Sparkly

< Back

Sparkly Privacy Policy

Effective Date: June 16, 2026  |  Last Updated: June 16, 2026

INTRODUCTION

This Privacy Policy explains how Sparkly, Inc. ("Sparkly," "we," "us," or "our"), a corporation incorporated in the State of Delaware, USA, and its Nigerian subsidiary, SPARKLYHQ LIMITED, collect, use, store, share, protect, and otherwise process your personal data when you access or use the Sparkly platform, including our website, mobile applications, and all related services (collectively, the "Platform").


For users located in Nigeria, SPARKLYHQ LIMITED acts as the Data Controller within the meaning of the Nigeria Data Protection Regulation 2019 (NDPR) and the Nigeria Data Protection Act 2023 (NDPA). For all other users, Sparkly, Inc. acts as the Data Controller. Both entities are committed to responsible and lawful data processing.


NDPR Notice: If you are located in Nigeria, your personal data is processed by SPARKLYHQ LIMITED as Data Controller in compliance with the NDPR and NDPA. You have specific rights under Nigerian data protection law, set out in Section 12 of this Policy.


By accessing or using the Platform, you acknowledge that you have read and understood this Privacy Policy. Where required by law, we will obtain your express consent before processing your personal data.


If you do not agree with this Privacy Policy, you must not use the Platform. For questions or concerns, please contact us at support@sparkly.so.

1. DEFINITIONS

The following definitions apply throughout this Privacy Policy:

  • "Personal Data" means any information relating to an identified or identifiable natural person, including name, email address, phone number, financial information, location data, device identifiers, and any other data that can identify you directly or indirectly.
  • "Data Controller" means the entity that determines the purposes and means of processing Personal Data. For Nigerian users: SPARKLYHQ LIMITED. For all other users: Sparkly, Inc.
  • "Data Processor" means a third party that processes Personal Data on behalf of, and under the instruction of, a Data Controller.
  • "Data Subject" means any living individual whose Personal Data is processed under this Policy — that is, you.
  • "Processing" means any operation performed on Personal Data, including collection, recording, storage, adaptation, retrieval, use, disclosure, dissemination, or deletion.
  • "Sensitive Personal Data" means special categories of Personal Data including health information, biometric data, financial data beyond standard transactional records, and other categories afforded heightened protection under applicable law.
  • "NDPR" means the Nigeria Data Protection Regulation 2019 and all amendments thereto, read together with the Nigeria Data Protection Act 2023.
  • "NDPC" means the Nigeria Data Protection Commission, the regulatory authority responsible for enforcing the NDPR.
  • "GDPR" means the General Data Protection Regulation (EU) 2016/679.
  • "CCPA" means the California Consumer Privacy Act (Cal. Civ. Code § 1798.100 et seq.).
  • "Cookies" means small data files stored on your device when you visit a website, used to remember information about you and your preferences.

2. ABOUT US — DUAL ENTITY STRUCTURE

Sparkly operates through two related legal entities:

  • Sparkly, Inc. — a corporation incorporated under the laws of the State of Delaware, USA. Sparkly, Inc. is the parent entity and the Data Controller for all users outside Nigeria.
  • SPARKLYHQ LIMITED — a company incorporated under the laws of the Federal Republic of Nigeria, and a wholly owned subsidiary of Sparkly, Inc. SPARKLYHQ LIMITED acts as the local Data Controller for Nigerian users pursuant to the NDPR and is registered with the Nigeria Data Protection Commission (NDPC).

Both entities operate the same Platform and are subject to this Privacy Policy. References to "Sparkly," "we," "us," or "our" refer to the applicable entity based on your location and how you access the Platform.

3. PERSONAL DATA WE COLLECT

3.1 Information You Provide Directly

  • Account Information: Name, email address, phone number, username, password, profile photograph, and biography when you register for an account.
  • Identity Verification (KYC): Government-issued photo identification, Bank Verification Number (BVN) for Nigerian users, proof of address, business registration documents, Tax Identification Number (TIN), and any other documents we request for regulatory compliance.
  • Payment & Financial Information: Bank account number, account name, and routing details for payouts. We do not store full payment card numbers — all card transactions are handled by our PCI-DSS compliant payment processors (Stripe and Flutterwave).
  • Creator Content: Products, descriptions, event details, challenge parameters, community information, and any other content you upload or create on the Platform.
  • Communications: Support requests, feedback, survey responses, customer service messages, and any other communications you direct to us.
  • Integration Data: Configuration details, membership settings, and community information related to third-party Integrations you connect (Telegram, WhatsApp, Slack, Discord).

