Privacy Policy

1. Introduction

Welcome to SellSpark AI's Privacy Policy. This policy explains how we collect, use, share, and protect your personal information when you use our AI-powered photo optimization service.

We are committed to protecting your privacy and complying with applicable data protection laws, including:

GDPR (General Data Protection Regulation) - European Union
LGPD (Lei Geral de Proteção de Dados) - Brazil
CCPA/CPRA (California Consumer Privacy Act / California Privacy Rights Act) - California, USA
CalOPPA (California Online Privacy Protection Act) - California, USA

1.1 Data Controller

The data controller responsible for your personal information is:

Legal Entity: SellSparkAI Ltda
CNPJ: 64.278.992/0001-04
Email:

By using SellSparkAI, you consent to the data practices described in this policy.

2. Information We Collect

2.1 Information You Provide Directly

When you create an account or use our Service, we collect:

Data Type	Purpose	Legal Basis (GDPR)
Email Address	Account creation, authentication, service communications, and optional notifications (optimization completion, usage alerts, marketing, product updates) when you opt-in to platform waitlist subscriptions or notification preferences	Contract performance, Consent (for optional notifications)
Password (hashed)	Account security	Contract performance
Name (optional)	Personalization, billing	Consent
Phone Number (optional)	Account creation and authentication via SMS verification (free-basic tier), account security (MFA for paid tiers)	Consent
Billing Address	Payment processing, tax compliance	Legal obligation

2.2 Payment Information

Payment data is processed by Stripe, our third-party payment processor. We do not store your complete credit card information on our servers. Stripe collects:

Credit/debit card numbers (tokenized)
Billing address
Payment method type (card, Apple Pay, Google Pay, Link)

For more information, see Stripe's Privacy Policy.

2.3 Photos You Upload

When you upload photos to our Service:

Photos are processed immediately using our AI technology
Uploaded photos (originals) are stored temporarily for 60 days to enable effective customer support, then permanently deleted
Optimized photos (AI-generated results) are stored and accessible in your gallery for 90 days, then permanently deleted to manage storage efficiently
Complete session data (including all photos, metadata, and processing logs) is permanently deleted after 90 days
We strongly recommend downloading your optimized photos promptly after processing
We do not use your photos for any purpose other than providing the Service to you

2.4 Automatically Collected Information

We automatically collect certain technical information:

Usage Data: Features used, photos processed, subscription tier, login times
Device Information: Browser type, operating system, device type, device fingerprint (for security and fraud prevention purposes)
IP Address: For security, fraud prevention, and geographic analytics
Phone Carrier Type: When you submit a phone number for verification, we determine the carrier type (mobile, VoIP, fixed line) for fraud prevention purposes
Login History: Timestamps, IP addresses, and user agents for each login session (for account security and audit purposes)
Cookies: Session management, authentication (see Section 10)
Meta Pixel Identifiers (with consent): When advertising cookies are enabled, we set the _fbp cookie (a first-party browser identifier generated by the Meta Pixel) and, when you arrive from a Meta ad, the _fbc cookie (the most recent Meta ad click ID). See Section 10.2.
Hashed Identifiers Sent to Meta (with consent): When advertising cookies are enabled, your IP address and user agent are transmitted to Meta Platforms, Inc. (along with hashed email and hashed user ID where available) for event match quality and conversion attribution via the Meta Conversions API.
Campaign Attribution Parameters: When you arrive at our Service via a tagged marketing link (for example a paid Meta ad), URL parameters such as utm_source, utm_medium, utm_campaign, utm_content, utm_term, and the Meta Click Identifier fbclid are captured into a first-party browser store (session storage and a 30-day first-party cookie) and, upon account creation, persisted to your account record so we can attribute your signup to the originating campaign or ad creative. These values are also transmitted to Meta Platforms, Inc. via the Conversions API custom_data field when you have granted Advertising consent — see Section 10.2.

