Spark privacy policy

  1. Our details as the data controller
  2. Information we collect and how we use this information
  3. What we do with your personal data
  4. How long personal data is stored for
  5. Security measures used by Us
  6. Categories of recipients and Data Processors
  7. Your rights
  8. Children's privacy
  9. Our commitment
  10. Changes to the privacy policy
  11. Contact Information

1. Our details as the data controller

Spark Application (the "App") and Spark for Teams Service (the "Service") are brought to you by Readdle, Inc. (the "Data Controller" of your personal data). Consequently, "We", "Us" and "Ours" refers to the Data Controller.

2. Information we collect and how we use this information

We collect certain information about you when you provide it directly to us or use our App and Service. We only obtain information necessary to provide you with our services.

Email address: As an email client, the core functionality of our Product is based on providing you with the ability to manage your email. For this reason, Spark services access your email account when you start using the App. Your email address is a unique identifier of you as a user within our system and allows us to secure your data. Your email address will also be used as a primary means of communication for us on anything related to changes to the App and Service such as Privacy Policy, Terms of Use, or core functionality of our App or Service. We may also occasionally contact you for marketing purposes and it will be in our legitimate interests to do so, but you will always have a chance to opt out of such marketing communications for similar products and/or services anytime. Your email is safe and we do not use it for profiling or targeting.

OAuth login or mail server credentials: Spark requires your credentials to log into your mail system in order to receive, search, compose and send email messages and other communication. Without such access, our Product won’t be able to provide you with the necessary communication experience. In order for you to take full advantage of additional App and Service features, such as “send later”, “sync between devices” and where allowed by Apple – “push notifications” we use Spark Services. Without using these services, none of the features mentioned above will function.

Identity of a team you join: To make Spark Services possible, we allow you and your colleagues to create teams within the Service. It allows you to have a secure space where you share information such as email conversations, shared email drafts, private discussions, or create links to a specific email message. Team identity is necessary in order to associate you with that specific team as well as secure your information from people who are not a part of your team. Our system creates a record about the team only when you create one.

Some technical details are also collected in order for our App and Service to function properly. This data can’t be used to directly identify you. We will make every reasonable effort to keep this data safe and secure.

We do not use your data for marketing purposes.

Email content while using Spark Services: We allow you and your colleagues to create teams within the Service. It allows you to have a secure space where you share information such as email conversations, shared email drafts, have private discussions, or create links to specific emails. This information is stored on our secure servers in order to make Services available to you, so you can collaborate with your teammates around email.

IP address: Core functionality of our Product is based on connection to the Internet. That is why our App and Service won’t properly function without Internet connection. Your IP address is a unique identifier that lets you connect to the Internet and our service will log connections for security and troubleshooting purposes.

APNS device token (Apple Push Notification Service): Push notifications allow you to get immediate updates about new emails or private team comments in your email inbox. You’re free to enable or disable them during initial App setup or later using your device’s system preferences.

App token assigned by us: This token allows us to identify your device in our system and troubleshoot potential issues you might experience.

Device, App version, iOS version information: We need to have this information so the App functions properly on your specific device.

Statistical information with regards to App usage: In order to better understand general app usage patterns, improve the Product and its user experience, Spark collects general statistical information about the usage of the Product. Collecting such data helps us optimize the App in future updates and such usage does not affect your rights and freedoms and does not disclose any personal data of yourself or your contacts.

Recently accessed email messages and collaboration threads: We need this information to provide Spark Services to you and your teammates such as private discussions around email, shared drafts and shared email conversations. By collecting and storing this data, we are able to present message discussion threads through your Spark app and provide better communication experience with your team.

Some of your email contacts: Spark Smart Notifications will send you push notifications only for important messages from real people. To block push notifications for promotional newsletters and automatic emails, we need to keep the “whitelist” of senders for push notifications. We’ll sync this “whitelist” of contacts to our server to enable Smart Notifications. If you decide not to use Smart Notifications, we will never sync your email contacts.