3.2 Information We Collect Automatically

  • Usage Data: Pages and features visited, search queries, purchases made, interactions with communities, time and duration of sessions, and click patterns.
  • Transaction Data: Date, time, amount, currency, and outcome of each transaction; payment method used; IP address at the time of transaction; for recurring payments, last four digits of the payment card, card type, country of issue, and a tokenized payment reference.
  • Location Data: Approximate location derived from your IP address. More precise location data is only collected if you grant explicit permission through your device settings, which you may revoke at any time.
  • Log Data: Server logs, error reports, crash data, and system diagnostic information generated by your use of the Platform.

3.3 Information from Third Parties

  • Payment Processors: Transaction status, risk scores, and fraud prevention signals from Stripe and Flutterwave.
  • Identity Verification Providers: Verification outcomes from accredited KYC and AML screening services.
  • Integrated Platforms: Membership counts, community access events, and integration performance data from Telegram, WhatsApp, Slack, and Discord, to the extent permitted by those platforms.
  • Analytics Providers: Aggregated and pseudonymized usage and behavioral data from our analytics service providers.

3.4 Cookies & Tracking Technologies

We collect information through cookies and similar technologies. See Section 7 below for full details of how we use cookies and your choices regarding them.

4. HOW WE USE YOUR PERSONAL DATA

We use your Personal Data for the following purposes:

4.1 Providing & Operating the Platform

To create and manage your account; to authenticate your identity; to enable Creator and Member features; to process payments and facilitate payouts; to enable Integrations; to deliver Platform features, updates, and improvements; and to provide customer support.

4.2 Payments & Financial Operations

To process Member payments, credit Creator earnings to Wallets, facilitate payout withdrawals, detect and prevent fraudulent transactions, and comply with financial regulations and AML obligations.

4.3 Identity Verification & Regulatory Compliance

To verify your identity through KYC procedures; to comply with anti-money laundering (AML), counter-terrorism financing (CTF), and tax reporting obligations; and to report information to regulatory authorities as required by applicable law.

4.4 Safety & Security

To detect, investigate, and prevent fraud, abuse, policy violations, unauthorized access, and security incidents; to maintain and improve Platform security; and to protect the rights and safety of our Users and third parties.

4.5 Personalization & Recommendations

To personalize your Platform experience; to recommend relevant communities, products, events, and challenges; and to tailor Platform features to your preferences and usage patterns.

4.6 Communications

To send you transactional and service communications (account alerts, payment receipts, security notifications, subscription renewals); and where permitted by applicable law or with your consent, to send marketing communications about Sparkly features, promotions, and partner offerings. You may opt out of marketing communications at any time via the unsubscribe link or by adjusting your notification settings.

4.7 Analytics & Platform Improvement

To analyze how Users interact with the Platform; to conduct research; to test new features; and to improve the quality, performance, and functionality of our Services.

4.8 Legal Compliance & Enforcement

To comply with applicable laws and regulations; to respond to valid legal process, court orders, or government requests; and to enforce our Terms of Use and other policies.

5. LAWFUL BASIS FOR PROCESSING (NDPR & GDPR)

Where required by applicable law (including the NDPR for Nigerian users and the GDPR for EU/EEA users), we must identify a lawful basis for each category of processing. We rely on the following lawful bases:

  • Performance of a Contract: Processing that is necessary to provide you with the Platform and Services you have requested, including creating and managing your account, processing payments, facilitating Creator-Member transactions, and delivering integrations.
  • Compliance with a Legal Obligation: Processing that is required to fulfill our obligations under applicable law, including NDPR, AML and KYC regulations, tax laws, financial reporting obligations, and court orders.
  • Legitimate Interests: Processing for purposes that advance our legitimate business interests — including fraud prevention, Platform security, abuse detection, product analytics, and internal administration — provided such interests are not overridden by your fundamental rights and freedoms.
  • Consent: Where required by applicable law, we obtain your explicit, freely given, specific, informed, and unambiguous consent before processing your Personal Data, including for direct marketing communications and non-essential cookie usage. You may withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.
  • Vital Interests: In exceptional circumstances, we may process data to protect your vital interests or the vital interests of another person.

