Skip to main content

Introducing Sparqo, your AI CMO that runs Reddit and SEO growth, and hands you the work to approve.

Legal

Privacy Policy

Last updated: June 26, 2026

1. Who we are (Data Controller)

Sparqo is the data controller for the purposes of the EU General Data Protection Regulation (GDPR).

Contact for any privacy-related question, request, or complaint: [email protected]. We respond within 30 days as required by GDPR Art. 12.

See our Imprint for legal contact details.

2. Information we collect

Account information: Email address, display name, and profile picture (via Google sign-in or email login).

Workspace data: Your brand knowledge documents, the website/domain you connect, agent settings, drafts produced by the agents, and outcomes you record.

Connection credentials: Your AI model provider key (BYOK) and any third-party OAuth tokens (e.g. Reddit) are stored encrypted and used only to operate your agents.

Usage data (consent-based): If you accept on the consent banner, product analytics and session replay (pageviews, feature usage, masked interactions) via PostHog. Nothing is collected until you accept, and you can withdraw at any time.

Storage on your device: We do not set tracking cookies. We use localStorage on your browser to keep you signed in (auth token), remember your theme preference, and store dismissed in-app notifications. These are strictly necessary to operate the service.

3. Lawful bases (GDPR Art. 6)

Performance of a contract: for everything required to operate your agent: account creation, agent provisioning, message processing, billing, transactional emails, and integrations you authorize.

Legitimate interest: for fraud prevention and security logging. You can object at any time.

Legal obligation: for billing records and tax compliance.

Consent: for product analytics, session replay, and any optional marketing communications. You can withdraw at any time via the consent banner.

4. How we use your information

We use your information to: provide and operate your agents; tailor drafts to your brand and goals; send transactional emails (sign-in codes, account notifications); and measure aggregate, anonymous traffic to improve the service.

5. Data isolation

Your workspace data (brand knowledge, drafts, settings, and connection credentials) is isolated per workspace and is not accessible by other users or workspaces on the platform.

6. Third-party processors

We share data with the following processors strictly to provide the service. Each processes data on our behalf.

AI model providers (BYOK): Your brand context and the agents' prompts are sent to the AI model provider whose key you connect (e.g. Anthropic, OpenAI, or OpenRouter) to generate drafts. These providers operate primarily in the United States; transfers rely on EU Standard Contractual Clauses where applicable. You pay them directly.

Cloudflare (hosting): The application and database (Cloudflare Workers + D1) run on Cloudflare's infrastructure. See Cloudflare's Privacy Policy.

Composio (integrations): When you connect a third-party app (e.g. Reddit), Composio brokers the OAuth flow. Your tokens are stored encrypted.

Google (sign-in): When you sign in with Google we receive your email, name, and profile image only.

PostHog (analytics & session replay): With your consent, we use PostHog Cloud (EU region) for product analytics (pageviews, feature usage, and aggregate behaviour) and for session replay, which records how the interface is used (clicks and navigation) to help us improve the product. We ask for your consent before any of this runs, and you can withdraw it at any time via the consent banner. All form inputs are masked, so recordings never capture what you type (e.g. emails, passwords, model keys). PostHog stores data in the EU and acts as our processor. See PostHog's Privacy Policy.

We do not sell your personal data to anyone.

7. International data transfers

Some processors (AI model providers, and where applicable Cloudflare) operate from the United States. Transfers outside the European Economic Area rely on the EU Standard Contractual Clauses or, where applicable, an EU adequacy decision. By using the service you acknowledge these transfers are necessary to provide the platform.

8. Automated decision-making and AI

The agents run on large language models and draft content on your behalf. They do not publish autonomously. Drafts are surfaced for your approval, and you choose what to publish. This is not automated decision-making with legal effect under GDPR Art. 22. AI-generated outputs may be incorrect; review every draft before publishing.

9. Email communications

We may send transactional emails (sign-in codes, account and security notifications). You can stop them by deleting your account. We do not send marketing email without your consent.

10. Data retention

Your data is retained while your account is active. When you delete your workspace or account from Settings, associated data is removed and backups expire within 30 days. Account/billing records required by law are retained for the legally required period. Product analytics in PostHog are retained for up to 24 months.

11. Security

We implement: encrypted connections (HTTPS/TLS), per-workspace data isolation, encrypted storage of model keys and integration tokens, JWT-based authentication, rate limiting, and safe-pacing limits on connected accounts.

12. Your rights under GDPR

If you are in the European Economic Area, the United Kingdom, or Switzerland, you have the following rights:

Access (Art. 15): obtain a copy of your data. Most of it is visible directly in the dashboard (brand knowledge, drafts, connections, settings).

Rectification (Art. 16): correct inaccurate data. Edit your agent and profile from Settings.

Erasure / "right to be forgotten" (Art. 17): delete your agent or your entire account from Settings. This permanently removes associated data.

Restriction (Art. 18) and objection (Art. 21): you can ask us to restrict processing or object to legitimate-interest-based processing.

Portability (Art. 20): request a machine-readable export by emailing [email protected].

Withdraw consent (Art. 7): if processing is based on consent, withdraw at any time.

Lodge a complaint (Art. 77): with the data protection authority of your country of residence. The list of EU/EEA authorities is available at edpb.europa.eu.

13. Children's privacy

The Service is not intended for users under 16. We do not knowingly collect data from children. If you believe a child has provided us with personal data, contact us and we will delete it.

14. Changes to this policy

We may update this policy. Material changes are notified by email. The "Last updated" date at the top reflects the most recent revision. Continued use of the Service after changes constitutes acceptance.

15. Contact

Questions, requests, or complaints: [email protected].

Give your marketing a team.

Start free today. Your specialists are ready when you are.

Start for free