Privacy Policy

1. Introduction

Welcome to SellSpark AI's Privacy Policy. This policy explains how we collect, use, share, and protect your personal information when you use our AI-powered photo optimization service.

We are committed to protecting your privacy and complying with applicable data protection laws, including:

GDPR (General Data Protection Regulation) - European Union
LGPD (Lei Geral de Proteção de Dados) - Brazil
CCPA/CPRA (California Consumer Privacy Act / California Privacy Rights Act) - California, USA
CalOPPA (California Online Privacy Protection Act) - California, USA

1.1 Data Controller

The data controller responsible for your personal information is:

Legal Entity: SellSparkAI Ltda
CNPJ: 64.278.992/0001-04
Email:

By using SellSparkAI, you consent to the data practices described in this policy.

2. Information We Collect

2.1 Information You Provide Directly

When you create an account or use our Service, we collect:

Data Type	Purpose	Legal Basis (GDPR)
Email Address	Account creation, authentication, service communications, and optional notifications (optimization completion, usage alerts, marketing, product updates) when you opt-in to platform waitlist subscriptions or notification preferences	Contract performance, Consent (for optional notifications)
Password (hashed)	Account security	Contract performance
Name (optional)	Personalization, billing	Consent
Phone Number (optional)	Account creation and authentication via SMS verification (free-basic tier), account security (MFA for paid tiers)	Consent
Billing Address	Payment processing, tax compliance	Legal obligation

2.2 Payment Information

Payment data is processed by Stripe, our third-party payment processor. We do not store your complete credit card information on our servers. Stripe collects:

Credit/debit card numbers (tokenized)
Billing address
Payment method type (card, Apple Pay, Google Pay, Link)

For more information, see Stripe's Privacy Policy.

Additionally, for tax compliance and automation, we use Quaderno as our tax automation service. Quaderno receives:

Transaction data (amount, date, product/service type)
Customer location information (country, state/region for tax jurisdiction determination)
Billing address (for tax rate calculation and invoice generation)

For more information, see Quaderno's Privacy Policy.

2.3 Photos You Upload

When you upload photos to our Service:

Photos are processed immediately using our AI technology
Uploaded photos are stored temporarily for 60 days to enable effective customer support, then permanently deleted
Optimized photos are stored and accessible in your gallery until account deletion
We do not use your photos for any purpose other than providing the Service to you

2.4 Automatically Collected Information

We automatically collect certain technical information:

Usage Data: Features used, photos processed, subscription tier, login times
Device Information: Browser type, operating system, device type, device fingerprint (for security purposes)
IP Address: For security, fraud prevention, and geographic analytics
Login History: Timestamps, IP addresses, and user agents for each login session (for account security and audit purposes)
Cookies: Session management, authentication (see Section 10)

3. How We Use Your Information

We use your personal information for the following purposes:

3.1 Provide the Service

Process your uploaded photos using AI
Deliver optimized photos to you
Manage your account and subscription
Process payments and billing

3.2 Communicate with You

Send transactional emails (e.g., subscription confirmations, receipts)
Provide customer support
Send important updates about the Service or policy changes
Respond to your inquiries

3.3 Improve the Service

Analyze usage patterns to improve features
Monitor performance and fix bugs
Develop new features and capabilities

3.4 Security and Fraud Prevention

Detect and prevent fraudulent activity
Protect against unauthorized access
Enforce our Terms of Service

3.5 Legal Compliance

Comply with applicable laws and regulations
Respond to legal requests (subpoenas, court orders)
Maintain records required by law

4. How We Share Your Information

We do not sell your personal information to third parties. We only share your information in the following limited circumstances:

4.1 Service Providers

We share data with trusted third-party service providers who help us operate the Service:

Service Provider	Purpose	Data Shared
Stripe	Payment processing, subscription management	Name, email, billing address, payment method
AI Analysis Provider (OpenAI)	AI-powered product image analysis	Product photos, product descriptions, category data
AI Image Generation Provider (Google Gemini / OpenAI)	AI-powered image generation and optimization	Product descriptions, style preferences, generation prompts
AI Upscaling Provider (Runware)	Image upscaling (fallback service)	Product photos for upscaling
SMS Verification Provider (Telnyx)	SMS verification for account authentication and MFA	Phone number, verification codes
Tax Automation Provider (Quaderno)	Tax calculation, invoice generation, compliance	Transaction data, billing address, customer location
Email Service Provider (Porkbun)	Email delivery and verification	Email address, verification links, name
Cloud Hosting Provider	Data storage, application hosting	All account and photo data

All service providers are contractually required to protect your data and use it only for the specified purposes.

4.2 Legal Obligations

We may disclose your information if required by law or in response to:

Subpoenas or court orders
Government or regulatory requests
Legal investigations
Protection of our rights or safety of others

4.3 Business Transfers

If SellSparkAI is acquired, merged, or sells assets, your information may be transferred to the acquiring entity. You will be notified of any such change via email.

5. Data Retention

We retain your personal information for as long as necessary to provide the Service and comply with legal obligations:

Data Type	Retention Period
Account Information	Deleted immediately upon account deletion request
Uploaded Photos	60 days after processing or until account deletion (whichever comes first)
Optimized Photos	Until account deletion (accessible in your gallery)
Payment Records & Invoices	5-7 years (required by tax/legal obligations in Brazil, EU, and USA)
Login History	Deleted immediately upon account deletion
Support Communications	Handled by our email service provider (subject to their retention policies)
Usage Analytics	2 years (aggregated/anonymized)
Fraud Prevention Data	30-90 days after account deletion + 365 days (see details below)

5.1 Fraud Prevention Data Retention

To prevent abuse of our free tier through repeated account deletions and re-creations, we retain minimal, non-identifiable fraud prevention data after account deletion:

Card Fingerprints: Stripe-generated token (not actual card numbers)
Phone Number Hash: SHA-256 hash (irreversible, cannot recover actual phone number)
Device Fingerprints: Browser/device identifiers
Masked Email: First character + domain only (e.g., "u***@example.com")
Stripe Customer ID: Reference ID for invoice retrieval (legal requirement)

Retention periods:

First deletion: 30-day cooldown + 365 days (~13 months total)
Second deletion: 90-day cooldown + 365 days (~15 months total)
Third+ deletions: Retained indefinitely (abuse prevention)

Legal Basis (GDPR Article 6(1)(f)): Legitimate interest in fraud prevention. This data is minimized (no PII stored), purpose-limited (exclusively for fraud detection), and necessary to prevent abuse that harms our business and legitimate users.

6. Your Rights (GDPR/LGPD Compliance)

Under GDPR (EU) and LGPD (Brazil), you have the following rights regarding your personal data:

1. Right to Access: Request a copy of all personal data we hold about you.

2. Right to Rectification: Correct inaccurate or incomplete personal data.

3. Right to Erasure ("Right to be Forgotten"): Request deletion of your personal data.

4. Right to Data Portability: Receive your data in a machine-readable format (JSON).

5. Right to Object: Opt-out of certain data processing activities.

6. Right to Restriction of Processing: Request limitation of how we process your data in certain circumstances (e.g., while verifying accuracy or during objection review).

7. Right to Withdraw Consent: Revoke consent for data processing at any time.

8. Right to Lodge a Complaint: File a complaint with a supervisory authority (see Section 8.7 for ANPD contact, or your local EU Data Protection Authority).

How to Exercise Your Rights

To exercise any of these rights, contact us at:

Email:
Subject Line: "Data Privacy Request - [Your Name]"
Include: Your registered email address and specific request

We will respond within:

30 days (GDPR - EU residents)
15 days (LGPD - Brazil residents)

7. California Privacy Rights (CCPA/CPRA)

If you are a California resident, you have specific rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA).