3. How We Use Your Information

We use your personal information for the following purposes:

3.1 Provide the Service

Process your uploaded photos using AI
Deliver optimized photos to you
Manage your account and subscription
Process payments and billing

3.2 Communicate with You

Send transactional emails (e.g., subscription confirmations, receipts)
Provide customer support
Send important updates about the Service or policy changes
Respond to your inquiries

3.3 Improve the Service

Analyze usage patterns to improve features
Monitor performance and fix bugs
Develop new features and capabilities

3.4 Security and Fraud Prevention

Detect and prevent fraudulent activity
Protect against unauthorized access
Enforce our Terms of Service
Maintain automated abuse prevention systems that analyze registration and verification patterns to detect and block fraudulent or abusive behavior
Verify that registrations are made by real people using automated bot detection challenges
Analyze phone number characteristics to prevent abuse through virtual or disposable numbers
Restrict devices and network identifiers associated with confirmed abuse from future access
Monitor registration and verification patterns to detect coordinated abuse attempts
Send internal security alerts to our administrative team when suspicious activity is detected

Legal Basis: These security measures are based on our legitimate interest in fraud prevention (GDPR Article 6(1)(f) / LGPD Article 7(IX)).

3.5 Legal Compliance

Comply with applicable laws and regulations
Respond to legal requests (subpoenas, court orders)
Maintain records required by law

4. How We Share Your Information

We do not sell your personal information to third parties. We only share your information in the following limited circumstances:

4.1 Service Providers

We share data with trusted third-party service providers who help us operate the Service:

Service Provider	Purpose	Data Shared
Stripe	Payment processing, subscription management	Name, email, billing address, payment method
AI Analysis Provider (OpenAI)	AI-powered product image analysis	Product photos, product descriptions, category data
AI Image Generation Provider (Google Gemini / OpenAI)	AI-powered image generation and optimization	Product descriptions, style preferences, generation prompts
AI Upscaling Provider (Runware)	Image upscaling (fallback service)	Product photos for upscaling
SMS Verification Provider (Telnyx)	SMS verification for account authentication and MFA; phone number validation for fraud prevention	Phone number, verification codes
Bot Detection Provider (Cloudflare)	Automated bot detection during account registration to verify real human users	Challenge token, browser behavioral signals (processed by Cloudflare, not stored by us)
Email Service Provider (Porkbun)	Email delivery and verification	Email address, verification links, name
Cloud Hosting Provider (Render)	Application hosting, database storage, server infrastructure	All account data, photos, session data (servers located in Oregon, USA)
CDN & Security Provider (Cloudflare)	Content delivery network (CDN), DNS management, DDoS protection, TLS/SSL encryption, web application firewall	IP addresses, request metadata, cached static content (processed at nearest edge server globally, with potential routing through US data centers)
Meta Platforms, Inc. (United States)	Conversion tracking, ad optimization, and retargeting via Meta Pixel and the Meta Conversions API. Fires only after you grant consent (EU/UK/EEA opt-in) or while you have not opted out (US/other regions).	Hashed email, hashed user ID, IP address, user agent, `_fbp` cookie, `_fbc` cookie (when present), page URL, event metadata, and — for events originating from a Meta ad click — campaign attribution parameters (`utm_source`, `utm_medium`, `utm_campaign`, `utm_content`, `utm_term`) and the Meta Click Identifier (`fbclid`) sent server-side in the Conversions API `custom_data` field for per-creative attribution. Legal basis: Consent (GDPR/UK GDPR Article 6(1)(a)) / Sharing under CPRA (with right to opt out).

All service providers are contractually required to protect your data and use it only for the specified purposes.

4.2 Legal Obligations

We may disclose your information if required by law or in response to:

Subpoenas or court orders
Government or regulatory requests
Legal investigations
Protection of our rights or safety of others

4.3 Business Transfers

If SellSparkAI is acquired, merged, or sells assets, your information may be transferred to the acquiring entity. You will be notified of any such change via email.

4.4 Automated Decision-Making (GDPR Article 22)

We use automated systems to make certain decisions that may affect your ability to access our Service. These automated decisions are necessary for fraud prevention and are based on our legitimate interest in protecting the Service and its users:

Bot Detection: Registration requests are validated using automated challenges to verify you are a real person. Requests that fail these checks are automatically rejected.
Registration and Verification Controls: Automated systems may deny registration or verification based on various risk signals. These controls apply equally to all users and are designed to prevent abuse.
Device and Access Restrictions: Devices or network identifiers associated with confirmed abuse may be permanently restricted from future access to the Service.
Pattern Analysis: We analyze registration and verification patterns to detect and respond to coordinated abuse. This analysis may result in internal security reviews but does not directly restrict your account access without human review.

Your rights regarding automated decisions:

You have the right to contest any automated decision that denies you access to the Service
You have the right to request human review of the decision
You have the right to express your point of view and provide additional context

To contest an automated decision, contact us at with the subject line "Automated Decision Review Request." We will review your case and respond within 30 days (GDPR) or 15 days (LGPD).

