Privacy Policy
Effective date: March 24, 2026
Sprala (“we,” “our,” or “us”) operates the compliance automation platform available at sprala.com and app.sprala.com. This Privacy Policy explains what information we collect, how we use it, and what rights you have with respect to it. By using our services, you agree to the collection and use of information as described here.
1. Information We Collect
Account information
When you create an account, we collect your name, email address, and company name. Authentication is handled by Clerk; we do not store your password.
Workspace and company data
We store information you provide about your company, including your compliance framework selections, control assessments, attestations, and the evidence files you upload.
Integration credentials
When you connect integrations (AWS, GitHub, Google Workspace, etc.), we store the credentials required to access those services on your behalf. All credentials are encrypted at the application layer before storage and are never logged or transmitted in plaintext.
Compliance scan results
We store the results of automated compliance checks run against your connected infrastructure. This includes findings, control statuses, and remediation history.
Usage data
We collect standard web application logs including IP addresses, browser type, pages visited, and timestamps. This information is used to maintain service reliability and diagnose issues.
Communications
If you contact us, we retain the content of that communication in order to respond and improve our service.
2. How We Use Your Information
We use the information we collect to:
- Provide, maintain, and improve the Sprala platform
- Run automated compliance checks against your connected integrations
- Send you transactional notifications related to your account and compliance status
- Respond to your questions and support requests
- Monitor for security incidents and prevent abuse
- Comply with legal obligations
We do not sell your personal information. We do not use your data to train machine learning models. We do not share your data with third parties for their marketing purposes.
3. Data Sharing
Service providers
We share data with a limited set of third-party service providers who help us operate the platform: AWS (infrastructure and storage), Clerk (authentication), and Resend (transactional email). These providers process data only on our behalf and under appropriate data processing agreements.
Auditors you invite
When you invite an auditor to your workspace, that auditor can access the compliance data and evidence files you have made available in your workspace. You control who receives invitations and can revoke access at any time.
Legal requirements
We may disclose your information if required to do so by law, court order, or governmental authority, or if we believe disclosure is necessary to protect the rights, property, or safety of Sprala, our users, or the public.
Business transfers
If Sprala is acquired or merges with another company, your information may be transferred as part of that transaction. We will notify you before your information is transferred and becomes subject to a different privacy policy.
4. Data Retention
We retain your account and workspace data for as long as your account is active. If you cancel your subscription, we retain your data for 90 days to allow for reactivation, after which it is permanently deleted. Compliance scan history is subject to the retention period configured in your workspace settings. You may request deletion of your data at any time by contacting us.
5. Security
We implement technical and organizational measures to protect your information against unauthorized access, loss, or disclosure. This includes encryption at rest and in transit, private network architecture, role-based access controls, and regular security reviews. A detailed description of our security practices is available on our security page. No method of transmission or storage is 100% secure. We will notify you promptly in the event of a breach that affects your personal information.
6. Your Rights
Depending on your location, you may have the right to:
- Access the personal information we hold about you
- Correct inaccurate or incomplete information
- Request deletion of your personal information
- Object to or restrict certain processing activities
- Receive a copy of your data in a portable format
- Withdraw consent where processing is based on consent
To exercise any of these rights, contact us using the form below. We will respond within 30 days.
7. Cookies
Sprala uses cookies and similar technologies to maintain your authenticated session and remember your preferences. We do not use third-party advertising cookies or tracking pixels. You can configure your browser to refuse cookies, but doing so may prevent certain features from functioning correctly.
8. Children’s Privacy
Sprala is a business-to-business service not directed at children. We do not knowingly collect personal information from anyone under the age of 16. If you believe we have inadvertently collected such information, please contact us and we will delete it promptly.
9. Changes to This Policy
We may update this Privacy Policy from time to time. When we do, we will revise the effective date at the top of this page and, for material changes, notify registered users by email. Your continued use of the service after a change constitutes acceptance of the updated policy.
10. Contact
If you have questions about this Privacy Policy or how we handle your data, please reach out using the form below.