Privacy Policy for App
Last updated: November 23, 2023
We are Spark Mail Limited ("we"), and we provide you services under the Terms of Service. In the Spark Application ("App" or "Spark") you can manage your email accounts, chats and conversations from one place ("Email Accounts").
We understand you care about your privacy, and we appreciate the trust you place in us. To justify your trust, we continuously embed the latest data security standards, improve our awareness of privacy matters, and comply with the EU General Data Protection Regulation (the “GDPR”) and other privacy laws.
This Privacy Policy describes which of your personal data the App collects, how it stores and processes it, and what happens when you use Spark.
Please note that we do not collect, track, or store any personal data over what we need to provide and improve our product and services, perform our marketing campaigns as described in this Policy, and comply with our legal obligations.
Our Commitments
- we only collect and use your data where we have a legal basis to do so;
- we always are transparent and tell you about how we use your information;
- when we collect your data for a particular purpose, we do not use it for anything else without your consent, unless another legal basis applies or the purposes are compatible (in the meaning of the GDPR);
- we do not sell your data;
- we do not ask for additional data unless it is needed for the purposes of providing our services;
- we adhere to the data retention policies and ensure that your information is securely disposed of at the end of such retention period;
- we observe and respect your rights by ensuring that queries relating to privacy issues are dealt with promptly and transparently;
- we keep our staff trained in privacy and security obligations;
- we ensure to have appropriate technological and organizational measures in place to protect your data regardless of where it is held;
- we also ensure that all of our data processors have appropriate security measures in place with contractual provisions requiring them to comply with our commitment;
- we do not use your data to make automated decisions that might have a legal or similarly adverse effect on your rights;
- we obtain your consent and ensure that appropriate safeguards are in place before personal data is transferred to other countries.
DISCLAIMER! We inform you that different versions of Spark or different platforms may have no feature parity. Thus, be aware that the user experience of Spark via macOS, Windows, iOS, or Android may vary, and some versions or platforms may lack particular features present in others.
October 31, 2023 : Spark 3 version for Desktop (Windows, macOS) now includes Templates and Integrations, but lacks Shared Inboxes, Shared Drafts, Assignments, Calendar, the Send Large Attachments functionality. We may also add new features from time to time, and we will keep you updated on them.
Spark reserves the right to add/remove/rename its features and update this disclaimer as soon as any changes occur.
All features you, as our current User, had in the previous Spark Mail version free of charge remain free and accessible as long as you hold your Spark Account.
For our Chinese Premium users: We may no longer provide the Spark +AI feature (including AI Writing Assistant, +AI Summary, Quick +AI Replies, Templates +AI) in mainland China because of the changes in the deep synthesis algorithm laws.
DISCLAIMER! We inform you that different versions of Spark or different platforms may have no feature parity. Thus, be aware that the user experience of Spark via macOS, Windows, iOS, or Android) may vary, and some versions or platforms may lack particular features present in others.
14/09/2022 : Spark 3 version for Desktop (Windows, macOS) will lack Templates, Integrations, Shared Inboxes, Calendar, the Send Large Attachments feature. We may also add new features from time to time, and we will keep you updated on them.
Spark reserves the right to add/remove/rename its features and update this disclaimer as soon as any changes occur.
All features you, as our current User, had in the previous Spark Mail version free of charge remain free and accessible as long as you hold your Spark Account.
Please note: Spark’s website has its own Privacy Policy that covers any data flows via the Website.
Context:
- Our Commitment
- Definition of “User”
- Controller details
- Applicability
- Legal Grounds of Processing
- Personal Data in Spark: What We Collect
- Age limitation
- Term of storage and Retention Periods
- Backup storage
- Data sharing with 3rd parties
- Data transfer outside the European Economic Area
- Security measures
- Privacy rights
- Region-specific legislation
- Definitions
Definition of "User"
We divide App users into different categories depending on their access to our services as follows: Free User, Paying User, Enterprise, Partner, and Enterprise Member for privacy purposes.
| User (Free) | Any natural person that uses the App free of charge. |
| User (Premium) | The natural person that subscribed to one of Spark Mail’s premium plans. User (Premium) can be an employee or other person who uses the App on behalf of or at the expense of an Organization or Enterprise. |
| Team | Two or more Users (Free or Premium) that use the Team-specific features (e.g., Team billing, Assignments/Delegation, Shared inboxes, etc.). |
| Organization | Legal entity that purchased a subscription to the Spark Mail Premium plan. |
| Enterprise | Legal entity that purchased a personalized subscription plan. |
You own and control the personal data we collect about you. You can choose not to provide certain information or disable and prevent us from collecting, storing, and processing it by changing your account’s settings (e.g., by revoking consent or opt-out checkboxes), via our email address dpo@sparkmailapp.com or by any means of communication available for you. Please be aware that you may not be able to enjoy some of Spark’s features in such a case.
Controller Details
Any organization that collects and processes data can play different roles depending on particular data processing operation. For example, Spark plays different roles depending on the feature you use. In this Section, we explain how Spark meets the role requirements.
Controller
We are the Controller of the personal data for the Users (Free), Users (Premium), Teams, Organizations, and Enterprises (representatives of Organizations or Enterprises) from the moment of the User’s consent to the Terms of Service.
This means we determine the amount, purpose, and means of personal data processing when you use the App.
Processor
Under the applicable privacy protection rules, we can also act as the data processor depending on the particular data protection operation. This is the case where Spark provides a self-help tool, product, or feature and does not use personal data without the user’s instruction. For example, Spark does not use the email addresses of the email senders for Spark’s marketing activities, but only to enable the User to receive and send emails via Spark Service.
We are processing data on behalf of Organizations or Enterprises (based on the agreed instructions provided in the Data Processing Agreement; you may request a copy of our Data Processing Agreement at dpo@sparkmailapp.com).
Example: Company A purchased 15 licenses for employees. The Сontroller of the employees’ data is Company A, while we are the processor concerning this processing activity (namely, where we provide them with Spark services at the expense of Company A). As a data processor, Spark does not use such data (e.g., email addresses of third parties) for our own purposes, for example, for cold calls marketing.
As a result, we are processors for all personal data of Users, employees, or contractors of the three categories: the Organization, the Enterprise, and the User (Free or Premium).
For more details about our role as a Controller and a personal data Processor, please contact us at dpo@sparkmailapp.com. Alternatively, you can also send us a letter.
Contact Details of the DPO (Data Protection Officer)
Company: Spark Mail Limited.
Address: Grand Canal House, 1 Grand Canal Street Upper, Dublin 4, D04 Y7R5, Ireland.
External Data Protection Officer: Legal IT Group LLC
Address: Office 1, 38 Volodymyrska Str., 01050 Kyiv, Ukraine
Email: dpo@sparkmailapp.com
If you have a particularly sensitive request, please contact us or our Data Protection Officer by postal mail at the above indicated address.
Applicability
This Privacy Policy applies to the desktop and mobile versions of Spark compatible with macOS, iOS, Android, and Windows, accessible for download through our website, App Store, Microsoft Store, Huawei AppGallery, and Google Play.
