Privacy Policy

We built Spar to help ecommerce teams grow. This policy explains, in plain language, what data we collect, how we use it, who we share it with, and the choices you have. A current list of the vendors that help us run Spar is available on request.

Last updated: June 19, 2026

1. Who we are

Spar is operated by Cuped Inc. ("Cuped," "Spar," "we," "us"), based in Canada. This policy covers the Spar web app, our Shopify and Spar Connect apps, the embed and theme scripts we ship to storefronts, and our marketing site. We are accountable under the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy legislation. Our Privacy Officer can be reached at privacy@cuped.ai.

2. What data we collect

We collect data in a few broad categories:

  • Account information. Name, email, hashed password (if you use password-based login), team and workspace settings, and sign-in metadata.
  • Connected store and analytics data. When a merchant connects Shopify, Google Analytics, or a similar analytics or commerce source, we read storefront, product, and aggregated traffic data needed to run audits and tests.
  • Storefront events. When our embed or theme extension is installed, we record A/B test assignments, commerce events, and related test-assignment data on the storefronts our merchants operate.
  • Content you create. Audits, ideas, tests, notes, files, and other content saved in your workspace.
  • Billing data. Subscription, invoice, and payment status. Payment methods are handled by Stripe; we do not see card numbers.
  • Product usage and diagnostics. Standard product analytics, error reports, and session metadata so we can operate and improve the service.

We aim to collect the minimum we need to deliver the service. A current list of the vendors that help us store and process this data is available on request.

3. Merchant data vs shopper data

Spar processes different categories of data in different roles. For account information, billing information, product usage data, and our own service operations, Cuped is generally the controller. For store, analytics, shopper, and commerce data processed through merchant integrations, we generally act as a processor or service provider on behalf of the merchant.

We minimize our use of shopper-level data. Where Shopify scopes or connected integrations expose customer information, we work with aggregated, de-identified, or pseudonymous ecommerce metrics wherever possible. We do not sell shopper data or share it for cross-context behavioral advertising.

If you are a shopper on a storefront that uses Spar and want to exercise a privacy right, contact the merchant first. The merchant controls that relationship, and we will support requests they route to us.

4. How we use data

We use the data described above to:

  • Operate, secure, and improve the Spar product.
  • Run audits, generate ideas, ship A/B tests, and report on results.
  • Authenticate users, manage teams, and enforce permissions.
  • Process subscriptions and send invoices.
  • Send transactional and product communications such as account, billing, and security notices.
  • Investigate abuse, debug errors, and monitor reliability.
  • Comply with our legal obligations and enforce our Terms of Service.

We do not sell personal data.

5. AI processing

We use AI model providers under commercial or API terms intended for business use. We do not permit providers to use your data to train general-purpose models where provider controls allow us to disable that use. We review provider terms before enabling a new model route and may restrict providers for specific workloads.

The current list of AI providers is available on request.

6. Sharing and vendors

We share personal data with a small set of vendors that help us run the service: hosting and infrastructure, our database and cache, error and product analytics, AI model providers, Stripe for billing, our email provider for transactional mail, and the integrations a merchant chooses to connect (for example Shopify, Asana, Jira, or Google Analytics).

A current vendor list is available on request. We may also disclose data to comply with the law or to protect our users and the service, and personal data may be transferred as part of a future merger, acquisition, or sale of assets, subject to this policy or a comparably protective successor.

7. Cookies and localStorage

On the Spar app and marketing site, we set first-party cookies for authentication, basic preferences (such as dark mode), and product analytics. On storefronts where our embed or theme extension is installed, we store an A/B test assignment in localStorage so the right variation is served on repeat visits. We do not set advertising or cross-site tracking cookies.

Most browsers let you manage cookies in their settings. Where local law requires opt-in consent for optional cookies, we honor that choice.

8. Retention and deletion

We retain personal data while your account is active and for a reasonable period afterward to support restoration, security investigations, billing records, and routine backup rotation. You can request deletion at any time from your account settings or by emailing us. Some data may be retained where required by law (for example, tax and billing records).

When a merchant uninstalls our Shopify app, or when Shopify sends privacy webhooks such as customers/data_request, customers/redact, or shop/redact, we process those requests on the timeline Shopify requires.

9. Your rights

Under PIPEDA and applicable provincial privacy laws (including Quebec Law 25, Alberta PIPA, and British Columbia PIPA), Canadian residents have the right to access the personal information we hold about you, to request correction of inaccurate information, to withdraw consent for our processing (subject to legal or contractual restrictions), and to file a complaint with the Office of the Privacy Commissioner of Canada or the applicable provincial commissioner. Quebec residents may also have additional rights, including data portability and information about certain automated decision-making where applicable.

Residents outside Canada may have additional rights under their local laws. EU and UK residents have rights under the GDPR and UK GDPR to access, correct, delete, port, restrict, or object to processing, and to lodge a complaint with a supervisory authority. California residents have rights under the CCPA/CPRA, including the right to know, delete, and correct personal information. We do not sell personal information and do not share it for cross-context behavioral advertising as those terms are defined under the CCPA/CPRA.

To exercise a right, email our Privacy Officer at privacy@cuped.ai from the address on file for your account. We may verify your identity before responding and will reply within the time required by applicable law.

10. Security

We use reasonable technical and organizational measures to protect data, including encryption in transit, scoped access controls, hashed passwords, and continuous monitoring. For details, see our Security page. No system is perfectly secure; if we learn of a breach affecting your personal data, we will notify you in line with applicable law.

11. International transfers

Cuped is based in Canada. Personal data may be processed in Canada, the United States, and other countries where our service providers operate. This means personal data may be accessible to courts, law enforcement, or regulators in those jurisdictions.

Canadian privacy law generally permits cross-border processing, but we remain accountable for personal information transferred to service providers and require safeguards designed to provide comparable protection. Where required for transfers from the EEA, UK, or Switzerland, we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses, the UK International Data Transfer Addendum, or the EU-U.S. Data Privacy Framework, as applicable.

12. Contact

For questions, requests, or complaints about this policy or our processing of your personal data, email our Privacy Officer at privacy@cuped.ai. You can also reach us about general matters at founders@cuped.ai. If you are not satisfied with our response, you may contact the Office of the Privacy Commissioner of Canada or your provincial privacy commissioner.