Last updated: 4 October, 2022.
We understand you care about your privacy and we appreciate the trust you place in us. To justify your trust, we embed the latest data security standards, improve our awareness of privacy matters, and comply with the General Data Protection Regulation and other privacy laws.
We do not collect, track or store any personal data beyond what we need to provide and improve our Website and services.
By using our Website you enter the category of “User”. A User is any natural person who uses the Website.
You own and control the personal data we collect about you on the Website. You can choose not to provide certain information or disable it and prevent us from collecting, storing, and processing it.
Please be aware you may not be able to take advantage of some features of the Website in this case.
We are the controller of the personal data of our Users. This means that we determine what, for what purpose, and how your personal data will be processed by us.
Company: Spark Mail Limited.
Address: Grand Canal House, 1 Grand Canal Street Upper, Dublin 4, D04 Y7R5, Ireland.
External Data Protection Officer: Legal IT Group LLC
If you have a particularly sensitive request, please contact us or our Data Protection Officer.
This Policy applies to our website.
This section explains our approach and practices for processing personal data at different features on the Website. We use tables and charts to present the information in a structured and easy-to-digest fashion.
We process two categories of data: technical and personal data that you provide to us.
Usually, we can process personal data based on the following legal bases:
Example of consent:
You agree to receive updates by email.
Please Note: We knowingly do not process the data from Users below 16 years of age without a legal representative’s consent. If you are such a User or the user’s legal representative, please inform us by email at firstname.lastname@example.org.
We need technical data to operate, maintain, and improve our website. This may include:
We collect this information to prevent fraud and potential unauthorized access to your personal information, ensuring the technical availability and security of the Website. The server that hosts the Website may record requests your device makes to the server, the details on the device and browser you use, your IP address, date and time of access, city and country, operating system, browser type, and mobile network information. This data is used only for technical purposes – that is, to ensure the proper functioning and security of the Website and to investigate possible security incidents. Your device may also contain Logs, but their scope and retention period depend on your device’s manufacturer.
In order to better understand general app usage patterns, and improve the Website and its user experience, Spark may collect general statistical information about the usage of the Website. Collecting such data helps us optimize the Website in future updates and such usage does not affect your rights and freedoms and does not disclose any personal data of yourself or your contacts. We may collect information about your device (such as model, series, manufacturer, OS update, screen parameters, Internet connection data), App version, iOS version information, non-precise location data (such as country), cookies and other web tracking technologies so we may understand which webpages are most useful for you and which ones should be added or deleted. We usually process such data in a pseudonymised or anonymised form where possible, and our processing is based on either your consent, legal obligation, or our legitimate interest. More information about analytics and statistics subcontractors we engage is available in the “Analytics Tools We Use” section of this Policy.
We may use some of your personal data (such as your email and name) to inform you of our new features and products, changes implemented into the Website or App (including the updates on the Privacy Policies or Terms of Service), and special offers you may participate in. These messages can be sent on the basis of your consent (marketing) or our legitimate interest (rare marketing emails and product updates), and we do not sell this data to or share it with other third parties (except our affiliates).
We use Crazyegg tools to monitor which webpages are popular and attract more attention than others, for how long an anonymous user stays on the webpage, to hold A/B experiments etc.
Crazyegg collects heatmaps and helps us optimize the website and App to provide you with an efficient and smooth experience.
The interactions that may be recorded or analyzed by Crazyegg may include mouse scrolls and clicks; keystrokes entered by you; and/or pages viewed or visited by you, including the duration of such visits.
The Website uses Google Analytics, a web analytics service provided by Google, Inc. (“Google”). Google Analytics uses “cookies”, which are text files placed on your computer, to help analyze how you use the Website. The information generated by the cookie about your use of the Website will normally be transmitted to and stored by Google on servers in the United States.
If IP anonymization is activated on the Website, your IP address will be truncated within the area of member states of the European Union or within other contracting states to the Agreement on the European Economic Area. Only in exceptional cases will the whole IP address first be transferred to a Google server in the USA and truncated there. Google will use this information on behalf of Spark for the purpose of evaluating your use of the Website, compiling reports on Website activity and providing other services for Spark relating to website activity and internet usage. The IP address that your browser transfers within the scope of Google Analytics will not be associated with any other data held by Google.
Amplitude is an analytics software tool, which helps us improve our Service by providing statistical patterns of our product use. This tool does not provide us with any additional personal data about you or your behavior online.
Email messages sent by us via third-party services like MailChimp or CampaignMonitor may contain tracking pixels which help us collect statistics on delivery and opening rates of our correspondence. These pixels do not provide us with any additional personal data about you or your behavior online. You can disable image rendering in your email client, which will deactivate this feature; however, you will then be unable to see any images within other received emails.