Logs: We collect this information to prevent fraud and potential unauthorized access to your personal information, ensuring the technical availability and security of the App. The server that hosts the App may record requests your device makes to the server, the details on device and browser you use, your IP address, date and time of access, city and country, operating system, browser type, mobile network information. This data is used only for technical purposes – that is, to ensure the proper functioning and security of the App and to investigate possible security incidents.

Cookie information: This information is necessary for the Spark for Teams administration portal. Cookies allows us to identify you as a member of the team and prevent unauthorized access to your team administration portal by other users. All of this information is stored locally on your device.

Customer Support communication: Regarding the email: we save a record of communication including attachments and information you voluntary decide to share with us for troubleshooting purposes whenever you communicate with our support team.

Regarding the Website: your browser transfers certain data so that it can access the Website, namely:

  • the IP address
  • the date and time of the request
  • the browser type
  • the operating system
  • the language and version of the browser software.

Cookies: Use of (Further Analyzing) Tools

Cookies are stored on your computer when using the Website. Cookies are small text files that are stored on your hard disk of the computer with which you visit a website and which are allocated to your browser and through which certain information is submitted to the cookies user that sets the cookie (in this case us). Cookies serve to make the website offering more user-friendly and effective overall.

The Website uses cookies to the following extent:

  • Transient / Session cookies
  • Persistent / Setting cookies
  • Analytics cookies

Transient cookies are automatically deleted when you close your browser. This includes in particular the session cookies. These store a so-called session ID, which identify user session in the browser. Session cookies are deleted when you log out or close your browser.

Persistent cookies help the Website remember your information and settings when you visit them in the future. They are automatically deleted after a specified period, which may differ depending on the cookie.

We also use cookies on our website which enable an analysis of the user's surfing behavior.

You can configure your browser settings according to your wishes and, for example, restrict the use of cookies or refuse them altogether. However, we would like to point out that you may not be able to use all the functions of the Website in this case.

The Website uses Google Analytics, a web analytics service provided by Google, Inc. (“Google”). Google Analytics uses “cookies”, which are text files placed on your computer, to help analyze how you use the Website. The information generated by the cookie about your use of the Website will normally be transmitted to and stored by Google on servers in the United States.

In case IP-anonymization is activated on the Website, your IP address will be truncated within the area of member states of the European Union or within other contracting states to the Agreement on the European Economic Area. Only in exceptional cases the whole IP address will be first transferred to a Google server in the USA and truncated there. Google will use this information on behalf of Readdle for the purpose of evaluating your use of the Website, compiling reports on Website activity and providing other services for Readdle relating to website activity and internet usage.

The IP address that your browser transfers within the scope of Google Analytics will not be associated with any other data held by Google.

You may refuse the use of cookies by selecting the appropriate settings in your browser, however please note that if you do so you may not be able to use all functions of the Website. You can also opt-out from the storage by Google of the data that is created by the cookie and is related to the use of the Website (including your IP address) and the processing of such data by Google by downloading and installing the Google Analytics opt-out Browser add-on available under https://tools.google.com/dlpage/gaoptout?hl=en.

As an alternative to the browser add-on or within browsers on mobile devices, you can click this link in order to opt-out from being tracked by Google Analytics within this Website in the future (this opt-out option applies only for the browser in which you set it and with regard to the Website). In this case an opt-out cookie is put on your device. In case you delete your cookies, you will have to use the aforementioned link again.

For further information on Google Analytics please refer to: http://www.google.com/analytics/terms/, https://support.google.com/analytics/answer/6004245?hl=en and https://policies.google.com/privacy?hl=en&gl=en

In order to better understand general usage patterns for our Product, we use a third-party tool of Amplitude, Inc, 501 2nd Street, San Francisco, CA 94107, called Amplitude (see https://amplitude.com/privacy). Amplitude is an analytics software tool, which helps us improve our Service by providing statistical patterns of our product use. This tool does not provide us with any additional personal data about you or your behavior online.

Email messages sent by us via third-party services like MailChimp or CampaignMonitor may contain tracking pixel which helps us collect statistics on delivery and opening rates of our correspondence. These pixels do not provide us with any additional personal data about you or your behavior online. You can disable image rendering in your email client which will deactivate this feature, however you will be unable to see any images within other received emails.