Legal Grounds of Processing
We can process personal data based on the following legal bases:
- performance of the contract for processing that is strictly necessary for service provision as written in Terms of Service, such as technical and customer support;
- legitimate interest for processing that is reasonable for the User and required for the development of the service;
- consent for additional processing for specific purposes;
- legal obligation for the processing of data as required by applicable laws or if requested by a law enforcement agency, court, supervisory authority, or another state-authorized public body.
In particular, we rely on legitimate interests when we process your personal data for the following purposes:
- security of the App: preventing risk and fraud;
- support: answering questions or providing other types of support;
- business development: providing and improving our App;
- business intelligence: providing reporting and analytics to further enhance our App;
- quality assurance: testing out features or additional services;
- marketing: assisting with marketing, advertising, or other communications.
We rely on our legitimate interest only after a careful assessment of the balance of purpose, necessity, and proportionality, and in a manner that is expected and does not limit your rights.
Examples of consent:
"Spark" Would Like to Send You Notifications
Notifications may include alerts, sounds, and icon badges. These can be configured in Settings.
Don’t Allow / Allow
“Spark” Would Like to Access Your Photos
Access to photos will let you attach photos:
Select Photos… / Allow Access to All Photos / Don’t Allow
Example of legitimate interest:
We collect the history of your requests made on the App in order to customize services we propose to you. Sometimes, we will write emails to our registered Users to inform them of our new features and products.
Personal Data in Spark: What We Collect
This section explains our approach and practices for processing personal data at different features in the App.
Before we start
We process two categories of data: technical and personal data you provide to us. Some of it can be seen on the client-side (interface), and some are processed on the backend.
Client-Side is the part of the App displayed or takes place on the users’ devices.
Backend is an invisible crucial part of the App where algorithms operate on the variables and data points. In the majority of cases, it is crucial to process such data in order to provide our services to you. For example, we keep backend data taking into account organizational and technical measures to ensure the security of your data.
As defined, you may belong to one of the categories of Users:
- Free User (Free)
- Paying User (Premium)
- Team
- Organization
- Enterprise
We collect your personal data according to this Privacy Policy when you use the App. When you use our Website, your personal data is processed in accordance with the Website’s Privacy Policy. Some of the data the App collects automatically, such as the country the App is used in: we get this data based on the IP address or from the App Store (we receive this information in a generalized form). Generally, all the data provided to us can either be linked to you or not (i.e., anonymized data).
We either create new personal data items or receive them from you. For example,
- data we create and assign will include userID, subscription expiration date, appToken, and
- data we collect from you or the third parties on your behalf would include payment history, requests, app usage data, account data, technical data.
Data Processed
We process some personal data for purely business purposes: to enable you to use our services, to notify you of our new products and features, to invite you to participate in our special programs and offers, and to use parts of your data (usually pseudonymized) to monitor the trends and develop our product and business. We collect certain information about you when you provide it directly to us or use our App and Service. We only collect the information necessary to provide you with our services.
Unless we specify a particular legal basis, we process your personal data based on the contract (our Terms of Service) (Article 6(1)(b) of the GDPR: performance of contract).
Email address: As an email client, the core functionality of our Product is based on providing you with the ability to manage your email. For this reason, Spark services access your email account when you start using the App. Your email address is a unique identifier of you as a User within our system and allows us to secure your data. Your email address will also be used as a primary means of communication for us on anything related to changes to the App and Service, such as Privacy Policy, Terms of Service, or core functionality of our App or Service. We may also use your email to sync your data with your third-party accounts (if you request us to do so in the App), or occasionally contact you for marketing purposes (it will be in our legitimate interests to do so). You will always have a chance to opt-out of such sync or any marketing communications for similar products and/or services anytime. Please note that your email is safe with us, and we do not use it for profiling or targeting.
OAuth login or mail server credentials: Spark requires your credentials to log into your mail system in order to receive, search, compose and send email messages and other communication. Without such access, our Product will not be able to provide you with the necessary communication experience. In order for you to take full advantage of additional App and Service features, such as “send later”, “sync between devices” and where allowed by Apple – “push notifications” we use Spark Services. Without using these services, none of the features mentioned above will function.
Billing data. We may need to process your personal data to ensure the smooth operation of your subscription plan and comply with the applicable laws. We do not have access to your sensitive payment data (as the payment processor will only collect your personal data to process the payment), but we may store your payment processor id, payment status, and information about your subscription terms (such as type and duration).
Identity of a team you join: In order to make team collaboration within Spark possible, we allow you and your colleagues to create teams within the Service. It allows you to share information such as email conversations, shared email drafts, private discussions, or create links to a specific email message. Team identity is necessary to associate you with that specific team as well as secure your information from people who are not a part of your team. Our system creates a record about the team only when you create one.
Email content while using Spark Services: We allow you and your colleagues to create teams within the Service. It allows you to have a secure space to share information such as email conversations, shared email drafts, have private discussions, or create links to specific emails. We may retain your email for some time (at your request) when you use the “Send later” feature. This information is stored on our secure servers in order to make Services available to you, so you can collaborate with your teammates via email.
IP address and settings: The core functionality of our Product is based on an Internet connection, that is why our App and Service will not properly function without it. Your IP address is a unique identifier that lets you connect to the Internet, and our service will log connections for security and troubleshooting purposes. We also retain information about your settings so you may ensure the synchronization of your choices and experience between your devices.
APNS device token (Apple Push Notification Service): Push notifications allow you to get immediate updates about new emails or private team comments in your email inbox. You’re free to enable or disable them during the initial App setup or later using your device’s system preferences.
App token assigned by us: This token allows us to identify your device in our system and troubleshoot potential issues you might experience.
Device, App version, iOS version information: We need to have this information so the App functions properly on your specific device.
Statistical information with regards to App usage: In order to better understand general app usage patterns and improve the Product and its user experience, Spark collects general statistical information about the usage of the Product. Collecting such data helps us optimize the App in future updates, and such usage does not affect your rights and freedoms and does not disclose any personal data of yourself or your contacts. You may read Amplitude’s Privacy Policy to learn more about their processing of personal data.
Recently accessed email messages, collaboration threads, and shared inboxes: We need this information to provide Spark Services to you and your teammates, such as private discussions around email, shared drafts, shared email conversations, and shared inboxes. By collecting and storing this data, we are able to present message discussion threads through your Spark App and provide a better communication experience with your team.
Some of your email contacts: Spark Smart Notifications will send you push notifications only for important messages from real people. To block push notifications for promotional newsletters and automatic emails, we need to keep the “whitelist” of senders for push notifications. We’ll sync this “whitelist” of contacts to our server to enable Smart Notifications. If you decide not to use Smart Notifications, we will never sync your email contacts.
