Privacy Policy

Last updated: April 26, 2026

1. Who we are and what this Policy covers

This Policy explains how PHOTON SPARK S.R.L., a company established and operating under Romanian law, with its registered office at Aleea Arutela No. 2, Bl. M18, Sc. 1, 4th floor, apt. 25, Sector 6, Bucharest, Romania, 061902, processes the data of Users and Customers who access the website photonspark.com and our digital services (including hosting, VPS, game hosting, web hosting, cloud infrastructure, software solutions, OCR, transcription and related services). This Policy uses the terminology from the Terms and Conditions of Use and is supplemented by them and by the Cookie Policy.

In this Policy, "PHOTON SPARK", "we" or "the Company" refers to PHOTON SPARK S.R.L., and "user", "customer" or "you" refers to the individual accessing the website, the person creating an account, the representative of a legal entity, the contractual customer, the end user of the Services or any other person whose data may be processed in connection with our Services.

In the event of any inconsistencies regarding the protection of personal data, this Policy shall prevail with respect to the information provided to data subjects, without affecting the validity of the contractual obligations assumed under the Terms and Conditions of Use.

2. Our role: data controller vs. data processor

Controller. PHOTON SPARK acts as a data controller when it determines the purposes and means of processing (e.g. managing user accounts, entering into and executing contracts, processing orders, issuing invoices, managing payments, providing support, administering the website, ensuring infrastructure security, preventing fraud, sending our own commercial communications, fulfilling legal obligations).

Processor. PHOTON SPARK acts as a data processor when it processes data on behalf of and for a Client, particularly in the context of hosting, VPS, game hosting, web hosting, storage, technical processing, cloud infrastructure, OCR, transcription, or other functionalities through which the Client uploads, stores or processes data belonging to its own users, employees, collaborators or other data subjects.

Obligations as a processor.When we act as a processor, the Client remains the data controller and is responsible for the legal basis, information, consent, and respect for the rights of data subjects, and we process the data only in accordance with the Client's lawful, clear and documented instructions, to the extent necessary to provide the Services, ensure security, provide technical support, perform backups, prevent incidents, investigate misuse, and fulfill applicable legal obligations.

For such services, it may be necessary to enter into a separate Data Processing Agreement (DPA) under the terms of Article 28 of the GDPR.

3. The categories of data we process

• Identification and contact information: first name, last name, company name, representative status, email address, phone number, billing address, country, city, postal code, and other information provided in account, order, contact or support forms.
• Account data: username, internal account ID, password in encrypted form, login history, account preferences, service settings, subscribed plans, active/suspended/cancelled services, information regarding platform usage.
• Contractual / commercial data: orders placed, selected services, transaction history, active subscriptions, recurring services, cancellation requests, refunds, discounts, vouchers, commercial communications, history of the contractual relationship.
• Payment data: order amount, currency, selected payment method, payment status, transaction ID, payment date, limited information provided by the payment processor and data required for invoicing. Full card details are typically processed directly by payment processors (e.g. Stripe, PayPal) under their own policies; PHOTON SPARK only receives the information necessary to confirm and manage the transaction.
• Technical data and logs: IP address, date and time of access, device type, operating system, browser, technical identifiers, pages accessed, actions performed in the account, system errors, session data, traffic, security events, server and authentication logs, administration logs, resources used, instance/server/service/subscription identifiers, and other data automatically generated through the use of our infrastructure.
• Support and communications: data from requests submitted via email, contact forms, ticketing systems, Discord-type channels or other means (including message content, screenshots, attached files, technical diagnostic data and conversation history).
• Contributions / Uploaded Content: files, content, databases, configurations, user-uploaded materials, data hosted on servers, texts, documents, images, recordings, log data, data related to applications installed by the Client or other information transmitted, uploaded, stored or generated through the use of the Services. With respect to this data, PHOTON SPARK does not, as a rule, determine the content/original purpose and legal basis for processing, but rather provides the technical infrastructure.
• Special categories of data: we do not request or encourage uploading special categories of data (e.g. racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, genetic or biometric data, health data, sexual life or orientation), unless such use is permitted by law, necessary for the purpose pursued by the Client and covered by an appropriate legal basis. The Client remains responsible for the heightened legal requirements applicable to such data.