6. DATA MINIMIZATION & PURPOSE LIMITATION

In accordance with the NDPR and applicable data protection principles, we are committed to:

  • Collecting only the Personal Data that is necessary for the specific, defined purposes set out in this Privacy Policy (purpose limitation).
  • Not processing Personal Data for purposes incompatible with those for which it was collected, unless we have your consent or another lawful basis.
  • Regularly reviewing our data practices to ensure we are not retaining or processing data beyond what is necessary.

7. COOKIES & TRACKING TECHNOLOGIES

7.1 What We Use

We use cookies, web beacons, pixel tags, local storage, and similar tracking technologies to operate the Platform, recognize you across sessions, remember your preferences, analyze usage, and deliver relevant advertising.

7.2 Types of Cookies

  • Essential / Required Cookies: Necessary for the fundamental operation of the Platform, including session management, authentication, and security. These cookies cannot be disabled without impairing core Platform functionality.
  • Functional / Preference Cookies: Remember your settings and preferences (e.g., language selection, login details, display preferences) to provide a more personalized experience.
  • Analytics Cookies: Collect anonymized or pseudonymized data about how you use the Platform to help us understand user behavior and improve performance. Current analytics providers include: Google Analytics (Google LLC), Mixpanel (Mixpanel Inc.), and Cloudflare Analytics (Cloudflare Inc.).
  • Advertising / Marketing Cookies: Used to deliver personalized advertisements across the Platform and on third-party advertising networks, and to measure the effectiveness of campaigns. Where required by law, such cookies are only placed with your prior consent.

7.3 Your Cookie Choices

Upon your first visit to the Platform, we will present a cookie consent notice. You may:

  • Accept all cookies, including analytics and advertising cookies.
  • Accept only essential cookies (strictly necessary for Platform functionality).
  • Manage your cookie preferences individually through our cookie settings tool.

You may update your cookie preferences at any time through the Platform settings. You may also manage or delete cookies through your browser settings; however, disabling certain cookies may affect Platform functionality or your user experience.

7.4 Analytics Opt-Outs

To opt out of specific analytics services:

  • Google Analytics: Install the opt-out browser add-on at https://tools.google.com/dlpage/gaoptout
  • Cloudflare Analytics: See https://www.cloudflare.com/privacypolicy/

8. HOW WE SHARE YOUR PERSONAL DATA

We do not sell your Personal Data to third parties. We may share your Personal Data in the following circumstances:

8.1 With Creators

When you (as a Member) join a Creator's community, purchase a product, register for an Event, or participate in a Challenge, we share relevant profile information (such as your name, email address, and purchase details) with the Creator to enable them to deliver the purchased service and manage their community.

8.2 With Members

When you are a Creator, your public profile information (including your name, biography, and community details) is visible to Members and prospective Members of your community.

8.3 With Service Providers (Data Processors)

We share Personal Data with carefully vetted third-party service providers who assist us in operating and improving the Platform, including:

  • Payment processors: Stripe, Inc., Paystack Inc., and Flutterwave, Inc. (for payment processing and payout facilitation)
  • Identity verification and KYC providers (for regulatory compliance)
  • Cloud hosting and infrastructure providers
  • Analytics and monitoring services (Google Analytics, Cloudflare Analytics)
  • Email and communication service providers
  • Customer support and ticketing tools

All service providers are engaged under written data processing agreements that require them to process your Personal Data only as instructed by Sparkly, implement appropriate security measures, and not disclose your data to unauthorized parties.

8.4 With Integrated Platforms

When you connect a third-party Integration (Telegram, WhatsApp, Slack, Discord), we share configuration and membership access data with that Integrated Platform to enable and maintain the connection. Your data is also subject to the privacy policy of the relevant Integrated Platform.

8.5 For Legal Compliance & Protection

We may disclose your Personal Data where required or permitted by applicable law, including: to comply with a valid court order, subpoena, or other legal process; in response to a lawful request from a regulatory or government authority (including the NDPC, NITDA, or tax authorities); or where we believe disclosure is necessary to protect the rights, property, or safety of Sparkly, our Users, or the public.

8.6 Business Transfers

In connection with a merger, acquisition, restructuring, or sale of all or substantially all of our assets, your Personal Data may be transferred to the acquiring entity. We will provide you with notice of any such transfer before your data is transferred, and we will require the acquirer to honor the commitments in this Privacy Policy.

8.7 With Your Consent

We may share your Personal Data with other third parties for additional purposes not listed above if we have obtained your prior, explicit consent.

