Privacy Policy
Last updated: May 4, 2026 Effective date: May 4, 2026
⚠️ Draft notice (delete before going live): This document is a first draft assembled from standard SaaS templates and tailored for Sparcgen, Inc. and the Throttle product. It has not been reviewed by an attorney. GDPR, CCPA, and other privacy regimes have specific disclosure requirements that vary by your actual data flows. Take this to a startup lawyer or use a generator (Termly, Iubenda, OneTrust) before you publish.
This Privacy Policy describes how Sparcgen, Inc., a Delaware corporation (“Sparcgen”, “we”, “us”), collects, uses, and shares information when you use the Throttle service (“Service”). By using the Service, you agree to the practices described here.
1. Information We Collect
1.1 Information you provide
- Account information: email address (required), display name (optional), avatar URL (when signing in via Google or Apple)
- Authentication tokens: provider-specific identifiers from Google and Apple Sign In; one-time magic link tokens we issue
- Trip data: waypoints (latitude/longitude), trip names, route preferences (curviness profile, target leg distance, tank range, break preferences)
- Invite request submissions (if you submit one): email, optional name, optional message text
- Account preferences: theme, units, rider defaults
1.2 Information collected automatically
- IP address: used for approximate geolocation (city-level) to center the initial map view, for rate-limit keying, and for security audit. Stored in transient logs (not associated with accounts) and in in-memory caches that expire within 1 hour.
- Device information: browser type, viewport size, time zone — used to render the appropriate UI.
- Usage events: timestamps of routes computed, trips saved, and exports generated. Used for service improvement and abuse detection.
- Cookies and similar technologies: see our Cookie Policy.
1.3 Information from third parties
- OAuth providers (Google, Apple): when you choose to sign in via Google or Apple, we receive the email address, display name, avatar URL, and provider subject identifier they share with us under the scopes you approve.
2. How We Use Your Information
We use the information described above to:
- Operate, maintain, and improve the Service
- Authenticate you and secure your account
- Generate and store your saved trips
- Send service-related emails (sign-in links, account approval, security notifications)
- Detect, prevent, and respond to fraud, abuse, or security incidents
- Comply with legal obligations
- Communicate with you about product updates, when you opt in (we do not currently send promotional email)
We do not sell your personal information. We do not use your trip data to target advertising. We do not share your trip data with anyone except as described in Section 4.
3. Legal Bases (EU/EEA users)
For users in the EU/EEA, our legal bases under GDPR are:
- Contract performance (Article 6(1)(b)): operating the account you signed up for
- Legitimate interests (Article 6(1)(f)): security, fraud prevention, basic service analytics
- Consent (Article 6(1)(a)): cookies that are not strictly necessary, marketing emails (when applicable)
- Legal obligation (Article 6(1)(c)): tax, accounting, regulatory requests
4. How We Share Your Information
We share information only as follows:
Service providers (data processors)
| Provider | Purpose | Location |
|---|---|---|
| Cloudflare | Edge networking, TLS termination, bot protection (Turnstile) | Global |
| Resend | Transactional email delivery (sign-in links, admin notifications) | USA |
| Google Cloud (OAuth) | Authentication if you use Google Sign In | Global |
| Apple (OAuth) | Authentication if you use Apple Sign In | Global |
| ip-api.com | Approximate IP geolocation for initial map centering (no PII stored) | Global |
These providers process information only on our instructions and are contractually required to protect it.
Aggregated and anonymized data
We may publish aggregated, anonymized statistics about Service usage (e.g., “Users planned X miles of routes this month”). This data cannot be used to identify any individual.
Legal disclosures
We may disclose information when required by law (subpoena, court order, lawful government request) or to protect our rights, the rights of users, or public safety.
Business transfers
If Sparcgen is involved in a merger, acquisition, or sale of assets, information may transfer as part of that transaction. You will be notified by email and via a prominent notice on the Service before any material change in this policy.
What we do NOT share
- We do not sell your personal information.
- We do not rent, lease, or trade your contact list.
- We do not share trip data with marketing networks.
5. Data Retention
| Data type | Retention |
|---|---|
| Account email and profile | Until you close your account |
| Saved trips | Until you delete them or close your account; deleted trips are anonymized (owner association removed) and may be retained for service analytics |
| Magic-link tokens | 15 minutes (expiry) |
| OAuth session cookies | 30 days from last sign-in |
| Invite request submissions | 90 days after admin review (approved or rejected) |
| IP geolocation cache | 1 hour (in-memory; not persisted) |
| Server logs | 30 days |
| Backups containing PII | 30 days rolling |
6. Your Rights
Depending on your jurisdiction, you may have the right to:
- Access: request a copy of the personal data we hold about you
- Correction: request that we correct inaccurate data
- Deletion: request that we delete your personal data
- Portability: receive your data in a portable format
- Objection: object to certain processing (legitimate-interests basis)
- Restriction: request that we limit how we process your data
- Withdrawal of consent: where processing is consent-based
You can exercise rights to access, deletion, and portability directly in the Service via the “My Account” page. For other rights, or if you prefer to email, contact privacy@throttlerides.com. We will respond within 30 days.
California (CCPA/CPRA)
California residents have the right to know what personal information we collect, to request deletion, and to opt out of the sale of personal information. We do not sell personal information. To exercise your rights, contact privacy@throttlerides.com.
Quebec (Law 25)
Quebec residents have additional rights regarding the processing of personal information by businesses operating in Quebec. To exercise those rights, contact privacy@throttlerides.com.
7. International Transfers
We may transfer your information to, and process it in, countries other than your country of residence (including the United States). When we transfer personal data out of the EU/EEA, UK, or Switzerland, we rely on appropriate safeguards such as the European Commission’s Standard Contractual Clauses.
8. Security
We use reasonable administrative, technical, and physical safeguards to protect your information, including:
- TLS/HTTPS for all data in transit (terminated at Cloudflare’s edge)
- At-rest encryption for the database
- Hashed magic-link tokens (raw tokens never stored)
- Bcrypt-equivalent treatment of any future password material
- Network isolation (application services not exposed to the public internet; only Cloudflare Tunnel terminates)
- Rate limiting and bot protection on signup-side endpoints
- Regular security updates of host OS and dependencies
No system is completely secure. If we discover a breach affecting your personal data, we will notify you and the relevant supervisory authorities as required by law.
9. Children
The Service is not directed to children under 13 (or under 16 in the EU/EEA). We do not knowingly collect personal information from children. If you believe we have collected information from a child, please contact privacy@throttlerides.com and we will delete it.
10. Changes to This Policy
We may update this Privacy Policy from time to time. We will post the updated version with a new “Last updated” date. For material changes that affect your rights, we will notify registered users by email at least 30 days before the changes take effect.
11. Contact
To exercise your rights, ask questions, or report a privacy concern:
Sparcgen, Inc. [Registered office address — fill in] Email: privacy@throttlerides.com
For EU/EEA users, you also have the right to lodge a complaint with your local data protection authority. A list of authorities is available at https://edpb.europa.eu/about-edpb/about-edpb/members_en.