Privacy Policy

1. Scope and data controller

This Privacy Policy describes how Spark Koçluk Danışmanlık A.Ş., operating the Sparkus leadership development platform (the “Service”), processes personal data when you visit our websites, authenticate, participate in programs, use coaching or mentoring features, integrations (such as calendars or video), or otherwise interact with Sparkus.

Controller: Spark Koçluk Danışmanlık A.Ş., Turkey. Product / brand: Sparkus. Privacy contact: privacy@sparkus.com · General support: support@sparkus.com.

2. Definitions

• Personal data — information relating to an identified or identifiable natural person.
• Processing — any operation performed on personal data (collection, storage, use, disclosure, erasure, etc.).
• Data subject — the individual to whom personal data relates (for example, you).
• Processor — a party that processes personal data on our instructions (for example, a hosting provider).
• Customer / organisation — the company or institution that subscribes to Sparkus and may invite you as a participant.

3. Categories of personal data we process

Depending on how you use the Service, we may process:

• Identity and contact data: name, email address, telephone number, job title, employer, locale and time zone.
• Account and security data: user identifiers, authentication events, password reset tokens, session data, audit logs.
• Programme and learning data: goals, reflections, assessments, forms, exercises, feedback, competency ratings, progress metadata.
• Collaboration data: messages, notes, handshake or matching preferences, session scheduling, attendance, recordings metadata (where applicable).
• Technical and usage data: IP address, device type, browser, approximate location derived from IP, diagnostics, performance metrics, error reports.
• Integration data: calendar availability or event metadata when you connect Google Calendar or similar integrations; identifiers from SSO providers.
• Support and correspondence: content you send to support or surveys you complete.

We avoid collecting special categories of data (for example, health data) unless your organisation explicitly configures fields that capture such information and a lawful basis exists. If you are unsure, contact your programme administrator.

4. Google services and Google user data

This section supplements the rest of this Privacy Policy and is provided for transparency where you use Google as a sign-in provider or connect Google Calendar to Sparkus (the application operated by Spark Koçluk Danışmanlık A.Ş. under the Sparkus brand, including the portal at portal.sparkus.com). It describes how Sparkus accesses, uses, stores, and shares information received from Google’s APIs or OAuth services, in line with common requirements for Google API Services User Data Policy and OAuth app verification.

4.1 Sign-in with Google (authentication)

If your organisation enables Google sign-in, Google acts as an identity provider. With your consent during the Google OAuth flow, we may receive and store identifiers and profile elements that Google makes available for the scopes requested (typically including your email address, name, and profile picture URL, consistent with standard email and profile / OpenID Connect claims). We use this information solely to authenticate you, provision or link your Sparkus account, and keep your session secure.

4.2 Google Calendar (optional integration)

If you choose to connect Google Calendar (for example from coaching session or calendar settings where your role and tenant configuration allow it), we request the permissions needed for that integration. Depending on configuration, this may include access consistent with scopes such as calendar, calendar.events, and basic profile/email scopes used to identify the connected account. We use Google Calendar data only to provide scheduling and calendar features inside Sparkus—for example to read free/busy or availability where supported, and to create, update, or delete calendar events you or the Service initiate in connection with sessions or bookings. We do not use your Google Calendar data to build unrelated profiles about you outside the Service.

4.3 Storage, protection, and retention

Google-derived account fields and OAuth tokens (where applicable) are stored on our systems and protected using the technical and organisational measures described in Section 9 (Security) of this notice. We retain this data only for as long as needed for the purposes in this notice and as described in Section 8 (Retention), including to operate integrations until you or your administrator disconnects them or deletes the account. You may be able to revoke Sparkus’s access from your Google Account permissions; doing so may limit calendar or sign-in features until you reconnect or use another login method where available.

4.4 Sharing and onward transfers

We do not sell Google user data. We do not disclose Google user data to third parties for targeted advertising, personalised advertising, retargeting, data brokerage, creditworthiness or lending decisions, or similar unrelated purposes. We share Google-derived or calendar-related personal data only with subprocessors that help us host and operate the Service (for example cloud infrastructure), where required by law, or with your organisation and authorised roles (such as programme administrators or coaches) as reasonably needed to deliver the features you use—consistent with Section 7 (Recipients, subprocessors, and international transfers). Transfers outside your country may occur where our subprocessors operate; we use appropriate safeguards as described in that section.

