engageSPARK Privacy Policy
Last Updated: June 15, 2026
At a Glance
A plain-language summary of how engageSPARK handles personal data. This summary is for convenience; the full policy below is the legally operative document.
What we collect from you. If you sign up for engageSPARK or visit our Website, we collect your account information (name, email, organization, phone, billing details), basic device/usage data, and any data you submit when communicating with us.
What we receive when you use the Service. Content you submit, including data you upload about your Contacts (the people you communicate with through engageSPARK), and data your Contacts submit back to you (survey replies, opt-in texts or calls, responses to campaigns).
What we don’t do. We do not sell or share your data. We do not serve ads. We do not enrich Contact data from external sources. We do not use your data to train AI models (unless you ask us to do so).
Where your data lives. Our servers are in Germany. Your data is primarily processed in the European Economic Area. Cross-border transfers to subprocessors use Standard Contractual Clauses or equivalent safeguards.
Your role for your Contacts’ data. When you use the Service to send messages, you are the data controller of your Contacts’ data and engageSPARK is your data processor. The binding contractual terms are in our Data Processing Agreement (DPA), incorporated into our Terms of Service.
Contact. Questions, requests, or complaints? Email our Data Protection Officer, Murat Knecht, at privacy-requests@engagespark.com.
Part 1 — Information for Customers and Website Visitors
This Part applies when you sign up for, use, or visit engageSPARK. We are the data controller for the information described in this Part.
1.1 What we collect
When you visit our Website, we may collect:
- Device type, browser type, plugin details
- Language preference, time zone, screen size
- IP address
- Cookies (see Section 1.7)
When you sign up or use engageSPARK, we may also collect:
- Identifying information: name, email address, phone number, physical address
- Your organization name and your role within it
- Your IP address
- Your credit card information (processed by our payment processor; we do not store full card numbers)
- Your online profile URLs or usernames, where provided
- Referring websites you visited before coming to ours
1.2 Legal bases for processing
Under the GDPR and UK GDPR, we process your personal data on the following legal bases:
- Performance of a contract: to provide the Service, bill you, authenticate you, and support your account.
- Legitimate interests: to secure our platform, prevent abuse, maintain logs, improve the Service, and communicate essential service information. We balance these interests against your rights. You have the right to object to this processing; we will stop unless we can demonstrate compelling legitimate grounds that override your interests (which is typically the case for security, abuse prevention, and fraud detection).
- Legal obligation: to comply with tax, accounting, anti-fraud, anti-money-laundering, and law-enforcement obligations.
- Consent: for marketing communications, non-essential cookies, and any processing specifically described as consent-based. You may withdraw consent at any time, without affecting processing that occurred before the withdrawal.
- Vital interests and public task: reserved for emergencies; not ordinarily relied on.
1.3 How we use your data
We use your personal information to:
- Provide and support the Service (basis: contract)
- Bill you and collect payments, including via third-party payment processors (basis: contract / legal obligation)
- Authenticate you and protect your account (basis: contract)
- Send you system alerts, service announcements, and policy updates (basis: contract / legitimate interests)
- Detect and prevent fraud, abuse, and security incidents (basis: legitimate interests / legal obligation). We do not subject you to solely automated decisions with legal or similarly significant effects; abuse-detection algorithms inform human review.
- Comply with legal obligations, including responding to subpoenas, court orders, and regulator requests (basis: legal obligation)
- Send you optional marketing about features, promotions, or events — only if you have opted in (basis: consent); you can unsubscribe at any time
- Generate aggregated, anonymized analytics about the Service (basis: legitimate interests)
1.4 How we share your data
We share your personal information only as follows:
- Service providers: payment processors, infrastructure providers, support tools, and sales and marketing tools under written contracts requiring them to protect your data and use it only on our behalf.
- Legal authorities: when required by law, valid subpoena, court order, or regulator demand.
- Professional advisors: attorneys, accountants, auditors — where reasonably necessary.
- Business transactions: in connection with a sale, merger, or acquisition, provided the acquirer is bound by this Privacy Policy.
