About This Agreement
This AI & Data Policy Agreement ("Agreement") governs your access to and use of all artificial intelligence applications, tools, and services provided by Xsparks ("we," "us," or "our"). It describes how we collect, process, store, share, and protect your personal data, and discloses how our AI systems operate.
This Agreement is a legally binding contract between you and Xsparks. It is designed to comply with applicable data protection and AI governance laws across all regions where Xsparks operates, including but not limited to the European Union, United Kingdom, United States, Canada, Brazil, China, India, Singapore, Japan, and Australia.
Who We Are (Data Controller)
Xsparks is the data controller responsible for your personal data processed through our AI applications.
- Company: Xsparks (xsparks.ai)
- Contact Email: [email protected]
- DPO / Privacy Contact: [email protected]
For users in the European Economic Area (EEA) and United Kingdom, Xsparks acts as the data controller under the General Data Protection Regulation (GDPR) and UK GDPR respectively. Where we engage third-party AI infrastructure providers, those providers may act as data processors on our behalf under signed Data Processing Agreements (DPAs).
AI System Disclosure
As required by the EU AI Act (Article 50, applicable from 2 August 2026), the UK AI governance framework, and equivalent regulations globally, we make the following disclosures:
What our AI does
Our AI applications use large language models to generate text-based responses to your inputs ("prompts"). The AI processes the content you submit, generates a response, and may use prior conversation context within a session to maintain continuity.
Limitations of AI
- AI responses are generated probabilistically and may contain errors, inaccuracies, or outdated information.
- AI outputs do not constitute professional advice (legal, medical, financial, or otherwise).
- The AI may reflect biases present in its training data. We work to mitigate these but cannot guarantee bias-free outputs.
- AI-generated content should always be reviewed by a human before use in consequential decisions.
Human oversight
Xsparks maintains human oversight of our AI systems through regular audits, output monitoring, and feedback mechanisms. No AI output will be used to make significant automated decisions about you without human review, except where you have explicitly requested automated processing.
AI-generated content labelling
In compliance with the EU AI Act Article 50 and applicable transparency laws, AI-generated content within Xsparks applications is clearly identified as AI-generated. Where outputs are shared publicly, we support content provenance standards.
Data We Collect
We collect only the minimum data necessary to provide and improve our services (data minimisation principle). The categories of data we may collect include:
Account Data
- Name, email address, and password (hashed)
- Organisation name and role (if applicable)
- Payment and billing information (processed by a PCI-DSS compliant payment provider; we do not store raw card data)
AI Interaction Data
- Prompts and inputs you submit to our AI applications
- AI-generated responses within your session
- Conversation history retained for session continuity (see Section 10 for retention periods)
- Feedback you provide on AI outputs (thumbs up/down, ratings, comments)
Usage and Technical Data
- Device type, browser, and operating system
- IP address and approximate geographic region
- Session timestamps, feature usage, and error logs
- Performance and telemetry data
Communications Data
- Support tickets, emails, and chat messages you send to Xsparks
- Survey responses and product research participation (voluntary)
How We Use Your Data
We use your data for the following purposes:
- Service delivery: Processing your inputs through AI models to generate responses; maintaining session continuity; displaying your conversation history.
- Account management: Creating and maintaining your account; authentication and security.
- Safety and trust: Detecting and preventing abuse, harmful content, fraud, and violations of our Acceptable Use Policy.
- Service improvement: Analysing aggregated, de-identified usage patterns to improve AI model performance, UI/UX, and reliability. We do not use your personal conversation data to train AI models without your explicit opt-in consent.
- Customer support: Responding to your enquiries and resolving issues.
- Legal compliance: Meeting our obligations under applicable laws, responding to lawful requests, and asserting or defending legal claims.
- Communications: Sending service notifications, security alerts, and (where consented) marketing communications.
Lawful Basis for Processing
Under the GDPR, UK GDPR, and equivalent frameworks, we rely on the following lawful bases:
| Purpose | Lawful Basis |
|---|---|
| Providing the AI service (processing prompts, generating responses) | Contract Performance of contract with you |
| Account creation and management | Contract Performance of contract with you |
| Safety monitoring and abuse prevention | Legitimate Interests Protecting users and our platform |
| Service analytics (aggregated, de-identified) | Legitimate Interests Improving our services |
| AI model training using your conversations | Consent Explicit opt-in only |
| Marketing communications | Consent Opt-in, withdrawable at any time |
| Legal obligations (tax, court orders, regulators) | Legal Obligation Compliance with law |
For users in California (USA), our processing is governed by CCPA/CPRA and we do not share personal information for cross-context behavioural advertising. For Canadian users, processing is based on meaningful consent under PIPEDA. For Brazilian users, we process data under applicable LGPD legal bases.
Automated Processing & Profiling
Xsparks AI applications involve automated processing by nature — your inputs are processed by AI models without a human reviewing each individual message in real time.
Decisions affecting you
We do not use automated processing to make legally significant or similarly significant decisions about you (such as employment decisions, credit assessments, or denial of services) without human review. This is consistent with your rights under GDPR Article 22, CCPA, and equivalent laws.
Content safety
Automated classifiers may flag content that violates our Acceptable Use Policy. Human reviewers assess any resulting account actions (such as warnings or suspensions).
Your right to object
You have the right to request human review of any automated decision that affects you. To exercise this right, contact [email protected].
Data Sharing & Third Parties
We share your data only as described below and never sell it to third parties.
AI infrastructure providers
Our AI applications are powered by third-party large language model providers. Your prompts and conversation data may be transmitted to these providers for processing. All providers are bound by Data Processing Agreements (DPAs) and are prohibited from using your data for their own model training purposes.
