Privacy Policy

1. Introduction

Spark Deal ("Platform", "we", "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, store, and share your personal data when you use our marketplace platform. This policy applies to all users including contributors, companies, and visitors.

We process personal data in accordance with the General Data Protection Regulation (GDPR) and applicable EU data protection laws.

2. Data We Collect

2.1 Information You Provide

• Account data: Name, email address, password (stored as a bcrypt hash), and selected role (contributor or company)
• Submission data: Cost-saving strategies, titles, descriptions, pricing, and related content submitted by contributors
• Transaction data: Purchase history, payment amounts, and refund requests
• Reviews: Ratings and comments left on opportunities

2.2 Information Collected Automatically

• Usage analytics: Page views on opportunity listings (recorded anonymously with viewer role only — no IP addresses or device fingerprints)
• Session data: Authentication tokens (JWT) stored in browser cookies for session management

2.3 Information We Do Not Collect

• We do not collect IP addresses, device fingerprints, or location data
• We do not use third-party tracking pixels or advertising cookies
• We do not store credit card numbers — payment processing is handled entirely by our payment provider (Stripe)

3. How We Use Your Data

We use your personal data for the following purposes:

• Service delivery: Creating and managing your account, processing purchases, facilitating payouts to contributors
• Content moderation: Automated triage of submissions (PII detection, quality scoring, duplicate detection) to maintain marketplace quality
• Analytics: Providing contributors with view counts, conversion rates, and earnings data for their submissions
• Communication: Sending transactional emails (purchase confirmations, password resets, refund notifications)
• Security: Detecting fraud, preventing abuse, and enforcing our Terms of Service

4. Legal Basis for Processing (GDPR)

We process your data under the following legal bases:

• Contract performance: Processing necessary to provide our marketplace services (account management, purchases, payouts)
• Legitimate interest: Content moderation, fraud prevention, and platform analytics
• Consent: Non-essential cookies (you may withdraw consent at any time via the cookie banner)
• Legal obligation: Tax records and financial reporting as required by law

5. Data Sharing

We share your personal data only in the following circumstances:

• Payment processor (Stripe): To process payments and payouts securely
• Between users: Contributor names are visible on published opportunities. Company names are visible on reviews and to contributors on purchase notifications.
• Legal requirements: When required by law, court order, or regulatory authority

We do not sell your personal data to third parties. We do not share data with advertisers or marketing companies.

6. Cookies

We use the following types of cookies:

• Essential cookies: Authentication session tokens (required for the Platform to function). These cannot be disabled.
• Analytics cookies: Anonymous page view tracking for contributor analytics. You can opt out via the cookie consent banner.

We do not use advertising cookies, social media tracking pixels, or cross-site tracking technologies.

7. Data Retention

• Account data: Retained while your account is active. Deleted within 30 days of account deletion request.
• Transaction records: Retained for 7 years as required by financial regulations.
• Submitted content: Retained while published. Removed within 30 days of deletion by the contributor, unless purchased (in which case the purchased version is retained for buyer access).
• Password reset tokens: Expire after 1 hour and are retained for audit purposes only.

8. Your Rights (GDPR)

Under the GDPR, you have the right to:

• Access: Request a copy of all personal data we hold about you
• Rectification: Correct inaccurate or incomplete data
• Erasure: Request deletion of your personal data ("right to be forgotten")
• Portability: Receive your data in a structured, machine-readable format
• Restriction: Request limitation of processing in certain circumstances
• Objection: Object to processing based on legitimate interest
• Withdraw consent: Where processing is based on consent, withdraw it at any time

To exercise any of these rights, contact us at privacy@sparkdeal.app. We will respond within 30 days.

9. Data Security

We protect your data through:

• Password hashing using bcrypt with salt rounds
• Cryptographically secure tokens for password resets and API keys
• HTTPS encryption for all data in transit
• Role-based access control for platform data
• Automated PII detection to prevent accidental disclosure in submissions

10. International Data Transfers

Your data is processed and stored within the European Union. If any data transfer outside the EU becomes necessary (e.g., through third-party service providers), we will ensure appropriate safeguards are in place as required by the GDPR, such as Standard Contractual Clauses.

11. Children's Privacy

The Platform is not intended for users under the age of 18. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it.

12. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated to registered users via email. The "Last updated" date at the top of this page indicates when the policy was last revised.

13. Contact

For privacy-related inquiries or to exercise your data rights, contact our Data Protection team:

Email: privacy@sparkdeal.app

14. Supervisory Authority

If you are not satisfied with our response to a privacy concern, you have the right to lodge a complaint with your local data protection supervisory authority.