4.5 Limited use and Workspace API data

Attestation: The use of raw or derived user data received from Google Workspace APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

We limit use of Google user data to providing and improving user-facing Sparkus functionality (including security, reliability, and abuse prevention for those features), and to meeting our legal obligations. We do not use Google user data for serving ads, selling data, or creating databases for unrelated marketing. Data obtained through Google Workspace APIs (including Google Calendar) is used only for the integration purposes described in this notice—for example scheduling, availability, and calendar events inside Sparkus. We do not use such data to develop, improve, or train generalized, foundational, or broad artificial intelligence or machine learning models; we do not retain it for those purposes; and we do not provide Workspace API-derived data to third-party AI or large language model providers for model training or improvement. Optional AI-assisted product features for other roles, where offered, do not use Google Calendar or other Workspace API data as described in Section 4.2. If our practices change, we will update this Privacy Policy and, where appropriate, obtain any additional consent or provide notice required by law or by Google’s policies.

5. Purposes and legal bases (GDPR Article 6)

Where the GDPR applies, we rely on one or more of the following legal bases:

Purpose	Typical legal basis
Providing accounts, authentication, core platform features	Performance of a contract; legitimate interests in secure delivery
Operating programmes on behalf of your organisation	Contract; legitimate interests of your organisation and ours in delivering workplace learning
Product analytics, reliability, abuse prevention, security monitoring	Legitimate interests (balanced against your rights)
Communications strictly necessary for the Service	Contract; legitimate interests
Optional marketing communications	Consent (where required)
Legal claims, regulatory requests, compliance	Legal obligation; legitimate interests

When we act as a processor on behalf of your organisation (for example, for enterprise deployments), your organisation is the controller for much of the programme data and determines purposes; we process such data under contract and documented instructions.

6. Cookies and similar technologies

We use cookies and similar technologies that are strictly necessary for operation (for example, session and security cookies), preference storage where enabled, and analytics where configured. You can control non-essential cookies through your browser settings; disabling certain cookies may limit functionality.

7. Recipients, subprocessors, and international transfers

We share personal data with:

• Infrastructure and hosting providers that store or process data on our behalf.
• Communications and productivity tools (for example, email delivery, calendar or meeting integrations).
• Analytics and observability partners where enabled (subject to configuration and contract).
• Professional advisers where legally required.
• Your organisation and authorised coaches, mentors, or administrators as configured in the Service.

Your personal data may be processed in the European Economic Area, the United Kingdom, Turkey, the United States, and other countries where we or our subprocessors operate. Where required, we implement appropriate safeguards such as Standard Contractual Clauses (SCCs), the UK International Data Transfer Agreement, or adequacy decisions.

8. Retention

We retain personal data only as long as necessary for the purposes described in this notice, including to satisfy legal, accounting, or reporting requirements. Retention periods may depend on your organisation’s programme settings, statutory limitation periods, and technical backup cycles. When data is no longer required, we delete or irreversibly anonymise it in line with our retention schedule.

9. Security

We implement appropriate technical and organisational measures designed to protect personal data against accidental loss, unauthorised access, alteration, or disclosure. No method of transmission over the Internet is completely secure; we encourage you to use strong passwords and protect your credentials.

10. Your rights

Subject to applicable law, you may have the right to:

• Access your personal data and receive a copy in a structured, commonly used format (data portability, where applicable).
• Rectify inaccurate data or complete incomplete data.
• Erase personal data in certain circumstances.
• Restrict processing or object to processing based on legitimate interests.
• Withdraw consent at any time, where processing is consent-based, without affecting the lawfulness of processing before withdrawal.
• Lodge a complaint with a supervisory authority in your country of residence, place of work, or place of an alleged infringement.

To exercise rights, contact privacy@sparkus.com. We may need to verify your identity. Where your organisation is the controller for certain programme data, we may redirect your request to that organisation.

11. Automated decision-making

We do not make solely automated decisions that produce legal or similarly significant effects about you unless explicitly disclosed in a separate notice and permitted by law.

12. Children

The Service is intended for professional and organisational use and is not directed at children under 16 (or the higher age required in your jurisdiction). If you believe we have collected data from a child without appropriate authority, contact us and we will take appropriate steps to delete it.

13. Links and third-party sites

The Service may contain links to third-party websites or services. This notice does not apply to those sites; please review their privacy policies.

14. Changes to this notice

We may update this Privacy Policy to reflect operational, legal, or regulatory changes. We will post the updated version with a revised “Last updated” date and, where changes are material, provide additional notice (for example, by email or in-product banner).