Service providers (processors)
We engage vetted third-party processors for: cloud hosting and storage, payment processing, customer support tooling, email delivery, and security monitoring. These processors act only on our documented instructions.
Business transfers
In the event of a merger, acquisition, or sale of assets, your data may be transferred to the successor entity, subject to equivalent privacy protections. You will be notified in advance.
Legal disclosures
We may disclose data to law enforcement, regulators, or courts when required by law, legal process, or to protect the safety of users and the public. We will notify you of such disclosures unless legally prohibited from doing so.
International Data Transfers
Xsparks operates globally. Your data may be transferred to and processed in countries outside your country of residence, including countries that may have different data protection standards.
We ensure appropriate safeguards for all international transfers, including:
- EU/EEA data: Standard Contractual Clauses (SCCs) as approved by the European Commission, adequacy decisions where applicable.
- UK data: International Data Transfer Agreements (IDTAs) or addendums to EU SCCs approved by the UK ICO.
- China (PIPL): Standard Contracts for cross-border transfers as required by China's Personal Information Protection Law, including security assessments where mandated.
- Brazil (LGPD): Standard contractual clauses or equivalent mechanisms approved by the ANPD.
- Other regions: Equivalent appropriate safeguards required by local law.
You may request a copy of the transfer mechanisms applicable to your data by contacting [email protected].
Data Retention
We retain your data only for as long as necessary for the purposes described in this Agreement or as required by law.
| Data Type | Retention Period |
|---|---|
| Account data | Duration of your account + 2 years after closure |
| AI conversation history | 90 days by default; configurable in account settings |
| Usage and technical logs | 13 months (for security and analytics) |
| Payment records | 7 years (legal/tax obligation) |
| Support communications | 3 years from resolution |
| Safety incident records | 5 years (legal basis: legitimate interests / legal obligation) |
| Deleted account data | Fully purged within 30 days of verified deletion request |
You can delete your conversation history at any time from your account settings. Upon account deletion, your personal data is removed from active systems within 30 days and from backup systems within 90 days.
Your Rights
Depending on your location, you have the following rights regarding your personal data. We honour all applicable rights regardless of where you are based.
| Right | GDPR / UK | CCPA (CA) | LGPD (BR) | PIPL (CN) | PDPA (SG) |
|---|---|---|---|---|---|
| Access — obtain a copy of your data | ✓ | ✓ | ✓ | ✓ | ✓ |
| Rectification — correct inaccurate data | ✓ | – | ✓ | ✓ | ✓ |
| Erasure — request deletion | ✓ | ✓ | ✓ | ✓ | – |
| Portability — receive data in machine-readable format | ✓ | ✓ | ✓ | ✓ | – |
| Restriction — limit processing | ✓ | – | ✓ | ✓ | – |
| Object — object to processing | ✓ | ✓ | ✓ | ✓ | – |
| Withdraw consent — at any time | ✓ | ✓ | ✓ | ✓ | ✓ |
| Non-discrimination (opt-out without penalty) | – | ✓ | – | – | – |
| Automated decision review | ✓ | – | ✓ | ✓ | – |
| Lodge a complaint with supervisory authority | ✓ | ✓ | ✓ | ✓ | ✓ |
How to exercise your rights: Submit a request to [email protected]. We will respond within 30 days (GDPR: 1 month; CCPA: 45 days; PIPL: 15 days). We may need to verify your identity before processing your request.
Children's Data
Xsparks AI applications are not directed at children under the age of 18 (or the applicable age of digital consent in your jurisdiction, whichever is higher).
We do not knowingly collect personal data from minors. If we become aware that we have inadvertently collected data from a minor, we will delete it promptly. If you believe a minor has submitted data to our services, please contact [email protected] immediately.
Applicable age thresholds in key jurisdictions: EU/UK (16, or 13–16 at member state discretion), USA (13 under COPPA, 16 under CCPA for opt-in consent), Brazil (12), China (14 with parental consent requirements).
Security
We implement technical and organisational measures to protect your data against unauthorised access, loss, or disclosure, including:
- Encryption of data in transit (TLS 1.2+) and at rest (AES-256)
- Access controls and role-based permissions for staff
- Regular security audits and penetration testing
- Incident response procedures and breach notification protocols
- Staff training on data protection and AI-specific security risks
In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours (as required by GDPR and equivalent laws) and affected users without undue delay.
Applicable Laws by Jurisdiction
This Agreement is designed to comply with the following laws and frameworks. Where local law provides greater protections, those protections apply to you.
Changes to This Agreement
We may update this Agreement to reflect changes in our practices, services, or applicable law. When we make material changes, we will:
- Update the "Effective Date" at the top of this page
- Notify you by email at least 30 days before the changes take effect (for material changes)
- Display a prominent notice in the Xsparks application
- Require renewed acceptance for changes that significantly affect your rights or our data processing
Your continued use of Xsparks AI applications after the effective date of non-material changes constitutes acceptance of those changes. For material changes, your explicit re-acceptance will be required.
Contact & Data Protection Officer
For any questions, concerns, or to exercise your rights under this Agreement, please contact us:
- General privacy enquiries: [email protected]
- Data Protection Officer (DPO): [email protected]
- Website: xsparks.ai
Supervisory Authorities
You have the right to lodge a complaint with your local data protection authority. Key authorities include:
- EU: Your national Data Protection Authority (DPA); edpb.europa.eu
- UK: Information Commissioner's Office (ICO); ico.org.uk
- USA (CA): California Privacy Protection Agency (CPPA)
- Brazil: Autoridade Nacional de Proteção de Dados (ANPD)
- India: Data Protection Board of India
- Singapore: Personal Data Protection Commission (PDPC)