never forget about the backups. All our contractors are under contractual obligations which are compliant with the GDPR requirements.
Here you can find information about the steps we mentioned above:
Our team is competent in the matter of your personal data protection. Company regularly performs training in order to ensure that every team member has enough knowledge to keep your data safe and protect it in accordance with the best practices prescribed by European and U.S. laws on data protection.
We ensure that all transmission is secured with HTTPS so that no one else can access your data. Your email and account credentials are stored on secure cloud-based servers using symmetric and asymmetric encryption: private and public keys.
We currently use Google ("Hosting providers"). These Hosting providers have various international security certificates that ensure your data safety.
1. Physical access control: group access and alarm system
We secure access to the premises via ID readers, so only authorized persons have access to them. The ID cards can be blocked individually; access is also logged.
An alarm system is installed on the premises, preventing infiltration by unauthorized persons. The alarm system is linked to a locking mechanism for the doors.
2. System access control: individual access and password policy
Each employee has access to the systems/services only via their employee access. The access rights involved are limited to the responsibilities of the respective employee and/or team.
Password policy. We regulate access to our systems via password procedures and the use of SSH keys of at least 4096 bits in length. The SSH keys strengthen the productive systems against attacks that target weak passwords, as password-based access to the relevant systems is disabled.
We have, in addition, a regulation for the creation of passwords. This guarantees higher security also for systems that offer password-based access.
Passwords must meet specific requirements. It must be at least:
Our systems are protected by firewalls that reject all incoming connections by default. Only connection types defined by exception are accepted.
3. Data access control: monitoring and physical access policy.
All servers and services are subject to continuous monitoring. This includes the logging of personal access in the user interface.
Due to the proximity of the employees, a visual inspection is possible at any time.
Locking and/or logging off when leaving work is prescribed and practiced.
4. Transfer control: contractual obligations and corporate VPN
Before transferring any data, we specify organizational and security requirements in Data Processing and Data Transfer Agreements (if applicable). These agreements are obligatory for every Enterprise and us as the Controller.
Furthermore, the handling of local data storage devices, e.g., USB sticks, is regulated via agreements.
Access to the systems outside the company network is possible only via secure VPN access.
5. Input control: general restriction
Our employees do not work directly at the database level but instead, use applications to access the data.
IT employees access the system via individual access and use a common login.
6. Availability control: backups and division
We ensure the availability of data in several ways. For example, there is a regular backup of the entire system. This can be used if the other availability measures fail.
Critical services are operated redundantly in multiple data centers and controlled by a high-availability system.
Our workstations are also protected with the usual measures. For example, virus scanners are installed, and laptops are encrypted.
We would like to specify that we use MDM-solution to protect employee devices with security settings.
7. Separation control: limited access.
We use logically separate databases to prevent unauthorized persons from accidentally reading data with limited access.
Access to the data is also restricted because employees use services (applications) that control access.
You, as subjects of personal data, have the following rights:
|Right to access||You can request an explanation of the processing of your personal data.|
|Right to rectification||You can change the information if it is inaccurate or incomplete.|
|Right to erasure||You can send us a request to delete your personal data from our systems.|
|Right to data portability||You can request all the data that you provided to us, as well as request to transfer data to another Controller.|
|Right to object||You can object to the processing of your data.|
|Right to restriction||You may partially or wholly prohibit us from processing your personal data.|
|Right to withdraw consent||You can withdraw your consent at any time.|
|Right to lodge a complaint||If your request is not satisfied, you can file a complaint to the regulatory body.|
To exercise your rights, write us an email at email@example.com. If some data is being exchanged between Spark and your accounts in other services, you may also fulfill your rights (such as your right to withdraw your consent) by disabling the access of your Spark account to such third-party services or, alternatively, manage your privacy settings in your third-party service accounts that are linked with Spark and your Spark account.
Also, it is your right to lodge a complaint to the Data Protection Commission (DPC) regulatory body by post at 21 Fitzwilliam Square, South, Dublin 2, D02 RD28, Ireland or using webforms. Please note that you can contact your local supervisory authority. Your local authority will then contact the Irish supervisory authority to communicate your complaint or request.
You, as the subject of personal data, have some specific privacy rights. To exercise them, write us an email at firstname.lastname@example.org
Your rights vary depending on the laws that apply to you but may include:
Please see more detailed information about your state’s privacy data protection laws in a separate section; you can find it in the navigation on the right of the page.
|Virginia’s Consumer Data Protection Act||Consumer Privacy Act and California Privacy Rights Act||Colorado Privacy Act||Nevada Privacy Law||Delaware Online Privacy and Protection Act|
|Right to Know whether the Controller is processing a customer’s personal data.||Right to Know what personal information is collected and Right to Access personal information.||Right to Access Information.||Right to Know whether the Controller is processing the customer’s personal data.||Right to Access Information.|
|Right to Access personal data processed by the Controller.||Right to Know if Personal Information is Sold.||Right to confirm the processing of personal data.||Right to opt out of Sale.||Right to withdraw consent.|
|Right to Correct.
