AI & Data Policy Agreement

Please read this agreement carefully before accessing Xsparks AI applications. Your continued use constitutes acceptance of these terms.

📅 Effective: 28 June 2026 🌍 Scope: Global 📝 Version: 2.0

📋 AI & Data Policy Agreement

Please read this agreement carefully. By accessing Xsparks AI applications, you agree to the collection and processing of your data as described in the sections below. This agreement complies with applicable data protection laws across all regions where Xsparks operates.

1

About This Agreement

This AI & Data Policy Agreement ("Agreement") governs your access to and use of all artificial intelligence applications, tools, and services provided by Xsparks ("we," "us," or "our"). It describes how we collect, process, store, share, and protect your personal data, and discloses how our AI systems operate.

This Agreement is a legally binding contract between you and Xsparks. It is designed to comply with applicable data protection and AI governance laws across all regions where Xsparks operates, including but not limited to the European Union, United Kingdom, United States, Canada, Brazil, China, India, Singapore, Japan, and Australia.

⚠️ Important: If you do not agree to this Agreement, you may not access or use Xsparks AI applications. Accepting this Agreement does not waive any rights you hold under applicable law.
2

Who We Are (Data Controller)

Xsparks is the data controller responsible for your personal data processed through our AI applications.

For users in the European Economic Area (EEA) and United Kingdom, Xsparks acts as the data controller under the General Data Protection Regulation (GDPR) and UK GDPR respectively. Where we engage third-party AI infrastructure providers, those providers may act as data processors on our behalf under signed Data Processing Agreements (DPAs).

3

AI System Disclosure

🤖 You are interacting with AI. Xsparks applications use generative artificial intelligence (AI) powered by large language models (LLMs). You are not communicating with a human unless explicitly stated.

As required by the EU AI Act (Article 50, applicable from 2 August 2026), the UK AI governance framework, and equivalent regulations globally, we make the following disclosures:

What our AI does

Our AI applications use large language models to generate text-based responses to your inputs ("prompts"). The AI processes the content you submit, generates a response, and may use prior conversation context within a session to maintain continuity.

Limitations of AI

  • AI responses are generated probabilistically and may contain errors, inaccuracies, or outdated information.
  • AI outputs do not constitute professional advice (legal, medical, financial, or otherwise).
  • The AI may reflect biases present in its training data. We work to mitigate these but cannot guarantee bias-free outputs.
  • AI-generated content should always be reviewed by a human before use in consequential decisions.

Human oversight

Xsparks maintains human oversight of our AI systems through regular audits, output monitoring, and feedback mechanisms. No AI output will be used to make significant automated decisions about you without human review, except where you have explicitly requested automated processing.

AI-generated content labelling

In compliance with the EU AI Act Article 50 and applicable transparency laws, AI-generated content within Xsparks applications is clearly identified as AI-generated. Where outputs are shared publicly, we support content provenance standards.

4

Data We Collect

We collect only the minimum data necessary to provide and improve our services (data minimisation principle). The categories of data we may collect include:

Account Data

  • Name, email address, and password (hashed)
  • Organisation name and role (if applicable)
  • Payment and billing information (processed by a PCI-DSS compliant payment provider; we do not store raw card data)

AI Interaction Data

  • Prompts and inputs you submit to our AI applications
  • AI-generated responses within your session
  • Conversation history retained for session continuity (see Section 10 for retention periods)
  • Feedback you provide on AI outputs (thumbs up/down, ratings, comments)
⚠️ Sensitive Data Warning: Do not submit special category data (health, biometric, financial account credentials, passwords, government ID numbers, or data about children) to our AI applications unless we have explicitly enabled a feature designed for that purpose with appropriate safeguards.

Usage and Technical Data

  • Device type, browser, and operating system
  • IP address and approximate geographic region
  • Session timestamps, feature usage, and error logs
  • Performance and telemetry data

Communications Data

  • Support tickets, emails, and chat messages you send to Xsparks
  • Survey responses and product research participation (voluntary)
5

How We Use Your Data

We use your data for the following purposes:

  • Service delivery: Processing your inputs through AI models to generate responses; maintaining session continuity; displaying your conversation history.
  • Account management: Creating and maintaining your account; authentication and security.
  • Safety and trust: Detecting and preventing abuse, harmful content, fraud, and violations of our Acceptable Use Policy.
  • Service improvement: Analysing aggregated, de-identified usage patterns to improve AI model performance, UI/UX, and reliability. We do not use your personal conversation data to train AI models without your explicit opt-in consent.
  • Customer support: Responding to your enquiries and resolving issues.
  • Legal compliance: Meeting our obligations under applicable laws, responding to lawful requests, and asserting or defending legal claims.
  • Communications: Sending service notifications, security alerts, and (where consented) marketing communications.
📌 No selling of data: Xsparks does not sell your personal data to third parties. We do not use your data for third-party advertising targeting.
6