If you decide to deactivate (some of) the cookies and tools described above, please note that certain features and functionalities of the Services might not work or might not be accessible to you.

3. What we do with your personal data

Your personal data is used to provide you our App and Services, and to improve the Product. Your personal data is not used for marketing purposes. We encrypt your emails and then store some of your personal data on secure servers that would prevent unauthorized access or destruction. Unless you have asked us not to, We may rarely contact you by email about similar products and services to the App. Whenever We contact you, We would always give you the right to opt out at any time (see the section "Your Rights" below).

As stated in section 2 above, We only process personal data for the purposes strictly necessary to provide you with the service. Some of the purposes for processing the data provided by you include:

  • Providing you with the services
  • Fraud prevention
  • Improving our services
  • Notifying you of any changes in our services

4. How long personal data is stored for

Depending on the type, your personal data is stored either until you delete the App or after a certain period.

Type of information Length of storage
Email address, email content for Spark Services, mail server credentials, APNS device token, App token assigned by us, device info 3 months after deletion of your email account from Spark on all devices
Recent messages from your inbox Deleted after 4 hours
Emails pending in the "send later" feature, IP addresses Deleted once the message is sent

5. Security measures used by Us

Your data is stored on secure servers that we rent and We use the recommended industry practices to keep your data secure. We use appropriate level of technical and organizational measures to prevent accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to personal data transmitted, stored or otherwise processed.

For instance, We ensure that all transmission is secured with HTTPS so that no one else can access your data. Your email and account credentials are stored on secure cloud-based servers using asymmetric encryption. We currently use Hetzner and Google (the "Hosting providers"). Those Hosting providers are in possession of various international security certificates that ensure safety of your data with them. You can read more on the security measures of Google, for instance, by following the link: https://cloud.google.com/security/compliance/

We use appropriate level of technical and organizational measures to prevent accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to personal data transmitted, stored or otherwise processed. A non-exhaustive list of such measures include:

1. Protective measures for physical access control:

We secure access to the premises via ID readers, so that only authorised persons have access. The ID cards can be blocked individually; access is also logged.

Furthermore, an alarm system is installed in the premises, preventing infiltration by unauthorised persons. The alarm system is linked to a locking mechanism for the doors.

2. Protective measures for system access control:

Each employee has access to the systems/services only via his/her own employee access. The access rights involved are limited to the responsibilities of the respective employee and/or team.

We regulate access to our own systems via password procedures and the use of SSH keys of at least 1024 bits in length. The SSH keys strengthen the productive systems against attacks that target weak passwords, as the password-based access to the relevant systems is disabled.

We have, in addition, a regulation for the creation of passwords. This guarantees higher security also for systems that offer password-based access.

Passwords must meet the following requirements:
At least 8 characters long
At least 1 letter in upper-case
At least 1 letter in lower-case
At least 1 number
At least 1 non-alphanumeric character

Our systems are protected by firewalls that reject all incoming connections by default. Only connection types defined by exception are accepted.

3. Protective measures for data access control:

All servers and services are subject to continuous monitoring. This includes the logging of personal access in the user interface.

Due to the close proximity of the employees, a visual inspection is possible at any time.

Locking and/or logging off when leaving work is prescribed and is practised.

4. Protective measures for transfer control:

The handling of local data storage devices, e.g. USB sticks, is regulated via agreements.

Access to the systems from outside the company network is possible only via secure VPN access.

5. Protective measures for input control:

Our employees do not work directly at database level, but instead use applications to access the data.

IT employees access the system via individual access and use a common login.

6. Protective measures for availability control:

We ensure the availability of data in several ways. On the one hand, there is regular backup of the entire system. This steps in if the other availability measures fail.

Critical services are operated redundantly in multiple data centres and controlled by a high-availability system.

Our workstations are also protected with the usual measures. For example, virus scanners are installed, laptops are encrypted.

7. Protective measures for separation control:

To separate data, We use logically separate databases so that no accidental reading of data by unauthorised persons can occur.

Access to the data itself is also restricted by the fact that employees use services (applications) which control access.