7.1 Categories of Personal Information Collected (Last 12 Months)

Category	Examples	Collected	Purpose
Identifiers	Name, email, user ID, device fingerprint	✅ Yes	Account creation, authentication, fraud prevention
Contact Information	Phone number (optional), billing address	✅ Yes	SMS verification, billing, order fulfillment
Commercial Information	Subscription tier, payment history, transaction records	✅ Yes	Service provision, billing, customer support
Internet Activity	Usage data, photos uploaded, features used, session data	✅ Yes	Service provision, optimization, analytics
Geolocation Data	Approximate location from IP address	✅ Yes	Security, fraud prevention, service optimization
Visual Information	Product photos you upload	✅ Yes	AI analysis and optimization service delivery
Inferences	Product category, style preferences, usage patterns	✅ Yes	Service personalization, recommendations

7.2 Sensitive Personal Information

We collect the following categories of sensitive personal information:

Payment Information: Credit/debit card details (processed and stored by Stripe, our payment processor - we do NOT store complete card numbers)
Phone Number (if provided): Used for SMS verification via Telnyx
Precise Geolocation: We do NOT collect precise geolocation data

7.3 Sources of Personal Information

We collect personal information from the following sources:

Directly from you: When you create an account, upload photos, or provide information
Automatically: Through cookies, device fingerprinting, and usage analytics
Third-party services: OAuth providers (if you sign in with Google/Apple), payment processors

7.4 Business or Commercial Purposes for Collection

We collect and use personal information for the following purposes:

Providing the AI photo optimization service
Processing payments and managing subscriptions
Communicating with you about your account and service updates
Preventing fraud and ensuring security
Complying with legal obligations
Improving and personalizing the service
Analyzing usage patterns and service performance

7.5 Third Parties with Whom We Share Personal Information

We share personal information with the following categories of third parties:

Third Party	Purpose	Data Shared
Payment Processor (Stripe)	Payment processing, subscription management	Name, email, billing address, payment method
Tax Automation Provider (Quaderno)	Tax calculation, invoice generation, compliance	Transaction data, billing address, customer location
SMS Verification Provider (Telnyx)	SMS verification for account authentication and MFA	Phone number, verification codes
Email Service Provider (Porkbun)	Email delivery and verification	Email address, verification links
AI Analysis Provider (OpenAI)	AI-powered product image analysis	Product photos, product descriptions, category data
AI Image Generation Provider (Google Gemini / OpenAI)	AI-powered image generation and optimization	Product descriptions, style preferences, generation prompts
AI Upscaling Provider (Runware)	Image upscaling (fallback service)	Product photos for upscaling

7.6 Data Retention

We retain personal information as described in Section 5 of this policy. Uploaded photos are retained for 60 days (for customer support purposes), then permanently deleted. Optimized photos are retained until account deletion.

7.7 Sale or Sharing of Personal Information

Important: We do NOT sell your personal information.

We do NOT sell, rent, or trade your personal information to third parties for monetary or other valuable consideration. We do NOT share your personal information for cross-context behavioral advertising.

7.8 Your California Privacy Rights

As a California resident, you have the following rights:

Right to Know: You can request information about the categories and specific pieces of personal information we collected, the sources, purposes, and third parties with whom we shared it.

Right to Delete: You can request deletion of your personal information, subject to certain exceptions.

Right to Correct: You can request correction of inaccurate personal information.

Right to Opt-Out of Sale/Sharing: Since we do NOT sell or share your personal information, this right does not apply.

Right to Limit Use of Sensitive Personal Information: You can request that we limit use of sensitive personal information to what is necessary to perform the service.

Right to Non-Discrimination: We will NOT discriminate against you for exercising your CCPA rights.

7.9 How to Exercise Your California Rights

To exercise any of these rights:

Email:
Subject Line: "CCPA Request - [Your Name]"
Include: Your registered email address and specific request

Verification: We will verify your identity by confirming your email address and account details before processing your request.

Response Time: We will respond within 45 days of receiving your request, with a possible 45-day extension if necessary.