Lawful Basis for Processing

Under the GDPR, UK GDPR, and equivalent frameworks, we rely on the following lawful bases:

PurposeLawful Basis
Providing the AI service (processing prompts, generating responses)Contract Performance of contract with you
Account creation and managementContract Performance of contract with you
Safety monitoring and abuse preventionLegitimate Interests Protecting users and our platform
Service analytics (aggregated, de-identified)Legitimate Interests Improving our services
AI model training using your conversationsConsent Explicit opt-in only
Marketing communicationsConsent Opt-in, withdrawable at any time
Legal obligations (tax, court orders, regulators)Legal Obligation Compliance with law

For users in California (USA), our processing is governed by CCPA/CPRA and we do not share personal information for cross-context behavioural advertising. For Canadian users, processing is based on meaningful consent under PIPEDA. For Brazilian users, we process data under applicable LGPD legal bases.

7

Automated Processing & Profiling

Xsparks AI applications involve automated processing by nature — your inputs are processed by AI models without a human reviewing each individual message in real time.

Decisions affecting you

We do not use automated processing to make legally significant or similarly significant decisions about you (such as employment decisions, credit assessments, or denial of services) without human review. This is consistent with your rights under GDPR Article 22, CCPA, and equivalent laws.

Content safety

Automated classifiers may flag content that violates our Acceptable Use Policy. Human reviewers assess any resulting account actions (such as warnings or suspensions).

Your right to object

You have the right to request human review of any automated decision that affects you. To exercise this right, contact [email protected].

8

Data Sharing & Third Parties

We share your data only as described below and never sell it to third parties.

AI infrastructure providers

Our AI applications are powered by third-party large language model providers. Your prompts and conversation data may be transmitted to these providers for processing. All providers are bound by Data Processing Agreements (DPAs) and are prohibited from using your data for their own model training purposes.

Service providers (processors)

We engage vetted third-party processors for: cloud hosting and storage, payment processing, customer support tooling, email delivery, and security monitoring. These processors act only on our documented instructions.

Business transfers

In the event of a merger, acquisition, or sale of assets, your data may be transferred to the successor entity, subject to equivalent privacy protections. You will be notified in advance.

Legal disclosures

We may disclose data to law enforcement, regulators, or courts when required by law, legal process, or to protect the safety of users and the public. We will notify you of such disclosures unless legally prohibited from doing so.

📋 Sub-processors: A current list of our sub-processors and AI infrastructure providers is available at [email protected] upon request.
9

International Data Transfers

Xsparks operates globally. Your data may be transferred to and processed in countries outside your country of residence, including countries that may have different data protection standards.

We ensure appropriate safeguards for all international transfers, including:

  • EU/EEA data: Standard Contractual Clauses (SCCs) as approved by the European Commission, adequacy decisions where applicable.
  • UK data: International Data Transfer Agreements (IDTAs) or addendums to EU SCCs approved by the UK ICO.
  • China (PIPL): Standard Contracts for cross-border transfers as required by China's Personal Information Protection Law, including security assessments where mandated.
  • Brazil (LGPD): Standard contractual clauses or equivalent mechanisms approved by the ANPD.
  • Other regions: Equivalent appropriate safeguards required by local law.

You may request a copy of the transfer mechanisms applicable to your data by contacting [email protected].

10

Data Retention

We retain your data only for as long as necessary for the purposes described in this Agreement or as required by law.

Data TypeRetention Period
Account dataDuration of your account + 2 years after closure
AI conversation history90 days by default; configurable in account settings
Usage and technical logs13 months (for security and analytics)
Payment records7 years (legal/tax obligation)
Support communications3 years from resolution
Safety incident records5 years (legal basis: legitimate interests / legal obligation)
Deleted account dataFully purged within 30 days of verified deletion request

You can delete your conversation history at any time from your account settings. Upon account deletion, your personal data is removed from active systems within 30 days and from backup systems within 90 days.

11

Your Rights

Depending on your location, you have the following rights regarding your personal data. We honour all applicable rights regardless of where you are based.

RightGDPR / UKCCPA (CA)LGPD (BR)PIPL (CN)PDPA (SG)
Access — obtain a copy of your data
Rectification — correct inaccurate data
Erasure — request deletion
Portability — receive data in machine-readable format
Restriction — limit processing
Object — object to processing
Withdraw consent — at any time
Non-discrimination (opt-out without penalty)
Automated decision review
Lodge a complaint with supervisory authority

How to exercise your rights: Submit a request to [email protected]. We will respond within 30 days (GDPR: 1 month; CCPA: 45 days; PIPL: 15 days). We may need to verify your identity before processing your request.