Pixel data and link clicks information. We may use email and other marketing software to collect metrics on our marketing campaigns. Usually, pixels help their providers to collect technical data, such as the time when the image was loaded and the IP address, etc. For example, we may use the Braze service to see email opening rate, and then use this opening rate to enhance our emails and send our users a more helpful material or relevant offer in the future. Braze can also register that the link in the email was clicked on. You may disable pixels in your email service provider’s settings and avoid opening links, if you don’t want to participate in the collection of this statistics. In Spark, you should go to the “General” section of Settings page to disable loading the pixels.
Logs: Some information about your use of the Spark Mail services can be stored either by us or by your device. When we collect this information on our servers, we do so to prevent fraud and potential unauthorized access to your personal information, ensuring the technical availability and security of the App. The server that hosts the App may record requests your device makes to the server, the details on the device and browser you use, your IP address, date and time of access, city and country, operating system, browser type, mobile network information. This data is used only for technical purposes – that is, to ensure the proper functioning and security of the App,to investigate possible security incidents, and to troubleshoot bugs and problems with the App reported by you. If you report an issue that prevents you from enjoying Spark, we may need the log data that is contained on your device to investigate the issue and troubleshoot. As we cannot obtain those logs without you sending them to us, we will rely on your consent.
Customer Support communication: Regarding the email: we save a record of communication, including attachments and information you voluntarily decide to share with us for troubleshooting purposes whenever you communicate with our support team.
Data from Microsoft Corporation: When you download and use Spark Mail from the Microsoft Store, we may occasionally receive data, including telemetry or crash data, from Microsoft Corporation. This data is used only to improve the App and to test or troubleshoot quality issues, such as bugs, in accordance with the Microsoft Store App Developer Agreement.
Your Feedback. We may publish your feedback, reviews and comments about your experience with our App ("Feedback") on our website, in the App or otherwise. This includes the Feedback you provide to us directly or via any platform, including but not limited to online distribution platforms, marketplaces, and social media. We process personal data in your Feedback, which may include your first and last name, username, the text of the Feedback and/or any other information contained in or related to the Feedback. We do not process personal data of children under the age of 16 and/or sensitive types of data in the Feedback. Under the GDPR, we rely on our legitimate interest as the legal basis for processing personal data in the Feedback if your Feedback was collected from the third-party platform (such as online distribution platforms, marketplaces, and social media), and we will ask for your consent to publish the Feedback that you provided to us directly. We use your Feedback to demonstrate the capabilities and features of the App, to share real user experiences with the App and to attract potential customers. For more information about your Feedback, please refer to the "Your Feedback" section of our Terms of Service.
Other information you decide to provide us with: Based on your decision and consent, we may also process any other personal data provided by you (for example, the information in your email signature or the first couple of lines from the email to show you the push notification) to make your experience of using some of our features more pleasant and tailored to your purposes and needs.
Please note: some data (such as company data) can be treated as non-personal data when processed in the absence of context. However, if such data is collected and processed alongside other data points or data items (such as name, telephone number, email, etc.), it can identify a particular person and therefore constitutes personal data. You may check the official position of the EU by reading:
- Recital 26 of the GDPR,
- Article 4 of the GDPR,
- Opinion 4/2007 on the concept of personal data issued by the Working Party 29 (predecessor of the EDPB), and
- Guidelines 8/2020 on the targeting of social media users issued by the EDPB.
Please note that we do not store all the data we receive from you. Mainly, the data is stored locally on your device. This means we see pseudonymized or even anonymized data. For more information on retention periods of your personal data please see “Term of storage and retention periods" section of this Privacy Policy.
Google User Data
Spark's use of information received from Google APIs will adhere to Google API Services User Data Policy, including the Limited Use requirements. This section may be helpful for you if you use Spark in conjunction with your Gmail account.
Permissions. When seeking access to your Google user data, all permission requests are being sent by Spark Mail App. Your authorized client credentials to access your Gmail account provided to us will be kept confidential. We request access only to the information we need; we will prompt you to refresh the access permissions if we implement new features. Where possible, we will use incremental auth.
Revoking access to Google User Data. You may revoke Spark’s access to your Gmail account by using Gmail settings: My Account -> Security tab -> Third-party apps with account access -> Manage third-party access -> Spark -> Remove access.
If you decide to do so, we will lose access to your Gmail account in Spark, and we will no longer be able to show you emails from it, and show and sync your Google Calendar. Upon your request (and when you delete your Spark account), we will delete all data collected from your Gmail account; however, in such a case, we may not be able to provide you with the ability to use Spark Mail features to work with your Gmail emails.
Types of data requested. We will list the types of data requested on the permission request webpage. If we need more (or less) permissions to run our Service, we will prompt a new permission request for you to review and consent (or reject). Not all Google User Data may contain personal data. Some statistical data will be anonymized.
Request purpose. The purpose for which the App requests your user data is to enable you to use Spark Mail features when working with your Gmail account emails. Without access to the emails, we cannot provide you with the features that include assessing, using, writing, changing, deleting, storing, sharing, filtering, whitelisting, and other manipulations with the emails as described in this Data Processed (by feature) section that are performed on your behalf (in other words, pursuant to your instructions issued by manipulating the Spark’s interface). We do not use your Google User Data for any other purposes but to provide you with access and the ability to use the Spark Mail Service.
Disclaimer. We do not use Google User Data to display, sell, or distribute this data to any third party conducting surveillance. Spark Mail has no hidden features, services, or actions that are not mentioned in this Privacy Policy or the Terms of Service. Spark takes reasonable and appropriate steps to protect all applications or systems that make use of Google User Data against unauthorized or unlawful access, use, destruction, loss, alteration, or disclosure. Spark Mail belongs to a Permitted Application Type as mentioned in the Google API Services User Data Policy (namely, an application that enhances the email experience for productivity purposes).
With regard to the access to Google User Data as specified above, we will:
- use access only to read, write, modify, or control Gmail message bodies (including attachments), metadata, headers, and settings to provide a web email client that allows Users to compose, send, read, and process emails and will not transfer this Gmail data to others unless doing so is necessary to provide and improve these features, comply with applicable law, or as part of a merger, acquisition, or sale of assets;
- not use this Gmail data for serving advertisements, including retargeting, personalized, or interest-based advertising;
- not allow humans to read this data unless we have your affirmative agreement (consent) to view specific messages, doing so is necessary for security purposes such as investigating a bug or abuse, complying with applicable law, investigating an issue, and even then only when the data have been aggregated and anonymized;
- ensure that your employees, agents, contractors, and successors comply with this Google API Services: User Data Policy.
Azure OpenAI Service Data
We use the Azure OpenAI Service to provide you with the Spark +AI feature, which is designed to help you create and edit emails with the help of machine learning algorithms. In order to use the Azure OpenAI Service, we need to collect, process, and transfer data, including personal data, the processes which are subject to this Privacy Policy.
Spark +AI feature is exclusively available to our Premium Users of Spark 3 only, and may also be offered during the Trial period.
Applicability. This section of the Privacy Policy applies only to our Premium Users of Spark 3 who use the Spark +AI feature or Users who get access to it during the Trial period. By default, Spark +AI is switched off: you must opt in to enable the Spark +AI feature.
