SparkText

Who we are:

What SparkText does:

Screenshot & chat content:

What we do store:

Payments:

Your rights (GDPR)

SparkText is operated by SparkText, a sole proprietorship (eenmanszaak) registered in the NL under Chamber of Commerce (KvK) nr: 42000479

A chat-coaching web app that provides suggested replies and guidance for dating conversations.

When you upload a screenshot, we process it with OpenAI to extract text. We do NOT store the screenshot or the extracted text ourselves, it is returned to your browser only. You control what (if anything) saved.

Your account details, billing metadata, and onlt the "Match memory" items you explicitly choose to save.

Stripe handles all billing. We never see or store your full card number.

You can access, correct, download, or delete your data at any time. Email us or use in-app settings.

Key Points (Summary)

Before diving in, here's what matters most:

‍

We don't store your screenshots. When you upload a chat screenshot, it's sent to OpenAI to extract the text, then discarded. We do not save the image in our database.

You control what we remember. Only items you explicitly save — facts, preferences, wins — are stored in your Match Memory. Nothing else from your coaching session is persisted.

We use a small number of trusted service providers. OpenAI processes screenshots; Stripe handles payments; Supabase stores your account data; Google handles OAuth sign-in.

You have real rights over your data. You can access, correct, export, or delete your data at any time by emailing us or using in-app settings.

We're based in the Netherlands. The Dutch Data Protection Authority (Autoriteit Persoonsgegevens) is your supervisory authority if you're in the EU.

SparkText is not for people under 18 (or under 16 in the EU). If you're under that age, please don't use the service.

‍

1. About this Policy

This Privacy Policy explains how SparkText ("SparkText", "we", "us", "our") collects, uses, stores, and shares your personal data when you use:

‍

The marketing website at https://www.spark-text.com

The web application at https://sparktext.app

‍

We are the data controller for the personal data described in this policy. Where we use third-party services to process data on our behalf, those parties act as data processors or sub-processors.

We follow the EU General Data Protection Regulation (GDPR) and the UK GDPR. We also aim to respect the privacy rights of users in the United States and other regions. Relevant regional specifics are noted throughout.

‍

2. Definitions

‍

Term

Personal Data

Processing

Data controller

Data processor

Sub-processor

Legal basis

Match Memory

Meaning

Any information that relates to an identified or identifiable person.

Anything done with personal data - collecting, storing, using, sharing, deleting.

The party that decides why and how personal data is processed (that's us).

A party that processes data on our behalf, under our instructions.

A third party engaged by a data processor to help with processing.

The GDPR-recognised reason that makes our processing lawful.

In-app feature that lets you explicitly save facts, preferences, or wins about a match.

3. Data We Collect

‍

We collect personal data in three ways: directly from you, automatically when you use the service, and from third-party sign-in providers.

‍

3.1 Account & Identity Data

‍

When you create an account, we collect:

‍

Email address — to identify your account and send important service communications.
Password (hashed and stored securely by Supabase; we never see your plaintext password) — if you register with email/password.
Name and profile picture (from Google) — if you sign in with Google OAuth. We request only minimal scopes: openid, email, and profile. We do not access your Gmail, Google Drive, or any other Google services.

3.2 Profile & Subscription Data

‍

We maintain a user profile containing:

‍

Your chosen plan (free, plus, or pro)
Plan status and current period end date
A Stripe cusomter ID (cus_...) — a reference token used to link your account to your Stripe billing record

‍

We do not store credit card numbers or full payment details. Those live exclusively with Stripe.

‍

3.3 Chat Content & Screenshots

‍

This section is especially important. Please read it.

‍

When you use SparkText's coaching features:

‍

Screenshots you upload are converted into JPEG in memory on our server and sent to OpenAI's API for processing. OpenAI extracts a text transcript and metadata from the image. We do not save the raw screenshot to our database.
The extracted transcripts is returned to your browser session. It is not automatically saved to your account.
Conversation content you type (e.g., chat messages you paste) is processed to generate coaching suggestions. Like screenshots, this content is not stored unless you take an explicit save action after you got a reply from Coach.
Server logs may capture request metadata (e.g., timestamps, endpoint paths) as part of normal infrastructure operation. We do not intentionally log the content of your messages or transcripts in application logs, but standard infratructure logs may exist for a limited period for security and debugging purposes.

