- Our details as the data controller
- Information we collect and how we use this information
- What we do with your personal data
- How long personal data is stored for
- Security measures used by Us
- Categories of recipients and Data Processors
- Your rights
- California Residents Notice
- Children's privacy
- Our commitment
- Contact Information
1. Our details as the data controller
Spark Application (the "App") and Spark for Teams Service (the "Service") are brought to you by Readdle, Inc. (the "Data Controller" of your personal data). Consequently, "We", "Us" and "Ours" refers to the Data Controller.
2. Information we collect and how we use this information
We collect certain information about you when you provide it directly to us or use our App and Service. We only obtain information necessary to provide you with our services.
OAuth login or mail server credentials: Spark requires your credentials to log into your mail system in order to receive, search, compose and send email messages and other communication. Without such access, our Product won’t be able to provide you with the necessary communication experience. In order for you to take full advantage of additional App and Service features, such as “send later”, “sync between devices” and where allowed by Apple – “push notifications” we use Spark Services. Without using these services, none of the features mentioned above will function.
Identity of a team you join: To make Spark Services possible, we allow you and your colleagues to create teams within the Service. It allows you to have a secure space where you share information such as email conversations, shared email drafts, private discussions, or create links to a specific email message. Team identity is necessary in order to associate you with that specific team as well as secure your information from people who are not a part of your team. Our system creates a record about the team only when you create one.
Email content while using Spark Services: We allow you and your colleagues to create teams within the Service. It allows you to have a secure space where you share information such as email conversations, shared email drafts, have private discussions, or create links to specific emails. This information is stored on our secure servers in order to make Services available to you, so you can collaborate with your teammates around email.
IP address: Core functionality of our Product is based on connection to the Internet. That is why our App and Service won’t properly function without Internet connection. Your IP address is a unique identifier that lets you connect to the Internet and our service will log connections for security and troubleshooting purposes.
APNS device token (Apple Push Notification Service): Push notifications allow you to get immediate updates about new emails or private team comments in your email inbox. You’re free to enable or disable them during initial App setup or later using your device’s system preferences.
App token assigned by us: This token allows us to identify your device in our system and troubleshoot potential issues you might experience.
Device, App version, iOS version information: We need to have this information so the App functions properly on your specific device.
Statistical information with regards to App usage: In order to better understand general app usage patterns, improve the Product and its user experience, Spark collects general statistical information about the usage of the Product. Collecting such data helps us optimize the App in future updates and such usage does not affect your rights and freedoms and does not disclose any personal data of yourself or your contacts.
Recently accessed email messages, collaboration threads and shared inboxes: We need this information to provide Spark Services to you and your teammates such as private discussions around email, shared drafts, shared email conversations and shared inboxes. By collecting and storing this data, we are able to present message discussion threads through your Spark app and provide better communication experience with your team.
Some of your email contacts: Spark Smart Notifications will send you push notifications only for important messages from real people. To block push notifications for promotional newsletters and automatic emails, we need to keep the “whitelist” of senders for push notifications. We’ll sync this “whitelist” of contacts to our server to enable Smart Notifications. If you decide not to use Smart Notifications, we will never sync your email contacts.
Logs: We collect this information to prevent fraud and potential unauthorized access to your personal information, ensuring the technical availability and security of the App. The server that hosts the App may record requests your device makes to the server, the details on device and browser you use, your IP address, date and time of access, city and country, operating system, browser type, mobile network information. This data is used only for technical purposes – that is, to ensure the proper functioning and security of the App and to investigate possible security incidents.
Cookie information: This information is necessary for the Spark for Teams administration portal. Cookies allows us to identify you as a member of the team and prevent unauthorized access to your team administration portal by other users. All of this information is stored locally on your device.
Customer Support communication: Regarding the email: we save a record of communication including attachments and information you voluntary decide to share with us for troubleshooting purposes whenever you communicate with our support team.
Regarding the Website: your browser transfers certain data so that it can access the Website, namely:
- the IP address
- the date and time of the request
- the browser type
- the operating system
- the language and version of the browser software.
Cookies: Use of (Further Analyzing) Tools
Cookies are stored on your computer when using the Website. Cookies are small text files that are stored on your hard disk of the computer with which you visit a website and which are allocated to your browser and through which certain information is submitted to the cookies user that sets the cookie (in this case us). Cookies serve to make the website offering more user-friendly and effective overall.
- Transient / Session cookies
- Persistent / Setting cookies
- Analytics cookies
Transient cookies are automatically deleted when you close your browser. This includes in particular the session cookies. These store a so-called session ID, which identify user session in the browser. Session cookies are deleted when you log out or close your browser.
Persistent cookies help the Website remember your information and settings when you visit them in the future. They are automatically deleted after a specified period, which may differ depending on the cookie.
The Website uses Google Analytics, a web analytics service provided by Google, Inc. (“Google”). Google Analytics uses “cookies”, which are text files placed on your computer, to help analyze how you use the Website. The information generated by the cookie about your use of the Website will normally be transmitted to and stored by Google on servers in the United States.