Permissions. We use the Azure OpenAI Service and Spark +AI based on your consent. By using Spark +AI, you consent to the processing of your personal data by us as described in this Privacy Policy. If you do not consent to the use of the Azure OpenAI Service, you should not switch on the Spark +AI feature that incorporates the Azure OpenAI Service.
Generation of Spark +AI data. Spark +AI helps you generate and edit email drafts. Spark +AI does not send emails on your behalf. You have full control over the generated content at all times, and can review and edit it any time before sending.
Use of Spark +AI data. Spark +AI is designed to protect your private data we obtain from you or about you. We do not store the contents of your emails and your requests for the Spark +AI feature. If you choose to use the Spark +AI feature, we will only transfer the textual context of your email to Microsoft to process your request and generate or edit email text based on that and additional context.
Model training. We do not use your private data to train Microsoft, OpenAI or any other machine learning model when you use the Spark +AI feature. Any information, including personal data, that you furnish while using the Spark +AI feature will be shared with Microsoft solely for the purpose of functioning of the Spark +AI feature. We do not permit our partners at OpenAI to use your personal data for any other purpose except for debugging in the event of a failure and to monitor the potential misuse or abuse of the Azure OpenAI Service.
Security of Spark +AI data. Your email content and requests you make to Spark +AI are private and encrypted in accordance with our standard privacy and information security practices. We implement the latest commercially reasonable technical, administrative, and organizational measures to protect your personal data both online and offline from loss, misuse, and unauthorized access, disclosure, alteration, or destruction.
Input and Output. You may provide input (prompt) to be processed by Spark +AI (“Input”), and receive output generated and returned by Spark +AI based on the Input (“Output”). When you use Spark +AI, Input and Output are your customer data (“Customer Data”). You are solely responsible for the development, content, operation, maintenance, and use of your Customer Data.
You will ensure that your use of Spark +AI and Customer Data will not (i) violate any applicable law; (ii) violate these Spark Terms or Service; or (iii) infringe, violate, or misappropriate any of our rights or the rights of any third party. You acknowledge that due to the nature of machine learning and the technology powering Spark +AI features, Output may occasionally be inaccurate. For this reason, it is your responsibility to carefully review the output text generated by the Spark +AI feature, edit it, if necessary, and independently verify the accuracy of the generated information against your purposes. In addition, we are not responsible for circumvention of any privacy settings or security measures contained in Spark, or third party services.
Third Party Provider Policies. If you choose to use the Spark +AI, you may not use its features in a manner that violates any Microsoft policy, including their Code of conduct for Azure OpenAI Service.
Age Limitation
Please pay attention. We do not knowingly process the data from Users under the age of 16 without a legal representative’s consent. If you are such a User or the user’s legal representative, please inform us by email at dpo@sparkmailapp.com.
Term of Storage and Retention Periods
The retention periods mentioned in this section have been calculated by taking into account the data minimization principle enshrined in the GDPR and applicable laws that affect the processing of personal data. We analyzed the processing of data on every step of data processing and calculated the shortest periods necessary to meet the purposes of data processing.
Please read this section together with the retention periods provided in the descriptions of the features.
In general, we store personal data for the following periods of time:
| User (Free) | User (Premium) and representatives of Organizations and Enterprises | Teams (Free and Premium) |
|---|---|---|
| Processing and retention: duration of the contract (Terms of Service). If the User is inactive for 36 months, Spark will send two reminder emails notifying that the Account will be suspended (and personal data deleted) unless the User logs in. The User will then have some time (“renewal period”) to log in to the Account and renew their Free Subscription. Otherwise, the Account will be deleted upon the expiry of the renewal period. At the User’s request, their Account can be retrieved after the deletion but not later than after 12 months after the User refused to activate the Account or ignored the reminder emails. |
Processing and retention: duration of the contract (Terms of Service or personalized service contract for Enterprise(s)). If the charges cannot be withdrawn from the User, their Account then downgrades to the Free User subscription terms. The retention period is triggered on the day when the subscription plan changes, Spark will send two reminder emails after 36 months of inactivity, as described in the column on the left. The retention and archiving periods are aligned with the service contract terms. |
Processing and retention: duration of the contract (the Terms of Service). If the last remaining Team member is inactive for 36 months (if they were using Free Subscription), Spark will send to the last remaining User the reminder that the Team data will be deleted unless the User logs in during the renewal period outlined in the reminder emails. Intra-Team communications that contain personal data will be retained as long as the Team owner remains an active Premium User. At the User’s request, their Account can be retrieved after the deletion but not later than after 36 months after the User refused to activate the Account or ignored the reminder emails. |
Consent. We process the data based on your consent during the general term unless you withdraw it. After you withdraw your consent, it will take us up to 30 calendar days to erase your data.
Updates and marketing emails. We may send you emails describing our new updates, features, discounts or opportunities. Given that the major updates are rare and Spark works closely with the users’ requests for new features, we may keep your data for up to a few years (but no longer than 6 years after the User account is deemed abandoned) to keep you informed of new opportunities Spark offers. You will always have the option to unsubscribe using the link at the end of the email or contact us via email at dpo@sparkmailapp.com to opt out from receiving such emails.
Customer Support communication. We may retain the history of communication (including the contents of the communication, attached files, etc) between you and our Customer Support team for a few years but no longer than 6 years (as provided by the general statute of limitations in Ireland) to be able to respond to all your further questions and requests or inquiries of the entities that you authorize to act on your behalf, including those of legal nature. We apply necessary security measures to ensure that the communications and attachments are archived with access to them restricted.
Your Feedback. We will retain the Feedback which you provided to us directly for 5 years and the one which was collected from the third-party platform for 2 years, unless the law compels us to store it for longer in case of any procedures or actions. However, we reserve the right to delete your Feedback at any time at our sole discretion. You may also contact us at support@sparkmailapp.com to request that we refrain from or cease using your Feedback.
Deletion. We will delete the data we process as a Controller under GDPR within one (1) month following the request. In case the request is complex or we have received a number of requests from the same individual, we may extend the time to respond to it by a further 2 months. We will inform you of any such prolongation within one month of receipt of the request, together with the reasons for the delay in response.
We store your personal data either until you delete the Account or after a certain period depending on the data type. When a retention period expires, we either delete your personal data or anonymize it so that it cannot be restored.
Summary of Retention Details:
| Type of information | Term of storage |
|---|---|
| Email address, email content, mail server credentials, APNS device token, appToken assigned by us, device info | During the services provision period services + archive time If you delete Spark Account: 3 months after deletion of your Spark Account. If you request the data erasure: we will erase your data within 30 days of your request. In case the request is complex, or we have received a number of requests from the same individual, we may extend the time to respond to it by a further 2 months. After we delete your data, it will be stored for 1 week in our backups. |
| Recent messages from your inbox | Deleted after 4 hours |
| Emails pending in the Send Later feature, IP addresses | Deleted once the message is sent |
| Emails of Shared Inboxes | Stored during the provision of the services and deleted once the Shared Inboxes are deleted. |
After the above respective periods expire, we delete your personal data. It may be stored for statistical and analytical purposes in anonymized form.
