Privacy policy.

We respect your privacy and are committed to handling personal information transparently and responsibly. This policy applies to information we collect directly from you, information generated through your use of the Service, and information we receive from third-party services you choose to connect.

Capitalized terms not defined here have the meaning given in our Terms of Service. If you do not agree with this policy, please do not use the Service.

We collect the following categories of information:

Account information

• Identity — your name, email address, job title, and company name provided at registration.
• Authentication — password hashes, multi-factor authentication secrets, and session tokens required to keep your account secure.
• Billing — if you become a paying customer, our payment processor collects billing contact and payment method details; we store only the last four digits of your card and the billing descriptor.

Connected data sources

• OAuth tokens — encrypted access and refresh tokens from services you connect (for example Stripe, HubSpot, QuickBooks, Zoho) used to retrieve data on your behalf.
• Business data — customer records, invoices, subscription records, CRM objects, and similar data pulled from connected sources and stored in your dedicated warehouse schemas.

Usage & technical data

• Product telemetry — pages viewed, queries run, dashboards opened, buttons clicked, and feature adoption signals.
• Device data — browser type and version, operating system, screen size, and locale.
• Network data — IP address, approximate geolocation derived from IP, and request timestamps.
• Logs — diagnostic logs, error stacks, and performance traces that help us operate and improve the Service.

We use the information we collect for the following purposes:

• Deliver the Service — authenticate you, sync data from connected sources, compute metrics, render dashboards, and power AI Assist responses.
• Secure the Service — detect and prevent fraud, abuse, credential stuffing, and unauthorized access; investigate and respond to incidents.
• Support — answer your questions, troubleshoot issues, and communicate service notices.
• Improve the product — analyze aggregate usage to prioritize features, fix bugs, and evaluate performance. We do not train third-party AI models on your business data.
• Billing & compliance — issue invoices, meet tax and accounting obligations, and comply with applicable laws.

Where the GDPR or similar laws apply, we process personal data under one or more of the following legal bases:

• Contractual necessity — processing required to provide the Service you have requested.
• Legitimate interests — improving, securing, and promoting our Service, balanced against your rights and expectations.
• Consent — where you have given explicit permission, for example for optional analytics or marketing communications. You can withdraw consent at any time.
• Legal obligation — compliance with tax, accounting, and law-enforcement requests.

We do not sell or rent your personal information. We share information only in these limited cases:

• Subprocessors — reputable vendors bound by data-protection agreements who help us deliver the Service (cloud hosting, email, error monitoring, analytics, customer support). We maintain a current list on request.
• Connected services — when you connect a third-party source, atSpark sends authentication tokens to that service and receives data back. Your use of those services is governed by their own terms and privacy policies.
• Business transfers — if atSpark is involved in a merger, acquisition, or asset sale, information may transfer to the successor entity subject to this policy.
• Legal requests — when we believe in good faith that disclosure is required by law, to protect the rights and safety of users, or to respond to valid legal process.
• With your direction — for example when you share a dashboard link or invite a teammate to your workspace.

atSpark primarily hosts data in AWS regions in the United States. If you are located outside the United States, your information may be transferred to, stored in, and processed in jurisdictions where data-protection laws may differ from those in your country.

For transfers from the European Economic Area, United Kingdom, or Switzerland, we rely on appropriate safeguards such as the Standard Contractual Clauses approved by the European Commission, supplemented with technical and organizational measures as needed.

We keep personal information only as long as needed to deliver the Service and meet the purposes described in this policy:

• Account data — retained for the life of your account plus up to 30 days after deletion to support recovery.
• Connected source data — retained in your warehouse schemas while the connection is active; purged within 30 days after disconnection unless you export it first.
• Usage logs — retained for up to 13 months, then aggregated or deleted.
• Billing records — retained for up to 7 years to meet tax and accounting obligations.

You can request earlier deletion of data you control; see "Your rights" below.

We apply industry-standard safeguards to protect your information:

• Encryption — AES-256-GCM at rest and TLS 1.2+ in transit.
• Access control — least-privilege role-based access, multi-factor authentication, and scoped OAuth tokens.
• Isolation — multi-tenant workspaces with row-level security and per-organization schema boundaries in the warehouse.
• Audit logging — every sensitive action is recorded with actor, time, and context.
• Monitoring — continuous anomaly detection, vulnerability scanning, and a formal incident-response process.

No system is perfectly secure. We encourage strong passwords, use of MFA, and prompt reporting of suspicious activity to security@atspark.com.

Depending on your jurisdiction, you may have the following rights over your personal information:

• Access — request a copy of the personal information we hold about you.
• Rectification — ask us to correct inaccurate or incomplete data.
• Erasure — request deletion of your personal information, subject to our lawful retention obligations.
• Restriction — limit how we process your information in specific circumstances.
• Portability — receive your data in a structured, machine-readable format.
• Objection — object to processing based on legitimate interests or direct marketing.
• Withdraw consent — where processing is based on consent, withdraw it at any time.
• Complain — lodge a complaint with your local supervisory authority.

To exercise any right, email privacy@atspark.com. We respond within 30 days and may ask you to verify your identity before disclosing personal data.

We use a small number of cookies and similar technologies to operate the Service:

• Essential — session cookies that keep you signed in and preserve your workspace selection.
• Preferences — remember UI choices such as theme and timezone.
• Analytics — first-party, privacy-respecting product analytics to understand feature usage. You can opt out in account settings.

We honor Do Not Track and Global Privacy Control signals where technically feasible. Our marketing site uses only essential and aggregate analytics cookies.

atSpark is a B2B analytics platform intended for business users. The Service is not directed to children under 16, and we do not knowingly collect personal information from children. If you believe a child has provided us personal information, contact us and we will delete it promptly.

We may update this Privacy Policy as the Service evolves or as laws change. When we make material changes, we will notify you by email or through a prominent notice in the Service at least 14 days before they take effect. The "Last updated" date at the top of this page always reflects the current version.

For questions, requests, or complaints about this Privacy Policy or our handling of your data, contact our privacy team at privacy@atspark.com. For general inquiries, email contact@atspark.com.