Privacy Policy
Effective Date: Jan 1, 2026
1. Introduction
Sparkhaus ("Company," "we," "us," or "our") provides a customer relationship management (CRM) platform designed for automotive businesses, including dealerships and related service providers. Our platform integrates with Dealer Management Systems (DMS) and other third-party tools to streamline operations, sales, and customer engagement.
This Privacy Policy explains how we collect, use, disclose, and safeguard personal information when you use our platform, services, and integrations (collectively, the "Services"). It is designed to comply with applicable privacy laws, including:
- The General Data Protection Regulation (EU) 2016/679 ("GDPR") and the UK GDPR
- The California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act ("CCPA/CPRA")
- Other U.S. state privacy laws, including the Virginia Consumer Data Protection Act (VCDPA), Colorado Privacy Act (CPA), Connecticut Data Privacy Act (CTDPA), Utah Consumer Privacy Act (UCPA), Texas Data Privacy and Security Act (TDPSA), and similar state laws as enacted
- The FTC Safeguards Rule, where applicable to dealership financing data
- Other applicable federal, state, and international privacy laws
2. Scope
This Privacy Policy applies to:
- Users of our CRM platform
- Automotive dealerships and businesses using our Services
- End customers whose information is processed through our platform on behalf of our clients
- Visitors to our websites and marketing properties
3. Roles and Responsibilities
Depending on the context, we act as:
- Data Processor / Service Provider / Contractor: When processing personal data on behalf of dealership clients under their instructions. Under the CCPA/CPRA, we operate as a "service provider" or "contractor" and do not sell or share personal information we process on behalf of clients for purposes outside the scope of the applicable contract.
- Data Controller / Business: For our own operational data (e.g., account management, billing, platform analytics, marketing of our Services).
We enter into Data Processing Agreements (DPAs) with clients where required under Article 28 GDPR and equivalent Service Provider / Contractor Agreements under the CCPA/CPRA and other U.S. state laws.
4. Categories of Personal Information We Collect
4.1 Information Provided by Clients (Controller/Business → Processor/Service Provider)
- Identifiers: Names, postal addresses, email addresses, phone numbers, account IDs, customer IDs
- Vehicle Information: VIN, make, model, year, purchase/lease history, service history
- Commercial Information: Purchase, financing, and transaction data; lease terms; service records
- Financial Information: Credit application data, loan/lease details
- Communications: Emails, SMS, call logs, chat transcripts, call recordings (where lawfully collected)
- Protected Classifications (as directly provided): e.g., age, marital status, where relevant to a transaction
4.2 Information Collected Automatically
- IP address, device identifiers, browser type, operating system
- Usage logs, activity data, and analytics
- Cookies, pixels, and similar tracking technologies
- Approximate geolocation (derived from IP)
4.3 Information from Integrations (e.g., DMS, OEM systems)
- Inventory and sales records
- Service and maintenance data
- Customer interaction, lead, and marketing data
- Inventory pricing, incentive, and OEM program data
4.4 Sensitive Personal Information (CCPA/CPRA)
To the extent we process the following on behalf of clients, we treat it as "sensitive personal information" under the CCPA/CPRA and as "sensitive data" under other U.S. state laws:
- Government-issued identifiers (e.g., driver's license numbers)
- Financial account information (e.g., credit application or loan data)
- Precise geolocation (only if provided by a client integration)
We do not use or disclose sensitive personal information for purposes other than those permitted under CCPA § 7027 (e.g., performing the Services, security, fraud prevention, and compliance with law).
5. Sources of Personal Information
We collect personal information from:
- Clients (dealerships and their authorized users)
- End customers (directly, via forms, chat, or phone, where integrated)
- Integration partners (DMS, OEM, marketing, and financing platforms)
- Service providers and subprocessors
- Automatic collection when users interact with our Services
6. Purposes of Processing / Business Purposes
We use personal information to:
- Provide, operate, maintain, and improve the CRM platform
- Enable integrations and data synchronization between systems
- Facilitate sales, service, marketing, and customer engagement workflows
- Provide customer and technical support
- Ensure platform performance, security, fraud prevention, and debugging
- Conduct internal research, analytics, and product development (using de-identified or aggregated data where feasible)
- Comply with legal obligations and enforce our agreements
- Support business transfers (see Section 8.5)
We process data on behalf of our clients in accordance with their instructions and applicable agreements.