We process your personal data based on your consent during the provision of services, during the term of storage (as defined above), or until you withdraw your consent, depending on the Feature.
Backup Storage
We store your data in the backups of databases. We regularly back up our databases: at least once a day and usually store them for one (1) week.
We use Google Cloud SQL service for the backup purposes. You can learn more about the procedure in their guide here.
Data Sharing with Third Parties
We use your personal data based on the performance of the contract to provide services and communicate with the Users.
We may share personal data with our affiliates to the extent necessary to develop and/or support Spark. We share your personal data with our contractors to the extent necessary to provide services, technical and customer support. In addition, we can share your data on the following grounds: consent, compliance with the law (or legal obligation), and legitimate interest. Also, we have implemented organizational and technical measures to ensure the security of personal data during data transfer to third-party.
Details:
Consent. We share your personal data based on your explicit consent.
Compliance with the law. We will disclose your personal data to third parties to the extent that it is necessary:
- to comply with a government request, court order, or applicable law;
- to prevent unlawful use of our App or violation of the Terms of Service and our policies;
- to protect against claims of third parties;
- to help prevent or investigate fraud.
Legitimate interest or performance of the contract. We may share your personal data with third parties based on a public offer for processing on our behalf, subject to technical and organizational measures to protect your personal data. We may transfer your personal data to certain companies, consultants, and contractors hired to provide certain services on our behalf.
Independent data controllers. We may sometimes receive your personal data from other, independent data controllers. We usually do so in one of two cases:
- the third-party data controller shares your personal data with us in response to your request (for example, when you sync Spark Mail with your account in another app); and/or
- an app store shares some data about on-market or in-app purchases, crash events, failed attempts to download or launch the app, or any other information that may affect your ability to buy, download, and use Spark Mail and its features on your device. For example, such independent data controllers can be Mac App Store, App Store, Microsoft Store, Google Play, and Huawei AppGallery depending on your choice and device.
We process these personal data only to enable you to use Spark Mail or its particular features (for example, to fix the bugs that do not allow your device to launch the app). We will not use your data received from these independent controllers to build any profile about you, or use it for any marketing or advertising purposes. We anonymize or aggregate these data where possible (such as where there is no request from you to our tech support to help fix the bug) before processing.
Subcontractors. We will ask for your consent unless data transfer is part of the contract performance. Here is the list of the third parties we may engage in the processing of personal data:
- Google Cloud (Google LLC, USA). Here we store our databases, logs, and backups. For more details, please refer to the Subcontractor’s Privacy Policy.
- Firebase Cloud Messaging (Google LLC, USA). We use it to process personal data to push messages to our Android Users. For more details, please refer to the Subcontractor’s Privacy Policy.
- Huawei Push Kit (Huawei Device Co., Ltd., China). We use it to process personal data to push messages to our Android users. For more details, please refer to the Subcontractor’s Privacy Policy.
- Stripe (Stripe Inc, USA). We transfer your data for payment processing on our behalf. For more details, please refer to the Subcontractor’s Privacy Policy.
- VAT Sense (Weio Ltd, UK). We use VAT Sense for VAT validation. For more details, please refer to the Subcontractor’s Privacy Policy.
- CampaignMonitor (Campaign Monitor Pty Ltd., USA). For more details, please refer to the Subcontractor’s Privacy Policy.
- Postmark (Wildbit LLC, USA). This service is used to process your data for sending transactional emails. Transactional emails are emails about transactions, for example, the purchase of premium, about the start or the end of the trial. For more details, please refer to the Subcontractor’s Privacy Policy.
- Braze (Braze Inc, USA): This service is used to process your data for sending some marketing communications and analytics. For more details, please refer to the Subcontractor’s Privacy Policy.
- Calendly (Calendly LLC, USA): We use them to schedule calendar appointments with our customers. For more details, please refer to the Subcontractor’s Privacy Policy.
- Helpjuice (Helpjuice, Inc, USA) is a knowledge base software to help us provide you with the necessary customer support. For more details, please refer to the Subcontractor’s Privacy Policy.
- Google (Google LLC, USA). We use your data for the synchronization of accounts. For more details, please refer to the Subcontractor’s Privacy Policy.
- Apple Inc (Apple Inc, USA). We receive the technical data about the iOS systems and general statistics. For more details, please refer to the Subcontractor’s Privacy Policy.
- RevenueCat (RevenueCat, Inc., USA). We use them to monitor personal billing. For more details, please refer to the Subcontractor’s Privacy Policy.
- Amplitude (Amplitude, Inc., USA) is an analytics tool we use to understand how Users experience our App. For more details, please refer to the Subcontractor’s Privacy Policy.
- AppCenter (Microsoft-provided tool, USA): we use them to monitor crash logs. For more details, please refer to the Subcontractor’s Privacy Policy.
- AppsFlyer (AppsFlyer Ltd., USA) provides us with measurement, analytics, fraud protection, and engagement technologies. For more details, please refer to the Subcontractor’s Privacy Policy.
- Zoom (Zoom Video Communications, Inc., USA) is a video conferencing platform, which can be connected to Spark Calendar to help Users schedule video and audio meetings. For more details, please read their Privacy Policy.
- Azure OpenAI Service (Microsoft Corporation, USA). We use Azure OpenAI Service to provide you with Spark +AI, which is designed to help you create and edit emails using machine learning algorithms co-developed by Microsoft Corporation and OpenAI (OPENAI, LLC). For more details, please refer to their Privacy Statement.
- Setapp (Setapp Ltd., Ireland). We collaborate with Setapp to offer you unique combinations of features and apps for your workload management. Your data will only be available to Setapp if you decide to download Spark through the Setapp service. For more details, please refer to their Privacy Policy.
- Zapier (Zapier, Inc., USA). We use Zapier to receive information about some of your financial transactions (such as a date of first payment or subscription cancellation). For more details, please, refer to their Privacy Policy.
- Airtable (Formagrid Inc, dba Airtable, USA). We use Airtable to manage subscriptions. For more details, please, refer to their Privacy Policy.
We may share your personal data with other Subcontractors, such as auditors, lawyers, accountants, software engineers, and other specialists and experts that we may engage on a contractual basis.
Data Transfer Outside the European Economic Area
The personal data we collect is stored on servers in the USA. The data is stored in the USA by default, but we may need to process your personal data in another country. We also share some data with our service providers in Ukraine.
There is no adequate decision by the European Commission regardingneither the USA nor Ukraine. Therefore, we have prepared a data processing agreement based on the standards of the Standard Contractual Clauses and carried out the legislation assessments for data protection during transfer and storage in third countries under the GDPR, such as the USA and Ukraine.
You can read detailed information on measures we take to protect your personal data here and, if signed, in our Data Processing Agreement with you. If you upload, send or create personal data of your clients or other data subjects via one of our Services, you may ask for a signed Data Processing Agreement by sending an email to dpo@sparkmailapp.com.