‍

What IS stored - only if you choose to save it:

‍

Save action

"Save as fact"

"Save as preference"

"Save as win"

What gets stored

A specific piece of information you mark as a fact about your match

A preference you note about your match

A positive moment or success you choose to record

4. How We Use Your Data

‍

4.1 Providing the service

‍

Authenticate you and manage your sessions.
Deliver suggested replies and coaching guidance based on the content you share.
Save your Match Memory items when you choose to save them.
Manage your subscriptions and grant access to paid features

Legal basis: Performance of a contract (Art. 6(1)(b) GDPR) - processing is necessary to provide the service you signed up for.

‍

4.2 Payment processing

‍

Create and manage your Stripe customer record
Process subscription payments in USD or GBP.
Handle subscription lifecycle events (renewal, cancellation, failed payments) via Stripe webhooks.

Legal basis: Performance of a contract (Art. 6(1)(b)) and Compliance with a legal obligation (Art. 6(1)(c) for accounting record-keeping.

‍

4.3 Security & Fraud prevention

‍

Detect and prevent unauthorized access or abuse.
Monitor for unusual or suspicous activity.

Legal basis: Legitimate interesta (Art. 6(1)(f) GDPR - protecting the service and users. We have balanced these interests against your rights and consider proportionate.

‍

4.4 Service improvement & Debugging

‍

Analyse error logs and usage patterns to fix bugs and improve the product.
We do not use your chat content or messages to train AI models.

Legal basis: Legitimate interests (Art. 6(1)(f)) improving service reliability and quality.

‍

4.5 Legal and Compliance

‍

Comply with applicable laws, court orders, or requests from competent authorities.
Defend or exercise legal claims.

Legal basis: Legal obligation (Art. 6(1)(c)) or Legitimate interests (Art. 6(1)(f)).

‍

4.6 Transactional Communications

‍

Send account information, password reset, and billing notification emails.
We do not currently send marketing emails. If we introduce these in the future, we will obtain your consent first.

Legal basis: Performance of a contract (Art. 6(1)(b)) for transactional emails; Consent (Art. 6(1)(a)) for any future marketing.

‍

5. How We Share Your Data

‍

We do not sell your personal data. We share data only with the service providers listed below, who process it on our behalf under contractual obligations to protect it.

‍

5.1 OpenAI - Screenshot & Chat processing

‍

What is shared: Base64-encoded JPEG image data of the screenshot you upload, in-session.
Why: To extract the chat transcript and contextual metadata so SparkText can generate coaching guidance.
How it works: Data is transmitted over HTTPS to OpenAI's API (vision-capable model). Processing is in-memory on our server. We do not send extracted text back to OpenAI.
Storage by OpenAI: Please refer to OpenAI's API data usage policies for hpw they handle API inputs. We treat OpenAI as a sub-processor acting under a Data Processing Agreement (DPA).
Data transfer: OpenAI's infrastructure may be located outside the EEA. Transfers are governed by Standard Contractual Clauses or equivalent safeguards.

OpenAI privacy policy: https://openai.com/privacy

‍

5.2 Stripe - Payments

‍

What is shared: Your email address and billing country (to create a Stripe customer record). Payment card data is entered directly into Stripe's secure form and never touches our servers.
Why: To process subscription payments and manage billing lifecycle events.
Stripe customer ID: Stored in our database as a reference token to link your account to Stripe's records.
Data transfer: Stripe Inc. is a US-based company. Transfers are covered by SCC's and Stripe's compliance frameworks.

Stripe privacy policy: https://stripe.com/privacy

‍

5.3 Supabase - Database & Authentication

‍

What is shared: All data stored in our database (account info, subscription metadata, Match Memory items) and authentication credentials.
Why: Supabase provides our hosted Postgres database and authentication infrastructure.
Data location: We configure our Supabase project to use an EU region where available.
Data transfer: If data is processed outside the EEA, transfers are covered by Supabase's DPA and applicable SCCs.

Supabase privacy policy: https://supabase.com/privacy

‍

5.4 Google - OAuth Sign-in

‍

What is shared: When you use "Sign in with Google", Google provides us with your name, email address, and profile picture URL via an OpenID Connect token.
Scopes requested: openid, email, and profile only. We do not request access to Gmail, Google Drive, or any other Google services.
Why: To authenticate you without requiring a password.