7. Legal Bases for Processing (GDPR / UK GDPR)
Where GDPR or UK GDPR applies, we rely on the following legal bases:
- Performance of a contract (Art. 6(1)(b))
- Legitimate interests (Art. 6(1)(f)), balanced against data subject rights
- Compliance with legal obligations (Art. 6(1)(c))
- Consent (Art. 6(1)(a)), where required (e.g., non-essential cookies, certain marketing)
For U.S. processing, we rely on permissible business purposes as defined under the CCPA/CPRA and equivalent state laws.
8. How We Share and Disclose Personal Information
8.1 With Clients
Data is shared with the dealership or business that owns the customer relationship.
8.2 Service Providers and Subprocessors
We engage vetted third-party vendors, including:
- Cloud hosting and infrastructure providers
- Messaging providers (SMS/email)
- VOIP and telephony providers
- Analytics and monitoring providers
- Security and fraud prevention vendors
A current list of subprocessors is available upon request or via . Subprocessors are contractually bound by GDPR-compliant DPAs and CCPA-compliant Service Provider/Contractor Agreements that limit their use of personal information.
8.3 Integration Partners
Data may be shared with DMS providers, OEM systems, financing partners, and marketing platforms as directed by clients.
8.4 Legal Disclosures
We may disclose personal information where required by law, regulation, subpoena, court order, or other legal process, or to protect our rights, safety, or property.
8.5 Business Transfers
In connection with a merger, acquisition, financing, reorganization, or sale of assets, personal information may be transferred to the successor entity, subject to applicable law and confidentiality commitments.
8.6 "Sales" and "Sharing" of Personal Information (CCPA/CPRA)
We do not sell personal information for monetary consideration, and we do not "share" personal information for cross-context behavioral advertising as those terms are defined under the CCPA/CPRA. We have not knowingly sold or shared the personal information of minors under 16 in the preceding 12 months.
To the extent our marketing properties deploy third-party advertising cookies that could constitute "sharing" under CCPA/CPRA, users may opt out as described in Section 11.4.
8.7 Categories of Recipients (Prior 12 Months)
In the preceding 12 months, we have disclosed the categories of personal information described in Section 4 for the business purposes described in Section 6 to the categories of recipients described in Sections 8.1–8.3.
9. International Data Transfers
We may process and store data in the United States and other countries. Where personal data is transferred outside the EEA, UK, or Switzerland, we implement safeguards such as:
- Standard Contractual Clauses (SCCs) and the UK International Data Transfer Addendum
- Transfers to countries benefiting from an adequacy decision
- The EU-U.S. Data Privacy Framework and its UK/Swiss extensions, where we self-certify
- Additional technical and organizational safeguards where necessary (e.g., encryption, pseudonymization)
10. Data Retention
We retain personal information:
- For the duration of client contracts
- As instructed by clients (processor / service provider context)
- As necessary to provide the Services, enforce our agreements, and comply with legal obligations
- For limited periods in backup systems before secure deletion or anonymization
Clients control retention periods for data they provide, subject to contractual terms. Deletion or anonymization occurs upon request or contract termination, subject to legal obligations.
11. Your Privacy Rights
11.1 GDPR / UK GDPR Rights (Articles 12–22)
Individuals in the EEA, UK, or Switzerland have the right to:
- Access their personal data
- Rectify inaccurate data
- Erase data ("right to be forgotten")
- Restrict processing
- Object to processing (including direct marketing)
- Request data portability
- Withdraw consent at any time (where processing is based on consent)
- Lodge a complaint with a supervisory authority
11.2 California Rights (CCPA/CPRA)
California residents have the right to:
- Know what personal information we collect, use, disclose, sell, or share
- Access and receive a copy of their personal information (portability)
- Delete personal information, subject to exceptions
- Correct inaccurate personal information
- Opt out of the "sale" or "sharing" of personal information
- Limit the use and disclosure of sensitive personal information
- Not be discriminated against for exercising these rights
California residents may also request information under California's "Shine the Light" law (Cal. Civ. Code § 1798.83) regarding our disclosure of personal information to third parties for their direct marketing purposes.
11.3 Other U.S. State Rights
Residents of Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, and other states with comprehensive privacy laws may have rights similar to those above, including the right to access, correct, delete, obtain a portable copy, and opt out of targeted advertising, the sale of personal data, and certain profiling. Where applicable, consumers have the right to appeal a denial of a rights request.