15. Supervisory authorities (EEA / UK examples)

You may contact your local supervisory authority. Non-exhaustive examples: in the Netherlands, the Autoriteit Persoonsgegevens; in Türkiye, the Kişisel Verileri Koruma Kurumu (KVKK); in Spain, the AEPD; in France, the CNIL; in Germany, your state data protection authority.

1. Toepassingsgebied en verwerkingsverantwoordelijke

Dit privacybeleid beschrijft hoe Spark Koçluk Danışmanlık A.Ş. (“wij”) persoonsgegevens verwerkt wanneer u het Sparkus-platform gebruikt (authenticatie, programma’s, coaching, integraties en ondersteuning). Contact privacy: privacy@sparkus.com.

2. Welke gegevens verwerken wij?

Onder meer: identiteits- en contactgegevens, account- en beveiligingsgegevens, programma- en leergegevens (doelen, formulieren, reflecties, beoordelingen), samenwerkingsgegevens (berichten, afspraken), technische gegevens (IP-adres, apparaat, browser, logboeken) en integratiegegevens (bijv. agenda-metadata via gekoppelde diensten).

3. Doelen en rechtsgronden (AVG)

Wij verwerken gegevens om de dienst te leveren en te beveiligen (uitvoering van een overeenkomst en gerechtvaardigd belang), om programma’s namens uw organisatie uit te voeren, voor ondersteuning, naleving van wettelijke verplichtingen en, waar vereist, op basis van toestemming voor optionele communicatie.

4. Bewaartermijnen en beveiliging

Wij bewaren gegevens niet langer dan nodig is voor de doeleinden, rekening houdend met wettelijke termijnen en instellingen van uw organisatie. Wij treffen passende technische en organisatorische maatregelen.

5. Doorgifte buiten de EER

Gegevens kunnen buiten uw land worden verwerkt. Waar nodig gebruiken wij passende waarborgen, zoals de Standaardcontractbepalingen van de Europese Commissie.

6. Uw rechten

U heeft rechten op inzage, rectificatie, verwijdering, beperking, bezwaar en gegevensoverdraagbaarheid (voor zover van toepassing), en het recht een klacht in te dienen bij de Autoriteit Persoonsgegevens of een andere toezichthouder.

7. Wijzigingen

Wij kunnen dit beleid bijwerken. De datum “Laatst bijgewerkt” bovenaan wijst op de actuele versie.

1. Kapsam ve veri sorumlusu

Bu Gizlilik Bildirimi, Spark Koçluk Danışmanlık A.Ş.’nin (“biz”) Sparkus liderlik geliştirme platformunu kullanırken kişisel verilerinizi nasıl işlediğini açıklar. Gizlilik iletişimi: privacy@sparkus.com.

2. İşlenen kişisel veri kategorileri

Kimlik ve iletişim bilgileri; hesap ve güvenlik verileri; program ve öğrenme içeriği (hedefler, formlar, geri bildirimler); iş birliği verileri (mesajlar, oturum planlama); teknik veriler (IP adresi, cihaz, tarayıcı, günlükler); entegrasyon verileri (ör. takvim meta verileri).

3. Amaçlar ve hukuki sebepler

Hizmeti sunmak ve güvence altına almak (sözleşmenin ifası ve meşru menfaat), kurumsal programları işletmek, destek sağlamak, yasal yükümlülüklere uymak ve gerektiğinde açık rızaya dayalı isteğe bağlı iletişimler.

4. Saklama ve güvenlik

Verileri amaçlar doğrultusunda ve yasal sürelere uygun süreyle saklarız; teknik ve idari güvenlik önlemleri uygularız.

5. Yurt dışına aktarım

Veriler Türkiye, AB/ABD/Birleşik Krallık ve alt işleyicilerin bulunduğu diğer ülkelerde işlenebilir. Gerekli hallerde KVKK ve GDPR çerçevesinde uygun güvenceler (ör. standart sözleşme maddeleri) kullanılır.

6. Haklarınız

KVKK ve GDPR kapsamında erişim, düzeltme, silme, işlemenin kısıtlanması, itiraz, veri taşınabilirliği (uygun olduğu ölçüde) ve başvuru hakkına sahip olabilirsiniz. Şikâyet için Kişisel Verileri Koruma Kurulu’na başvurabilirsiniz.