4. Purposes of processing and legal bases

• Accounts and access: creating, managing and securing the account, granting access to the Services, verifying logins, maintaining account settings, preventing unauthorized access; legal basis: performance of the contract and, where applicable, legitimate interest.
• Orders, subscriptions and payments: processing orders, activating Services, managing subscriptions, billing, recurring payments, transaction confirmations, resolving payment issues, refunds; legal basis: performance of the contract, legal obligations and, where applicable, legitimate interest (managing the commercial relationship, preventing fraud).
• Technical support: resolving requests, troubleshooting errors, investigating incidents, managing complaints and communicating with users; legal basis: performance of the contract, pre-contractual steps, legitimate interest and, where applicable, legal obligation to retain certain records.
• Security and abuse prevention: processing of technical data/logs to protect the website, accounts, servers and infrastructure against unauthorized access, fraud, cyberattacks, misuse, spam, violations of the Terms and other risks; legal basis: legitimate interest and, in certain situations, compliance with legal obligations.
• Administrative / contractual notifications: account confirmations, order notifications, payment messages, notices regarding suspension/modification/ termination of Services, updates to the Terms, policy changes, security alerts; legal basis: performance of the contract, legal obligations or legitimate interest.
• Commercial communications: newsletters, offers, information about similar products or Service updates, only in accordance with the law; if the law requires consent, communications are sent only after obtaining it; in cases of legitimate interest or an existing commercial relationship, the right to object/unsubscribe is ensured at any time.
• Cookies: strictly necessary cookies may be used without consent, to the extent permitted by law; analytics/marketing cookies or similar non-essential technologies are used, where required by law, only on the basis of consent — see the Cookie Policy and the consent mechanism on the website.
• Consent: when we rely on consent, it is obtained separately, freely, specifically, in an informed manner and unambiguously; consent may be withdrawn at any time, without affecting the lawfulness of processing carried out prior to the withdrawal.

5. Recipients and disclosures

Processors and service providers. We may disclose data to third-party service providers acting on our behalf, solely to the extent necessary: payment processors (e.g. Stripe, PayPal), providers of IT infrastructure/servers/hosting/cloud/storage/cybersecurity/backup/monitoring, email services, ticketing, communication and support platforms (e.g. Discord-type channels), OCR/transcription/automated processing providers, as well as tax consultants/accountants/auditors/lawyers. Their selection takes into account data protection, security and confidentiality requirements; the list may vary over time.

Subprocessors. When acting as a processor, we may use subprocessors for technical services (e.g. cloud, data centers, network, security, monitoring, backup, support, automated processing), in accordance with the contract with the Client and GDPR requirements; reasonable information regarding the categories of subprocessors may be made available to Clients under the applicable contractual terms.

Authorities. We may disclose data to public authorities, courts, law enforcement agencies, tax/regulatory authorities, bailiffs or other authorized entities when disclosure is required by law or necessary to defend our rights or those of third parties, or to prevent, investigate or punish fraudulent, abusive, unauthorized or illegal activities.

6. Online payments and recurring services

Regarding online payments, we process data necessary for managing transactions (e.g. order amount, payment method, payment status, transaction ID, payment date), while full card details are typically processed directly by payment processors (e.g. Stripe, PayPal), in accordance with their policies; PHOTON SPARK usually receives only the information strictly necessary for confirming and recording the transaction.

We manage subscriptions and recurring services and process data related to billing and recurring payments for the purpose of performing the contract and complying with legal obligations.

7. Technical logs and data generated by the use of the Services

We process technical data and logs (including IP addresses, timestamps, technical identifiers, pages accessed, account actions, system errors, sessions, traffic, security events, server/authentication/administration logs, resources used, instance/server/service/subscription identifiers) for the operation of the Services, security, diagnostics, abuse prevention and the protection of our rights, those of our Customers and of other users.

The basis for processing logs is PHOTON SPARK's legitimate interest and, in certain situations, compliance with legal obligations related to the security of processing and infrastructure.

8. International data transfers

The Services may be accessed by users in multiple jurisdictions, including those outside the European Union/European Economic Area; consequently, data may be processed, stored or accessed from such jurisdictions depending on the location of the technical infrastructure, suppliers, data centers, payment processors, support platforms or other involved providers.

When we transfer data outside the EEA to countries without an adequacy decision, we use appropriate safeguards, such as Standard Contractual Clauses approved by the European Commission, additional technical and organizational measures, transfer assessments, contractual rules applicable to suppliers, or other mechanisms permitted by law; in limited situations, the transfer may also take place pursuant to the exceptions provided for by the GDPR (e.g. the performance of a contract or explicit consent).

9. Retention period

We retain data only for as long as necessary for the purposes for which it was collected, for the performance of the contract, the provision of Services, account maintenance, compliance with legal obligations, dispute resolution, fraud prevention, infrastructure security and the defense of our rights.

• Account data: retained for the duration of the account and thereafter for the period necessary to fulfill contractual, tax, accounting or litigation obligations.
• Order/payment/billing data: retained for the period required by applicable financial, accounting and tax laws.
• Support data: retained for as long as necessary to resolve the request and, thereafter, for as long as it may be needed to defend our rights or improve the Services.
• Technical logs and security data: retained for periods commensurate with the purpose, the nature of the Services and the technical risks; in the event of incidents, retention may be extended to the extent necessary for investigation and documentation.
• Content uploaded to hosting/VPS/game hosting/web hosting/OCR/transcription Services:retained in accordance with the Service settings, the applicable contract and the Client's instructions, in compliance with technical backup, restoration, suspension or deletion cycles.

After the termination of the contractual relationship, account deletion or expiration of retention periods, data is deleted, anonymized or archived (as applicable), except where retention is required by law, necessary to defend rights or to investigate an incident. Backup data may persist for a limited time until the deletion rotation, used exclusively for restoration, security or continuity purposes.

10. Security measures and incidents

We implement reasonable technical and organizational measures to protect data against unauthorized access, disclosure, loss, destruction, alteration, misuse or unlawful processing (e.g. access control, authentication, encryption/pseudonymization where appropriate, access segregation, technical monitoring, logging, backup, security updates, internal procedures, access restrictions, training of authorized personnel, vendor assessment).

If a security incident involving personal data occurs, we assess the nature and the risks and implement the necessary measures; where required by law, we notify the competent authority and, where appropriate, the data subjects; when acting as a processor, we inform the controller Client, in accordance with the contract and the law.

11. Data subjects' rights and how to exercise them

Rights include: access, rectification, completion, erasure (subject to legal requirements), restriction, portability, objection, withdrawal of consent (where applicable), and the right not to be subject to a decision based solely on automated processing (including profiling) that produces legal effects or similarly significantly affects you. These rights may be subject to conditions, exceptions or limitations provided for by applicable law.

Exercising rights: you may contact us at contact@photonspark.com; to protect your data and prevent abusive or unauthorized requests, we may ask for reasonable additional information to verify your identity. We respond within the timeframe provided by law, typically within one month, which may be extended in complex cases. If processing is carried out by us as a processor, we may redirect the request to the data controller or advise you to contact them directly.

Complaints: you have the right to file a complaint with the competent authority; in Romania, the authority is the National Supervisory Authority for Personal Data Processing (ANSPDCP). We encourage you to contact us first to try to resolve any concerns.

12. Minors

The PhotonSpark website and Services are not intended for children under the age of 13; minors may use the Services only with the permission and supervision of a parent or guardian, in accordance with the Terms; when the processing of a child's data is based on consent and the child is under 16 years of age, consent must be given or authorized by the holder of parental responsibility; if we learn that we have collected a child's data without authorization or legal basis, we will take reasonable steps to delete or restrict its processing.

13. Automated decisions

PHOTON SPARK does not typically use personal data to make decisions based solely on automated processing that produce legal effects on users or significantly affect them. There may be automated technical mechanisms designed for security, fraud prevention, infrastructure protection, abuse detection, limiting malicious traffic or enforcing technical operating rules, without the purpose of personal assessment with legal effect.

14. Third-party services and links

If you access third-party websites, applications, platforms or services via links available on our website or through the integration of external services, processing of data by those third parties is governed by their privacy policies; PHOTON SPARK does not control and assumes no responsibility for how third parties manage their own services, policies, cookies, tracking technologies, authentication mechanisms or data processing, except as required by law.

15. Policy updates

PHOTON SPARK may update this Policy to reflect legislative, technical, operational, commercial or security changes; the updated version will be posted on the website with the date of the last update indicated. In the event of substantial changes, we may notify users via account notifications, email or announcements on the website; continued use of the Services following the publication of changes constitutes acceptance of the updated version, without affecting rights that require separate consent under the law.

16. Contact information

PHOTON SPARK S.R.L.
Aleea Arutela No. 2, Bl. M18, Sc. 1, Et. 4, Ap. 25, Sector 6, Bucharest, Romania, 061902
Email: contact@photonspark.com

17. Express references to the Terms and Conditions

Terminology. This Policy uses the same operational terminology as the Terms and Conditions (User, Customer, Services, Contributions/Uploaded Content) so that the sections regarding accounts, payments, Services, user contributions and support are aligned and consistent with the contractual rights and obligations.

Accounts. Processing related to creating and managing accounts is described in Sections 3 and 4, in accordance with the operational workflows for authentication, settings and security outlined within the Services.

Payments. The Policy details aspects of online and recurring payments (including the involvement of Stripe/PayPal processors) and that PHOTON SPARK does not store full card details, but receives only the information strictly necessary for managing transactions, in accordance with the contractual and technical provisions in the Terms.

Support. Support channels (email, ticketing, Discord) are reflected in Sections 3 and 4, to align with the support mechanisms described in the Terms.

Contributions.Content, files and materials uploaded by users are governed by this Policy in accordance with our roles (controller/processor) and the Client's responsibility to ensure the legality of the content, without infringing on the rights of data subjects or other legal provisions.

Cookies and notifications. The use of cookies and the consent mechanism are aligned with the Cookie Policy and the administrative/contractual notifications set forth in the Terms.

18. Final provisions

The Customer is responsible for ensuring that data uploaded, stored or processed through PhotonSpark Services is collected and used lawfully and does not violate the rights of data subjects, intellectual property rights, confidentiality obligations, legislation regarding the protection of minors or other applicable legal provisions.

This Policy applies to all Users and Customers who access or use PhotonSpark Services and forms an integral part of the contractual framework published on the website with regard to the provision of information to data subjects and the transparency of processing activities.