Privacy Policy

1. Who we are

GrowSmart is a product of Sparked Labs Ltd (“Sparked Labs”, “GrowSmart”, “we”, “us” or “our”). We provide an invite-only business-to-business platform that produces AI-generated market-entry and expansion intelligence — board-ready Go / No-Go verdicts on cities — for premium venue operators and the investors who back them.

This policy explains what personal data we collect, why we collect it, how we use and protect it, and the rights you have under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. Sparked Labs Ltd is the data controller for the personal data described here. It is registered in England and Wales (company number 17043339), with its registered office at 71-75 Shelton Street, Covent Garden, London WC2H 9JQ, United Kingdom. If you have any questions, contact us at hello@sparked-labs.com.

2. The data we collect

We collect a deliberately limited set of personal data:

• Enquiry details. When you request a demo or a paid pilot, or otherwise contact us, we collect the details you submit — typically your name, business email address, company, and the cities or markets you are evaluating.
• Account & authentication data. For invited app users, we process the email address and password you use to sign in. Authentication is handled by Supabase on our behalf; passwords are stored in hashed form and we never see them in plain text.
• Product analytics. We collect privacy-friendly, aggregate usage analytics through Vercel Analytics — for example, which pages are viewed and broad interaction patterns. These analytics are designed to be cookieless and do not build advertising profiles or track you across other sites.
• Service content. The cities you analyse and the resulting analyses are stored in a shared, cached analysis store so the platform can serve results quickly and consistently. This content is about markets and venues rather than individuals, but a record of the queries you run may be associated with your account.

We do not intentionally collect special category data, and we ask that you do not submit sensitive personal information through the platform or your enquiries.

3. How and why we use your data

• To respond to enquiries. We use your contact details to reply to demo and pilot requests, arrange and run demos, and correspond with you about your interest in GrowSmart.
• To provide and secure the service. We use account and authentication data to give invited users access to the platform, keep accounts secure, and prevent unauthorised use.
• To improve the product. We use aggregate analytics to understand how the platform is used, diagnose problems, and make GrowSmart more useful and reliable.
• To meet legal and operational needs. We may use data to maintain records, enforce our terms, and comply with legal obligations.

4. Legal bases for processing

Under UK GDPR we rely on one or more of the following legal bases:

• Legitimate interests. To respond to business enquiries, secure and improve the service, and understand aggregate usage — balanced against your interests and rights.
• Contract. To provide the platform to invited users and pilot customers under our agreement with them.
• Consent. Where consent is the appropriate basis — for example, certain optional communications — which you may withdraw at any time.
• Legal obligation. Where we must process data to comply with the law.

5. Cookies and analytics

GrowSmart is designed to use as few cookies as possible. We do not use advertising or cross-site tracking cookies.

• Vercel Analytics. Our product analytics are provided by Vercel Analytics, which is privacy-friendly and cookieless — it measures aggregate usage without identifying you individually.
• Authentication cookie. For signed-in app users only, Supabase sets a strictly necessary session cookie so you remain logged in as you move through the application. This cookie is essential to the service and is not used for advertising.

6. Sharing and sub-processors

We do not sell your personal data, and we never share it for third-party advertising. We share data only with trusted service providers who process it on our behalf, under contract, and solely to help us deliver GrowSmart:

• Supabase — authentication and the database that stores account data and the analysis cache.
• Vercel — application hosting and privacy-friendly product analytics.
• AI model providers — frontier AI providers that generate the analyses, grounded in live web data. We send them the city or market parameters of a query, not your authentication credentials.

We may also disclose data where required by law, to protect our rights, or in connection with a business transfer (such as a merger or acquisition), in which case this policy will continue to govern your data.

7. Data retention

We keep personal data only for as long as we need it for the purposes set out above. Enquiry details are retained for the duration of our discussions and for a reasonable period afterwards for record-keeping and follow-up. Account data is retained for as long as you have access to the platform and is deleted or anonymised after your access ends, subject to any legal retention requirements. Cached analyses are kept for a limited period to keep the service responsive and are refreshed or expired over time.

8. International transfers

Some of our service providers operate outside the United Kingdom, so your data may be transferred to and processed in other countries. Where we transfer personal data outside the UK, we rely on appropriate safeguards — such as the UK International Data Transfer Agreement, the UK Addendum to the EU Standard Contractual Clauses, or transfers to countries the UK has deemed adequate — to ensure your data remains protected.

9. Your rights

Under UK GDPR you have rights over your personal data, including the right to access a copy of it, to have inaccurate data rectified, to have data erased, to restrict or object to processing, and to data portability. Where we rely on consent, you may withdraw it at any time.

To exercise any of these rights, email us at hello@sparked-labs.com. We will respond within the timeframes required by law. You also have the right to lodge a complaint with the UK Information Commissioner’s Office (ICO) at ico.org.uk, though we would welcome the chance to address your concerns first.

10. Security

We take appropriate technical and organisational measures to protect personal data, including encrypted connections, access controls, invite-only access to the platform, and reputable infrastructure providers. No method of transmission or storage is completely secure, but we work to protect your data and to respond promptly to any incident.

11. Changes to this policy

We may update this policy from time to time to reflect changes in our practices or legal requirements. When we do, we will revise the “Effective date” above. Material changes will be communicated where appropriate. We encourage you to review this page periodically.

12. Contact us

For any privacy question or to exercise your data rights, contact Sparked Labs at hello@sparked-labs.com.