Authorized Agents: You may designate an authorized agent to make requests on your behalf. The agent must provide proof of authorization.

7.10 California "Shine the Light" Law

California Civil Code Section 1798.83 permits California residents to request information about disclosure of personal information to third parties for direct marketing purposes. We do NOT share personal information with third parties for their direct marketing purposes.

8. Brazil Data Protection (LGPD Compliance)

Important Notice: SellSparkAI does not currently support Brazilian customers for purchases. While our company (SellSparkAI Ltda) is incorporated in Brazil, we are not yet offering services to customers located in Brazil. If you are interested in our service from Brazil, please contact us at —we may offer support on a case-by-case basis.

As a company incorporated in Brazil, we are committed to LGPD compliance for any personal data we may collect from Brazilian visitors or future customers. If you are a resident of Brazil visiting our website, your personal data is protected under the Lei Geral de Proteção de Dados (LGPD).

8.1 Data Controller Information

Legal Entity: SellSparkAI Ltda

CNPJ: 64.278.992/0001-04

Address: Av. Pref. Osmar Cunha, 416, Sala 1108 - Ed. Koerich Empresarial Rio Branco, Florianópolis - SC, 88015-100, Brazil

Email:

8.2 Data Protection Officer (DPO)

For LGPD-related inquiries, you may contact our Data Protection Officer:

DPO Email:
Subject Line: "LGPD - Data Protection Officer"

8.3 Legal Basis for Processing

We process your personal data under the following legal bases defined by LGPD:

Consent: When you create an account and agree to our Terms of Service
Contractual Necessity: To provide the photo optimization service you subscribed to
Legitimate Interests: Fraud prevention, security, service improvement
Legal Obligation: Compliance with Brazilian laws and regulations

8.4 Your Rights Under LGPD (Article 18)

As a Brazilian data subject, you have all rights under LGPD Article 18, including:

Confirmation of Processing: Confirm whether we process your personal data
Access: Access your personal data held by us
Rectification: Correct incomplete, inaccurate, or outdated data
Anonymization, Blocking, or Deletion: Request anonymization, blocking, or deletion of unnecessary, excessive, or non-compliant data
Data Portability: Transfer your data to another service provider
Deletion upon Consent Withdrawal: Delete data processed based on consent when you withdraw it
Information about Shared Data: Know which public and private entities we have shared your data with
Information about Consent Denial: Be informed about the consequences of not providing consent
Withdrawal of Consent: Revoke previously given consent at any time
Right to Petition ANPD: Lodge a complaint with the National Data Protection Authority

8.5 Response Time

We will respond to LGPD requests within 15 days as required by Brazilian law.

8.6 International Data Transfers

Your personal data may be transferred to and processed in the United States and other countries where our service providers operate. We ensure adequate protection through Standard Contractual Clauses and data processing agreements.

8.7 Contact ANPD

You have the right to lodge a complaint with the Brazilian National Data Protection Authority (ANPD):

Website: www.gov.br/anpd
Address: SAS Quadra 6, Bloco O, Brasília - DF, 70070-917

9. International Data Transfers

SellSparkAI operates in many countries (though not currently Brazil—see Section 8). Your personal information may be transferred to and processed in countries outside your country of residence, including the United States.

When transferring data internationally, we ensure adequate protection through:

Standard Contractual Clauses (SCCs): Approved by the European Commission
Data Processing Agreements: With all service providers
Encryption: All data encrypted in transit and at rest

If you are located in the EU or Brazil, you have the right to object to international transfers that don't meet adequate protection standards.

10. Cookies and Tracking Technologies

We use only essential cookies required for the Service to function. We do NOT use any third-party analytics or tracking cookies.

10.1 Essential Cookies (Required)

These cookies are strictly necessary for the Service to operate. You cannot opt-out of these cookies while using the Service.

