Privacy Policy

Effective date: March 1, 2026

Sparkmark Inc. ("Sparkmark", "we", "us", or "our") is committed to protecting the personal information of our customers, their employees, and visitors to our platform.

1. Who We Are

Sparkmark Inc. operates the Sparkmark platform, accessible at sparkmark.io. We provide automated employee gifting and workplace appreciation software for businesses of all sizes.

For the purposes of applicable privacy laws, we act as a data controller with respect to admin and company data, and as a data processor with respect to employee personal data that our customers upload to the platform.

2. Data We Collect

2.1 Data you provide directly

  • Account registration: Name, work email, company name, password (hashed), billing information.
  • Employee records: Employee name, email address, birthday, work anniversary (start date), job title, delivery address, and dietary preferences — uploaded by the account holder.
  • Gift redemption: When an employee redeems a gift, we collect their delivery address and gift selection for fulfillment purposes.
  • Communications: Any messages or support requests you send to us.

2.2 Data collected automatically

  • Usage data: Pages visited, features used, timestamps, and in-app events.
  • Device data: IP address, browser type, operating system, and referring URL.
  • Cookies: Session cookies for authentication; analytics cookies (see Section 11).

2.3 Data from third parties

  • OAuth sign-in: If you sign in via Google, we receive your name, email, and profile picture from Google.
  • HRIS integrations: If you connect a CSV export from your HRIS (e.g., BambooHR, Rippling, Gusto), we import the employee fields you include in that file.
  • Payment processors: Stripe provides us with tokenized payment information. We do not store full card numbers.

3. How We Use Your Data

  • Providing and operating the Sparkmark platform.
  • Automatically sending personalized gift notifications to employees on birthdays and work anniversaries.
  • Processing gift redemptions and communicating with employees about their gifts.
  • Billing and payment processing.
  • Sending transactional emails (e.g., password resets, gift confirmations).
  • Improving our product through analytics and aggregate usage data.
  • Responding to support requests.
  • Complying with legal obligations.

We do not sell personal data to third parties. We do not use employee data for advertising or marketing purposes unrelated to the gifting service requested by their employer.

4. Data Sharing & Third Parties

We share data only with service providers necessary to operate the platform:

Provider               | Purpose                      | Data shared
Stripe                 | Payment processing           | Billing email, payment tokens
Resend                 | Transactional email delivery | Recipient email, gift link
Supabase / PostgreSQL  | Database hosting             | All platform data (encrypted at rest)
Vercel                 | Platform hosting & CDN       | Request data, IP addresses
Google OAuth           | Authentication (optional)    | Email, name, profile picture

All sub-processors are bound by data processing agreements and are required to maintain appropriate security standards.

5. Data Retention

  • Account data: Retained for the duration of your subscription plus 90 days following account cancellation, to allow for account recovery.
  • Employee data: Deleted within 30 days of account termination or upon written request.
  • Gift redemption records: Retained for 7 years for tax and accounting compliance.
  • Analytics data: Aggregated and anonymized after 24 months.
  • Support communications: Retained for 3 years.

6. Employee Data

Sparkmark processes employee personal data (name, email, birthday, work anniversary, address) on behalf of our business customers (the employers). The employer — not Sparkmark — is the data controller for their employees' data and is responsible for:

  • Obtaining appropriate consent or having a lawful basis for sharing employee data with us.
  • Notifying employees that their data is processed by Sparkmark for gifting purposes.
  • Responding to employee data subject requests (we will cooperate and assist).

Employees who receive gifts may contact their HR team or support@sparkmark.io to request access to, correction of, or deletion of their personal data held by Sparkmark.

7. Security

We implement industry-standard security measures:

  • All data is encrypted in transit using TLS 1.2+ and at rest using AES-256.
  • Passwords are hashed using bcrypt and are never stored in plaintext.
  • Sensitive operations require re-authentication.
  • We use role-based access controls and audit logging internally.
  • Stripe handles all payment card data — we never receive or store raw card numbers.
  • Our infrastructure is hosted on Vercel and uses PostgreSQL with row-level security.

Despite our best efforts, no transmission over the internet is completely secure. If you discover a security issue, please disclose it responsibly to support@sparkmark.io.

8. International Data Transfers

Sparkmark is operated from the United States. If you are located in the European Economic Area (EEA), the United Kingdom, or Canada, your data may be transferred to and processed in the United States.

For EU/UK users, such transfers are carried out using Standard Contractual Clauses (SCCs) approved by the European Commission, or other appropriate safeguards. For Canadian users, transfers comply with PIPEDA cross-border requirements.

9. Your Rights (PIPEDA — Canada)

As a Canadian resident, or as an employee of a Canadian organization using Sparkmark, you have the following rights under the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy legislation:

  • Right of access: You may request access to the personal information we hold about you, including the purposes for which it is being used and to whom it has been disclosed. We will respond within 30 days of a written request, as required by PIPEDA.
  • Right to correction: If your personal information is inaccurate, incomplete, or outdated, you may request that we correct it. We will either correct the information or, if we disagree, note your requested correction alongside the record.
  • Right to withdraw consent: Where we rely on your consent to process your personal information, you may withdraw that consent at any time, subject to legal or contractual restrictions. Withdrawal of consent may affect our ability to provide certain services.
  • Right to challenge compliance: You have the right to challenge our compliance with PIPEDA by contacting us (see Section 16) or by filing a complaint with the Office of the Privacy Commissioner of Canada (OPC) at www.priv.gc.ca.

To exercise any of these rights, contact us at support@sparkmark.io with the subject line "PIPEDA Privacy Request."

10. Your Rights (Quebec Law 25 — Bill 64)

Quebec's Act Respecting the Protection of Personal Information in the Private Sector, as amended by Law 25 (Bill 64), imposes additional obligations for personal information collected from Quebec residents. These provisions apply in addition to PIPEDA for any of our customers or their employees located in Quebec.