Legal Basis (GDPR Article 6(1)(f)): These automated decisions are based on our legitimate interest in preventing fraud and abuse. They are necessary to protect the integrity of our free-tier service and the experience of legitimate users.

5. Data Retention

We retain your personal information for as long as necessary to provide the Service and comply with legal obligations:

Data Type	Retention Period
Account Information	Deleted immediately upon account deletion request
Uploaded Photos (Originals)	60 days after processing or until account deletion (whichever comes first)
Optimized Photos (AI-Generated)	90 days after processing or until account deletion (whichever comes first). Download your photos promptly.
Session Data	90 days after session creation or until account deletion (whichever comes first). Includes processing metadata, logs, and all associated files.
Product Optimization Cache	Up to 390 days (approximately 13 months). Contains anonymized product analysis patterns, styling recommendations, and marketplace metadata to improve AI recommendations. No personal photos are stored—only derived analysis data. Automatically pruned weekly based on usage patterns.
Payment Records & Invoices	5-7 years (required by tax/legal obligations in Brazil, EU, and USA)
Login History	Deleted immediately upon account deletion
Support Communications	Handled by our email service provider (subject to their retention policies)
Usage Analytics	2 years (aggregated/anonymized)
Fraud Prevention Data	30-90 days after account deletion + 365 days (see details below)
Abuse Prevention Rules	Retained indefinitely for identifiers associated with confirmed abuse
Security and Abuse Prevention Data	Device identifiers and abuse prevention records associated with confirmed abuse are retained indefinitely. Verification tokens are deleted after use or expiry. Rate limit tracking data is retained for up to 180 days.

5.1 Fraud Prevention Data Retention

To prevent abuse of our free tier through repeated account deletions and re-creations, we retain minimal, non-identifiable fraud prevention data after account deletion:

Card Fingerprints: Stripe-generated token (not actual card numbers)
Phone Number Hash: SHA-256 hash (irreversible, cannot recover actual phone number)
Device Fingerprints: Browser/device identifiers
Masked Email: First character + domain only (e.g., "u***@example.com")
Stripe Customer ID: Reference ID for invoice retrieval (legal requirement)

Retention periods:

First deletion: 30-day cooldown + 365 days (~13 months total)
Second deletion: 90-day cooldown + 365 days (~15 months total)
Third+ deletions: Retained indefinitely (abuse prevention)

Legal Basis (GDPR Article 6(1)(f)): Legitimate interest in fraud prevention. This data is minimized (no PII stored), purpose-limited (exclusively for fraud detection), and necessary to prevent abuse that harms our business and legitimate users.

6. Your Rights (GDPR/LGPD Compliance)

Under GDPR (EU) and LGPD (Brazil), you have the following rights regarding your personal data:

1. Right to Access: Request a copy of all personal data we hold about you.

2. Right to Rectification: Correct inaccurate or incomplete personal data.

3. Right to Erasure ("Right to be Forgotten"): Request deletion of your personal data.

4. Right to Data Portability: Receive your data in a machine-readable format (JSON).

5. Right to Object: Opt-out of certain data processing activities.

6. Right to Restriction of Processing: Request limitation of how we process your data in certain circumstances (e.g., while verifying accuracy or during objection review).

7. Right to Withdraw Consent: Revoke consent for data processing at any time.

8. Right to Lodge a Complaint: File a complaint with a supervisory authority (see Section 8.7 for ANPD contact, or your local EU Data Protection Authority).

9. Right to Challenge Automated Decisions (GDPR Article 22): If an automated decision (such as registration blocking, VoIP number rejection, or device flagging) affects your ability to access the Service, you have the right to contest the decision, request human review, and express your point of view. Contact us at with the subject line "Automated Decision Review Request."

How to Exercise Your Rights

To exercise any of these rights, contact us at:

Email:
Subject Line: "Data Privacy Request - [Your Name]"
Include: Your registered email address and specific request

We will respond within:

30 days (GDPR - EU residents)
15 days (LGPD - Brazil residents)

7. California Privacy Rights (CCPA/CPRA)

If you are a California resident, you have specific rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA).