We do not sell or share your personal information as those terms are defined under the CCPA, CPRA, or any other US state privacy law. We do not serve advertising, and we do not authorize third parties to use your data to target advertising at you.
1.5 How long we keep your data
We retain your personal data only for as long as necessary to fulfill the purposes described in this Privacy Policy. Specific retention periods:
- Account data (name, email, organization): for the lifetime of your account, plus up to six (6) years after closure for legal and tax reasons. We may retain certain identifiers (such as email addresses, phone numbers, and other identifiers of accounts) for longer where retention is necessary for fraud and abuse prevention, defense of legal claims, or enforcement of our Anti-Spam Policy.
- Billing and invoice records: for as long as necessary for tax and accounting compliance, defense of legal claims, customer access to historical records, and audit purposes. In practice, this means we retain billing records for the duration of your account and for an extended period after closure.
- Support communications: up to fifteen (15) years.
- Security and audit logs: for the lifetime of your account, plus up to six (6) years after closure for legal and tax reasons. We may retain certain logs for longer where retention is necessary for fraud and abuse prevention, defense of legal claims, or enforcement of our Anti-Spam Policy.
- Message metadata for abuse and SPAM prevention (timestamps, routing information, delivery status, complaint signals, and sender/recipient identifiers): retained for as long as necessary for fraud prevention, abuse detection, and enforcement of our Anti-Spam Policy. In practice, this means we retain such metadata indefinitely.
- Backups: purged on a rolling thirty (30) day cycle.
Retention periods for Content (including Contact Personal Information) are described in Part 2 and in the DPA.
1.6 Your rights
Under the GDPR, UK GDPR, and other applicable laws, you have the following rights with respect to your personal data:
- Right of access: request a copy of the personal data we hold about you. The first copy is free of charge; we may charge a reasonable fee for additional copies or requests that are manifestly unfounded or excessive.
- Right of rectification: correct inaccurate or incomplete data.
- Right of erasure: request deletion, subject to applicable retention obligations.
- Right to restrict processing: limit how we process your data under certain conditions.
- Right to object: object to processing based on legitimate interests; we will stop unless we can demonstrate compelling legitimate grounds.
- Right to data portability: receive your data in a structured, commonly used format.
- Right to withdraw consent: withdraw any consent at any time, without affecting prior processing.
- Right to lodge a complaint with a supervisory authority: you may complain to the data protection authority in the country where you live or work.
To exercise any of these rights, email privacy-requests@engagespark.com. We will respond within one month. Where requests are complex or numerous, we may extend the response period by up to two further months and will inform you of the extension and the reasons for it.
1.7 Cookies, tracking, and Global Privacy Control
Our Website uses cookies. For details on the cookies we use and how to manage your preferences, see our Cookie Policy, which is incorporated into and is a part of this Privacy Policy.
Global Privacy Control (GPC): We do not sell or share your personal information. Because we do not sell or share, opt-out signals such as Global Privacy Control (GPC) do not apply to our processing.
Do Not Track: We do not currently respond to “Do Not Track” browser header signals because there is no industry-standard interpretation of them.
1.8 California and US state privacy rights
If you are a resident of California, Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, Iowa, Tennessee, or Delaware (or another US state with a comprehensive privacy law), you have additional rights, which generally include:
- Right to know what personal information we collect, use, or disclose. We do not sell or share any personal information.
- Right to delete personal information we hold about you, subject to statutory exceptions.
- Right to correct inaccurate personal information.
- Right to opt out of sale or sharing. We do not sell or share personal information as defined under these laws.
- Right to limit use and disclosure of sensitive personal information. We do not use sensitive personal information for purposes beyond those permitted by law.
- Right to non-discrimination for exercising any of these rights.
To exercise these rights, email privacy-requests@engagespark.com. We will verify your identity before responding. You may designate an authorized agent to make requests on your behalf.
1.9 Categories of personal information we collect (CCPA disclosure)
In the preceding 12 months, we have collected the following categories of personal information for the business purposes described in Section 1.3:
- Identifiers: name, email, phone number, physical address, IP address, account ID.
- Commercial information: records of purchases, engageSPARK Credits balances, transactions.
- Internet or other electronic activity: browser type, pages viewed, referring URL, interaction with our Website.
- Geolocation: coarse, inferred from IP. We do not collect precise geolocation.
- Professional information: organization name, role.
- Content submitted by Customers and their Contacts (covered in Part 2).
We do not knowingly request or solicit sensitive personal information beyond payment credentials (handled by our payment processor) and account credentials.
1.10 How we protect your data
We apply industry-standard technical and organizational measures to protect your data, including:
- TLS 1.2 or higher for all data in transit
- AES-256 (or equivalent) encryption for data at rest
- Role-based access control on the principle of least privilege
- Mandatory two-factor authentication for personnel accessing customer data
- Centralized logging and security monitoring
- Regular third-party vulnerability scanning and security review
- Documented incident response procedures
- Mandatory security and privacy training for personnel
Payment card data is processed by a PCI DSS Level 1 compliant payment processor. We do not store full card numbers on our own systems. Account passwords are one-way hashed; we cannot recover forgotten passwords (only reset them).
1.11 International data transfers
Your account, billing, and support data are primarily processed in the European Economic Area (our servers are in Germany). Where engageSPARK transfers your data to service providers outside the EEA, the UK, or Switzerland — for example, payment processors or support tooling located in the United States — we rely on:
- Standard Contractual Clauses adopted by the European Commission (Decision 2021/914) for transfers from the EEA;
- The UK International Data Transfer Addendum (UK IDTA) for transfers from the UK;
- The EU SCCs as modified in accordance with guidance from the Swiss Federal Data Protection and Information Commissioner (FDPIC) for transfers from Switzerland;
- The EU-US Data Privacy Framework (and its UK Extension and Swiss-US DPF) for transfers to certified US recipients, where applicable.
For transfers of Content (including data about your Contacts) that engageSPARK processes on your behalf, see Part 2 and the DPA.
1.12 Personal data breaches
If we become aware of a personal data breach affecting your personal information, we will notify the relevant supervisory authority without undue delay and, where feasible, within 72 hours, in accordance with GDPR Article 33. Where the breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly without undue delay.
1.13 Sales prospects and outreach
If you are a prospective Customer we have contacted about engageSPARK, we may have obtained your business contact information (typically name, work email, job title, and company) from publicly available sources (such as LinkedIn or company websites) or from third-party sales intelligence providers. We process this data on the basis of our legitimate interests in promoting our services to organizations that may benefit from them.
You have an absolute right to object to receiving direct marketing from us at any time. To opt out, follow the unsubscribe link in any marketing email, or contact privacy-requests@engagespark.com. We will stop and remove your information from active outreach lists.
Part 2 — About the Content You Submit to the Service
This Part applies when you use the Service to run campaigns and submit Content. The information here is provided for transparency. The contractually binding terms governing engageSPARK’s processing of Content are in our Data Processing Agreement (DPA), which forms part of your Terms of Service.
2.1 The controller-processor relationship
When you submit Content to the Service (including data about your Contacts), and when your Contacts submit data back to you through the Service (survey replies, opt-in texts, responses to campaigns, etc.), you are the data controller of that data and engageSPARK is your data processor.
This means:
- You decide why and how the data is processed; we process it on your documented instructions.
- We are not the data controller of your Contacts’ data, and we do not engage directly with your Contacts about their personal information. If a Contact contacts us, we will identify the relevant Customer and notify you so you can handle the request.
2.2 What Content can include
Because Content is created by you and your Contacts, and may include free-text fields, we cannot predict or limit its scope in advance. Content may include:
- Phone numbers, names, and contact details you upload
- Custom fields and segmentation data you submit
- Message content (SMS, voice, WhatsApp, and other channels)
- Survey questions, replies, and other inbound communications
- Opt-in and opt-out signals
- Delivery status, timestamps, and routing metadata
- Location, when received in the form of a WhatsApp Location message or similar
- Any other data you or your Contacts choose to submit through the Service
If your use of the Service involves special categories of personal data under GDPR Article 9 (such as health data or data revealing ethnic origin, which can arise in humanitarian or public health use cases), additional obligations apply to you as data controller. See the DPA for details.
2.3 How we handle Content
Without restating the DPA in full, our key commitments are:
- We process Content only on your documented instructions.
- We do not sell or share Content.
- We do not retain, use, or disclose Content for any purpose other than providing the Service to you.
- We do not use Content to develop, train, evaluate, or improve AI/ML models, except where you specifically ask us to do so.
- We apply the same security measures (encryption, access controls, monitoring) to Content that we apply to all data we hold.
- We notify you of personal data breaches affecting Content without undue delay and, where feasible, within 72 hours of becoming aware.
- We may generate aggregated or de-identified data derived from the Service for our own legitimate business purposes, provided that data cannot reasonably be used to identify any individual and is not re-identified.
2.4 Subprocessors
We use service providers (subprocessors) to deliver the Service. A current list is published at https://www.engagespark.com/legal/subprocessors. The DPA sets out our subprocessor obligations, including advance notice of changes and your right to object on data-protection grounds.
2.5 Return and deletion
You can export Content at any time during the term of your account using the export functionality in the Service. You may also delete specific Contacts through the Service at any time. Following closure or termination of your account, engageSPARK deletes Content in accordance with our standard deletion process described in the DPA.
2.6 Your responsibilities as data controller
As the data controller for your Contacts’ data, you are responsible for:
- Having a valid legal basis for collecting and processing your Contacts’ personal data
- Providing required notices to and obtaining required consents from your Contacts
- Responding to your Contacts’ data subject rights requests
- Ensuring your use of the Service complies with applicable law
2.7 Full contractual terms
The complete contractual terms governing engageSPARK’s processing of Content — including Article 28 GDPR processor obligations, Standard Contractual Clauses for international transfers, security measures, subprocessor terms, breach notification, audit rights, and return/deletion at end — are set out in our Data Processing Agreement (DPA), available at https://www.engagespark.com/legal/data-processing-agreement/, and incorporated into our Terms of Service.
Part 3 — General
3.1 Data Protection Officer
Data Protection Officer: Murat Knecht, privacy-requests@engagespark.com.
3.2 Children and minors
The Service is not intended for minors. We do not knowingly collect personal information from children under thirteen (13) (consistent with COPPA in the United States) and we do not rely on consent as a legal basis to process data of children under sixteen (16) (consistent with GDPR Article 8) for information-society services. If we learn we have collected personal data from a minor, we will delete it. If you have reason to believe this has occurred, please contact privacy-requests@engagespark.com.
3.3 Changes to this Privacy Policy
We may update this Privacy Policy from time to time. For material changes, we will notify you via your account email and post a notice on our Website. Changes take effect thirty (30) days after we send the notice unless you object before then by closing your account.
Note: The contractual terms governing engageSPARK’s processing of Content (the DPA) have their own amendment mechanics set out in the DPA. Updates to this Privacy Policy do not modify the DPA.
3.4 Enforcement and complaints
We regularly review our compliance with this Privacy Policy. To file a complaint, email privacy-requests@engagespark.com. You also have the right to lodge a complaint with your local data protection authority.
3.5 Third-party links
Our Website may contain links to third-party websites or services. Those sites have their own privacy practices, which may differ from ours. If you submit personal information to a third-party site through a link from our Website, that submission is governed by that third party’s privacy policy, not this one. We encourage you to review the privacy policies of any sites you visit.
3.6 Contact us
engageSPARK, Inc.
Data Protection Officer: Murat Knecht
Email: privacy-requests@engagespark.com
Thank you for taking the time to read engageSPARK’s Privacy Policy.
Previous versions
For your reference, please find past versions of our Privacy Policy here: