Privacy Policy

Sponsy Ltd. ("Sponsy," "we," "us," or "our") has prepared this Privacy Policy to explain what information we collect, how we use and share that information, and your choices concerning our privacy and information practices.

1. Applicability

This Privacy Policy applies to information collected through:

• sponsyai.com (marketing site),
• app.sponsyai.com (Publisher Portal),
• api.sponsyai.com (Serving API),
• our SDK packages (@sponsy/sdk-js, @sponsy/sdk-react), and
• related Services.

For Publisher customers

If you are a Publisher customer, this Privacy Policy applies to information we collect directly from you. Data that we process on your behalf as a service provider may also be governed by your Publisher agreement and your own privacy policy presented to end users.

2. Information We Collect

A) Publisher account information

When you create an account in the Publisher Portal, we collect:

• email address,
• password (hashed; never stored in plain text),
• company name (optional),
• workspace names and configurations.

B) Payment information

For Publishers receiving revenue payouts, we collect:

• PayPal email address for payouts,
• minimum payout threshold preferences,
• auto-payout settings.

C) Waitlist information

When you join our waitlist, we collect your email address to notify you when we launch or provide access updates.

D) Automatically collected information

We may collect:

• Device information: browser type, device type, operating system, IP address,
• Usage data: pages viewed, navigation paths, interactions,
• Log data: IP addresses, timestamps, request information.

3. End User Data Processing (via Publisher integrations)

When Publishers integrate our SDK into their chatbots, we process limited information about end users for intent detection and serving sponsored messages.

Key privacy principles:

• No PII collection: We do not collect end-user names, email addresses, or direct personal identifiers.
• Minimal context: We process only the conversation context necessary for intent detection and eligibility.
• No full transcripts: Complete conversation histories are not stored; only aggregated analytics are retained for reporting.
• Session-based: Data is processed in real time and not retained beyond the session except as aggregated analytics and limited logs for security/debugging.

What we process may include:

• user messages and assistant responses (for intent detection),
• anonymous session identifiers,
• impression, click, and conversion events,
• device/browser metadata (for analytics and fraud prevention).

Publishers should avoid sending sensitive personal data through the SDK/API.

4. How We Use Information

We use information to:

• provide and maintain the Sponsy platform,
• detect commercial intent and serve relevant sponsored messages (which may include affiliate and/or direct advertiser offers),
• process Publisher payments and commissions (including the 70/30 split where applicable),
• generate analytics dashboards (impressions, clicks, CTR, revenue),
• send service updates and marketing communications (you may opt out of marketing),
• detect and prevent fraud and abuse, and
• comply with legal obligations.

5. Information Sharing

We may share information with:

• Offer/attribution partners: such as affiliate networks (click/conversion data for attribution),
• Payment processors: PayPal (for Publisher payouts),
• Service providers: Hosting (Vercel), Database (Supabase), Analytics (ClickHouse, PostHog), Monitoring (Sentry),
• Legal requirements: when required by law or valid legal process.

We do not sell end-user personal information in the ordinary sense. We limit sharing to what is necessary to operate the Services, provide attribution, prevent fraud, and complete payouts.

6. Data Storage and Security

We implement technical and organizational measures to protect information, including:

• Database: Supabase PostgreSQL with Row Level Security (RLS),
• Authentication: Supabase Auth with secure password hashing,
• API keys: hashed storage; only a prefix may be shown after creation,
• Analytics: ClickHouse Cloud for high-volume event storage,
• Caching: Upstash Redis for serving index and rate limiting.

No method of transmission or storage is 100% secure; we cannot guarantee absolute security.

7. Data Retention

We retain data as follows:

• Account data: while your account is active and for 30 days after deletion,
• Analytics events: aggregated data retained for reporting purposes,
• Payment records: 7 years for legal and accounting requirements,
• SDK request logs: 30 days for debugging, then deleted.

8. Your Rights

Depending on your location, you may have the right to:

• access the information we hold about you,
• correct inaccurate information,
• delete your information,
• export your data (portability),
• object to or restrict processing,
• withdraw consent (where applicable),
• opt out of marketing communications.

To exercise these rights, contact contact@sponsyai.com.

9. Cookies and Tracking

We use:

• essential cookies (authentication and security),
• analytics (PostHog for product analytics; may be opted out where available),
• performance monitoring to improve reliability.

You can control cookies through your browser settings.

10. International Transfers

Your data may be processed in countries where our service providers operate, including the United States and the European Union. We take steps designed to ensure appropriate safeguards are in place for such transfers.

11. Children's Privacy

Our Services are not directed to children under 18. We do not knowingly collect personal information from children. If you believe we have collected such information, contact us immediately at contact@sponsyai.com.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the new policy and updating the "Last Updated" date.

13. Contact Us

For privacy-related questions or to exercise your rights:

Email: contact@sponsyai.com
Website: sponsyai.com