7. Güncellemeler

Bu bildirimi zaman zaman güncelleyebiliriz; önemli değişikliklerde ek bildirim sağlamaya çalışırız.

1. Ámbito y responsable del tratamiento

Este aviso describe cómo Spark Koçluk Danışmanlık A.Ş. trata datos personales cuando utiliza la plataforma Sparkus. Contacto de privacidad: privacy@sparkus.com.

2. Datos que tratamos

Datos identificativos y de contacto; datos de cuenta y seguridad; datos de programas y aprendizaje; datos de colaboración; datos técnicos (dirección IP, dispositivo, registros); datos de integraciones autorizadas (por ejemplo, metadatos de calendario).

3. Finalidades y bases legales (RGPD)

Prestación del servicio y seguridad (ejecución de contrato e interés legítimo), gestión de programas para su organización, soporte, cumplimiento legal y, en su caso, consentimiento para comunicaciones opcionales.

4. Conservación, seguridad y transferencias internacionales

Conservamos los datos el tiempo necesario y aplicamos medidas técnicas y organizativas apropiadas. Pueden existir transferencias internacionales con garantías adecuadas (por ejemplo, Cláusulas Contractuales Tipo).

5. Sus derechos

Puede ejercer derechos de acceso, rectificación, supresión, limitación, oposición y portabilidad cuando corresponda, y presentar reclamación ante una autoridad de control (por ejemplo, la AEPD en España).

6. Cambios

Podremos actualizar este aviso; la fecha de “Última actualización” indicará la versión vigente.

1. Geltungsbereich und Verantwortlicher

Diese Datenschutzerklärung erläutert, wie Spark Koçluk Danışmanlık A.Ş. personenbezogene Daten bei der Nutzung der Sparkus-Plattform verarbeitet. Datenschutzkontakt: privacy@sparkus.com.

2. Verarbeitete Datenkategorien

Identitäts- und Kontaktdaten, Konto- und Sicherheitsdaten, Programm- und Lerndaten, Kooperationsdaten, technische Daten (z. B. IP-Adresse, Gerät, Protokolle) sowie Integrationsdaten, sofern Sie Dienste verbinden.

3. Zwecke und Rechtsgrundlagen (DSGVO)

Bereitstellung und Absicherung der Plattform (Vertrag und berechtigtes Interesse), Durchführung von Programmen für Ihre Organisation, Support, gesetzliche Pflichten und – soweit erforderlich – Einwilligung für optionale Mitteilungen.

4. Speicherung, Sicherheit und Drittlandübermittlung

Wir speichern Daten nur so lange wie erforderlich und setzen angemessene technische und organisatorische Maßnahmen ein. Übermittlungen in Drittländer erfolgen mit geeigneten Garantien (z. B. EU-Standardvertragsklauseln), sofern erforderlich.

5. Ihre Rechte

Sie können Rechte auf Auskunft, Berichtigung, Löschung, Einschränkung, Widerspruch und Datenübertragbarkeit ausüben und sich bei einer Aufsichtsbehörde beschweren.

6. Änderungen

Wir können diese Erklärung aktualisieren; das Datum „Zuletzt aktualisiert“ zeigt die geltende Fassung.

1. Champ d’application et responsable du traitement

Cette politique décrit comment Spark Koçluk Danışmanlık A.Ş. traite les données personnelles lorsque vous utilisez la plateforme Sparkus. Contact confidentialité : privacy@sparkus.com.

2. Données traitées

Données d’identité et de contact ; données de compte et de sécurité ; données de programmes et d’apprentissage ; données de collaboration ; données techniques (adresse IP, appareil, journaux) ; données issues d’intégrations que vous activez.

3. Finalités et bases légales (RGPD)

Fourniture et sécurisation du service (exécution du contrat et intérêt légitime), exécution de programmes pour votre organisation, assistance, obligations légales et, le cas échéant, consentement pour des communications facultatives.

4. Conservation, sécurité et transferts

Nous conservons les données le temps nécessaire et appliquons des mesures techniques et organisationnelles appropriées. Des transferts hors EEE peuvent intervenir avec des garanties adaptées (clauses contractuelles types, etc.).

5. Vos droits

Vous pouvez exercer vos droits d’accès, de rectification, d’effacement, de limitation, d’opposition et à la portabilité, et introduire une réclamation auprès d’une autorité de contrôle (par exemple la CNIL en France).

6. Modifications

Nous pouvons mettre à jour cette politique ; la date de « Dernière mise à jour » indique la version en vigueur.