6. Categories of recipients and Data Processors

We do not rent, sell or share your personal data with any third parties, except where We have to comply with Our legal obligation. Some of the data of our users is aggregated for statistical purposes and processed in the legitimate interests as stated in section 2 above.

This does not mean that We blindly follow disclosure orders. We will check each request to ensure it satisfies the relevant safeguards, contains a court order or is issued under a legislative measure for the prevention, investigation, detection or prosecution of criminal offences. If We employ a processor to act on our behalf, We ensure that there are adequate contractual measures to ensure responsibility, security and liability to the same level as expected of Us.

In any case where a third party accesses your data on our behalf or upon our instructions (be it inside or outside the EEA), We use the relevant legal basis to comply with the data protection legislation. In cases where there is no finding of an adequacy decision by the European Commission, we use model contracts approved by the European Commission to safeguard your rights and data.

Technical implementation of the services by subcontractors

We partly use service providers who process Personal Data on behalf of us to operate the technical platform for the Services (for example, the documents that you scan and upload via the App are hosted by a third party hosting provider (whereas the respective servers are exclusively situated in EU member states)). These service providers process the data exclusively according to our instructions (order processing). The legal basis for the data processing described in this section 4 is Art. 6 (1) sentence 1 lit. b GDPR (performance of contract and pre-contractual measures) and Art. 28 GDPR (order processing).

7. Your rights

You are entitled to the full spectrum of the rights under the General Data Protection Regulation and We will go out of our way to accommodate any valid request. You can either exercise your rights by deleting your account and all information associated with it from your device or by emailing us at dpo@readdle.com.

You have a wide array of rights that we respect. Among those the right to:

  • Require access to your personal data;
  • Require rectification of your personal data (this is less relevant since otherwise we could not provide you with the service);
  • Require erasure of your personal data;
  • Withdraw consent to processing of your personal data, where applicable;
  • Lodge a complaint with your national supervisory authority (in the EEA) if you believe that your privacy rights have been breached.

The right to data portability is inapplicable with the App. You should contact your email provider directly to request combined access to all of your personal data. If your personal data is erased at your request or in accordance with our data retention policy, We only retain such information that is necessary to protect our legitimate interests or to comply with a legal obligation.

8. Children's privacy

We never knowingly collect or solicit any information from anyone of 13 years and younger. The App and its content are not directed at nor made look to appeal to such persons. Parents or guardians that believe that We hold information about their children aged 13 and under may contact Us at dpo@readdle.com.

9. Our commitment

  • We will only collect and use your data where We have a legal basis to do so;
  • We will always be transparent and tell you about how we use your information;
  • When We collect your data for a particular purpose, We will not use it for anything else without your consent, unless other legal basis applies;
  • We will not ask for more data than needed for the purposes of providing our services;
  • We will adhere to the data retention policies and ensure that your information is securely disposed of at the end of such retention period;
  • We will observe and respect Your rights (in section 8 above) by ensuring that queries relating to privacy issues are dealt with promptly and transparently;
  • We will keep our staff trained in privacy and security obligations;
  • We will ensure to have appropriate technological and organizational measures in place to protect your data regardless of where it is held;
  • We will also ensure that all of our data processors have appropriate security measures in place with contractual provisions requiring them to comply with Our commitment;
  • We will obtain your consent and ensure that suitable safeguards are in place before personal data is transferred to other countries.

10. Changes to the privacy policy

We will always notify you via email or otherwise should we update this privacy policy. We will update the "last modified" date at the bottom of this privacy policy to indicate the latest revision, as well as the changes were made.

11. Contact Information

We are based outside the European Economic Area and have nominated the following representative to promptly respond to any requests by our customers and relevant authorities:

Name: Readdle GmbH
Address: WeWork c/o Readdle GmbH, Stresemannstrasse 123, 10963 Berlin, Germany
Email: dpo@readdle.com

Our data protection officer details:

FAO: DPO, Readdle GmbH
Address: WeWork c/o Readdle GmbH, Stresemannstrasse 123, 10963 Berlin, Germany
Email: dpo@readdle.com