Privacy Policy
AeroSpark ("we," "our," or "us") provides AI-powered legal review, deal exception triage, and contract lifecycle workflows through applications for Slack and Microsoft Teams, a web dashboard, and optional storage integrations with Microsoft SharePoint (via Microsoft Graph) and Google Drive (via Google OAuth 2.0). This Privacy Policy explains how personal data is processed when you use the AeroSpark services, applications, and platforms, and what rights individuals may have under the General Data Protection Regulation ("GDPR"), the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA"), and other applicable privacy laws.
1. Controller and processor roles
AeroSpark acts in different roles depending on the data and context:
- Customer workspace content — for documents, request metadata, reviewer assignments, approvals, audit history, and other content processed on behalf of a customer workspace, the customer organization is typically the data controller and AeroSpark acts as its processor or service provider.
- Our own business operations data — for website usage, support requests, billing records, security logs, and account administration data, AeroSpark is typically the data controller.
If you use AeroSpark through your employer's or organization's Slack workspace or Microsoft Teams tenant and want to exercise rights relating to data submitted by that workspace or tenant, you should usually contact your workspace administrator or employer first. We will assist our customers with GDPR requests as required under our contractual and legal obligations.
2. Contact details
The controller for AeroSpark-operated website, support, billing, and account administration data is:
AeroSpark.ai Inc.
7511 Greenwood Ave N, Num: 4062 Seattle, WA 98103
Email: legal@aerospark.ai
3. Categories of personal data we process
For purposes of this policy, "personal data" or "personal information" means information relating to an identified or identifiable natural person. Not all customer workspace content is personal data. For example, a workspace ID, company name, contract term, or purely corporate contract metadata is only covered by this section where it relates to or can reasonably be used to identify an individual.
Depending on how AeroSpark is used, we may process the following categories of personal data:
- User account and identity data — platform user identifiers (Slack user IDs, Microsoft Teams / Azure AD object IDs), display names, email addresses where disclosed by the platform, role assignments, and authenticated web session information relating to individual users.
- Submitted content containing personal data — documents, form entries, comments, notes, change requests, and links to revised documents to the extent they contain names, signatures, contact details, job titles, addresses, or other information about identifiable individuals.
- Integration credentials and access tokens — when a workspace or tenant administrator connects an optional storage integration (Microsoft SharePoint via Microsoft Graph, or Google Drive via Google OAuth 2.0), we store an OAuth token identifying the connecting administrator. Google OAuth refresh tokens are encrypted at rest using AES-256-GCM. These tokens are scoped to the specific SharePoint site / document library or Google Drive folder selected during the connection flow, and are used solely to push approved documents to that customer-designated location.
- Support and feedback data — support tickets, satisfaction feedback, feature requests, and related correspondence submitted by or about identifiable individuals.
- Billing and commercial contact data — customer billing contacts, Stripe customer and subscription identifiers, invoice status, and customer communications to the extent they relate to identifiable individuals. Payment card data is handled by Stripe and is not stored by AeroSpark.
- Website and security data — session cookies, authentication state, request metadata, and security logging associated with an identifiable user or device.
4. Sources of personal data
We collect personal data:
- directly from customers, workspace admins, tenant admins, reviewers, and other users who interact with AeroSpark;
- from Slack or Microsoft Teams when users authenticate, submit content, or interact with the app;
- from Microsoft (Microsoft Graph) and Google (Google Identity) when a workspace or tenant administrator connects the optional SharePoint or Google Drive storage integrations and grants consent to their organizational account;
- from documents and form submissions uploaded into the service;
- from billing providers and service providers involved in account administration; and
- from customers or their users where personal data about counterparties, employees, or other individuals is included in submitted documents or metadata.
5. Purposes of processing and legal bases
| Purpose | Typical legal basis |
|---|---|
| Provide the Slack application, workflow automation, and web dashboard | Performance of a contract (GDPR Article 6(1)(b)) |
| Manage customer accounts, invoicing, and service administration | Performance of a contract and compliance with legal obligations (Articles 6(1)(b) and 6(1)(c)) |
| Secure the service, investigate misuse, maintain logs, and prevent fraud | Legitimate interests (Article 6(1)(f)) |
| Respond to support requests and customer communications | Performance of a contract and legitimate interests (Articles 6(1)(b) and 6(1)(f)) |
| Process customer workspace content on behalf of customers | Processed under the customer's instructions; the customer is typically the controller |
| Comply with applicable law, accounting, tax, and regulatory obligations | Legal obligation (Article 6(1)(c)) |
Where we rely on legitimate interests, those interests generally include operating and improving a secure B2B software service, supporting customers, preventing abuse, and protecting our legal rights. We do not sell personal data or use customer content for third-party advertising.
