Privacy Policy — SparLink
Last updated: April 21, 2026
Version: 1.0
⚠️ Draft pending legal review. This policy has been drafted in accordance with EU Regulation 2016/679 (GDPR) and with Italian Legislative Decree 196/2003 as amended by Legislative Decree 101/2018, but must be validated by counsel before publication.
1. Who we are
SparLink (hereafter "SparLink", "we", "the Service") is a digital service operated by:
- Data controller: SparLink
- Registered office: [to be defined]
- VAT number: [to be defined]
- Support email: info@sparlink.app
- Privacy email: privacy@sparlink.app
- Website: sparlink.app
Data protection contact. We have not formally appointed a Data Protection Officer (DPO), as we do not perform large-scale processing of special categories of data under Art. 37 GDPR. All privacy-related requests should be sent to privacy@sparlink.app and are handled internally by the controller.
2. What SparLink is
SparLink is an application for combat-sports practitioners (BJJ, MMA, boxing, Muay Thai, judo, wrestling, and other disciplines) that integrates three core functions:
- Matchmaker — search for compatible sparring partners, based on profile and geographic location.
- Timer — timer for training rounds, with discipline presets.
- Log and feedback — session logging, structured feedback between practitioners, progression statistics.
To deliver these services it is necessary to collect and process some personal data, as detailed below.
3. What data we collect
3.1 Table of data processed
| Data | Purpose | Legal basis | Retention |
|---|---|---|---|
| Email | Authentication, service communications, password recovery | Contract performance (Art. 6.1.b GDPR) | Account lifetime + 30 days after deletion |
| Password (hash only, never in clear) | Authentication | Contract performance | Account lifetime |
| Display name (display_name) | Public identification within the Service | Contract performance | Account lifetime + 30 days |
| Bio, years of experience, role (practitioner/coach/gym) | Public profile creation | Contract performance | Account lifetime + 30 days |
| Sex, weight (kg), height (cm) | Compatible matchmaking (pairing similar weights, etc.) | Explicit consent (Art. 6.1.a) — sensitive data declared by the user | Account lifetime + 30 days |
| City, latitude/longitude | Distance-based matchmaker, Travel Mode | Explicit consent (Art. 6.1.a) | Account lifetime + 30 days |
| Profile photo | Visual identification in the matchmaker | Contract performance | Account lifetime + 30 days |
| Disciplines practiced, goals, availability | Matchmaker filters | Contract performance | Account lifetime + 30 days |
| Training session data (duration, rounds, disciplines, notes) | Log feature, personal statistics | Contract performance | Account lifetime + 30 days |
| Post-match chat messages | Communication between matched users | Contract performance | While match is active + 2 years (for dispute handling) |
| Structured feedback between users | Feedback feature, SparLink Score calculation | Contract performance | Account lifetime + 30 days |
| Affiliate / referral code | Referral and commission system | Contract performance | 10 years (tax obligation) |
| Affiliate commission history | Payment management for affiliates | Legal obligation (Art. 6.1.c) — Italian tax law | 10 years (Art. 2220 Italian Civil Code) |
| Billing data (name, address, VAT if applicable) | Invoice issuance, tax compliance | Legal obligation (Art. 6.1.c) | 10 years (Art. 2220 Italian Civil Code) |
| Payment data (card number, CVV, etc.) | Not collected by us — handled directly by Stripe | — | See Stripe's privacy policy |
| IP address, user-agent, access logs | Security, abuse prevention, debugging | Legitimate interest (Art. 6.1.f) | 180 days |
| Technical cookies (session, CSRF) | Service operation | Contract performance — no consent required | Session or up to 1 year |
3.2 Data NOT processed
- We do not collect health data within the meaning of Art. 9 GDPR (medical reports, diagnoses). Weight and height are data declared by the user for sports matchmaking purposes, not health data.
- We do not profile users for automated marketing purposes without consent.
- We do not sell data to third parties.
4. Purposes of processing
We use your data to:
- Deliver the Service — registration, login, use of matchmaker/timer/log features.
- Match users — the matchmaker compares profiles to propose compatible partners.
- Service communications — transactional emails (verification, password reset, match notifications, payment confirmations). These do NOT require consent because they are necessary for contract performance.
- Billing and tax compliance — for paying users.
- Security — fraud prevention, abuse prevention, fake-profile detection.
- Customer support — responding to email requests.
- Service improvement — aggregate, anonymous usage analysis (see Cookie Policy).
We do NOT use your data for automated marketing, advertising profiling, or sale to third parties.
5. Sub-processors (external processing providers)
To deliver SparLink we rely on the following providers. Each is bound by a Data Processing Agreement (DPA) compliant with Art. 28 GDPR.
| Provider | Service | Data processed | Location | Non-EU transfer |
|---|---|---|---|---|
| Railway | PostgreSQL database hosting (with PostGIS extension for geolocation) | All user data except payments and photos | EU region (Amsterdam) | No |
| Supabase | Profile photo storage (CDN) | Profile photos, file metadata | EU region (Frankfurt) | No |
| Vercel | Web application hosting, edge functions | Access logs, data in transit | EU region (fra1) | No |
| Stripe | Payment processing, subscription management | Email, name, payment data (card, CVV) — collected directly by Stripe | USA (Delaware) | Yes — Standard Contractual Clauses (SCC) + DPF |
| Resend | Transactional email delivery | Email, email content | USA / EU | Yes (if US instance) — SCC |
Note on Stripe. Your payment card data does not transit through our servers: it is entered directly into a secure form hosted by Stripe (Stripe Elements). We only receive an anonymous identifier (token) and the transaction metadata (amount, date, status).
