Privacy Policy
Last updated: 21 April 2026 · Controller: Spark Koçluk Danışmanlık A.Ş. (“Spark”, “we”, “us”) operating the Sparkus platform. Non-English versions are provided for convenience; if a meaning differs, the English version prevails for contractual interpretation unless mandatory local law requires otherwise.
Choose a language. Use arrow keys while a tab is focused to move between languages.
1. Scope and data controller
This Privacy Policy describes how Spark Koçluk Danışmanlık A.Ş., operating the Sparkus leadership development platform (the “Service”), processes personal data when you visit our websites, authenticate, participate in programs, use coaching or mentoring features, integrations (such as calendars or video), or otherwise interact with Sparkus.
Controller: Spark Koçluk Danışmanlık A.Ş., Turkey. Product / brand: Sparkus. Privacy contact: privacy@sparkus.com · General support: support@sparkus.com.
2. Definitions
- Personal data — information relating to an identified or identifiable natural person.
- Processing — any operation performed on personal data (collection, storage, use, disclosure, erasure, etc.).
- Data subject — the individual to whom personal data relates (for example, you).
- Processor — a party that processes personal data on our instructions (for example, a hosting provider).
- Customer / organisation — the company or institution that subscribes to Sparkus and may invite you as a participant.
3. Categories of personal data we process
Depending on how you use the Service, we may process:
- Identity and contact data: name, email address, telephone number, job title, employer, locale and time zone.
- Account and security data: user identifiers, authentication events, password reset tokens, session data, audit logs.
- Programme and learning data: goals, reflections, assessments, forms, exercises, feedback, competency ratings, progress metadata.
- Collaboration data: messages, notes, handshake or matching preferences, session scheduling, attendance, recordings metadata (where applicable).
- Technical and usage data: IP address, device type, browser, approximate location derived from IP, diagnostics, performance metrics, error reports.
- Integration data: calendar availability or event metadata when you connect Google Calendar or similar integrations; identifiers from SSO providers.
- Support and correspondence: content you send to support or surveys you complete.
We avoid collecting special categories of data (for example, health data) unless your organisation explicitly configures fields that capture such information and a lawful basis exists. If you are unsure, contact your programme administrator.
4. Purposes and legal bases (GDPR Article 6)
Where the GDPR applies, we rely on one or more of the following legal bases:
| Purpose | Typical legal basis |
|---|---|
| Providing accounts, authentication, core platform features | Performance of a contract; legitimate interests in secure delivery |
| Operating programmes on behalf of your organisation | Contract; legitimate interests of your organisation and ours in delivering workplace learning |
| Product analytics, reliability, abuse prevention, security monitoring | Legitimate interests (balanced against your rights) |
| Communications strictly necessary for the Service | Contract; legitimate interests |
| Optional marketing communications | Consent (where required) |
| Legal claims, regulatory requests, compliance | Legal obligation; legitimate interests |
When we act as a processor on behalf of your organisation (for example, for enterprise deployments), your organisation is the controller for much of the programme data and determines purposes; we process such data under contract and documented instructions.
5. Cookies and similar technologies
We use cookies and similar technologies that are strictly necessary for operation (for example, session and security cookies), preference storage where enabled, and analytics where configured. You can control non-essential cookies through your browser settings; disabling certain cookies may limit functionality.
6. Recipients, subprocessors, and international transfers
We share personal data with:
- Infrastructure and hosting providers that store or process data on our behalf.
- Communications and productivity tools (for example, email delivery, calendar or meeting integrations).
- Analytics and observability partners where enabled (subject to configuration and contract).
- Professional advisers where legally required.
- Your organisation and authorised coaches, mentors, or administrators as configured in the Service.
Your personal data may be processed in the European Economic Area, the United Kingdom, Turkey, the United States, and other countries where we or our subprocessors operate. Where required, we implement appropriate safeguards such as Standard Contractual Clauses (SCCs), the UK International Data Transfer Agreement, or adequacy decisions.
7. Retention
We retain personal data only as long as necessary for the purposes described in this notice, including to satisfy legal, accounting, or reporting requirements. Retention periods may depend on your organisation’s programme settings, statutory limitation periods, and technical backup cycles. When data is no longer required, we delete or irreversibly anonymise it in line with our retention schedule.
8. Security
We implement appropriate technical and organisational measures designed to protect personal data against accidental loss, unauthorised access, alteration, or disclosure. No method of transmission over the Internet is completely secure; we encourage you to use strong passwords and protect your credentials.
9. Your rights
Subject to applicable law, you may have the right to:
- Access your personal data and receive a copy in a structured, commonly used format (data portability, where applicable).
- Rectify inaccurate data or complete incomplete data.
- Erase personal data in certain circumstances.
- Restrict processing or object to processing based on legitimate interests.
- Withdraw consent at any time, where processing is consent-based, without affecting the lawfulness of processing before withdrawal.
- Lodge a complaint with a supervisory authority in your country of residence, place of work, or place of an alleged infringement.
To exercise rights, contact privacy@sparkus.com. We may need to verify your identity. Where your organisation is the controller for certain programme data, we may redirect your request to that organisation.
10. Automated decision-making
We do not make solely automated decisions that produce legal or similarly significant effects about you unless explicitly disclosed in a separate notice and permitted by law.
11. Children
The Service is intended for professional and organisational use and is not directed at children under 16 (or the higher age required in your jurisdiction). If you believe we have collected data from a child without appropriate authority, contact us and we will take appropriate steps to delete it.
12. Links and third-party sites
The Service may contain links to third-party websites or services. This notice does not apply to those sites; please review their privacy policies.
13. Changes to this notice
We may update this Privacy Policy to reflect operational, legal, or regulatory changes. We will post the updated version with a revised “Last updated” date and, where changes are material, provide additional notice (for example, by email or in-product banner).
14. Supervisory authorities (EEA / UK examples)
You may contact your local supervisory authority. Non-exhaustive examples: in the Netherlands, the Autoriteit Persoonsgegevens; in Türkiye, the Kişisel Verileri Koruma Kurumu (KVKK); in Spain, the AEPD; in France, the CNIL; in Germany, your state data protection authority.