6. Recipients and sub-processors
| Processor | Purpose |
|---|---|
| Slack Technologies | Platform, authentication, and event delivery when the Slack app is installed |
| Microsoft (Teams, Microsoft Graph, SharePoint) | Platform, authentication, and event delivery when the Microsoft Teams app is installed. Microsoft Graph and SharePoint additionally receive approved documents and related metadata when a customer connects the optional SharePoint storage integration; documents are written only to the site, document library, or folder the customer designates during setup. |
| Google LLC (Google Drive via Google OAuth 2.0) | Storage of approved documents in the Google Drive folder the customer designates, only when the optional Google Drive integration is connected. AeroSpark stores an AES-256-GCM-encrypted refresh token scoped to the customer-selected folder. |
| Anthropic (Claude API) | AI extraction and analysis of submitted documents |
| Amazon Web Services (S3) | Encrypted document file storage |
| Stripe | Billing and subscription management |
| DocuSign | Electronic-signature envelope creation, delivery, and status tracking when a reviewer sends an approved document for signature. DocuSign receives the document content and the signer names and email addresses specified in the Send for Signature form. |
| Resend | Transactional email delivery for support tickets, satisfaction feedback, feature requests, and web contact-form submissions. Resend receives the sender's email address, the message body, and any related metadata supplied in the feedback form. |
| Railway | Application hosting and managed database |
We may also disclose personal data to professional advisers, auditors, insurers, law enforcement, regulators, courts, or counterparties where necessary to comply with law, enforce our rights, or protect the service and its users.
7. International data transfers
AeroSpark and some of its service providers may process personal data outside the European Economic Area, the United Kingdom, or Switzerland, including in the United States. Where required, we use appropriate transfer safeguards such as adequacy decisions, the European Commission's Standard Contractual Clauses, the UK International Data Transfer Addendum, or other valid transfer mechanisms.
You may request more information about applicable transfer safeguards by contacting legal@aerospark.ai.
8. Retention
| Category | Typical retention approach |
|---|---|
| Workspace installation and configuration data | Retained while the customer account is active and for a limited period afterward as needed for security, billing, and legal compliance |
| Submitted requests, extracted data, and audit records | Retained for the period set by the customer relationship and our contractual retention schedule; after uninstall, data is typically retained for up to 90 days unless a different contractual or legal requirement applies |
| Support and feedback records | Retained as needed to respond, improve the service, and maintain business records |
| Billing and tax records | Retained as required by applicable accounting, tax, and legal obligations |
We may retain data for longer where required by law, to resolve disputes, to enforce agreements, or to establish, exercise, or defend legal claims.
9. Security
We use technical and organizational measures designed to protect personal data, including:
- Encryption at rest for sensitive credentials, including platform bot tokens and Google OAuth refresh tokens, using AES-256-GCM;
- TLS in transit for all requests to our application, hosted database, and third-party APIs;
- Role-based access controls enforced on every administrative and reviewer action;
- Strict tenant scoping on every database query so that one customer's data is not returnable to another customer;
- Audit logging of reviewer decisions and administrative actions;
- Least-privilege scoping of optional storage integrations — AeroSpark requests access only to the specific SharePoint site or document library, or Google Drive folder, that the customer selects during setup, and never to the customer's full Microsoft or Google account.
No system is completely secure, and we cannot guarantee absolute security.
10. Your GDPR rights
Subject to applicable law and any relevant exemptions, individuals may have the right to:
- request access to personal data;
- request correction of inaccurate or incomplete personal data;
- request deletion of personal data;
- request restriction of processing;
- object to certain processing, including processing based on legitimate interests;
- receive personal data in a portable format where GDPR data portability applies; and
- withdraw consent where processing is based on consent, without affecting prior lawful processing.
You also have the right to lodge a complaint with your local supervisory authority in the EEA, the UK Information Commissioner's Office, or another competent data protection regulator, depending on your location.
If we process personal data solely as a processor for a customer workspace, we may direct the request to that customer or act only on that customer's instructions, as required by GDPR.
11. California privacy rights (CCPA/CPRA notice)
If you are a California resident and the California Consumer Privacy Act, as amended by the California Privacy Rights Act ("CCPA"), applies to the relevant processing, you may have the right to:
- know the categories of personal information we collect, the sources of that information, the business or commercial purposes for collecting, using, disclosing, selling, or sharing it, and the categories of third parties to whom it is disclosed;
- request access to the specific pieces of personal information we collected about you;
- request deletion of personal information, subject to legal exceptions;
- request correction of inaccurate personal information;
- opt out of the sale or sharing of personal information, if applicable;
- limit the use and disclosure of sensitive personal information, if applicable; and
- receive equal service and pricing without discrimination for exercising your privacy rights.
To submit a California privacy request, contact legal@aerospark.ai. Authorized agents may submit requests on behalf of California residents where permitted by law, and we may require proof of authorization and identity verification before fulfilling certain requests.
We do not sell personal information or share personal information for cross-context behavioral advertising as those terms are defined under the CCPA. We also do not use or disclose sensitive personal information for purposes that would trigger a right to limit beyond the purposes permitted by California law.
In the preceding 12 months, we have collected the categories of personal information described in Section 3 only to the extent they relate to identifiable California residents, and disclosed the relevant categories to the service providers and processors identified in Section 6 for the business purposes described in Section 5.
12. Automated decision-making
AeroSpark uses automated systems, including AI-assisted extraction and rule-based classification, to support document review workflows. These outputs are intended to assist human users and are not intended to produce solely automated decisions with legal or similarly significant effects on individuals under GDPR Article 22 without human involvement.
13. Providing data is generally necessary to use the service
If required personal data is not provided, some features of AeroSpark may not function, including workspace installation, authentication, routing, document analysis, and review workflows.
14. Changes to this policy
We may update this policy from time to time. When we do, we will update the effective date above. For material changes, we will notify workspace admins and users via email at least 14 days before the change takes effect.
15. Contact and privacy requests
Questions, privacy requests, deletion requests, or data inquiries:
legal@aerospark.ai
Before fulfilling certain requests, we may need to verify your identity and your authority to make the request.