We store the personal data of the User for 12 months after the last usage of the Website.
After the above period expires, we anonymize the data and store it for statistical and analytical purposes.
We process your personal data based on your consent during the provision of services, or during the term of storage (as defined above) or until you withdraw your consent.
We use your personal data on the basis of the performance of the contract (i.e. our Terms of Service) to provide services and communicate with the Users.
We may share personal data with our affiliates to the extent necessary to develop and/or support Spark. We share your personal data with our contractors in the scope we need to provide services, and technical and customer support. Also, we can share your data on the following grounds: consent, compliance with the law, and legitimate interest.
Here is the detailed information on the legal grounds for data sharing with third parties:
Consent. We share your personal data based on your explicit consent.
Compliance with the law. We will disclose your personal data to third parties to the extent that it is necessary:
Legitimate interest or performance of the contract: We share your personal data with third parties based on a public offer for processing on our behalf, subject to technical and organizational measures to protect your personal data. We may transfer your personal data to certain companies, consultants, and contractors hired to provide certain services on our behalf or for us.
In order to best facilitate our services and interactions with you, we may store some of your personal data using cloud technologies managed by our third-party service providers.
We have agreements in place with those third-party service providers and we require them to operate and conduct themselves in a way that is consistent with our legal and ethical obligations.
We also employ technical and organisational measures to protect the confidentiality and security of any personal data shared with our third-party service providers.
Due to the specifics of our work, we sometimes share your information with our third-party service providers who perform functions on our behalf. These third-party service providers can include:
We will ask for your consent unless the transfer of data is part of the performance of a contract.
The personal data we collect is stored on servers in the USA. The data is stored in the USA by default, but we may need to process your personal data in another country. We also may share some data with our service providers in other countries outside Ireland and the USA subject to technical and organisational measures.
There is no adequacy decision by the European Commission regarding either the USA or Ukraine. This means that the USA and Ukraine are not deemed to provide an adequate level of protection for your personal data. We use adopted Standard Contractual Clauses based on legislation assessments for data protection during transfer and storage.
You can read detailed information on the measures we take to protect your personal data in this Policy. If you upload, send or create personal data via one of our Services, you may ask for more details by sending an email to email@example.com.
However, if a data transfer is required to perform a contract or to provide you services, we have the right to do so without your consent.
We regularly perform Data Protection Impact Assessments to ensure that we use an appropriate level of technical and organizational measures to prevent accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to personal data transmitted, stored, or otherwise processed. We follow the ISO 27001 standard as the basis for putting all security controls in place.
To be more specific, to protect your personal data we use HTTPS and encryption, divided group and individual access (where appropriate), an alarm system, a corporate VPN, and written, approved internal policies (such as a password policy and a physical access policy).
Moreover, we systematically monitor our technologies’ state of the art and never forget about the backups. All our contractors are under contractual obligations which are compliant with the GDPR requirements.
Here you can find information about the steps we mentioned above:
We ensure that all transmission is secured with HTTPS so that no one else can access your data. Your email and account credentials are stored on secure cloud-based servers using symmetric and asymmetric encryption: private and public keys.
We currently use Hetzner and Google ("Hosting providers"). These Hosting providers have various international security certificates that ensure the safety of your data with them.
1. Physical access control: group access and alarm system
We secure access to the premises via ID readers, so only authorized persons have access to them. The ID cards can be blocked individually; access is also logged.
An alarm system is installed on the premises, preventing infiltration by unauthorized persons. The alarm system is linked to a locking mechanism for the doors.
2. System access control: individual access and password policy
Each employee has access to the systems/services only via his/her employee access. The access rights involved are limited to the responsibilities of the respective employee and/or team.
Password policy. We regulate access to our systems via password procedures and the use of SSH keys of at least 4096 bits in length. The SSH keys strengthen the production systems against attacks that target weak passwords, as password-based access to the relevant systems is disabled.
In addition, we have a regulation for the creation of passwords. This guarantees higher security for systems that do offer password-based access.
Passwords must meet specific requirements. They must be at least:
Our systems are protected by firewalls that reject all incoming connections by default. Only connection types defined by exception are accepted.
3. Data access control: monitoring and physical access policy.
All servers and services are subject to continuous monitoring. This includes the logging of personal access in the user interface.
Due to the proximity of the employees, a visual inspection is possible at any time.
Locking and/or logging off when leaving work is prescribed and practiced.
4. Transfer control: contractual obligations and corporate VPN
Before transferring any data, we specify organizational and security requirements in Data Processing and Data Transfer Agreements (if applicable). These agreements are obligatory for every Enterprise and us as the Controller.
Furthermore, the handling of local data storage devices, e.g., USB sticks, is regulated via agreements.
Access to the systems outside the company network is possible only via secure VPN access.
