SovereignSpark

Legal

Privacy Policy

Last updated: 2026-06-26

1. Who we are

Sovereign Spark is a configuration and deployment service for private AI assistants running on NVIDIA DGX Spark hardware. Our web platform produces a configuration recipe (a .yamlfile) that is used to install software directly on the customer's on-premise device. We do not process, store, or transmit any business documents or end-user data.

2. What data we collect

We collect only the minimum necessary to provide the service:

  • Email address — provided at checkout, used to send the install package download link and order confirmation.
  • Configuration choices — business domain, sector, team size, capability selections, guardrail preferences. These describe how to configure an AI assistant; they contain no business data.
  • Order metadata — order ID, subscription plan, payment status. Payment processing is handled entirely by Stripe; we never see or store card numbers.
  • Basic server logs — IP address, timestamp, HTTP method and path. Retained for 30 days for security and debugging.

We do not collect names, addresses, phone numbers, or any sensitive personal data.

3. What we do NOT collect

  • No business documents, files, or knowledge base content — these are processed locally on the customer's DGX Spark and never transmitted to us.
  • No end-user conversations — the AI assistant runs entirely on-premise.
  • No tracking pixels or advertising cookies.
  • No third-party analytics (no Google Analytics, no Mixpanel).

4. Where data is stored

  • Web application: hosted on Vercel (servers in EU and US regions).
  • Database: order and configuration data stored in an SQLite database on Vercel infrastructure.
  • Email delivery: handled by Resend (resend.com). Your email address is transmitted to Resend solely to deliver your install package link.
  • Payments: processed by Stripe. We store only the Stripe session ID and payment status, not card data.

5. Legal basis (GDPR)

We process your data on the basis of contract performance (Art. 6(1)(b) GDPR): your email and configuration are required to deliver the service you purchased. Server logs are processed on the basis of legitimate interest (Art. 6(1)(f)) for security and operational purposes.

6. Data retention

  • Order and configuration data: retained for the duration of your subscription plus 12 months.
  • Server logs: 30 days.
  • Download tokens: invalidated automatically after 7 days.

7. Your rights

Under GDPR and CCPA you have the right to access, correct, or delete your personal data at any time. To exercise these rights, email us at privacy@sovereign-spark.ai. We will respond within 30 days.

8. Contact

Questions about this policy: privacy@sovereign-spark.ai