GDPR Compliance

Last updated: April 10, 2026

Our Commitment

Sparkora is built from the ground up with data protection at its core. As a Luxembourg-based company, we fully comply with the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and are committed to safeguarding the personal data of our users, their employees, and their clients.

Key GDPR Principles We Follow

Lawfulness & Transparency

We process data only with a valid legal basis and clearly communicate how data is used.

Purpose Limitation

Data is collected for specified, explicit, and legitimate purposes only.

Data Minimization

We collect only the data that is necessary for the services we provide.

Storage Limitation

Personal data is retained only as long as necessary and securely deleted afterwards.

Data Portability

Export your complete data anytime in structured formats via built-in tools.

EU Data Residency

All data is stored and processed within the European Union. No transfers outside the EU.

Your Rights Under GDPR

As a data subject, you have comprehensive rights under the GDPR. Sparkora makes it easy to exercise these rights:

  1. Right of Access - Request a complete copy of all personal data we hold about you. Available via account settings or by contacting us.
  2. Right to Rectification - Update or correct any inaccurate personal data directly in the platform or by request.
  3. Right to Erasure - Request permanent deletion of your personal data. We will comply within 30 days, except where retention is legally required.
  4. Right to Restrict Processing - Request that we limit how we process your data in certain circumstances.
  5. Right to Data Portability - Export all your data in a structured, machine-readable format (Excel). Built into the platform with one-click export.
  6. Right to Object - Object to data processing based on legitimate interests or for direct marketing purposes.
  7. Right to Withdraw Consent - Where processing is based on consent, you may withdraw it at any time without affecting prior processing.

Technical and Organizational Measures

  • Encryption: AES-256 for data at rest, TLS 1.3 for data in transit
  • Access control: Role-based permissions (Owner, Manager, Employee) enforced at the application and database level
  • Authentication: Secure PIN-based and password authentication with session management
  • Audit logging: Comprehensive logs of data access and modifications for accountability
  • Regular security assessments: Periodic vulnerability scans and security reviews
  • Data backup: Encrypted backups with secure, EU-based storage
  • Incident response: Documented breach notification procedures compliant with the 72-hour GDPR reporting requirement

Data Processing Agreements

When Sparkora acts as a data processor on behalf of our clients (the data controllers), we enter into Data Processing Agreements (DPAs) that comply with Article 28 of the GDPR. Our standard DPA is available upon request for all paying customers.

Sub-processors

We use a limited number of sub-processors to provide the Service. All sub-processors are contractually bound to comply with GDPR requirements and process data only within the EU. A current list of sub-processors is available upon request.

Data Breach Notification

In the unlikely event of a personal data breach, Sparkora will:

  • Notify the relevant supervisory authority (CNPD - Commission Nationale pour la Protection des Données) within 72 hours of becoming aware of the breach
  • Notify affected data subjects without undue delay if the breach is likely to result in a high risk to their rights and freedoms
  • Document all breaches and remediation actions taken

Supervisory Authority

Our lead supervisory authority is the Luxembourg data protection authority:

CNPD - Commission Nationale pour la Protection des Données

15, Boulevard du Jazz, L-4370 Belvaux, Luxembourg

Website: cnpd.public.lu

Contact Our Data Protection Team

For any GDPR-related inquiries, data subject requests, or to report a concern:

Sparkora - Data Protection

Luxembourg, EU

Email: privacy@sparkora.lu

We respond to all data subject requests within 30 days.