Right to Erasure.
Right to Data Portability.
Right to opt out of targeted advertising, the sale of personal data, or profiling.
|Right to Erasure. Subject to certain exceptions.
Right to Data Portability.
Right to Correct.
Right to opt out of Sale.
Right to Limit Use and Disclosure of Sensitive Personal Information.
|Right to Access information.
Right to Correct.
Right to Erasure.
Right to Data Portability.
Right to opt out of targeted advertising, the sale of personal data, or profiling via a universal opt out mechanism.
|Right to Correct.||Right to Correct.
Right for "do not track" request
Right to opt out of Sale.
What do these rights mean?
Depending on the state and legislative requirements, we have from 30 to 60 days to exercise your request with the right for additional 30 days.
For residents of California, we provide more information about the relevant legislation and your privacy rights granted by the California Consumer Privacy Act (CCPA) and California Privacy Rights Act.
Opt out of disclosure for direct marketing purposes. California law allows residents to learn the identities of entities that received their personal data for marketing purposes and the categories of information disclosed. You may request such information by contacting us by email at email@example.com.
Please be aware that this Opt-Out does not prohibit our disclosure of personal data for any purpose other than direct marketing.
Automatic gathering of information. We collect data you provide to us online and through unaffiliated third parties’ websites.
Automatic gathering of information by third parties. When you visit our websites, third parties can collect personal data about your online activities over time and across different websites on your visit to or use our and other websites.
Minors. A business shall not sell the customers’ personal information if the business has actual knowledge that the customer is a child under the age of 16. A business may process data of a child under the age of 16 only upon a parent or guardian’s request and only after verifying parent/guardian identity and authority to represent a child. A business that willfully disregards the customer’s age shall be deemed to have had actual knowledge of the customer’s age. This right may be referred to as the "right to opt-in."
A business that has not received consent to sell the minor customer’s personal information shall be prohibited from selling the personal information unless the customer subsequently provides express authorization.
The California Consumer Privacy Act ("CCPA") and California Privacy Rights Act provide our Users who are California residents with the following additional rights:
You can exercise these rights any time by contacting us via email at firstname.lastname@example.org.
Notice, the CCPA envisages some specific requirements related to exercising these data protection rights. Considering them, we may:
Also, please be aware that we are allowed to maintain personal data after erasure requests are received as permitted by the CCPA (for instance, for detection of security incidents, repair errors, compliance with legal obligations, and transaction completion).
We want to draw your particular attention that Spark does not sell, rent, or trade your personal data to anyone. We will not discriminate against you if you exercise your rights under the CCPA.
For residents of Virginia, we provide more information about the relevant legislation and your privacy rights granted by Virginia’s Consumer Data Protection Act.
The VCDPA obliges some businesses to give consumers the ability to access and control personal data that the business collects about them.
Minors. Controllers and processors that comply with COPPA’s verifiable parental consent requirements shall be deemed compliant with any obligation to obtain parental consent under the CDPA.
A known child’s parent or legal guardian may invoke customer rights on behalf of the child regarding personal processing data belonging to the known child.
No Discrimination. A Controller cannot process personal data in violation of state and federal customer anti-discrimination laws or discriminate against a customer for exercising rights under the CDPA.
Controllers are prohibited from requiring a customer to create a new account to exercise their customer rights but may require a customer to use an existing account.
Response time. Controllers are required to respond to customer requests within forty-five (45) days. This period may be extended once by forty-five (45) additional days if certain requirements are met.
No charge for the information. Controllers must provide information in response to a customer request free of charge, up to twice annually per customer. The Controller may charge the customer a reasonable fee or decline to act on the request if requests are manifestly unfounded, excessive, or repetitive, but the burden of demonstrating the manifestly unfounded, excessive, or repetitive nature of the request is on the controller.
Right to Opt-Out. Virginia residents visiting our websites may request to opt out of targeted advertising, the sale of personal data, or profiling. Virginia laws allow its residents to learn the identities of entities that received their personal data for marketing purposes and the categories of information disclosed. You may request such information by contacting us by email at email@example.com.
For residents of Colorado, we provide more information about the relevant legislation and your privacy rights granted by the Colorado Privacy Act.
Minors. A Controller shall not process the personal data of a known child without first obtaining consent from the child’s parent or lawful guardian.
The method you must take into account:
Controllers shall not require a customer to create a new account to exercise customer rights. However, the Controller may require a customer to use an existing account.