Google privacy policy: https://policies.google.com/privacy

‍

6. Data Retention

‍

We keep your data only as long as needed. Here is a summary by category:

‍

Data Category

Account information

Subscription & billing metadata

Stripe customer ID

Uploaded screenshots

Extracted chat transcripts

Matchy Memory items

Technical / server logs

Analytics data

How Long We Keep It

Retained while your account is active. Deleted within 30 days of an account deletion request.

Retained for 7 years from the relevant transaction date to comply with Dutch and EU accounting and tax obligations, even after account deletion.

Retained alongside billing records for the same 7-year period. We remove it from our active database request after any legal retention period expires.

Not stored by SparkText. Processed in-memory only. Server infrastructure logs (if any) capturing request metadata are rotated automatically (typically within 7-30 days).

Not stored by SparkText. Returned to your browser only. We do not intentionally write message content to our database.

Retained until you delete them. Delete individual items in-app, or request full deletion by contacting us.

Retained for up to 30 days, unless required for an active security incident investigation.

Refer to the analytics provider's own retention settings.

7. International Data Transfers

‍

SparkText is based in the Netherlands (EU). However, some of our service providers process data outside the European Area (EEA), including in the United States.

‍

When personal data is transferred outside the EEA, we ensure appropriate safeguards are in place. These typically include:

‍

Standard Contractual Clauses (SCCs) adopted by the European Commission
Adequacy decisions by the European Commission for transfers to certain countries
The UK's International Data Transfer Agreement (IDTA) for UK data transfers where relevant

‍

Specific providers and their transfer mechanisms:

‍

OpenAI: SCC-based DPA or equivalent. Review OpenAI's latest compliance documentation.
Stripe: SCC-based DPA. Stripe is certified under applicable compliance frameworks.
Supabase: SCC-based DPA; EU region selected where possible.
Google (OAuth): SCC-based DPA. Google LLC is a US entity.

‍

If you have questions about specific transfer mechanisms, contact us using the details in section 13.

‍

8. Your Rights Under GDPR (and UK GDPR)

‍

If you are in the EU or UK, you have the following rights regarding your personal data. We will respond to all verified requests within one month (extendable by two further months for complex requests)

‍

8.1 Summary of your Rights

‍

Right of Access (Art. 15)

Request a copy of the personal data we hold about you.

‍

Right to Rectification (Art. 16)

Ask us to connect inaccurate data or complete incomplete data.

‍

Right to Erasure / Right to be Forgotten (Art. 17)

Ask us to delete your personal data. We will comply unless we have a legal obligation to retain (e.g. financial records). Deleting your account removes your profile data, but billing records are retained for legal compliance.

‍

Right to Restriction of Processing (Art. 18)

Ask us to pause processing of your data in certain circumstances (e.g. while you contest its accuracy).

‍

Right to Data Portability (Art. 20)

Request a copy of the data you have provided to us in a structured, machine-readable format (JSON or CSV).

‍

Right to Object (Art. 21)

Object to processing based on our legitimate interests at any time. We will stop unless we have compelling legitimate grounds that override your interests.

‍

Right to Withdraw Consent (Art. 7(3))

Where processing is based on your consent (e.g. analytics cookies), you can withdraw consent at any time without affecting the lawfulness of prior processing.

‍

Right not to be Subject to Automated Decision-Making (Art. 22)

SparkText does not make decisions based solely on automated processing that produce legal or similarly significant effects.

‍

8.2 How to exercise your Rights

‍

In-app: Use Profile to edit your profile, delete your account by mailing us, or manage Match Memory items in your account.
By email: contact us at support@spark-text.com

‍

We may ask you to verify your identity before processing a request. We will respond within 30 days; complex requests may take up to 3 months (we will let you know).

‍

8.3 Complaints

‍

If you are unhappy with how we handle your data, you have the right to lodge a complaint with:

‍

Netherlands - Autoriteit Persoonsgegevens (AP): https://autoriteitpersoonsgegevens.nl
United Kingdom - Information Commissioner's Office (ICO): https://ico.org.uk
Other EU member states: Your local supervisory authority.

We would always prefer the chance to resolve things with you directly first. Please reach out to us.

‍

9. Cookies & Tracking

‍

SparkText uses cookies and similar technologies some of which require your consent before they activate. Here is what we currently use:

‍

9.1 Essential cookies

‍

There are required for SparkText to work. They cannot be turned off.