Security Measures
We regularly perform Data Protection Impact Assessments to ensure that we use an appropriate level of technical and organizational measures to prevent accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to personal data transmitted, stored, or otherwise processed. We follow ISO 27001 Standard to put all security controls in place as a basis.
To be more specific, to protect your personal data, we use HTTPS and encryption, divided group and individual access (where appropriate), alarm systems, corporate VPN, written approved internal policies (like password policy and physical access policy).
Moreover, we systematically monitor our technologies’ state of the art and never forget about the backups. All our contractors are under contractual obligations which are compliant with the GDPR requirements.
Here you can find information about the steps we mentioned above:
Trained team
Our team is competent in the matter of your personal data protection. Company regularly performs training in order to ensure that every team member has enough knowledge to keep your data safe and protect it in accordance with the best practices prescribed by European and U.S. laws on data protection.
HTTPS and encryption
We ensure that all transmission is secured with HTTPS so that no one else can access your data. Your email and account credentials are stored on secure cloud-based servers using symmetric and asymmetric encryption: private and public keys.
We currently use Google ("Hosting providers"). These Hosting providers have various international security certificates that ensure your data safety.
- App Center. You can read more on the security measures via the link.
- Google. You can read more on the security measures via the link.
Security measures (detailed explanation):
1. Physical access control: group access and alarm system
We secure access to the premises via ID readers, so only authorized persons have access to them. The ID cards can be blocked individually; access is also logged.
An alarm system is installed on the premises, preventing infiltration by unauthorized persons. The alarm system is linked to a locking mechanism for the doors.
2. System access control: individual access and password policy
Each employee has access to the systems/services only via their employee access. The access rights involved are limited to the responsibilities of the respective employee and/or team.
Password policy. We regulate access to our systems via password procedures and the use of SSH keys of at least 4096 bits in length. The SSH keys strengthen the productive systems against attacks that target weak passwords, as password-based access to the relevant systems is disabled.
We have, in addition, a regulation for the creation of passwords. This guarantees higher security also for systems that offer password-based access.
Passwords must meet specific requirements. It must be at least:
- 12 characters long
- 1 letter in upper-case
- 1 letter in lower-case
- 1 number
- 1 special symbol
Our systems are protected by firewalls that reject all incoming connections by default. Only connection types defined by exception are accepted.
3. Data access control: monitoring and physical access policy.
All servers and services are subject to continuous monitoring. This includes the logging of personal access in the user interface.
Due to the proximity of the employees, a visual inspection is possible at any time.
Locking and/or logging off when leaving work is prescribed and practiced.
4. Transfer control: contractual obligations and corporate VPN
Before transferring any data, we specify organizational and security requirements in Data Processing and Data Transfer Agreements (if applicable). These agreements are obligatory for every Enterprise and us as the Controller.
Furthermore, the handling of local data storage devices, e.g., USB sticks, is regulated via agreements.
Access to the systems outside the company network is possible only via secure VPN access.
5. Input control: general restriction
Our employees do not work directly at the database level but instead, use applications to access the data.
IT employees access the system via individual access and use a common login.
6. Availability control: backups and division
We ensure the availability of data in several ways. For example, there is a regular backup of the entire system. This can be used if the other availability measures fail.
Critical services are operated redundantly in multiple data centers and controlled by a high-availability system.
Our workstations are also protected with the usual measures. For example, virus scanners are installed, and laptops are encrypted.
We would like to specify that we use MDM-solution to protect employee devices with security settings.
7. Separation control: limited access.
We use logically separate databases to prevent unauthorized persons from accidentally reading data with limited access.
Access to the data is also restricted because employees use services (applications) that control access.
Privacy Rights
EU privacy rights
You, as subjects of personal data, have the following rights:
| Right | Description |
|---|---|
| Right to access | You can request an explanation of the processing of your personal data. |
| Right to rectification | You can change the information if it is inaccurate or incomplete. |
| Right to erasure | You can send us a request to delete your personal data from our systems. |
| Right to data portability | You can request all the data that you provided to us, as well as request to transfer data to another Controller. |
| Right to object | You can object to the processing of your data. |
| Right to restriction | You may partially or wholly prohibit us from processing your personal data. |
| Right to withdraw consent | You can withdraw your consent at any time. |
| Right to lodge a complaint | If your request is not satisfied, you can file a complaint to the regulatory body. |
To exercise your rights, write us an email at dpo@sparkmailapp.com. If some data is being exchanged between Spark and your accounts in other services, you may also fulfill your rights (such as your right to withdraw your consent) by disabling the access of your Spark account to such third-party services or, alternatively, manage your privacy settings in your third-party service accounts that are linked with Spark and your Spark account.
Also, it is your right to lodge a complaint to the Data Protection Commission (DPC) regulatory body by post at 21 Fitzwilliam Square, South, Dublin 2, D02 RD28, Ireland or using webforms. Please note that you can contact your local supervisory authority. Your local authority will then contact the Irish supervisory authority to communicate your complaint or request.
The USA citizens’ privacy rights.
You, as the subject of personal data, have some specific privacy rights. To exercise them, write us an email at dpo@sparkmailapp.com
Your rights vary depending on the laws that apply to you but may include:
- The right to be informed about the personal data we collect and/or process about you;
- The right to learn the source of personal data about you we process;
- The right to access, modify, and correct personal data about you;
- The right to know with whom we have shared your personal data, for what purposes, and what personal data has been shared (including whether personal data was disclosed to third parties for their direct marketing purposes);
- The right to withdraw your consent, where the processing of personal data is based on your consent; and
- The right to lodge a complaint with a supervisory authority located in the jurisdiction of your habitual residence, place of work, or where an alleged violation of law occurred.
Please see more detailed information about your state’s privacy data protection laws in a separate section; you can find it in the navigation on the right of the page.
| Virginia’s Consumer Data Protection Act | Consumer Privacy Act and California Privacy Rights Act | Colorado Privacy Act | Nevada Privacy Law | Delaware Online Privacy and Protection Act |
|---|---|---|---|---|
| Right to Know whether the Controller is processing a customer’s personal data. | Right to Know what personal information is collected and Right to Access personal information. | Right to Access Information. | Right to Know whether the Controller is processing the customer’s personal data. | Right to Access Information. |
| Right to Access personal data processed by the Controller. | Right to Know if Personal Information is Sold. | Right to confirm the processing of personal data. | Right to opt out of Sale. | Right to withdraw consent. |
| Right to Correct. Right to Erasure. Right to Data Portability. Right to opt out of targeted advertising, the sale of personal data, or profiling. |
Right to Erasure. Subject to certain exceptions. Right to Data Portability. Right to Correct. Right to opt out of Sale. Right to Limit Use and Disclosure of Sensitive Personal Information. |
Right to Access information. Right to Correct. Right to Erasure. Right to Data Portability. Right to opt out of targeted advertising, the sale of personal data, or profiling via a universal opt out mechanism. |
Right to Correct. | Right to Correct. Right for "do not track" request Right to opt out of Sale. |
What do these rights mean?