9. INTERNATIONAL DATA TRANSFERS

9.1 Cross-Border Transfers

Sparkly operates globally, and your Personal Data may be transferred to, stored in, and processed in countries other than the country in which you reside — including the United States, the European Economic Area, and other jurisdictions where our service providers maintain infrastructure.

9.2 Transfer Safeguards

Where we transfer Personal Data across borders, we implement appropriate safeguards to ensure that your data receives an adequate level of protection, including:

  • Standard Contractual Clauses (SCCs) approved by the European Commission (for EU/EEA-origin transfers);
  • Data processing agreements incorporating NDPR-compliant cross-border transfer provisions (for Nigeria-origin transfers);
  • Adequacy decisions or binding corporate rules where applicable; and
  • Other transfer mechanisms recognized under applicable law.

9.3 NDPR-Specific Requirements

For Personal Data originating in Nigeria, all cross-border transfers are conducted in accordance with Part III of the NDPR and the NDPA, including the requirement that recipient countries or organizations provide an adequate level of protection.

10. DATA RETENTION

10.1 General Principle

We retain your Personal Data only for as long as is necessary to fulfill the purposes for which it was collected, as set out in this Privacy Policy, unless a longer retention period is required or permitted by applicable law.

10.2 Account Data

Account information is retained for the duration your account is active. Following account deletion or deactivation, we retain certain account data for a period of up to seven (7) years to comply with financial, tax, and regulatory reporting obligations, and for fraud prevention and dispute resolution purposes.

10.3 Transaction & Financial Data

Payment records, transaction histories, and financial data are retained for a minimum of seven (7) years following the relevant transaction in compliance with applicable financial regulations, accounting standards, and tax laws.

10.4 KYC & Identity Data

Identity verification records are retained for the period required by applicable AML and KYC regulations — typically five (5) to seven (7) years after the end of your relationship with us.

10.5 Usage & Analytics Data

Aggregated and anonymized usage and analytics data that cannot be used to identify you may be retained indefinitely for Platform improvement and research purposes.

10.6 Post-Deletion Retention

Even after you request deletion of your account or Personal Data, we may retain certain information where: required by applicable law or regulation; necessary to prevent fraud or abuse; necessary to resolve outstanding disputes or enforce our agreements; or to satisfy the retention periods specified above. We will inform you of any data that cannot be immediately deleted and the reason for its continued retention.

11. DATA SECURITY

11.1 Security Measures

We implement appropriate technical, administrative, and organizational security measures designed to protect your Personal Data from unauthorized access, accidental loss, destruction, disclosure, alteration, or misuse. These measures include, without limitation:

  • Encryption of data in transit using Transport Layer Security (TLS/SSL);
  • Encryption of sensitive data at rest;
  • Role-based access controls limiting data access to authorized personnel on a need-to-know basis;
  • Secure, access-controlled server infrastructure;
  • Regular security assessments, penetration testing, and vulnerability monitoring;
  • Employee data protection training; and
  • Data processing agreements with all third-party service providers.

11.2 No Absolute Guarantee

Despite our rigorous security measures, no method of data transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security of your Personal Data. You acknowledge and accept the inherent security risks of providing information online.

11.3 Data Breach Notification

In the event of a personal data breach that is reasonably likely to result in harm to you or to others, we will:

  • notify the relevant data protection authority (including NITDA/NDPC in Nigeria and, where applicable, EU supervisory authorities) within 72 hours of becoming aware of the breach, as required by applicable law;
  • notify affected individuals without undue delay where the breach is likely to result in a high risk to your rights and freedoms; and
  • take prompt remedial action to contain the breach and mitigate its impact.

11.4 Your Responsibility

You are responsible for maintaining the security and confidentiality of your account credentials. We will never ask for your password via email or unsolicited communications. If you believe your account has been compromised, notify us immediately at support@sparkly.so.

12. YOUR DATA SUBJECT RIGHTS

12.1 Rights Under the NDPR (Nigerian Users)

Pursuant to the NDPR and the Nigeria Data Protection Act 2023, if you are located in Nigeria, you have the following rights in respect of your Personal Data:

  • Right of Access: To request a copy of the Personal Data we hold about you, and to receive information about how it is processed.
  • Right to Rectification: To request correction of inaccurate, incomplete, or outdated Personal Data.
  • Right to Erasure: To request deletion of your Personal Data where it is no longer necessary for the purpose for which it was collected, or where you have withdrawn consent and no other lawful basis applies.
  • Right to Restriction of Processing: To request that we restrict processing of your Personal Data in certain circumstances (e.g., while accuracy is disputed).
  • Right to Data Portability: To receive a copy of your Personal Data in a structured, commonly used, machine-readable format, and to transmit it to another controller where technically feasible.
  • Right to Object: To object to processing based on legitimate interests or for direct marketing purposes. Where you object to direct marketing, we will cease processing immediately.
  • Right to Withdraw Consent: To withdraw consent at any time where processing is based on consent, without affecting the lawfulness of processing conducted before withdrawal.