‍

Session / Auth token: A cookie set by Supabase Auth to keep you logged in. Without this, you would be logged out every time you navigate.
CSRF protection tokens: To prevent cross-site request forgery.

‍

9.2 Analytics & Marketing Cookies

‍

We use non-essential tracking tools, each blocked by default until you give consent via our cookie banner.

‍

Plausible Analytics (requires: Statistics consent)

‍

We use Plausible to understand how visitors use SparkText - which pages are visited, where traffic comes from and how users navigate the site. Plausible is a privacy-first analytics tool: it does not use tracking cookies, does not fingerprint your device and does not share your data with advertising networks. It collects anonymous, aggregate statistics only.

‍

Provider: Plausible Analytics
Data collected: Page URL, referrer, browser type, country, device type, no personal identifiers
Cookies set: None
Data location: EU (Plausible is GDPR compliant by design).
Privacy Policy: https://plausible.io/privacy

‍

Meta Pixel (Facebook) (Requires: Marketing consent)

‍

We use the Meta Pixel to measure the effectiveness of any advertising we run on Facebook and Instagram. If you visit SparkText after seeing one of our ads, the pixel helps us understand whether thad ad led to a visit. This data may be shared with Meta Platforms, Inc.

‍

Provider: Meta Platforms, Inc.
Cookies set: _fbp (browser identifier, 90 days), _ fbc (click identifier, session)
Data collected: Page views, browser and device identifiers, referral URL
Data location: United States (transfers governed by Meta's SCCs)
Privacy Policy: https://www.facebook.com/privacy/policy/

‍

The Meta Pixel does not load unless you have accepted Marketing cookies. If you decline or withdraw consent, no pixel data is sent.

‍

9.3 Cookie banner

‍

We use Cookiebot as our consent management platform. When you first visit SparkText, a cookie banner appears asking for your preferences across three categories:

‍

Necessary - always active, required for the service to function (see 9.1)
Statistics - Plausible Analytics (opt-in)
Marketing - Meta Pixel (opt-in)

‍

All non-essential scripts are blocked automatically until you give consent. This is handled by Cookiebot's auto-blocking mode, meaning no analytics or marketing code runs before your choice is recorded.

‍

You can change your preference any time by clicking the cookie icon or preferences link in the footer of the site. Withdrawing consent stops all non-essential tracking immediately and does not affect the lawfulness of any processing that took place before you withdrew.

‍

Your consent is recorded by Cookiebot and stored locally in your browser. Consent records expire after 12 months, after which you will be asked again.

‍

For more information on how Cookiebot handles consent data, see: https://www.cookiebot.com/en/privacy-policy/

‍

10. Children's Privacy

‍

SparkText is intended for adults aged 18 and over. We do not knowingly provide services under 18, and we do not knowingly collect personal data from anyone under that age. If you are a parent or guardian and believe your child under 18 has created a SparkText account, please contact us immediately at support@spark-text.com. We will promptly delete the account and associated data. If you are under 18, please do not use SparkText.

‍

11. Security

‍

We take the security of your data seriously. Our measures include:

‍

All data transmitted between your browser and SparkText is encrypted using HTTPS / TLS.
Passwords are stored as salted, hashed values - we do not store or transmit plain text passwords.
Access to production systems is restricted to authorized personnel using least privilege principles.
Our infrastructure (Supabase) applies its own security controls, including encryption at rest.
API keys and secrets are stored in environment variables - not in code.
We aim to apply industry-standard security practices and review our controls regularly.

‍

Important: No system is 100% secure. While we do our best, we cannot guarantee absolute security. If you suspect unauthorized access to your account, please contact us immediately and change your password.

‍

12. Changes To This Policy

‍

We may update this Privacy Policy from time to time. When we do:

We will update the 'Last updated' date at the top.
For material changes, we will notify you by email or by a prominent notice in the app at least 14 days before the change takes effect.
Continued use of SparkText after the effective date of a change means you accept the updated Policy.

We encourage you to review this page periodically. Older versions of this policy are available on request.

‍

13. Contact Us

‍

For any privacy-related questions, requests, or concerns, please contact:

‍

Business Name

Legal form

KvK number

VAT number

Registered address

Support email

Website