- The right to access information. You can request an explanation of the processing of your personal data: what data exactly we process and how.
- The right to withdraw consent. After you once give us any consent, you can withdraw it at any time without any consequences for you.
- The right to portability. You can request all the data you provided to us and request to transfer data to another Controller in a machine-readable format.
- The right to file complaints. If your request is not satisfied, you can file a complaint to the regulatory body. But please first contact us, and we will do our best to help you.
- Right to erasure. You can send us a request to delete your personal data from our systems.
Depending on the state and legislative requirements, we have from 30 to 60 days to exercise your request with the right for additional 30 days.
Privacy Policy Update
The GDPR regulates this Privacy Policy and the relationships falling under its effect. Existing laws and requirements for the processing of personal data are subject to change. In this case, we will publish a new version of the Privacy Policy on our website.
If we make substantial changes to this Policy (or the App) that affect your privacy and confidentiality, we will notify you by email or display information in the App and ask you to read it. We will notify you in advance, and if you continue using our Service after the changes come into effect, we will presume that you agree with the updated Privacy Policy.
Region Specific Data Privacy Law
California Legislation
For residents of California, we provide more information about the relevant legislation and your privacy rights granted by the California Consumer Privacy Act (CCPA) and California Privacy Rights Act.
Opt out of disclosure for direct marketing purposes. California law allows residents to learn the identities of entities that received their personal data for marketing purposes and the categories of information disclosed. You may request such information by contacting us by email at dpo@sparkmailapp.com.
Please be aware that this Opt-Out does not prohibit our disclosure of personal data for any purpose other than direct marketing.
Automatic gathering of information. We collect data you provide to us online and through unaffiliated third parties’ websites.
Automatic gathering of information by third parties. When you visit our websites, third parties can collect personal data about your online activities over time and across different websites on your visit to or use our and other websites.
Minors. A business shall not sell the customers’ personal information if the business has actual knowledge that the customer is a child under the age of 16. A business may process data of a child under the age of 16 only upon a parent or guardian’s request and only after verifying parent/guardian identity and authority to represent a child. A business that willfully disregards the customer’s age shall be deemed to have had actual knowledge of the customer’s age. This right may be referred to as the "right to opt-in."
A business that has not received consent to sell the minor customer’s personal information shall be prohibited from selling the personal information unless the customer subsequently provides express authorization.
Do-not-Track Requests
California residents using our App may request that we do not automatically gather and track information on their online browsing movements across the Internet. Such requests are typically made through web browser settings that control signals or other mechanisms that provide customers the ability to exercise choice regarding the collection of personal data about an individual customer's online activities over time and across third-party websites or online services. We currently do not have the ability to honor these requests. We reserve the right to modify this Privacy Policy as our capabilities change.
California Residents’ Data Protection Rights
The California Consumer Privacy Act ("CCPA") and California Privacy Rights Act provide our Users who are California residents with the following additional rights:
- Right to Know: You have the right to request that we disclose certain information to you about the personal data we collected, used, disclosed, and sold about you in the past 12 months. This includes a request to know any or all of the following:
- categories of personal data collected about you;
- categories of sources from which we collected your personal data;
- categories of personal data that we have sold or disclosed about you for a business purpose;
- categories of third parties to whom your personal data was sold or disclosed for a business purpose;our business or commercial purpose for collecting or selling your personal data; and
- specific pieces of personal data we have collected about you.
- Data Portability: You have the right to request a copy of personal data we have collected and maintained about you in the past 12 months.
- Right to Erasure: You have the right to request that we delete the personal data we collected from you and maintained, subject to certain exceptions. Please note that if you request erasure of your personal data, we may deny your request or may retain some aspects of your personal data if it is necessary for us or our service providers to:
- complete the transaction for which the personal data was collected, provide goods or services requested by you, or reasonably anticipated within the context of our ongoing business relationship with you, or otherwise perform a contract between our business and you;
- detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity; or prosecute those responsible for that activity;
- debug to identify and repair errors that impair existing intended functionality;
- exercise free speech, ensure the right of another consumer to exercise his or her right of free speech, or exercise another right provided for by law;
- comply with the California Electronic Communications Privacy Act according to Chapter 3.6 (commencing with Section 1546) of Title 12 of Part 2 of the Penal Code;
- engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when the deletion of the information is likely to render impossible or seriously impair the achievement of such research if you have provided informed consent;
- enable solely internal uses that are reasonably aligned with your expectations based on your relationship with us;
- comply with a legal obligation;
- otherwise, use the personal data internally in a lawful manner that is compatible with the context in which you provided the information.
- Right to Opt-Out/In: You have the right to opt out of the sale of your personal data. You also have the right to opt-in to the sale of personal data. However, we do not sell your personal data.
- Right to Non-Discrimination: You have the right not to receive discriminatory treatment by us to exercise your CCPA privacy rights. Unless permitted by the CCPA, we will not:
- deny you goods or services;
- charge you different prices or rates for goods or services, including through granting discounts or other benefits, or imposing penalties;
- provide you a different level or quality of goods or services;
- suggest that you may receive a different price or rate for goods or services or a different level or quality of goods or services.
You can exercise these rights any time by contacting us via email at dpo@sparkmailapp.com.
Notice, the CCPA envisages some specific requirements related to exercising these data protection rights. Considering them, we may:
- respond to your request within forty-five (45) days of receiving the request;
- provide you with personal data we collected about you no more than twice in a 12-months period (categories and specific pieces of collected personal data, business purpose and sources of collection, categories of third parties personal data is shared with);
- NOT provide you with personal data if we cannot verify your identity. You shall provide us with sufficient information to verify you as the person we collected personal data. However, we do consider requests made through your Account sufficiently verified;
- NOT transmit your personal data to another entity.
Also, please be aware that we are allowed to maintain personal data after erasure requests are received as permitted by the CCPA (for instance, for detection of security incidents, repair errors, compliance with legal obligations, and transaction completion).
We want to draw your particular attention that Spark does not sell, rent, or trade your personal data to anyone. We will not discriminate against you if you exercise your rights under the CCPA.
We are accessible to customers with disabilities. Consumers with disabilities may also contact us by emailing to request an alternative format of this Privacy Policy.
Virginia Legislation
For residents of Virginia, we provide more information about the relevant legislation and your privacy rights granted by Virginia’s Consumer Data Protection Act.
The VCDPA obliges some businesses to give consumers the ability to access and control personal data that the business collects about them.
Minors. Controllers and processors that comply with COPPA’s verifiable parental consent requirements shall be deemed compliant with any obligation to obtain parental consent under the CDPA.
A known child’s parent or legal guardian may invoke customer rights on behalf of the child regarding personal processing data belonging to the known child.
No Discrimination. A Controller cannot process personal data in violation of state and federal customer anti-discrimination laws or discriminate against a customer for exercising rights under the CDPA.