Cookie Name	Purpose	Duration
connect.sid	Session management - keeps you logged in during your browser session	24 hours
refresh_token	Remember Me functionality - allows automatic re-login when you return	30 days (only set if you select "Remember Me")

10.2 No Third-Party Tracking

We do NOT use:

Google Analytics or any third-party analytics
Advertising or marketing cookies
Cross-site tracking pixels
Social media tracking cookies

10.3 Managing Cookies

You can control cookies through your browser settings. However, disabling essential cookies will prevent you from logging in and using the Service. Since we only use essential cookies, a cookie consent banner is not required under GDPR/LGPD.

11. Children's Privacy

SellSparkAI is not intended for users under 18 years of age. We do not knowingly collect personal information from children.

If we discover that we have collected information from a child under 18, we will immediately delete that information. If you believe we have collected information from a child, please contact us at .

12. Security Measures

We implement industry-standard security measures to protect your personal information:

12.1 Technical Safeguards

Encryption: All data encrypted in transit (HTTPS/TLS) and at rest (AES-256)
Password Hashing: Passwords stored using bcrypt with salt
Secure Servers: Access restricted to authorized personnel only
Regular Backups: Encrypted backups stored securely

12.2 Organizational Safeguards

Access Controls: Role-based access to data
Employee Training: Data protection training for all staff
Security Audits: Regular vulnerability assessments
Incident Response Plan: Procedures for data breaches

12.3 Data Breach Notification

In the event of a data breach affecting your personal information that poses a risk to your rights and freedoms, we will:

Notify the relevant supervisory authority:
- GDPR (EU): Within 72 hours per Article 33
- LGPD (Brazil): Within 3 working days per ANPD Resolution No. 15/2024
- CCPA (California): In the most expedient time possible
Notify you via email describing the nature and scope of the breach
Explain the steps we're taking to mitigate harm
Provide recommendations to protect yourself
Maintain records of all security incidents for 5 years (LGPD requirement)

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. When we make material changes, we will:

Update the "Last Updated" date at the top of this page
Notify you via email at least 30 days before changes take effect
Display a prominent notice on the Service

Your continued use of the Service after the effective date constitutes acceptance of the updated policy. If you do not agree to the changes, you must cancel your account before the effective date.

14. Governing Law and Supervisory Authorities

14.1 Governing Law

This Privacy Policy is governed by the laws of the Federative Republic of Brazil, where SellSparkAI Ltda is incorporated. However, we comply with applicable data protection laws in all jurisdictions where we operate, including GDPR (EU), UK GDPR, LGPD (Brazil), and CCPA/CPRA (California). Note: While incorporated in Brazil, we do not currently support Brazilian customers for purchases—see Section 8 for details.

14.2 Supervisory Authorities

You have the right to lodge a complaint with a data protection supervisory authority. Relevant authorities include:

Brazil: ANPD (Autoridade Nacional de Proteção de Dados) - www.gov.br/anpd
EU/EEA: Your local Data Protection Authority. Find yours at edpb.europa.eu
UK: Information Commissioner's Office (ICO) - ico.org.uk
California: California Privacy Protection Agency - cppa.ca.gov

14.3 Legal Basis for International Data Transfers

When we transfer personal data outside your country of residence, we ensure appropriate safeguards:

From EU/EEA/UK: Standard Contractual Clauses (SCCs) approved by the European Commission, or adequacy decisions where applicable
From Brazil: Compliance with LGPD Chapter V requirements for international transfers, including SCCs and equivalent safeguards
Service Providers: All third-party processors are bound by data processing agreements that include appropriate transfer mechanisms

14.4 Dispute Resolution

For privacy-related disputes, we encourage you to first contact us at . If we cannot resolve your concern:

Brazilian Residents: File complaints with ANPD or PROCON
EU/EEA Residents: Use the EU Online Dispute Resolution platform at ec.europa.eu/consumers/odr, or contact your local DPA
UK Residents: Contact the ICO at ico.org.uk/make-a-complaint
California Residents: Submit complaints to the CPPA or California Attorney General