Privacy Policy
Effective Date: January 1, 2026
Last Updated: February 4, 2026
1. Introduction and Scope
SparkyMinis ("Company," "We," "Us," or "Our") is committed to protecting your privacy and ensuring you have complete control over your data. This Privacy Policy outlines our practices regarding the collection, use, and disclosure of information when you use our web application and services (collectively, the "Service").
We operate on a "Local-First" Data Architecture. This means that unlike traditional cloud applications that centralize your data on their servers, our Service prioritizes the storage of your data on your local device, with cloud synchronization acting primarily as a backup and multi-device relay mechanism.
By accessing or using the Service, you consent to the collection and use of information in accordance with this policy.
2. Information We Collect
2.1. Information You Explicitly Provide
To facilitate the Service, we collect the following:
* Identity Data: When you register, we collect your authentication token and basic profile information (Name, Email Address) from your chosen Identity Provider (e.g., Google or Microsoft). We do not store your password.
* User Content: This includes, but is not limited to, invoices, expense records, project details, contacts, travel itineraries, and files uploaded to the "Secure Vault."
* Billing Information: If you subscribe to a paid plan, our Payment Processors collect your payment method details. We do not store complete credit card numbers on our servers.
2.2. Automated Usage Data
When you access the Service, specific data is automatically collected to ensure performant delivery and security:
* Telemetry: Anonymous metrics regarding feature usage (e.g., "Invoice Created," "Export Generated"). This data is aggregated and cannot be used to reconstruct your User Content.
* Third-Party Analytics (Public Pages Only): On our public-facing pages (e.g., Home, Pricing, Blog), we use Google Analytics 4 (GA4) via Cloudflare Zaraz to understand site traffic and marketing effectiveness. This tracking is not present within the logged-in Dashboard area.
* Device Information: Browser type, operating system version, and screen resolution to optimize the user interface.
* Network Data: IP address and request timestamps, used strictly for security logging, rate-limiting, and fraud prevention.
3. Lawful Basis for Processing (GDPR Compliance)
Under the General Data Protection Regulation (GDPR), we process your personal data under the following lawful bases:
1. Performance of a Contract (Article 6(1)(b)): We process your Identity Data and User Content to provide the Service you have requested (e.g., syncing your invoices between your laptop and phone).
2. Legal Obligation (Article 6(1)(c)): We retain certain transaction records to comply with tax and financial regulations.
3. Legitimate Interests (Article 6(1)(f)): We process Usage Data to detect security threats, prevent DDoS attacks, and improve system stability.
4. Consent (Article 6(1)(a)): Where strictly required (e.g., optional marketing newsletters), we process data based on your explicit consent, which you may withdraw at any time.
4. How We Process and Store Data
4.1. The "Local-First" Commitment
Your User Content is generated and processed locally within your browser's secure sandbox.
* Primary Storage: Your device (via IndexedDB/Local Storage).
* Secondary Storage (Cloud Sync): Encrypted copies of your data are synchronized to our secure cloud infrastructure solely to enable multi-device access and backup recovery.
4.2. Zero-Knowledge Processing for AI
Our "Smart Camera" and "OCR" features utilize Client-Side Processing. Use of these features does not involve transmitting your raw images or documents to third-party AI training servers. All analysis occurs ephemerally within your browser session using WebAssembly technologies.
5. Data Sharing and Trusted Third Parties
We do not sell your personal data. We disclose data only to the following categories of Trusted Service Providers, bound by strict confidentiality and data processing agreements:
* Cloud Infrastructure Providers: To host the encrypted database and file storage systems required for the Service to function.
* Identity Providers: To authenticate your login session without requiring us to manage passwords.
* Payment Processors: To handle PCI-DSS compliant payment transactions.
* Legal Authorities: Only if compelled by a valid court order or binding legal process.
6. Data Security
We implement industry-standard technical and organizational measures to secure your data:
* Encryption: Data is encrypted in transit using TLS 1.2+ and at rest within our cloud storage facilities.
* Row-Level Security (RLS): Our database architecture enforces strict isolation, ensuring your User ID is cryptographically required to read or write your specific records.
* Zero-Access Support: Our support team does NOT have access to your app data. We cannot view your Invoices, Vault files, or Trip plans. If you require technical assistance, you must explicitly grant transient permission or share a sanitized reproduction; we cannot "log in as you."
* Access Control: Internal access to production data is restricted to authorized personnel with a critical business need, protected by Multi-Factor Authentication (MFA).
7. Your Data Rights (GDPR & Global Standards)
Regardless of your location, we extend the following rights to all users:
* Right to Access (Article 15): You may request a copy of all personal data we hold about you.
* Right to Rectification (Article 16): You have the ability to correct inaccurate profile data directly within the "Settings" panel.
* Right to Erasure ("Right to be Forgotten") (Article 17): You may request the permanent deletion of your account. Upon such request, we will purge your data from our active systems within 30 days, retaining only that which is legally mandated (e.g., tax records).
* Right to Restriction (Article 18): You may ask us to suspend processing of your data in certain scenarios.
* Right to Portability (Article 20): We adhere to the principle of "Your Data is Yours." You may generate a full "Sparky Export Bundle" (machine-readable JSON format) at any time via the Security Settings, facilitating transfer to another service provider.
* Right to Object (Article 21): You may object to our processing of your data for direct marketing purposes.
To exercise these rights, please contact our Data Protection Officer at privacy@sparkyminis.com.
8. Data Retention
We retain your personal data only for as long as is necessary for the purposes set out in this Privacy Policy.
* Active Accounts: Data is retained indefinitely to provide the Service.
* Deleted Accounts: User Content is soft-deleted immediately and permanently purged from backups within 90 days.
* Financial Records: Transaction data is retained for a minimum of 7 years in accordance with applicable tax laws.
9. International Data Transfers
Our Service utilizes a global edge network. Your data may be stored and processed in any country where we or our Service Providers have facilities. By using the Service, you consent to the transfer of information to countries outside of your country of residence, which may provide for different data protection rules than in your country. We utilize Standard Contractual Clauses (SCCs) where applicable to ensure data protection.
10. Children's Privacy
Our Service is not directed to individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that a child has provided us with Personal Data, we will take steps to delete such information.
11. Contact Us
If you have questions about this Privacy Policy, your data rights, or our compliance practices, please contact our Data Protection Officer:
* Support Portal: SparkyMinis Connect
* Email: connect@sparkyminis.com
For data requests, email connect@sparkyminis.com.