Access Requests. Controllers are required to establish and describe in a Privacy Policy one or more secure and reliable means for customers to submit a request to exercise their rights. The method used needs to consider how customers normally interact with the Controller, the need for secure and reliable communication of such requests, and the ability of the Controller to authenticate the requests.
Controllers are prohibited from requiring a customer to create a new account to exercise their customer rights but may require a customer to use an existing account.
Response time. Controllers are required to respond to customer requests within forty-five (45) days. This period may be extended once by forty-five (45) additional days if certain requirements are met.
No charge for the information. Controllers must provide information in response to a customer request free of charge, up to twice annually per customer. The Controller may charge the customer a reasonable fee or decline to act on the request if requests are manifestly unfounded, excessive, or repetitive, but the burden of demonstrating the manifestly unfounded, excessive, or repetitive nature of the request is on the controller.
Right to Opt-Out. Virginia residents visiting our websites may request to opt out of targeted advertising, the sale of personal data, or profiling. Virginia laws allow its residents to learn the identities of entities that received their personal data for marketing purposes and the categories of information disclosed. You may request such information by contacting us by email at dpo@sparkmailapp.com.
Colorado Legislation
For residents of Colorado, we provide more information about the relevant legislation and your privacy rights granted by the Colorado Privacy Act.
Minors. A Controller shall not process the personal data of a known child without first obtaining consent from the child’s parent or lawful guardian.
Access Requests. Consumers may exercise their rights by submitting a request using a method specified by the Controller in the required Privacy Policy.
The method you must take into account:
- how customers normally interact with the Controller;
- the need for secure and reliable communication relating to the request; and
- the ability of the Controller to authenticate the identity of the customer making the request.
Controllers shall not require a customer to create a new account to exercise customer rights. However, the Controller may require a customer to use an existing account.
Response time. 45 days to respond. The Controller shall inform a customer of any action taken on a request within 45 days. In certain circumstances, this 45-day window to respond may be extended by an additional 45 days.
No charge for the information. Controllers must provide the information requested free of charge once per year. The Controller may charge an additional amount for additional requests within 12 months.
Justification for failure to act. If a Controller does not take action as requested by a customer, the Controller shall inform the customer within 45 days after receipt of the request of the reasons for not taking action and instructions for how to appeal the decision.
Denial of requests. The Controller is not required to comply with a request to exercise any of the customer’s rights if the Controller cannot authenticate the request using commercially reasonable efforts and may request the provision of additional information reasonably necessary to authenticate the request.
Right to appeal. The Controller shall establish an internal process whereby customers may appeal a refusal to take action on a customer request. They must do so within a reasonable period after the Controller notifies them that the Controller denies the request. The appeal process must be conspicuously available and easy to use.
Responding to an appeal. The Controller shall inform the customer of the result of the appeal and provide a written explanation of the reasons in support of the outcome within 45 days of receipt of the appeal. These 45 days may be extended by an additional 60 days in certain circumstances.
Delaware legislation
For residents of Delaware, we provide more information about the relevant legislation and your privacy rights granted by the Delaware Online Privacy and Protection Act.
Advertising to children. DOPPA regulates operators only as far as they provide services or platforms that are 'targeted or intended to reach an audience composed predominantly of children. However, this does not include services or platforms that merely refer or link to another service or platform directed at children.
Operators can also be liable under DOPPA if, despite not directing their services or platforms to children, they have actual knowledge that children are accessing the services or platforms. In such an event, an operator cannot knowingly use, disclose, or compile that child’s personal information, nor can an operator allow another to do the same. An operator that provides a covered service or platform cannot advertise or market content inappropriate for children. In this regard, DOPPA provides an enumerated list of prohibited content, including alcohol, tobacco, firearms, fireworks, tanning equipment and facilities, lotteries and gambling, tattoos, drug paraphernalia, and pornography. You should note that an operator need not monitor the preceding if it uses an advertising service and ensures that it complies with DOPPA.
Do-not-track requests. Delaware residents visiting our websites may request that we do not automatically gather and track information about their online browsing movements across the Internet. Such requests are typically made through web browser settings that control signals or other mechanisms that provide customers the ability to exercise choice regarding the collection of personal data about an individual customer's online activities over time and across third-party websites or online services. We currently cannot honor these requests. We may modify this Policy as our abilities change.
Nevada Legislation
For residents of Nevada, we provide more information about the relevant legislation and your privacy rights granted by the Nevada privacy law ​​Senate Bill 220.
Opt-Out of the sale. Nevada allows consumers to opt out of the sale of "covered information" collected through a website or online service. Under the law, "covered information" includes:
- first and last name;
- home or other physical address, which includes the name of a street and the name of a city or town;
- electronic mail (email) address;
- telephone number;
- social security number;
- identifier that allows a specific person to be contacted either physically or online;
- other information concerning a person is collected from the person through the operator’s Internet website or online service and maintained by the operator in combination with an identifier in a form that makes the information personally identifiable.
Do-not-sell request. Nevada does not require entities to include a "Do Not Sell My Personal Information" button or link on their websites. Instead, it mandates that entities provide consumers with an email address, a toll-free telephone number, or an Internet website to submit verified Opt-Out requests.
Response time. Upon receiving a "verified consumer request," a business has 45 days, with a possible 90-day extension when "reasonably necessary" and by providing notice to the consumer, for a total of 135 days.
Definitions
Here you can find the definitions of the terms used throughout the Privacy Policy.
“Spark”, “Spark Mail”, “we”, “our”, “us”: Spark Mail Limited, an Ireland-based technology company that maintains and operates Spark Mail App (“App”).
“Controller”, “data controller”: the natural or legal person who (either alone or jointly or in common with other persons) determines the purposes for which and how any personal data is processed. In the CCPA, the term “business” refers to the person performing similar functions.
“Data protection officer”, “DPO”: an employee or a contractor who is designated by Spark Mail Limited to help it comply with the GDPR and other data protection laws and who is assigned to help you protect your personal data rights. You may contact DPO at dpo@sparkmailapp.com.
“Data subject”: a natural person about whom Spark holds personal data (an identified or identifiable natural person).
“GDPR”: European Union’s General Data Protection Regulation.
“Personal data”: any information relating to you and helping identify you (directly or indirectly), such as your name, last name, email, location data, etc.
“Processing”: any operation or set of operations that is performed on personal data or sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
“Processor”, “data processor”: the natural or legal person who processes personal data on behalf of the data controller. In the CCPA, the term “service provider” can be used in the context of delegating some parts of data processing to another person under the business’ instruction.
“Services”, “Spark Mail Services” (either capitalized or not): the Spark Mail App and the features available through the use of the Spark Mail App, either Basic or Premium, together or separately.
“Subprocessor”: anyone other than us who we have appointed to process the personal data of our clients. Subprocessors can see no more data than we can see (unless you supply them with your personal data outside the Spark Mail App). Examples include our data hosting providers and payment processors.
“Supervisory authority”: a local regulator under the GDPR which has the job of seeing that we protect your data properly.