In case IP-anonymization is activated on the Website, your IP address will be truncated within the area of member states of the European Union or within other contracting states to the Agreement on the European Economic Area. Only in exceptional cases the whole IP address will be first transferred to a Google server in the USA and truncated there. Google will use this information on behalf of Readdle for the purpose of evaluating your use of the Website, compiling reports on Website activity and providing other services for Readdle relating to website activity and internet usage.
The IP address that your browser transfers within the scope of Google Analytics will not be associated with any other data held by Google.
As an alternative to the browser add-on or within browsers on mobile devices, you can click this link in order to opt-out from being tracked by Google Analytics within this Website in the future (this opt-out option applies only for the browser in which you set it and with regard to the Website). In this case an opt-out cookie is put on your device. In case you delete your cookies, you will have to use the aforementioned link again.
For further information on Google Analytics please refer to: http://www.google.com/analytics/terms/, https://support.google.com/analytics/answer/6004245?hl=en and https://policies.google.com/privacy?hl=en&gl=en
In order to better understand general usage patterns for our Product, we use a third-party tool of Amplitude, Inc, 501 2nd Street, San Francisco, CA 94107, called Amplitude (see https://amplitude.com/privacy). Amplitude is an analytics software tool, which helps us improve our Service by providing statistical patterns of our product use. This tool does not provide us with any additional personal data about you or your behavior online.
Email messages sent by us via third-party services like MailChimp or CampaignMonitor may contain tracking pixel which helps us collect statistics on delivery and opening rates of our correspondence. These pixels do not provide us with any additional personal data about you or your behavior online. You can disable image rendering in your email client which will deactivate this feature, however you will be unable to see any images within other received emails.
If you decide to deactivate (some of) the cookies and tools described above, please note that certain features and functionalities of the Services might not work or might not be accessible to you.
3. What we do with your personal data
Your personal data is used to provide you our App and Services, and to improve the Product. Your personal data is not used for marketing purposes. We encrypt your emails and then store some of your personal data on secure servers that would prevent unauthorized access or destruction. Unless you have asked us not to, We may rarely contact you by email about similar products and services to the App. Whenever We contact you, We would always give you the right to opt out at any time (see the section "Your Rights" below).
As stated in section 2 above, We only process personal data for the purposes strictly necessary to provide you with the service. Some of the purposes for processing the data provided by you include:
- Providing you with the services
- Fraud prevention
- Improving our services
- Notifying you of any changes in our services
4. How long personal data is stored for
Depending on the type, your personal data is stored either until you delete the App or after a certain period.
|Type of information||Length of storage|
|Email address, email content for Spark Services, mail server credentials, APNS device token, App token assigned by us, device info||3 months after deletion of your email account from Spark on all devices|
|Recent messages from your inbox||Deleted after 4 hours|
|Emails pending in the "send later" feature, IP addresses||Deleted once the message is sent|
|Emails of Shared Inboxes||Deleted once the Shared Inboxes are deleted.|
5. Security measures used by Us
Your data is stored on secure servers that we rent and We use the recommended industry practices to keep your data secure. We use appropriate level of technical and organizational measures to prevent accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to personal data transmitted, stored or otherwise processed.
For instance, We ensure that all transmission is secured with HTTPS so that no one else can access your data. Your email and account credentials are stored on secure cloud-based servers using symmetric encryption. We currently use Hetzner and Google (the "Hosting providers"). Those Hosting providers are in possession of various international security certificates that ensure safety of your data with them. You can read more on the security measures of Google, for instance, by following the link: https://cloud.google.com/security/compliance/
We use appropriate level of technical and organizational measures to prevent accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to personal data transmitted, stored or otherwise processed. A non-exhaustive list of such measures include:
1. Protective measures for physical access control:
We secure access to the premises via ID readers, so that only authorised persons have access. The ID cards can be blocked individually; access is also logged.
Furthermore, an alarm system is installed in the premises, preventing infiltration by unauthorised persons. The alarm system is linked to a locking mechanism for the doors.
2. Protective measures for system access control:
Each employee has access to the systems/services only via his/her own employee access. The access rights involved are limited to the responsibilities of the respective employee and/or team.
We regulate access to our own systems via password procedures and the use of SSH keys of at least 4096 bits in length. The SSH keys strengthen the productive systems against attacks that target weak passwords, as the password-based access to the relevant systems is disabled.
We have, in addition, a regulation for the creation of passwords. This guarantees higher security also for systems that offer password-based access.
Passwords must meet the following requirements:
At least 8 characters long
At least 1 letter in upper-case
At least 1 letter in lower-case
At least 1 number
At least 1 non-alphanumeric character
Our systems are protected by firewalls that reject all incoming connections by default. Only connection types defined by exception are accepted.
3. Protective measures for data access control:
All servers and services are subject to continuous monitoring. This includes the logging of personal access in the user interface.
Due to the close proximity of the employees, a visual inspection is possible at any time.
Locking and/or logging off when leaving work is prescribed and is practised.
4. Protective measures for transfer control:
The handling of local data storage devices, e.g. USB sticks, is regulated via agreements.
Access to the systems from outside the company network is possible only via secure VPN access.
