Privacy Policy
Last updated: May 29, 2026
1. Introduction
This Privacy Policy explains how Sparqbox collects, uses, stores, and shares personal data. It covers visitors to our marketing sites (sparqbox.com and sparqbox.nl), people who sign up for a trial or contact us, and end users of the Sparqbox application. Questions: support@sparqbox.com.
2. Who we are
Sparqbox is a product of SupplyUp, a Dutch sole proprietorship (eenmanszaak) run by Dennis Jacobs and headquartered in the Netherlands.
- KvK (Chamber of Commerce): 75179415
- VAT: NL002238592B33
- Contact: support@sparqbox.com
A dedicated Sparqbox B.V. is planned for later in 2026. When that entity is registered and takes over the product, this policy will be updated with the new controller identification and all existing users will be notified by email.
Controller vs processor
Our role under the GDPR depends on the data:
- Marketing and prospect data (visits to sparqbox.com, newsletter signups, contact-form submissions, trial-list signups) — SupplyUp is the controller.
- Workspace data (ideas, scores, comments, employee accounts inside the Sparqbox application) — the customer (your employer) is the controller; SupplyUp is the processor. Our Data Processing Agreement governs this relationship.
3. What we collect
Data you give us directly
- Account information: name, email address, company name, and role when you sign up or accept an invitation.
- Workspace content: ideas, scores, comments, and reviews that you and your colleagues submit to Sparqbox.
- Support conversations: emails, chat threads, and ticket content when you contact support.
- Billing data: billing contact and payment method (full card numbers are processed and stored by Stripe; Sparqbox sees only the last four digits and brand).
Data we collect automatically
- Usage data: feature interactions, page views, session timestamps, and error logs to maintain service quality.
- Marketing analytics: on sparqbox.com and sparqbox.nl, when you consent, we use Microsoft Clarity to understand which pages are useful and where the layout breaks. See cookie policy.
- Cookies: strictly necessary cookies (session, CSRF, consent record) and, with consent, analytics cookies. See cookie policy.
Data we receive from others
- SSO providers (Scale tier): if you sign in via SAML or OIDC, your identity provider shares your name, email, and group memberships with us as defined by your admin.
- Stripe: payment status, billing address, partial card data, and fraud signals for chargeback handling.
4. Why we process data (and on what legal basis)
We process personal data only when we have a legal basis under Article 6 of the GDPR. The table below maps each purpose to its basis.
| Purpose | Legal basis (GDPR Art. 6) |
|---|---|
| Provide the Sparqbox service to your workspace | Contract performance · 6(1)(b) |
| Process payments and prevent fraud | Contract · 6(1)(b) + legitimate interest · 6(1)(f) |
| Send transactional emails (invitations, receipts, password resets) | Contract performance · 6(1)(b) |
| AI-assisted scoring when enabled in your workspace | Contract performance, on controller instructions · 6(1)(b) |
| Security, abuse detection, and debugging | Legitimate interest · 6(1)(f) |
| Product update emails to workspace admins | Legitimate interest · 6(1)(f) (opt-out in every message) |
| Marketing emails to prospects (newsletter, sales) | Consent · 6(1)(a) (revocable at any time) |
| Marketing analytics (Microsoft Clarity) | Consent · 6(1)(a) (via cookie banner) |
| Tax, accounting, and legal record-keeping | Legal obligation · 6(1)(c) |
5. How long we keep data
| Data | Retention |
|---|---|
| Active account data | Duration of the subscription |
| Workspace content after cancellation | 30-day export window, then deleted from production. Backups purged within 90 days. |
| Billing and invoicing records | 7 years (Dutch tax law) |
| Marketing contacts (prospects) | Until you unsubscribe |
| Application and system logs | 90 days |
| Security incident records | Up to 3 years |
| Marketing analytics (Clarity) | Per Clarity defaults (rolling, capped at 1 year) |
6. Who we share data with
We do not sell personal data. We share it only with the third parties below, under written data processing agreements.
Sub-processors (workspace data)
Sub-processors handle customer workspace data on our behalf. The current list, including data category, location, and transfer mechanism, is published at sparqbox.com/subprocessors. Workspace admins are notified by email at least 30 days before we add a new sub-processor that handles personal data.
Marketing-side third parties (controller data)
For our role as controller (visits, signups, prospect data) we also use:
- Notion — prospect CRM. Contact-form, trial-list, and newsletter submissions (name, email, company, role, notes) are stored in our Notion workspace. Notion processes data in EU and US regions.
- Microsoft Clarity — marketing-site analytics. Page interactions and session replays on sparqbox.com and sparqbox.nl only. Loads only after you consent via the cookie banner. Microsoft processes data primarily in the US.
- Vercel Blob — storage for our pilot signup list and marketing image uploads.
Legal disclosure
We disclose personal data when required by law, court order, or to protect rights, safety, or property. We notify affected customers where legally permitted.
7. International transfers
Workspace data is stored in the European Union (Supabase, Frankfurt; Render, Frankfurt). Some processing necessarily happens outside the EEA, primarily in the United States (Anthropic, Microsoft, Vercel edge nodes, Stripe US, Resend US). For those transfers we rely on:
- The EU-US Data Privacy Framework where the recipient is certified; and
- Standard Contractual Clauses (European Commission Decision 2021/914) as a fallback, plus supplementary safeguards where appropriate.
The transfer mechanism per sub-processor is shown at sparqbox.com/subprocessors.
8. How we protect data
Our technical and organisational measures include TLS 1.2+ in transit, AES-256 at rest, three-layer tenant isolation, least privilege with logged access, strong password rules with SSO on the Scale tier, documented backup and disaster recovery, and a documented incident response process. Full detail is on our security page.
9. Your rights under the GDPR
- Access: request a copy of your personal data.
- Rectification: ask us to correct inaccurate data.
- Erasure: request deletion, subject to legal retention obligations (e.g. invoices).
- Restriction: ask us to limit processing while a request is open.
- Objection: object to processing based on legitimate interest.
- Portability: export your workspace data as CSV.
- Withdraw consent: for any processing based on consent, at any time, with no effect on prior lawful processing.
To exercise these rights, email support@sparqbox.com. We acknowledge within 5 business days and respond fully within 30 days. If the request concerns workspace-controlled data (your employer's data inside the Sparqbox app), please contact your employer first as they are the controller; we will assist them in responding.
You also have the right to complain to your national supervisory authority. For customers in the Netherlands, that is the Autoriteit Persoonsgegevens.
10. Data breaches
We have a documented incident response process. If we become aware of a personal data breach that is likely to result in a risk to the rights and freedoms of individuals, we will notify the competent supervisory authority without undue delay and, in any event, within 72 hours of becoming aware of it (GDPR Article 33). Where the breach is likely to result in a high risk, we will notify affected customers and individuals without undue delay (GDPR Article 34).
11. Children
Sparqbox is a workplace product. We do not knowingly collect personal data from individuals under 16. If we learn we have done so, we will delete it promptly.
12. Changes to this policy
Material changes will be notified to workspace admins by email at least 30 days before taking effect. The "Last updated" date at the top of this page always reflects the most recent change.
13. Contact
- Privacy and data subject requests: support@sparqbox.com
- Security incidents and responsible disclosure: support@sparqbox.com
- General support: hello@sparqbox.com