11.4 How to Exercise Your Rights
Requests should generally be directed to the dealership or business that collected the data (they are typically the "controller" or "business"). We will assist clients in fulfilling these rights.
For requests concerning data we process as a controller/business, contact us at development@sparkhaus.com. You may also:
- Opt out of sales/sharing and limit use of sensitive personal information via our "Do Not Sell or Share My Personal Information" and "Limit the Use of My Sensitive Personal Information" links on our website
- Communicate opt-outs through Global Privacy Control (GPC) signals, which we honor where legally required
11.5 Response Timelines
We respond to verifiable consumer requests within the timeframes required by applicable law (generally 45 days under CCPA, extendable by 45 days; one month under GDPR, extendable by two months).
12. Data Protection Measures
Customer data is stored and processed in the Salesforce CRM platform, which provides enterprise-grade security controls and compliance certifications. Salesforce's handling of data is governed by its own privacy notice, available at https://www.salesforce.com/company/privacy/.
We implement appropriate technical and organizational measures under Article 32 GDPR, the FTC Safeguards Rule, and CCPA/CPRA reasonable security requirements, including:
- Encryption in transit and at rest
- Role-based access controls and authentication
- Audit logging and monitoring
- Regular security assessments, penetration testing, and vulnerability management
- Vendor security diligence
- Employee training and confidentiality obligations
- Incident response planning
However, no system is completely secure, and we cannot guarantee absolute security.
13. Data Breach Notification
In the event of a personal data breach, we:
- Notify affected clients without undue delay
- Assist clients in meeting their notification obligations under Articles 33–34 GDPR, state breach notification laws (e.g., Cal. Civ. Code § 1798.82), and FTC Safeguards Rule breach notification requirements (including the FTC's 30-day notification rule for qualifying events affecting 500+ consumers)
- Cooperate with regulators and law enforcement as required
14. Industry-Specific Compliance
Given our work with automotive dealerships and DMS systems, we support client compliance with regulations such as:
- FTC Safeguards Rule (16 CFR Part 314), including maintaining an information security program and assisting with required risk assessments
- State privacy laws (e.g., CCPA/CPRA, VCDPA, CPA, CTDPA, UCPA, TDPSA)
- Telephone Consumer Protection Act (TCPA) and CAN-SPAM Act compliance features, where relevant to outbound messaging workflows
Clients remain responsible for their own compliance obligations, including obtaining necessary consents from end customers.
15. Data Protection Impact Assessments (DPIAs)
We support clients in conducting DPIAs (Art. 35 GDPR) and data protection assessments under U.S. state privacy laws (e.g., VCDPA, CPA) where required, particularly for large-scale processing, targeted advertising, profiling, or processing of sensitive data.
16. Cookies, Tracking Technologies, and Opt-Out Signals
We use cookies and similar technologies to:
- Maintain user sessions and authenticate users
- Analyze usage and improve functionality
- Support marketing (on our own marketing properties, with appropriate disclosures)
Users can control cookies through browser settings and, where offered, via our cookie consent banner. Where legally required (e.g., EEA/UK, California), non-essential cookies are deployed only with appropriate notice and consent or opt-out mechanisms. We honor Global Privacy Control (GPC) signals on our marketing properties as required by California law.
17. Records of Processing (Article 30 GDPR)
We maintain records of processing activities as required under GDPR and maintain equivalent documentation to support compliance with U.S. state privacy laws.
18. Children's Privacy
Our Services are not directed to, and we do not knowingly collect personal information from, individuals under the age of 16. Consistent with CCPA/CPRA, we do not sell or share the personal information of consumers under 16 without appropriate opt-in consent. We comply with the Children's Online Privacy Protection Act (COPPA) where applicable.
19. Third-Party Links and Services
Our platform may include links to, or integrations with, third-party services. We are not responsible for the privacy practices of those third parties. We encourage users to review the privacy policies of any third-party services they use.
20. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify users of material changes as required by law (e.g., by posting a revised policy with an updated effective date and, where required, providing direct notice).
21. Contact Information
For privacy-related inquiries, including GDPR, CCPA/CPRA, and other state privacy law requests:
Sparkhaus
19600 Fairchild Rd. Suite 300, Irvine, CA 92612
development@sparkhaus.com
+1 949.381.6200