Non-EU transfers. Stripe and, depending on the instance, Resend may process data in the United States. In that case the transfer is safeguarded by:
- Standard Contractual Clauses (SCC) approved by the European Commission;
- the provider's adherence, where applicable, to the Data Privacy Framework (DPF).
6. How we share your data with other users
SparLink is, by nature, a social service. Some of your profile data is visible to other authenticated users:
- Visible to all authenticated users: display name, bio, disciplines, city (not precise coordinates), profile photo, experience level.
- Visible only after a mutual match: chat, precise availability details.
- Never shared with other users: email, password, payment data, exact GPS coordinates (we only use an approximate radius), affiliate commission history.
You can make your profile less visible from the settings (where available in your version of the Service).
7. Cookies
SparLink uses technical cookies (session, CSRF) necessary for operation, and anonymous analytics cookies. For details see the Cookie Policy.
8. Your rights
As a data subject, you can exercise the following rights at any time (Art. 15–22 GDPR):
- Access — obtain a copy of your data.
- Rectification — correct inaccurate data.
- Erasure ("right to be forgotten") — delete your account and associated data. You can do so directly from the app settings ("Delete account") or by writing to privacy@sparlink.app.
- Restriction — temporarily restrict processing in case of dispute.
- Portability — receive your data in a machine-readable, exportable format (JSON). You can do so from the settings ("Export my data") or via email to privacy@sparlink.app.
- Objection — object to processing based on legitimate interest.
- Withdrawal of consent — if processing is based on consent, you can withdraw it at any time without affecting the lawfulness of prior processing.
How to exercise your rights
Write to privacy@sparlink.app specifying:
- The right you wish to exercise.
- The email associated with your SparLink account.
- Any details useful to identify the data covered by the request.
We will respond within 30 days of receipt (extendable by a further 60 days for complex requests, as allowed by the GDPR).
Complaint to the supervisory authority
If you believe processing violates the GDPR, you have the right to lodge a complaint with the Italian Data Protection Authority (Garante per la protezione dei dati personali, www.garanteprivacy.it) or with the supervisory authority of the EU Member State in which you reside.
9. Data retention
Retention periods are indicated in the table at § 3.1. In summary:
- Profile and session data: retained for the account lifetime + 30 days after deletion (to allow recovery from accidental deletion).
- Billing data: 10 years from issuance of the invoice (obligation under Art. 2220 Italian Civil Code and Presidential Decree 633/1972).
- Chat and feedback: during the active match + 2 years (for handling disputes or abuse reports).
- Technical logs: 180 days.
After account deletion, profile data is anonymized (no longer traceable to the user) where possible, and erased where not useful.
10. Data security
We adopt appropriate technical and organizational measures to protect your data:
- Hashed passwords with the bcrypt/argon2 algorithm — we never store passwords in clear.
- HTTPS/TLS mandatory on all connections.
- Privileged access to the database limited to the controller and hosting tooling.
- Encrypted daily backups of the database.
- Audit logs of administrative accesses.
In the event of a personal-data breach, we will notify the Italian Data Protection Authority within 72 hours and, if the risk to users' rights is high, we will also notify the affected users pursuant to Art. 33–34 GDPR.
11. Minors
SparLink is intended for users aged 16 and over. This threshold corresponds to the minimum age to independently give consent to data processing in Italy under Art. 8 GDPR and Art. 2-quinquies of the Italian Privacy Code.
At registration we ask the user to confirm they are at least 16. We do not knowingly collect data from minors under 16. If we become aware of an account belonging to a minor below this threshold, we will proceed with immediate deletion.
Parents or guardians of minors under 16 who believe their child has created an account can write to privacy@sparlink.app to request deletion.
12. Automated decisions
We do not make decisions solely based on automated processing that produce legal effects or significantly affect users (Art. 22 GDPR).
The matchmaking algorithm proposes pairings based on parameters declared by the user (weight, level, disciplines), but the final choice is always up to the user. The SparLink Score and the specialization label are informational statistical indicators, not binding decisions.
13. Changes to this policy
We may update this policy to:
- align it with regulatory changes;
- reflect new features or sub-processors;
- improve clarity.
In case of substantial changes (e.g., new purposes, new sub-processors, change of legal basis), we will notify you by email with at least 30 days' notice and, where required by law, ask for renewed consent. Non-substantial changes (corrections, clarifications) will be published without notice, with the date updated at the top of the document.
14. Contacts
For any question or request about privacy:
- Privacy email: privacy@sparlink.app
- Legal email: legal@sparlink.app
- Data controller: SparLink
- Registered office: [to be defined]
Document version 1.0 — April 21, 2026