  • Right to data portability: Quebec residents may request that we communicate their personal information to them in a structured, commonly used technological format, or transmit it directly to another organization where technically feasible.
  • Right to erasure ("right to be forgotten"): Quebec residents may request deletion of their personal information where it is no longer necessary for the purposes for which it was collected, or where consent has been withdrawn and no other lawful basis applies.
  • Right to know about automated decisions: If a decision that significantly affects you is made using automated processing of your personal information, you have the right to be informed, to know what information was used, and to request that the decision be reviewed by a human.
  • Privacy contact person: As required under Law 25, a member of the Sparkmark Inc. founding team is responsible for the protection of personal information in lieu of a formally appointed Privacy Officer. Contact details are provided in Section 16 of this policy.
  • Privacy Impact Assessments: We conduct privacy impact assessments before implementing new technologies or processes that involve collecting, using, or disclosing personal information, in accordance with Law 25 requirements.
  • Consent transparency: When we collect personal information from Quebec residents, we clearly state the purpose of collection, whether the information will be communicated outside Quebec, and how to reach our privacy contact.

To exercise your Quebec privacy rights, contact support@sparkmark.io with the subject line "Quebec Law 25 Request." You may also file a complaint with the Commission d'accès à l'information (CAI) at www.cai.gouv.qc.ca.

11. Your Rights (GDPR — EU/UK)

If you are located in the EU or UK, you have the following rights under the GDPR and UK GDPR:

  • Right of access: Request a copy of the personal data we hold about you.
  • Right to rectification: Request correction of inaccurate or incomplete data.
  • Right to erasure ("right to be forgotten"): Request deletion of your personal data, subject to our legal retention obligations.
  • Right to restriction: Request that we limit how we process your data in certain circumstances.
  • Right to data portability: Receive your data in a machine-readable format.
  • Right to object: Object to processing based on legitimate interests or for direct marketing.
  • Right to withdraw consent: Where processing is based on consent, you may withdraw it at any time.

To exercise any of these rights, email us at support@sparkmark.io. We will respond within 30 days. You also have the right to lodge a complaint with your local supervisory authority (e.g., the UK ICO or an EU data protection authority).

12. Your Rights (CCPA — California)

If you are a California resident, the CCPA grants you the following rights:

  • Right to know: Request disclosure of categories and specific pieces of personal information we have collected about you.
  • Right to delete: Request deletion of personal information we have collected from you, subject to certain exceptions.
  • Right to opt-out of sale: We do not sell personal information.
  • Right to non-discrimination: We will not discriminate against you for exercising any of your CCPA rights.

To submit a verifiable consumer request, email support@sparkmark.io with the subject line "CCPA Request."

13. CASL — Email Communications

Sparkmark complies with Canada's Anti-Spam Legislation (CASL) for all commercial electronic messages (CEMs) sent to Canadian email addresses.

Types of messages we send

  • Transactional messages (CASL-exempt): Gift delivery notifications, gift redemption confirmations, magic-link gift invitations, account registration confirmations, password reset emails, billing receipts, and data breach notifications. These are sent as a necessary part of providing the Service and do not require separate CASL consent.
  • Commercial electronic messages (require consent): Any promotional or marketing emails — including product updates, feature announcements, newsletters, or promotional offers — will only be sent to individuals who have provided express or implied consent under CASL. Every such message will clearly identify Sparkmark Inc. as the sender, include our contact information, and include a working unsubscribe mechanism.

Unsubscribing

You may withdraw consent to receive commercial electronic messages from us at any time by: (a) clicking the "Unsubscribe" link in any marketing email; or (b) emailing support@sparkmark.io with the subject "Unsubscribe." We will process all unsubscribe requests within 10 business days, as required by CASL. Unsubscribing from marketing emails will not affect delivery of transactional messages required to operate your account.

14. Cookies & Tracking

We use the following types of cookies:

  • Strictly necessary cookies: Required for authentication and basic platform functionality. Cannot be disabled.
  • Analytics cookies: Used to understand how users interact with our platform (e.g., page views, feature usage). These are aggregated and not tied to individually identifying information.

We do not use advertising or retargeting cookies. For analytics cookies, we rely on your implied consent as a business visitor to our platform. You may withdraw consent to non-essential cookies by adjusting your browser settings or clearing stored cookies at any time. Disabling analytics cookies does not affect platform functionality.

Quebec residents: Under Law 25, you have the right to refuse non-essential cookies. If you are a Quebec resident and wish to formally withdraw consent, please contact us at support@sparkmark.io.

15. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will update the effective date at the top of this page. For material changes, we will notify registered users via email at least 14 days before the changes take effect. Your continued use of Sparkmark after the effective date constitutes your acceptance of the revised policy.

16. Contact Us

As required under Quebec Law 25 and consistent with best practices under PIPEDA, a member of the Sparkmark Inc. founding team is publicly responsible for overseeing compliance with this policy and applicable Canadian privacy legislation. We do not currently have a formally appointed Privacy Officer; all privacy inquiries are handled directly by our team.

For any questions, data access requests, correction requests, erasure requests, portability requests, CASL unsubscribe requests, or privacy complaints, please contact:

Sparkmark Inc.

Privacy Inquiries

Email: support@sparkmark.io

Website: sparkmark.io

📋 PIPEDA requests: include "PIPEDA Privacy Request" in subject line

🏛 Quebec Law 25 requests: include "Quebec Law 25 Request" in subject line

📧 CASL unsubscribe requests: include "Unsubscribe" in subject line — processed within 10 business days

🇪🇺 GDPR requests: include "GDPR Request" in subject line

External privacy authorities: