Privacy Policy

Last updated: March 15, 2026

1. Introduction

Sparker Verify ("Sparker", "we", "us", or "our") operates the media verification platform at sparker.io and related services. This Privacy Policy explains how we collect, use, disclose, and protect your personal information when you use our services.

By using Sparker Verify, you agree to the collection and use of information in accordance with this policy. If you do not agree with the terms of this policy, please do not access or use our services.

2. Information we collect

2.1 Account information

When you create an account via Google OAuth, we receive and store:

  • Your name and email address (from your Google account)
  • A unique account identifier
  • Authentication tokens (stored securely, not shared)

2.2 Device information

When you register a device for hardware-backed verification, we collect:

  • Device public key (ECDSA P-256) generated in your device's Trusted Execution Environment
  • Hardware attestation proof (platform-specific: WebAuthn, Apple Secure Enclave, Android StrongBox)
  • Device metadata (name, model, operating system version)
  • Platform-specific device identifier

We do not and cannot access your device's private key. Private keys are generated inside your device's hardware security module and never leave the device.

2.3 Verification data

When you create a verification, we collect and store:

  • The media file (image, video, or audio)
  • Cryptographic signature and signature hash
  • GPS coordinates (latitude, longitude, accuracy) if you choose to provide them
  • C2PA manifest data including device information and attestation status
  • Timestamp of capture and verification

2.4 Usage data

We automatically collect:

  • IP address and approximate location derived from it
  • Browser type and version (user agent)
  • API request patterns (for rate limiting and abuse prevention)
  • Feature usage metrics (aggregated and anonymized)

3. How we use your information

We use the information we collect to:

  • Provide verification services: Process media captures, verify signatures, generate C2PA manifests, and maintain the verification registry
  • Authenticate users: Verify your identity via Google OAuth and manage session tokens
  • Manage quotas: Track usage against your account's quota tier (Free, Pro, Enterprise)
  • Prevent abuse: Enforce rate limits, detect fraudulent usage, and protect the integrity of the verification system
  • Improve our services: Analyze aggregated usage patterns to improve performance and user experience
  • Communicate with you: Send service-related notifications, respond to support requests, and provide account updates
  • Comply with legal obligations: Meet regulatory requirements and respond to lawful requests

4. Information sharing

4.1 Public verification data

The following information is publicly accessible through our public verification API to enable third-party authenticity checks:

  • Verification status (authentic/not authentic)
  • Confidence level
  • Signature hash
  • Verification timestamp
  • C2PA manifest (which may include device platform and GPS data if provided)

Your name and email address are not included in public verification data.

4.2 Service providers

We may share information with trusted service providers who assist in operating our platform, including cloud hosting providers, database services, and analytics tools. These providers are contractually obligated to protect your data and use it only for the purposes we specify.

4.3 Legal requirements

We may disclose your information if required to do so by law or in response to valid legal process, such as a court order, subpoena, or government request. We will notify you of such requests when legally permitted to do so.

4.4 Anonymous tokens

When you share an anonymous verification token, the recipient can create verifications associated with your account. However, the recipient does not gain access to your account information, other verifications, or personal data. Verifications created via tokens count against your quota.

5. Data security

We implement appropriate technical and organizational measures to protect your personal information:

  • Encryption in transit: All communications use TLS 1.3
  • Encryption at rest: Stored data is encrypted using AES-256
  • Hardware key isolation: Device private keys never leave the hardware security module and cannot be accessed by our servers
  • Access controls: Internal access to user data is restricted and logged
  • Rate limiting: API endpoints are rate-limited to prevent abuse
  • Nonce protocol: Single-use nonces with 5-minute TTL prevent replay attacks

5.1 Data retention

We retain your data for as long as your account is active or as needed to provide services. Specific retention periods:

  • Account data: retained until account deletion
  • Verification records: retained indefinitely to maintain the verification registry integrity
  • Media files: retained for the duration specified by your account tier
  • API logs and usage data: retained for 90 days
  • Expired nonces: automatically purged after 24 hours

6. Your rights

Depending on your jurisdiction, you may have the following rights regarding your personal data:

6.1 Access and portability

You can access your account data, verification history, and registered devices at any time through the Sparker dashboard. You may request a full export of your data in a machine-readable format.

6.2 Deletion

You can delete your account at any time. Upon deletion, we will remove your personal information within 30 days. Verification records may be retained in anonymized form to maintain the integrity of the public verification registry.

6.3 Correction

You can update your account information through the dashboard. For corrections to verification data, contact us at privacy@sparker.io.

6.4 Opt-out

You may opt out of non-essential analytics and tracking. Essential data collection required for service operation (authentication, verification, rate limiting) cannot be opted out of while using the service.

6.5 GDPR rights (EEA residents)

If you are in the European Economic Area, you have additional rights under GDPR including the right to restrict processing, the right to object to processing, and the right to lodge a complaint with your local data protection authority.

6.6 CCPA rights (California residents)

California residents have the right to know what personal information is collected, request deletion, and opt out of the sale of personal information. Sparker does not sell personal information.

7. Cookies and tracking

We use the following types of cookies and similar technologies:

  • Essential cookies: Required for authentication and session management. Cannot be disabled.
  • Functional cookies: Remember your preferences (theme, language). Can be disabled in browser settings.
  • Analytics cookies: Help us understand usage patterns. Can be opted out via dashboard settings.

We do not use third-party advertising cookies or sell data to advertisers.

8. Children's privacy

Sparker Verify is not intended for use by individuals under the age of 16. We do not knowingly collect personal information from children. If we become aware that we have collected data from a child under 16, we will take steps to delete that information promptly. If you believe a child has provided us with personal information, please contact us at privacy@sparker.io.

9. International data transfers

Your information may be transferred to and processed in countries other than your country of residence. These countries may have different data protection laws. When we transfer data internationally, we implement appropriate safeguards including:

  • Standard Contractual Clauses approved by the European Commission
  • Data processing agreements with all service providers
  • Encryption of data in transit and at rest

10. Changes to this policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page and updating the "Last updated" date. For significant changes, we will provide additional notice via email or a prominent notice on our website.

Your continued use of Sparker Verify after changes are posted constitutes your acceptance of the updated policy.

11. Contact information

If you have questions about this Privacy Policy or wish to exercise your data rights, contact us at:

Sparker Verify - Privacy Team

Email: privacy@sparker.io

We aim to respond to all privacy-related inquiries within 30 days.