7.1 Categories of Personal Information Collected (Last 12 Months)

Category	Examples	Collected	Purpose
Identifiers	Name, email, user ID, device fingerprint	✅ Yes	Account creation, authentication, fraud prevention
Contact Information	Phone number (optional), billing address	✅ Yes	SMS verification, billing, order fulfillment
Commercial Information	Subscription tier, payment history, transaction records	✅ Yes	Service provision, billing, customer support
Internet Activity	Usage data, photos uploaded, features used, session data	✅ Yes	Service provision, optimization, analytics
Geolocation Data	Approximate location from IP address	✅ Yes	Security, fraud prevention, service optimization
Visual Information	Product photos you upload	✅ Yes	AI analysis and optimization service delivery
Inferences	Product category, style preferences, usage patterns	✅ Yes	Service personalization, recommendations

7.2 Sensitive Personal Information

We collect the following categories of sensitive personal information:

Payment Information: Credit/debit card details (processed and stored by Stripe, our payment processor - we do NOT store complete card numbers)
Phone Number (if provided): Used for SMS verification and fraud prevention
Precise Geolocation: We do NOT collect precise geolocation data

7.3 Sources of Personal Information

We collect personal information from the following sources:

Directly from you: When you create an account, upload photos, or provide information
Automatically: Through cookies, device fingerprinting, and usage analytics
Third-party services: OAuth providers (if you sign in with Google/Apple), payment processors

7.4 Business or Commercial Purposes for Collection

We collect and use personal information for the following purposes:

Providing the AI photo optimization service
Processing payments and managing subscriptions
Communicating with you about your account and service updates
Preventing fraud and ensuring security
Complying with legal obligations
Improving and personalizing the service
Analyzing usage patterns and service performance

7.5 Third Parties with Whom We Share Personal Information

We share personal information with the following categories of third parties:

Third Party	Purpose	Data Shared
Payment Processor (Stripe)	Payment processing, subscription management	Name, email, billing address, payment method
SMS Verification Provider (Telnyx)	SMS verification for account authentication and MFA; phone number validation for fraud prevention	Phone number, verification codes, carrier type response
Email Service Provider (Porkbun)	Email delivery and verification	Email address, verification links
AI Analysis Provider (OpenAI)	AI-powered product image analysis	Product photos, product descriptions, category data
AI Image Generation Provider (Google Gemini / OpenAI)	AI-powered image generation and optimization	Product descriptions, style preferences, generation prompts
AI Upscaling Provider (Runware)	Image upscaling (fallback service)	Product photos for upscaling
Meta Platforms, Inc.	Conversion tracking, ad optimization, and retargeting via Meta Pixel and the Meta Conversions API. Classified as "sharing" under CPRA (cross-context behavioral advertising). Fires only after you grant consent or while you have not exercised your right to opt out.	Hashed email, hashed user ID, IP address, user agent, `_fbp` cookie, `_fbc` cookie (when present), page URL, event metadata, and — for events originating from a Meta ad click — campaign attribution parameters (`utm_source`, `utm_medium`, `utm_campaign`, `utm_content`, `utm_term`) and the Meta Click Identifier (`fbclid`) sent in the Conversions API `custom_data` field for per-creative attribution.

7.6 Data Retention

We retain personal information as described in Section 5 of this policy. Uploaded photos (originals) are retained for 60 days (for customer support purposes), then permanently deleted. Optimized photos (AI-generated results) and complete session data are retained for 90 days, then permanently deleted. We recommend downloading your optimized photos promptly after processing.

7.7 Sale or Sharing of Personal Information

We do NOT sell your personal information. We do not exchange your personal information for money or other valuable consideration.

We DO share limited identifiers for cross-context behavioral advertising with Meta Platforms, Inc. (operator of Facebook and Instagram) for the purpose of conversion tracking, ad optimization, and retargeting. Under the CPRA, this activity is classified as "sharing." The data shared is limited to hashed email, hashed user ID, IP address, user agent, the _fbp and _fbc cookies (when present), page URL, event metadata, and — for events originating from a Meta ad click — campaign attribution parameters (utm_source, utm_medium, utm_campaign, utm_content, utm_term) and the Meta Click Identifier (fbclid) sent in the Conversions API custom_data field for per-creative attribution.

This sharing is subject to your consent in the EU/UK/EEA (opt-in) and to your right to opt out in California and other US jurisdictions. See Section 7.8 and Section 10.3 for how to exercise these choices.

7.8 Your California Privacy Rights

As a California resident, you have the following rights:

Right to Know: You can request information about the categories and specific pieces of personal information we collected, the sources, purposes, and third parties with whom we shared it.

Right to Delete: You can request deletion of your personal information, subject to certain exceptions.

Right to Correct: You can request correction of inaccurate personal information.

Right to Opt-Out of Sale/Sharing: We do not sell your personal information, but we do share limited identifiers with Meta Platforms, Inc. for cross-context behavioral advertising (see Section 7.7). You may opt out of this sharing at any time by opening Cookie settings and disabling the Advertising category, or by using the "Cookie settings" link in the page footer. Opt-out preferences are stored in a first-party cookie on your browser; you will need to renew the choice if you clear cookies or use a different browser/device.

Right to Limit Use of Sensitive Personal Information: You can request that we limit use of sensitive personal information to what is necessary to perform the service.

Right to Non-Discrimination: We will NOT discriminate against you for exercising your CCPA rights.

7.9 How to Exercise Your California Rights

To exercise any of these rights:

Email:
Subject Line: "CCPA Request - [Your Name]"
Include: Your registered email address and specific request

Verification: We will verify your identity by confirming your email address and account details before processing your request.

Response Time: We will respond within 45 days of receiving your request, with a possible 45-day extension if necessary.

Authorized Agents: You may designate an authorized agent to make requests on your behalf. The agent must provide proof of authorization.

7.10 California "Shine the Light" Law

California Civil Code Section 1798.83 permits California residents to request information about disclosure of personal information to third parties for direct marketing purposes. We do NOT share personal information with third parties for their direct marketing purposes.

8. Brazil Data Protection (LGPD Compliance)

Important Notice: SellSparkAI does not currently support Brazilian customers for purchases. While our company (SellSparkAI Ltda) is incorporated in Brazil, we are not yet offering services to customers located in Brazil. If you are interested in our service from Brazil, please contact us at —we may offer support on a case-by-case basis.

As a company incorporated in Brazil, we are committed to LGPD compliance for any personal data we may collect from Brazilian visitors or future customers. If you are a resident of Brazil visiting our website, your personal data is protected under the Lei Geral de Proteção de Dados (LGPD).

8.1 Data Controller Information

Legal Entity: SellSparkAI Ltda

CNPJ: 64.278.992/0001-04

Address: Av. Pref. Osmar Cunha, 416, Sala 1108 - Ed. Koerich Empresarial Rio Branco, Florianópolis - SC, 88015-100, Brazil

Email:

8.2 Data Protection Officer (DPO)

For LGPD-related inquiries, you may contact our Data Protection Officer:

DPO Email:
Subject Line: "LGPD - Data Protection Officer"

8.3 Legal Basis for Processing

We process your personal data under the following legal bases defined by LGPD:

Consent: When you create an account and agree to our Terms of Service
Contractual Necessity: To provide the photo optimization service you subscribed to
Legitimate Interests: Fraud prevention, security, service improvement
Legal Obligation: Compliance with Brazilian laws and regulations

8.4 Your Rights Under LGPD (Article 18)

As a Brazilian data subject, you have all rights under LGPD Article 18, including:

Confirmation of Processing: Confirm whether we process your personal data
Access: Access your personal data held by us
Rectification: Correct incomplete, inaccurate, or outdated data
Anonymization, Blocking, or Deletion: Request anonymization, blocking, or deletion of unnecessary, excessive, or non-compliant data
Data Portability: Transfer your data to another service provider
Deletion upon Consent Withdrawal: Delete data processed based on consent when you withdraw it
Information about Shared Data: Know which public and private entities we have shared your data with
Information about Consent Denial: Be informed about the consequences of not providing consent
Withdrawal of Consent: Revoke previously given consent at any time
Right to Petition ANPD: Lodge a complaint with the National Data Protection Authority

8.5 Response Time

We will respond to LGPD requests within 15 days as required by Brazilian law.

8.6 International Data Transfers

Your personal data may be transferred to and processed in the United States and other countries where our service providers operate. We ensure adequate protection through Standard Contractual Clauses and data processing agreements.

8.7 Contact ANPD

You have the right to lodge a complaint with the Brazilian National Data Protection Authority (ANPD):

Website: www.gov.br/anpd
Address: SAS Quadra 6, Bloco O, Brasília - DF, 70070-917

9. International Data Transfers

SellSparkAI operates in many countries (though not currently Brazil—see Section 8). Your personal information may be transferred to and processed in countries outside your country of residence, including the United States.

9.1 Where Your Data Is Processed

Your data is processed by the following US-based infrastructure providers:

Render (Oregon, USA): Our application hosting provider. All account data, uploaded photos, and database content are stored on Render's servers in Oregon, United States.
Cloudflare (Global Network): Our CDN and security provider. Cloudflare operates data centers in 300+ cities across 100+ countries. Your requests are processed at the nearest edge server for performance, but may be routed through US data centers for certain operations.

9.2 Legal Mechanisms for Data Transfers

When transferring data internationally, we ensure adequate protection through multiple legal mechanisms:

EU-U.S. Data Privacy Framework (DPF): Both Render and Cloudflare are certified under the EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework. This provides a lawful basis for data transfers under GDPR Article 45 (adequacy decision).
Standard Contractual Clauses (SCCs): As an additional safeguard, our service providers incorporate EU Standard Contractual Clauses approved by the European Commission into their Data Processing Agreements.
Data Processing Agreements (DPAs): We maintain data processing agreements with all service providers that include appropriate transfer mechanisms and security commitments.
Encryption: All data is encrypted in transit (TLS/HTTPS) and at rest (AES-256).

9.3 Provider Compliance Certifications

Our infrastructure providers maintain the following compliance certifications:

Cloudflare: ISO 27001, ISO 27701, ISO 27018, SOC 2 Type II, PCI DSS Level 1, EU Cloud Code of Conduct compliance mark
Render: EU-U.S. Data Privacy Framework, SOC 2 Type II

For more information, see Cloudflare's GDPR page and Render's Privacy Policy.

10. Cookies and Tracking Technologies

We use essential cookies required for the Service to operate, and (with your consent, per region) advertising cookies from Meta Platforms, Inc. We also use a cookieless analytics service to measure aggregate page performance and visit counts (no cookies, no personal data, no cross-site tracking) and, with your consent, a third-party error monitoring service to capture JavaScript errors so we can fix bugs. The error monitoring service receives stack traces, browser type, and approximate country. It does NOT receive your IP address, does NOT set cookies, and does NOT track you across sites. You can decline error monitoring via the cookie banner. We do NOT use Google Analytics or any tracking service that fingerprints you.

10.1 Essential Cookies (Required)

These cookies are strictly necessary for the Service to operate. You cannot opt out of these cookies while using the Service.

Cookie Name	Purpose	Duration
connect.sid	Session management - keeps you logged in during your browser session	24 hours
refresh_token	Remember Me functionality - allows automatic re-login when you return	30 days (only set if you select "Remember Me")
klaro	Stores your cookie consent preferences (which categories you accepted or declined) so we do not re-prompt on every visit	120 days

10.2 Advertising Cookies (Consent Required)

When you grant consent to the Advertising category in our cookie banner, we load the Meta Pixel (a JavaScript snippet from Meta Platforms, Inc.) and trigger the Meta Conversions API on key events. These technologies place the following cookies and transmit the following data:

Cookie / Technology	Purpose	Duration
_fbp (first-party, set by Meta Pixel)	Browser identifier used by Meta to attribute conversions and optimize ad delivery	90 days
_fbc (first-party, set on Meta ad click)	Stores the most recent Meta ad click ID (`fbclid`) so conversions can be attributed to the originating ad	90 days
Meta Pixel (browser tag)	Sends event data (page views, sign-ups, purchases) directly from your browser to Meta for conversion tracking, ad optimization, and retargeting	Loaded only while consent is active
Meta Conversions API (server-side)	Transmits the same event data server-to-server from our infrastructure to Meta with hashed identifiers (email, user ID, IP, user agent) for event match quality and to mitigate browser-side data loss	Triggered per event while consent is active

We do not use Google Analytics, TikTok Pixel, X (Twitter) Pixel, or LinkedIn Insight Tag. We do use a cookieless analytics service (aggregate-only) for site performance measurement. With your consent, we also use a third-party error monitoring service (captures JavaScript errors so we can fix bugs; no IP, no cookies, no cross-site tracking). We do not use advertising or marketing cookies without consent.

10.3 Managing Your Cookie Preferences

We display a consent banner on your first visit. EU, UK, and EEA visitors must opt in before any advertising cookies fire. Visitors in the United States and other regions may opt out at any time; advertising cookies remain active until you do so.

