Introducing Sparqo, your AI CMO that runs Reddit and SEO growth, and hands you the work to approve.
Privacy Policy
Last updated: June 26, 2026
1. Who we are (Data Controller)
Sparqo is the data controller for the purposes of the EU General Data Protection Regulation (GDPR).
Contact for any privacy-related question, request, or complaint: [email protected]. We respond within 30 days as required by GDPR Art. 12.
See our Imprint for legal contact details.
2. Information we collect
Account information: Email address, display name, and profile picture (via Google sign-in or email login).
Workspace data: Your brand knowledge documents, the website/domain you connect, agent settings, drafts produced by the agents, and outcomes you record.
Connection credentials: Your AI model provider key (BYOK) and any third-party OAuth tokens (e.g. Reddit) are stored encrypted and used only to operate your agents.
Usage data (consent-based): If you accept on the consent banner, product analytics and session replay (pageviews, feature usage, masked interactions) via PostHog. Nothing is collected until you accept, and you can withdraw at any time.
Storage on your device: We do not set tracking cookies. We use localStorage on your browser to keep you signed in (auth token), remember your theme preference, and store dismissed in-app notifications. These are strictly necessary to operate the service.
3. Lawful bases (GDPR Art. 6)
Performance of a contract: for everything required to operate your agent: account creation, agent provisioning, message processing, billing, transactional emails, and integrations you authorize.
Legitimate interest: for fraud prevention and security logging. You can object at any time.
Legal obligation: for billing records and tax compliance.
Consent: for product analytics, session replay, and any optional marketing communications. You can withdraw at any time via the consent banner.
4. How we use your information
5. Data isolation
6. Third-party processors
We share data with the following processors strictly to provide the service. Each processes data on our behalf.
AI model providers (BYOK): Your brand context and the agents' prompts are sent to the AI model provider whose key you connect (e.g. Anthropic, OpenAI, or OpenRouter) to generate drafts. These providers operate primarily in the United States; transfers rely on EU Standard Contractual Clauses where applicable. You pay them directly.
Cloudflare (hosting): The application and database (Cloudflare Workers + D1) run on Cloudflare's infrastructure. See Cloudflare's Privacy Policy.
Composio (integrations): When you connect a third-party app (e.g. Reddit), Composio brokers the OAuth flow. Your tokens are stored encrypted.
Google (sign-in): When you sign in with Google we receive your email, name, and profile image only.
PostHog (analytics & session replay): With your consent, we use PostHog Cloud (EU region) for product analytics (pageviews, feature usage, and aggregate behaviour) and for session replay, which records how the interface is used (clicks and navigation) to help us improve the product. We ask for your consent before any of this runs, and you can withdraw it at any time via the consent banner. All form inputs are masked, so recordings never capture what you type (e.g. emails, passwords, model keys). PostHog stores data in the EU and acts as our processor. See PostHog's Privacy Policy.
We do not sell your personal data to anyone.
7. International data transfers
8. Automated decision-making and AI
9. Email communications
10. Data retention
11. Security
12. Your rights under GDPR
If you are in the European Economic Area, the United Kingdom, or Switzerland, you have the following rights:
Access (Art. 15): obtain a copy of your data. Most of it is visible directly in the dashboard (brand knowledge, drafts, connections, settings).
Rectification (Art. 16): correct inaccurate data. Edit your agent and profile from Settings.
Erasure / "right to be forgotten" (Art. 17): delete your agent or your entire account from Settings. This permanently removes associated data.
Restriction (Art. 18) and objection (Art. 21): you can ask us to restrict processing or object to legitimate-interest-based processing.
Portability (Art. 20): request a machine-readable export by emailing [email protected].
Withdraw consent (Art. 7): if processing is based on consent, withdraw at any time.
Lodge a complaint (Art. 77): with the data protection authority of your country of residence. The list of EU/EEA authorities is available at edpb.europa.eu.