5. Protective measures for input control:
Our employees do not work directly at database level, but instead use applications to access the data.
IT employees access the system via individual access and use a common login.
6. Protective measures for availability control:
We ensure the availability of data in several ways. On the one hand, there is regular backup of the entire system. This steps in if the other availability measures fail.
Critical services are operated redundantly in multiple data centres and controlled by a high-availability system.
Our workstations are also protected with the usual measures. For example, virus scanners are installed, laptops are encrypted.
7. Protective measures for separation control:
To separate data, We use logically separate databases so that no accidental reading of data by unauthorised persons can occur.
Access to the data itself is also restricted by the fact that employees use services (applications) which control access.
6. Categories of recipients and Data Processors
We do not rent, sell or share your personal data with any third parties, except where We have to comply with Our legal obligation. Some of the data of our users is aggregated for statistical purposes and processed in the legitimate interests as stated in section 2 above.
This does not mean that We blindly follow disclosure orders. We will check each request to ensure it satisfies the relevant safeguards, contains a court order or is issued under a legislative measure for the prevention, investigation, detection or prosecution of criminal offences. If We employ a processor to act on our behalf, We ensure that there are adequate contractual measures to ensure responsibility, security and liability to the same level as expected of Us.
In any case where a third party accesses your data on our behalf or upon our instructions (be it inside or outside the EEA), We use the relevant legal basis to comply with the data protection legislation. In cases where there is no finding of an adequacy decision by the European Commission, we use model contracts approved by the European Commission to safeguard your rights and data.
Technical implementation of the services by subcontractors
We partly use service providers who process Personal Data on behalf of us to operate the technical platform for the Services (for example, the documents that you scan and upload via the App are hosted by a third party hosting provider (whereas the respective servers are exclusively situated in EU member states)). These service providers process the data exclusively according to our instructions (order processing). The legal basis for the data processing described in this section 4 is Art. 6 (1) sentence 1 lit. b GDPR (performance of contract and pre-contractual measures) and Art. 28 GDPR (order processing).
7. Your rights
Spark is a subject of various data privacy regulations including the General Data Protection Regulation and the California Consumer Privacy Act. You are entitled to the full spectrum of the rights under those regulations. We will go out of our way to accommodate any valid request. You can either exercise your rights by deleting your account and all information associated with it from your device or by emailing us at email@example.com.
Spark under no circumstances sell your data and performs only lawful processing of your personal data, please see section 2 and 3 above for details.
You have a wide array of rights that we respect. Among those the right to:
- Require access to your personal data;
- Require rectification of your personal data (this is less relevant since otherwise we could not provide you with the service);
- Require erasure of your personal data;
- Withdraw consent to the processing of your personal data, where applicable, otherwise we could not provide you with the service;
- Lodge a complaint with your national supervisory authority (in the EEA) if you believe that your privacy rights have been breached.
The right to data portability is inapplicable with the App. You should contact your email provider directly to request combined access to all of your personal data. If your personal data is erased at your request or in accordance with our data retention policy, We only retain such information that is necessary to protect our legitimate interests or to comply with a legal obligation.
8. California Residents Notice
In relation to paragraph (5), s.1798.130 of California Consumer Privacy Act of 2018 (CCPA):
- following subparagraph (A) the list of consumer rights can be found in section 7 above;
- following subparagraph (B) personal information categories that We collect or have collected about consumers can be found in section 2 and 3 above;
- subparagraph (C) does not apply to our practices as We neither sell nor have in the past 12 months sold your personal information as described in subdivision (t) of s.1798.140 CCPA.
9. Children's privacy
We never knowingly collect or solicit any information from anyone of 13 years and younger. The App and its content are not directed at nor made look to appeal to such persons. Parents or guardians that believe that We hold information about their children aged 13 and under may contact Us at firstname.lastname@example.org.
10. Our commitment
- We will only collect and use your data where We have a legal basis to do so;
- We will always be transparent and tell you about how we use your information;
- When We collect your data for a particular purpose, We will not use it for anything else without your consent, unless other legal basis applies;
- We will not ask for more data than needed for the purposes of providing our services;
- We will adhere to the data retention policies and ensure that your information is securely disposed of at the end of such retention period;
- We will observe and respect Your rights (in section 8 above) by ensuring that queries relating to privacy issues are dealt with promptly and transparently;
- We will keep our staff trained in privacy and security obligations;
- We will ensure to have appropriate technological and organizational measures in place to protect your data regardless of where it is held;
- We will also ensure that all of our data processors have appropriate security measures in place with contractual provisions requiring them to comply with Our commitment;
- We will obtain your consent and ensure that suitable safeguards are in place before personal data is transferred to other countries.
12. Contact Information
We are based outside the European Economic Area and have nominated the following representative to promptly respond to any requests by our customers and relevant authorities:
|Address:||WeWork c/o Readdle GmbH, Stresemannstrasse 123, 10963 Berlin, Germany|
Our data protection officer details:
|FAO:||DPO, Readdle GmbH|
|Address:||WeWork c/o Readdle GmbH, Stresemannstrasse 123, 10963 Berlin, Germany|