12.2 Rights Under the GDPR (EU/EEA Users)

If you are located in the EU or EEA, you have equivalent rights under the GDPR, including all rights described in Section 12.1 above. You also have the right to lodge a complaint with the data protection supervisory authority in your EU Member State.

12.3 Rights Under the CCPA (California Residents)

If you are a California resident, you have the following rights under the CCPA:

  • The right to know what Personal Data we collect, use, share, or sell about you (we do not sell Personal Data).
  • The right to request deletion of your Personal Data, subject to certain exceptions.
  • The right to opt out of the sale or sharing of your Personal Data for cross-context behavioral advertising (we do not sell Personal Data).
  • The right to non-discrimination: we will not discriminate against you for exercising your CCPA rights.
  • The right to designate an authorized agent to submit requests on your behalf, subject to verification requirements.

13. HOW TO EXERCISE YOUR RIGHTS

13.1 Submitting a Request

To exercise any of the rights described in Section 12, please:

  • Email us at support@sparkly.so with the subject line: "Data Subject Rights Request — [Your Name]"; or
  • Send a written request to us at the address listed in Section 17 (Contact Us).

13.2 Identity Verification

To protect your Personal Data and prevent unauthorized access, we may require you to verify your identity before processing your request.

13.3 Response Timeframes

We will acknowledge receipt of your request within 7 business days and provide a substantive response within the following timeframes:

  • General data subject requests (access, rectification, portability, objection): within 30 calendar days.
  • Data erasure requests: within 21 business days.
  • Urgent breach-related requests: within 72 hours.

13.4 Limitations on Requests

We may decline or limit requests in certain circumstances, including where: compliance is required by law; the request would adversely affect the rights of others; the request is manifestly unfounded or excessive; or the data is necessary to fulfill our ongoing contractual obligations to you. We will explain the reason for any refusal.

14. CHILDREN'S PRIVACY

The Platform is not directed to individuals under the age of 18 years. We do not knowingly collect, solicit, or process Personal Data from anyone under 18.

If you are a parent or legal guardian and believe that a child under 18 has provided us with Personal Data without your consent, please contact us immediately at support@sparkly.so, providing sufficient information for us to identify the relevant data. We will take prompt steps to delete such Personal Data from our systems.

Any account we discover to have been created by a person under 18 will be suspended and deleted, and any associated funds will be handled in accordance with applicable law.

15. THIRD-PARTY LINKS & SERVICES

The Platform may contain links to or integrations with third-party websites, applications, or services not owned or controlled by Sparkly, including our Integrated Platforms (Telegram, WhatsApp, Slack, and Discord). Sparkly has no control over and assumes no responsibility for the content, data practices, security, or privacy policies of any third-party site or service.

This Privacy Policy does not govern the data practices of any third-party website or service. We strongly encourage you to read the privacy policy of every third-party service you use, especially before sharing any Personal Data with them.

16. CHANGES TO THIS PRIVACY POLICY

We may update this Privacy Policy periodically to reflect changes in our data practices, Platform features, applicable law, or regulatory guidance. When we make changes, we will:

  • post the updated Privacy Policy on the Platform with a revised "Last Updated" date;
  • for material changes — those that significantly affect your rights or how we process your data — provide at least 14 days' advance notice via email to your registered address and/or a prominent notice on the Platform before the changes take effect; and
  • obtain fresh consent where required by applicable law for any material changes to the purposes or legal basis for processing your Personal Data.

Your continued use of the Platform after the effective date of a revised Privacy Policy constitutes your acceptance of the changes. If you do not agree with the updated Privacy Policy, you must cease using the Platform.

17. CONTACT US

For any questions, concerns, complaints, or requests relating to this Privacy Policy or our data practices, please contact us:

Sparkly, Inc. (United States):

Email: support@sparkly.so

Website: www.sparkly.so

SPARKLYHQ LIMITED (Nigeria):

Email: support@sparkly.so

Effective Date: June 16, 2026

By using Sparkly, you agree to this Privacy Policy

Help