5. Input control: general restriction
Our employees do not work directly at the database level, but instead use applications to access the data.
IT employees access the system via individual access and use a common login.
6. Availability control: backups and division
We ensure the availability of data in several ways. For example, there is a regular backup of the entire system. This can be used if the other availability measures fail.
Critical services are operated redundantly in multiple data centers and controlled by a high-availability system.
Our workstations are also protected with the usual measures. For example, virus scanners are installed and laptops are encrypted.
We also use an MDM solution to protect employee devices with security settings.
7. Separation control: limited access.
We use logically separate databases to keep data separated and to prevent unauthorized persons from accidentally reading it.
Access to the data is also restricted because employees use services (applications) that control access.
You, as subjects of personal data, have the following rights:
| Right to access | You can request an explanation of the processing of your personal data. |
| Right to rectification | You can change the information if it is inaccurate or incomplete. |
| Right to erasure | You can send us a request to delete your personal data from our systems. |
| Right to data portability | You can request all the data that you provided to us, as well as request to transfer data to another controller. |
| Right to object | You can object to the processing of your data. |
| Right to restriction | You may partially or wholly prohibit us from processing your personal data. |
| Right to withdraw consent | You can withdraw your consent at any time. |
| Right to lodge a complaint | If your request was not satisfied, you can file a complaint to the regulatory body. |
To exercise your rights, please write us an email at firstname.lastname@example.org
If your request is not satisfied, you can file a complaint to the Data Protection Commission (DPC) regulatory body by post at 21 Fitzwilliam Square, South, Dublin 2, D02 RD28, Ireland, or use their webforms.
You, as the subject of personal data, have some specific privacy rights. To exercise them, write us an email at email@example.com
Your rights vary depending on the laws that apply to you but may include:
Please see more detailed information about your state privacy data protection laws in a separate section; you can find it in the navigation on the right of the page.
| Virginia’s Consumer Data Protection Act | Consumer Privacy Act and California Privacy Rights Act | Colorado Privacy Act | Nevada Privacy Law | Delaware Online Privacy and Protection Act |
| Right to Know whether the controller is processing a customer’s personal data. | Right to Know what personal information is collected and Right to Access personal information. | Right of Access. | Right to Know whether the controller is processing the customer’s personal data. | Right of Access. |
| Right to Access personal data processed by the controller. | Right to Know if Personal Information is Sold. | The right to confirm the processing of personal data. | Right to Opt-Out of Sale. | Right to withdraw consent. |
| Right to Correct. Right to Delete. Right to Data Portability. Right to Opt-Out of targeted advertising, the sale of personal data, or profiling. | Right to Delete. Subject to certain exceptions. Right to Data Portability. Right to Correct. Right to Opt-Out of Sale. Right to Limit Use and Disclosure of Sensitive Personal Information. | Right to Access. Right to Correction. Right to Deletion. Right to Data Portability. Right to Opt-Out of targeted advertising, the sale of personal data, or profiling via a universal Opt-Out mechanism. | Right to Correct. | Right to Correction. Right for "do not track" request. Right to Opt-Out of Sale. |
What do these rights mean?
Depending on the state and its legislative requirements, we have from 30 to 60 days to fulfil your request, with the right to postpone it for an additional 30 days.
“Spark”, “Spark Mail”, “we”, “our”, “us”: Spark Mail Limited, an Ireland-based technology company that maintains and operates the Spark Mail Website.
“Controller”, “data controller”: the natural or legal person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data is processed. In the CCPA, the term “business” is used to refer to the person who performs similar functions.
“Data protection officer”, “DPO”: an employee or a contractor who is designated by Spark Mail Limited to help it comply with the GDPR and other data protection laws and who is assigned to help you protect your personal data rights. You may contact the DPO at firstname.lastname@example.org.
“Data subject”: a natural person about whom Spark holds personal data (an identified or identifiable natural person).
“GDPR”: European Union’s General Data Protection Regulation.
“Personal data”: any information relating to you and helping identify you (directly or indirectly) such as your name, last name, email, location data, etc.
“Processing”: any operation or set of operations which is performed on personal data or sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
“Processor”, “data processor”: the natural or legal person who processes personal data on behalf of the data controller. In the CCPA, the term “service provider” can be used in the context of delegation of some parts of data processing to another person under the business’ instruction.
“Services”, “Spark Mail Services” (either capitalised or not): the Spark Mail Website and App and the features available through the use of the Spark Mail Website and App, either Free or Premium, together or separately.
“Subprocessor”: anyone other than us who we have appointed to process the personal data of our clients. Subprocessors can see no more data than we can see (unless you supply them with your personal data outside the Spark Mail Website). Examples include our data hosting providers and payment processors.
“Supervisory authority”: a local regulator under the GDPR which has the job of seeing that we protect your data properly.