California residents (CCPA/CPRA): You have the right to opt out of the "sharing" of personal information for cross-context behavioural advertising. To opt out, contact [email protected] or visit your account Privacy Settings. We do not sell personal information.
12

Children's Data

Xsparks AI applications are not directed at children under the age of 18 (or the applicable age of digital consent in your jurisdiction, whichever is higher).

We do not knowingly collect personal data from minors. If we become aware that we have inadvertently collected data from a minor, we will delete it promptly. If you believe a minor has submitted data to our services, please contact [email protected] immediately.

Applicable age thresholds in key jurisdictions: EU/UK (16, or 13–16 at member state discretion), USA (13 under COPPA, 16 under CCPA for opt-in consent), Brazil (12), China (14 with parental consent requirements).

13

Security

We implement technical and organisational measures to protect your data against unauthorised access, loss, or disclosure, including:

  • Encryption of data in transit (TLS 1.2+) and at rest (AES-256)
  • Access controls and role-based permissions for staff
  • Regular security audits and penetration testing
  • Incident response procedures and breach notification protocols
  • Staff training on data protection and AI-specific security risks

In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours (as required by GDPR and equivalent laws) and affected users without undue delay.

14

Applicable Laws by Jurisdiction

This Agreement is designed to comply with the following laws and frameworks. Where local law provides greater protections, those protections apply to you.

🇪🇺
GDPR + EU AI Act
European Union
General Data Protection Regulation & EU Artificial Intelligence Act (2024/1689)
🇬🇧
UK GDPR + DUA Act
United Kingdom
UK GDPR, Data Protection Act 2018 & Data (Use and Access) Act 2026
🇺🇸
CCPA / CPRA
California, USA
California Consumer Privacy Act & California Privacy Rights Act. 19 US state privacy laws also addressed.
🇨🇦
PIPEDA
Canada
Personal Information Protection and Electronic Documents Act
🇧🇷
LGPD
Brazil
Lei Geral de Proteção de Dados (General Data Protection Law)
🇨🇳
PIPL
China
Personal Information Protection Law (2021), including 2026 cross-border transfer framework
🇮🇳
DPDP Act
India
Digital Personal Data Protection Act 2023, Rules approved November 2025
🇸🇬
PDPA
Singapore
Personal Data Protection Act 2012 (amended 2021)
🇯🇵
APPI
Japan
Act on the Protection of Personal Information (amended 2022)
🇦🇺
Privacy Act 1988
Australia
Privacy Act 1988 (Cth) and Australian Privacy Principles (APPs)
🌏
PDPA (TH/MY)
Thailand & Malaysia
Thailand PDPA (2019) and Malaysia PDPA (2010, amended 2025)
🌍
Additional
144+ Countries
We monitor and comply with emerging data protection laws across all jurisdictions we operate in.
15

Changes to This Agreement

We may update this Agreement to reflect changes in our practices, services, or applicable law. When we make material changes, we will:

  • Update the "Effective Date" at the top of this page
  • Notify you by email at least 30 days before the changes take effect (for material changes)
  • Display a prominent notice in the Xsparks application
  • Require renewed acceptance for changes that significantly affect your rights or our data processing

Your continued use of Xsparks AI applications after the effective date of non-material changes constitutes acceptance of those changes. For material changes, your explicit re-acceptance will be required.

16

Contact & Data Protection Officer

For any questions, concerns, or to exercise your rights under this Agreement, please contact us:

Supervisory Authorities

You have the right to lodge a complaint with your local data protection authority. Key authorities include:

  • EU: Your national Data Protection Authority (DPA); edpb.europa.eu
  • UK: Information Commissioner's Office (ICO); ico.org.uk
  • USA (CA): California Privacy Protection Agency (CPPA)
  • Brazil: Autoridade Nacional de Proteção de Dados (ANPD)
  • India: Data Protection Board of India
  • Singapore: Personal Data Protection Commission (PDPC)
Response times: We aim to respond to all privacy enquiries within 5 business days, and will resolve data subject requests within the statutory deadlines required by applicable law (generally 30 days for GDPR, 45 days for CCPA, 15 days for PIPL).

📌 Summary

This AI & Data Policy Agreement is effective as of 28 June 2026 and applies globally. For questions or to exercise your data rights, contact [email protected] or our Data Protection Officer at [email protected].