
Controller

Mateo Guzman, operating SPARKS, is the controller for SPARKS account and event-discovery data. Contact for privacy inquiries: mateo.guzman@founder.sprks.eu.

Data We Process

SPARKS processes only the personal data needed for account operation, event discovery, preference management, moderation, security, reminders, and consented analytics. This includes your email address, display name, profile preferences, event interactions (saves, attendance, reviews, collections), notification settings, and consent records.

Lawful Basis and Consent

Essential account and security processing relies on legitimate interest or contract performance as its lawful basis. All non-essential processing categories (analytics, marketing, behavioral personalization, weekly digest, reminders, and provider promotional communication) default to off and require your explicit consent. No cookies or third-party analytics are active unless you opt in.

Your Rights

You may exercise these rights at any time through your account settings or by contacting the controller:

  • Access and export your personal data in machine-readable JSON.
  • Rectify your profile information.
  • Erase your account and personal data.
  • Restrict or object to specific processing.
  • Withdraw consent for any non-essential category.
  • Reset preferences to clear personalization data.

Account deletion anonymizes or removes your personal data from product tables. Supabase Auth account deletion is completed as an operational step and has been verified with disposable test accounts.

Processors

Supabase (database, authentication) and Vercel (hosting, serverless functions) are the infrastructure processors. Supabase is configured in Central EU (Frankfurt). DPA review evidence for Supabase and Vercel is maintained in the operator compliance record. No third-party analytics, email, maps, AI, scraping, search, queue, or monitoring processor is active.

Email sending is disabled. No newsletter or marketing emails are sent until an approved email processor with a signed DPA is documented.

Retention

Active account, profile, preference, saved-event, collection, review, notification, and consent-controlled product data is retained while your account is active. When you request deletion, user-owned product data is deleted or anonymized immediately, except records retained for security, legal, or compliance reasons.

Privacy requests and consent records are retained for six years for compliance evidence. Audit and security logs are retained for 24 months. Rate-limit records are retained for 90 days. First-party analytics events are retained for 12 months, and user identifiers are removed during account deletion. Disabled email outbox and suppression rows tied to a user are deleted during account deletion.

Breach Response

The breach-response owner is Mateo Guzman. Suspected personal-data incidents should be reported to mateo.guzman@founder.sprks.eu. SPARKS triages suspected incidents, contains affected systems or credentials, preserves evidence, assesses risk to individuals, and documents whether regulator or user notification is required. GDPR notifiability is assessed within 72 hours of becoming aware of a personal-data breach.

Consent Controls

First-party analytics

Marketing messages

Behavioral personalization

Saved-event reminders

Weekly digest

Provider promotional communication