Legal
Privacy Policy
Last updated: May 2026 — pending final legal review
1. Who we are
SparkSummary is operated from Spain. References to "we", "us", and "our" in this policy mean the operator of the SparkSummary service. We are the data controller for the personal data described below, as defined in Article 4(7) of Regulation (EU) 2016/679 (the GDPR).
For any privacy enquiry — including the data-subject-rights requests described in section 7 — write to privacy@sparksummary.com.
2. What we collect
- Email address — when you subscribe to a newsletter, create an account, or contact us.
- Account data — your name (if provided), the date your account was created, your subscription status, and admin role if applicable.
- Billing data — your payment method, billing country, and subscription history are processed by Stripe; we do not see or store your full card number. We do store a Stripe customer ID, subscription ID, country, and the last status update.
- Server logs — IP address, browser user-agent, request paths, and timestamps, as part of normal service operation and security monitoring.
- Cookies and equivalent technologies — see section 8.
We do not knowingly collect special categories of personal data (Article 9 GDPR). We do not knowingly collect data from individuals under 18.
3. Why we process your data — and on what legal basis
| Purpose | Lawful basis (Art. 6 GDPR) |
|---|---|
| Deliver newsletters you subscribed to | Consent — Art. 6(1)(a) |
| Run paid subscriptions, billing, invoicing | Contract — Art. 6(1)(b) |
| Authenticate admin access | Contract / legitimate interest — Art. 6(1)(b)/(f) |
| Detect abuse, fraud, debug errors | Legitimate interest — Art. 6(1)(f) |
| Comply with tax and accounting law | Legal obligation — Art. 6(1)(c) |
4. Who we share data with
We use a small number of third-party processors. Each has signed a data-processing agreement that meets Article 28 GDPR, and each receives only the data needed for its specific role:
- Beehiiv (United States) — newsletter delivery. Receives your email and subscription preferences.
- Stripe (United States) — payment processing. Receives your billing information.
- Vercel (United States) — hosting and request logging.
- Database hosting (EU) — Postgres backend storing account and subscription data.
- Anthropic (United States) — powers the language-model portion of our news-aggregation pipeline. We do not send any subscriber personal data to Anthropic. Only public market data and editorial drafts flow to the model.
- Sentry (United States) — error monitoring. Receives error events with limited context; we strip personal identifiers before logging.
We do not sell your personal data. We do not transfer your data to third parties for their own marketing purposes.
5. International transfers
Several of our processors operate from the United States. Where we transfer personal data outside the European Economic Area, we rely on Standard Contractual Clauses approved by the European Commission (Implementing Decision (EU) 2021/914) and, where applicable, the EU-US Data Privacy Framework. You can request a copy of the safeguards in place by contacting us.
6. Data retention
- Newsletter subscribers — kept for as long as you are subscribed; deleted within 30 days of unsubscription.
- Paid subscribers — account and subscription records kept for the duration of your subscription and for 6 years afterwards to satisfy Spanish tax and accounting obligations.
- Server logs — kept up to 90 days for security and debugging.
- Webhook idempotency records — kept up to 30 days.
7. Your rights
Under the GDPR and the Spanish LOPDGDD, you have the right to access, rectify, erase, restrict, port, and object to the processing of your personal data, and to withdraw consent at any time (without affecting the lawfulness of processing before withdrawal). To exercise any of these rights, email privacy@sparksummary.com from the address associated with your account. We respond within 30 days; if the request is complex we may extend this by up to 60 additional days and notify you in writing.
You also have the right to lodge a complaint with the Spanish data-protection authority — the Agencia Española de Protección de Datos — www.aepd.es.
8. Cookies
We use only strictly necessary cookies for authentication and session management. We do not use third-party advertising or tracking cookies. If we add analytics cookies in the future, we will request your consent first via a banner.
9. Changes to this policy
We may update this policy from time to time. Material changes will be announced by email to subscribers and posted at the top of this page at least 14 days before they take effect.