Privacy Policy
How we collect, use, and protect data — both on this website and across the Spaarke platform.
Last updated: 2026-05-07
This policy covers two related but distinct contexts: (1) the information we collect when you visit spaarke.com or interact with our forms, and (2) how we handle your customer data when you use the Spaarke platform as a paying customer or early-access partner. Our Terms of Service also apply to platform use.
Part 1 — This website
What we don’t do
We do not run third-party advertising trackers on this site, build cross-site behavioral profiles, or sell visitor data. We do not require a cookie banner because we don’t set non-essential tracking cookies.
What we do use
| Tool | What it sees | Cookies? | Policy |
|---|---|---|---|
| Plausible Analytics | Pageviews, referrer, country, device, browser | No | Link |
| Microsoft Clarity | Anonymous session playback, heatmaps (form fields masked) | First-party only | Link |
| Azure Application Insights | Server-side error and performance telemetry | No | Link |
| Google reCAPTCHA | Risk score for bot detection on form submissions | Yes | Link |
Plausible Analytics
Plausible is a privacy-first analytics tool that records pageviews without setting cookies and without storing personal data. It tells us which pages get traffic, where visitors arrive from, and rough geographic and device categories. Plausible is GDPR, CCPA, and ePrivacy compliant by design.
Microsoft Clarity
Clarity records anonymous session playbacks and produces heatmaps so we can see where visitors get stuck or confused. Text typed into form fields is automatically masked before recording, so we never see the names, emails, or messages people type. Recordings are tied to a first-party identifier only and are not used for advertising.
First-party attribution storage
When you first arrive at the site, your browser stores a small JSON snapshot under the localStorage key spk_attribution_v1. It contains your entry referrer (e.g., “google.com”), the first page you landed on, the timestamp of your first visit, and any UTM parameters from the URL. It contains no personal information and no device identifiers. It expires after 90 days and is used only to attribute your own form submissions to their original referrer when you submit a form on this site. You can clear it any time using your browser’s “Clear site data” tool.
Forms (contact, get access, take tour)
When you submit a form, we store what you typed (name, work email, organization, message, and any other fields you complete) along with the attribution snapshot above. Form data is stored in Azure Table Storage in our tenant and is used solely to respond to your inquiry and operate any early-access provisioning that follows. We do not share form data with third parties for marketing purposes.
Azure Application Insights
Application Insights collects server-side telemetry: HTTP request timing, exceptions, and aggregate logs we use to keep the site running. It does not set client cookies and does not capture form content. We use it for engineering operations, not behavioral profiling.
AI crawler logging
When AI crawlers (e.g., GPTBot, ClaudeBot, PerplexityBot, Google-Extended) visit the site, we log the bot name and the path it requested via Application Insights. This tells us how the site is being indexed for AI citations. No personal data is captured — just the bot identifier and the public path it visited.
Part 2 — The Spaarke platform
Customer data lives in your tenant
Spaarke is a Microsoft ISV solution. Customer Data — your matters, documents, communications, and operational records — is stored inside your own Microsoft 365 tenant, primarily in Microsoft Dataverse and SharePoint Embedded. Microsoft is the data processor for that tenant under your existing agreements with Microsoft (the Microsoft Online Services Terms, Product Terms, and Data Protection Addendum). Spaarke acts at the application layer above your tenant, accessing your data only as needed to provide the Service.
What this means in practice
- Your data is not pooled with other customers’ data — it stays in your tenant boundary.
- You can revoke Spaarke’s access at any time through your tenant’s admin controls; doing so terminates our processing of your data.
- Microsoft’s region commitments, encryption defaults, and compliance certifications (ISO 27001, SOC 2, HIPAA, FedRAMP where applicable) apply to the underlying storage.
- Spaarke does not sell customer data, does not use it for advertising, and does not use it to train foundation AI models.
AI features
Spaarke’s AI features (Foundry IQ, Microsoft Agent Framework agents, and approved enterprise model integrations, surfaced through Microsoft Power Platform and Microsoft 365) are grounded in your Customer Data via retrieval rather than training. Prompts and grounding content sent to underlying model providers are processed under enterprise data protection terms — including the Azure OpenAI Service data handling commitments and Microsoft Copilot enterprise data protection — that prohibit training on customer inputs and limit retention to what is needed to return a response. Where your plan supports it, you may select the model and constrain processing to a region or tenant-bound endpoint.
Personal data and lawful basis
When you use the platform, we may process personal data of your employees and end users — names, work email addresses, role information, and the activity records the platform generates. We process that data on the lawful bases of (a) performance of our agreement with you, and (b) legitimate interest in operating and securing the Service. Where your customers or matter participants are themselves data subjects under GDPR or CCPA, you act as the controller and we as a processor. Customers subject to GDPR-class regimes can request our standard Data Processing Addendum at privacy@spaarke.com.
Subprocessors
We use a small number of subprocessors to operate the Service, all of which are contracted under data protection terms at least as protective as our commitments to you. The current list includes Microsoft (Azure, Microsoft 365, Entra ID), SendGrid (transactional email), and Google reCAPTCHA (form bot detection). We will provide advance notice of material changes to our subprocessor list to customers under a Data Processing Addendum.
Retention
Customer Data persists for as long as you use the Service. After termination, your data remains in your Microsoft tenant under your control; we deactivate Spaarke-managed access on request. Operational telemetry (logs, metrics) generated by Spaarke is retained for up to 90 days, and longer where required for security, audit, or legal purposes.
International transfers
For website telemetry and form storage, data is processed in Microsoft Azure regions in the United States. For platform customer data, the storage region is governed by your Microsoft tenant settings. Where data is transferred from the European Economic Area, the United Kingdom, or Switzerland to a country without an adequacy decision, transfers are made under Standard Contractual Clauses or equivalent transfer mechanisms.
Your rights
Depending on where you live, you may have the right to access, correct, delete, port, or object to processing of personal data we hold about you, and the right not to be subject to solely automated decisions with significant effects. To exercise any of these rights, or to ask any privacy question:
- Clear “Cookies and other site data” in your browser to remove the
spk_attribution_v1snapshot and any Clarity identifiers. - Use a tracking-protection extension or browser-level setting — both Plausible and Clarity respect standard opt-outs.
- Email privacy@spaarke.com for data deletion requests, DPA requests, or any privacy questions, or use our contact form.
Changes to this policy
We may update this policy as the Service evolves. Material changes will be announced via the website and, where you have an account, by email or in-product notice. The “Last updated” date at the top of the page reflects the latest revision.