Response time. 45 days to respond. The Controller shall inform a customer of any action taken on a request within 45 days. In certain circumstances, this 45-day window to respond may be extended by an additional 45 days.
No charge for the information. Controllers must provide the information requested free of charge once per year. The Controller may charge an additional amount for additional requests within 12 months.
Justification for failure to act. If a Controller does not take action as requested by a customer, the Controller shall inform the customer within 45 days after receipt of the request of the reasons for not taking action and instructions for how to appeal the decision.
Denial of requests. The Controller is not required to comply with a request to exercise any of the customer’s rights if the Controller cannot authenticate the request using commercially reasonable efforts and may request the provision of additional information reasonably necessary to authenticate the request.
Right to appeal. The Controller shall establish an internal process whereby customers may appeal a refusal to take action on a customer request. They must do so within a reasonable period after the Controller notifies them that the Controller denies the request. The appeal process must be conspicuously available and easy to use.
Responding to an appeal. The Controller shall inform the customer of the result of the appeal and provide a written explanation of the reasons in support of the outcome within 45 days of receipt of the appeal. These 45 days may be extended by an additional 60 days in certain circumstances.
For residents of Delaware, we provide more information about the relevant legislation and your privacy rights granted by the Delaware Online Privacy and Protection Act.
Advertising to children. DOPPA regulates operators only as far as they provide services or platforms that are 'targeted or intended to reach an audience composed predominantly of children. However, this does not include services or platforms that merely refer or link to another service or platform directed at children.
Operators can also be liable under DOPPA if, despite not directing their services or platforms to children, they have actual knowledge that children are accessing the services or platforms. In such an event, an operator cannot knowingly use, disclose, or compile that child’s personal information, nor can an operator allow another to do the same. An operator that provides a covered service or platform cannot advertise or market content inappropriate for children. In this regard, DOPPA provides an enumerated list of prohibited content, including alcohol, tobacco, firearms, fireworks, tanning equipment and facilities, lotteries and gambling, tattoos, drug paraphernalia, and pornography. You should note that an operator need not monitor the preceding if it uses an advertising service and ensures that it complies with DOPPA.
Do-not-track requests. Delaware residents visiting our websites may request that we do not automatically gather and track information about their online browsing movements across the Internet. Such requests are typically made through web browser settings that control signals or other mechanisms that provide customers the ability to exercise choice regarding the collection of personal data about an individual customer's online activities over time and across third-party websites or online services. We currently cannot honor these requests. We may modify this Policy as our abilities change.
For residents of Nevada, we provide more information about the relevant legislation and your privacy rights granted by the Nevada privacy law Senate Bill 220.
Opt-Out of the sale. Nevada allows consumers to opt out of the sale of "covered information" collected through a website or online service. Under the law, "covered information" includes:
Do-not-sell request. Nevada does not require entities to include a "Do Not Sell My Personal Information" button or link on their websites. Instead, it mandates that entities provide consumers with an email address, a toll-free telephone number, or an Internet website to submit verified Opt-Out requests.
Response time. Upon receiving a "verified consumer request," a business has 45 days, with a possible 90-day extension when "reasonably necessary" and by providing notice to the consumer, for a total of 135 days.
“Spark”, “Spark Mail”, “we”, “our”, “us”: Spark Mail Limited, an Ireland-based technology company that maintains and operates Spark Mail App (“App”).
“Controller”, “data controller”: the natural or legal person who (either alone or jointly or in common with other persons) determines the purposes for which and how any personal data is processed. In the CCPA, the term “business” refers to the person performing similar functions.
“Data protection officer”, “DPO”: an employee or a contractor who is designated by Spark Mail Limited to help it comply with the GDPR and other data protection laws and who is assigned to help you protect your personal data rights. You may contact DPO at firstname.lastname@example.org.
“Data subject”: a natural person about whom Spark holds personal data (an identified or identifiable natural person).
“GDPR”: European Union’s General Data Protection Regulation.
“Personal data”: any information relating to you and helping identify you (directly or indirectly), such as your name, last name, email, location data, etc.
“Processing”: any operation or set of operations that is performed on personal data or sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
“Processor”, “data processor”: the natural or legal person who processes personal data on behalf of the data controller. In the CCPA, the term “service provider” can be used in the context of delegating some parts of data processing to another person under the business’ instruction.
“Services”, “Spark Mail Services” (either capitalized or not): the Spark Mail App and the features available through the use of the Spark Mail App, either Basic or Premium, together or separately.
“Subprocessor”: anyone other than us who we have appointed to process the personal data of our clients. Subprocessors can see no more data than we can see (unless you supply them with your personal data outside the Spark Mail App). Examples include our data hosting providers and payment processors.
“Supervisory authority”: a local regulator under the GDPR which has the job of seeing that we protect your data properly.