You can change your choice at any time:

"Cookie settings" link in the footer of every page reopens the consent banner so you can grant or withdraw consent for the Advertising category.
Direct link: Open cookie settings now.
Browser controls: You can also block or delete cookies through your browser settings. Disabling essential cookies will prevent you from logging in and using the Service.

Withdrawing consent stops new data from being shared with Meta; it does not retroactively delete data already transmitted. To request deletion of data Meta already holds about you, contact Meta directly via their Data Subject Rights form.

11. Children's Privacy

SellSparkAI is not intended for users under 18 years of age. We do not knowingly collect personal information from children.

If we discover that we have collected information from a child under 18, we will immediately delete that information. If you believe we have collected information from a child, please contact us at .

12. Security Measures

We implement industry-standard security measures to protect your personal information:

12.1 Technical Safeguards

Encryption: All data encrypted in transit (HTTPS/TLS) and at rest (AES-256)
Password Hashing: Passwords stored using bcrypt with salt
Secure Servers: Access restricted to authorized personnel only
Regular Backups: Encrypted backups stored securely

12.2 Organizational Safeguards

Access Controls: Role-based access to data
Employee Training: Data protection training for all staff
Security Audits: Regular vulnerability assessments
Incident Response Plan: Procedures for data breaches

12.3 Data Breach Notification

In the event of a data breach affecting your personal information that poses a risk to your rights and freedoms, we will:

Notify the relevant supervisory authority:
- GDPR (EU): Within 72 hours per Article 33
- LGPD (Brazil): Within 3 working days per ANPD Resolution No. 15/2024
- CCPA (California): In the most expedient time possible
Notify you via email describing the nature and scope of the breach
Explain the steps we're taking to mitigate harm
Provide recommendations to protect yourself
Maintain records of all security incidents for 5 years (LGPD requirement)

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. When we make material changes, we will:

Update the "Last Updated" date at the top of this page
Notify you via email at least 30 days before changes take effect
Display a prominent notice on the Service

Your continued use of the Service after the effective date constitutes acceptance of the updated policy. If you do not agree to the changes, you must cancel your account before the effective date.

14. Governing Law and Supervisory Authorities

14.1 Governing Law

This Privacy Policy is governed by the laws of the Federative Republic of Brazil, where SellSparkAI Ltda is incorporated. However, we comply with applicable data protection laws in all jurisdictions where we operate, including GDPR (EU), UK GDPR, LGPD (Brazil), and CCPA/CPRA (California). Note: While incorporated in Brazil, we do not currently support Brazilian customers for purchases—see Section 8 for details.

14.2 Supervisory Authorities

You have the right to lodge a complaint with a data protection supervisory authority. Relevant authorities include:

Brazil: ANPD (Autoridade Nacional de Proteção de Dados) - www.gov.br/anpd
EU/EEA: Your local Data Protection Authority. Find yours at edpb.europa.eu
UK: Information Commissioner's Office (ICO) - ico.org.uk
California: California Privacy Protection Agency - cppa.ca.gov

14.3 Legal Basis for International Data Transfers

When we transfer personal data outside your country of residence, we ensure appropriate safeguards:

From EU/EEA/UK: Our primary infrastructure providers (Render and Cloudflare) are certified under the EU-U.S. Data Privacy Framework, which provides an adequacy decision under GDPR Article 45. Additionally, we use Standard Contractual Clauses (SCCs) approved by the European Commission as a supplementary transfer mechanism.
From Brazil: Compliance with LGPD Chapter V requirements for international transfers, including SCCs and equivalent safeguards. Transfers to Render and Cloudflare are supported by their data processing agreements.
Infrastructure Providers: Render (hosting) and Cloudflare (CDN/security) maintain EU-U.S. Data Privacy Framework certification, UK Extension certification, and incorporate EU SCCs in their data processing agreements.
AI Service Providers: OpenAI, Google Gemini, and other AI processors are bound by data processing agreements that include Standard Contractual Clauses and appropriate transfer mechanisms.

14.4 Dispute Resolution

For privacy-related disputes, we encourage you to first contact us at . If we cannot resolve your concern:

Brazilian Residents: File complaints with ANPD or PROCON
EU/EEA Residents: Use the EU Online Dispute Resolution platform at ec.europa.eu/consumers/odr, or contact your local DPA
UK Residents: Contact the ICO at ico.org.uk/make-a-complaint
California Residents: Submit complaints to the CPPA or California Attorney General