Privacy Policy
Effective date: May 1, 2026
Last updated: May 1, 2026
This Privacy Policy explains how Karlandco ("SparLab," "we," "us," or "our") collects, uses, shares, and protects personal information when you use SparLab.ai and related services (together, the "Service"). It applies to users worldwide, with specific provisions for users in the United Arab Emirates and the United States.
We are committed to handling your information in accordance with UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data ("PDPL"), applicable US state privacy laws (including the California Consumer Privacy Act / California Privacy Rights Act, the Virginia Consumer Data Protection Act, and similar laws in other states), and other applicable data protection regulations.
1. Who we are
The Service is operated by Karlandco, a company licensed in the United Arab Emirates (trade licence [pending — to be updated upon issuance]), with its registered address at Meydan Free Zone, Meydan Grandstand Building, 6th Floor, Meydan Road, Nad Al Sheba, Dubai, Dubai, United Arab Emirates. For purposes of the PDPL and applicable US laws, Karlandco acts as the data controller (or "business" under CCPA/CPRA) of the personal information described in this Policy.
For privacy questions, contact us at: support@sparlab.ai
2. Information we collect
We collect the following categories of personal information:
Account information. When you sign up, we collect your name, email address, password (stored hashed), and (optionally) profile photo.
Professional context. To tailor scenarios to your background, we collect optional information you provide such as industry, role, experience level, and primary market. You may decline to provide these and still use the Service.
Subscription and billing information. When you subscribe to a paid tier, our payment processor (Stripe) collects your payment card and billing details. We do not store your card number; we receive only a tokenised reference, your subscription status, and limited billing metadata (last four digits, country, expiry, customer ID).
Session content. When you use the Service, we collect:
- Text you type in chat-based negotiation simulations
- Voice recordings, when you use voice mode
- Transcripts generated from those recordings
- Performance scores, feedback, and analytics derived from your sessions
- Notes and deal-prep content you choose to save
Usage and device information. We automatically collect IP address, browser type and version, operating system, device identifiers, referring URLs, pages visited, time spent, and similar log data.
Cookies and similar technologies. See Section 11.
Communications. Records of emails, support tickets, and other messages you send us.
Information from third parties. If you sign up via a third-party identity provider (e.g., Google), we receive your basic profile information from that provider in line with the permissions you grant.
We do not knowingly collect "sensitive personal information" as defined under CCPA/CPRA or "special categories" under similar laws. Voice recordings are biometric-adjacent in some interpretations; see Section 5 for how we handle them.
3. Sources of information
We collect personal information directly from you, automatically through your use of the Service, and from third parties such as identity providers, payment processors, and analytics vendors.
4. How we use your information
We use personal information for the following purposes:
| Purpose | Legal basis (PDPL / GDPR-style) |
|---|---|
| Provide, operate, and maintain the Service | Performance of contract |
| Generate negotiation scenarios, scoring, and feedback | Performance of contract |
| Process payments and manage subscriptions | Performance of contract |
| Send transactional emails (account, billing, security) | Performance of contract; legitimate interest |
| Send product updates and marketing | Consent (you may opt out anytime) |
| Improve the Service, debug issues, conduct analytics | Legitimate interest |
| Detect, prevent, and respond to fraud or abuse | Legitimate interest; legal obligation |
| Comply with legal obligations and enforce our Terms | Legal obligation; legitimate interest |
We do not sell your personal information for monetary consideration, and we do not use your session content (your conversations, voice recordings, or transcripts) to train our own AI models or those of third parties.
5. AI processing and third-party models
The Service uses third-party large language model providers (currently including Anthropic and OpenAI) to generate scenario content, score your sessions, and produce feedback. To do this, we transmit text and, where applicable, voice transcripts to those providers via their commercial APIs.
These providers, under their commercial terms applicable to us, do not use API content to train their models and retain content only for limited periods for abuse monitoring. We list our current AI sub-processors at sparlab.ai/subprocessors (or available on request).
Important: because session content leaves our infrastructure during AI processing, we strongly recommend you do not include in sessions any genuinely confidential commercial information, real client names, real pricing, trade secrets, or personal data of third parties. Use representative or anonymised facts instead.
6. How we share your information
We share personal information only as described below:
Service providers (sub-processors). Vendors that help us operate the Service, including:
- Hosting and database: Vercel, Supabase
- Payments: Stripe
- AI providers: Anthropic, OpenAI (and others as listed in our sub-processor list)
- Email delivery: Resend
- Analytics and error tracking: PostHog
Each sub-processor is bound by contractual obligations to protect your information and use it only for the purposes we instruct.
Legal and safety. We may disclose information to comply with applicable law, enforce our Terms, respond to lawful requests from public authorities (including UAE and US authorities), or protect the rights, safety, or property of Karlandco, our users, or others.
Business transfers. In connection with a merger, acquisition, financing, or sale of assets, your information may be transferred, subject to confidentiality and to your rights under applicable law.
With your consent. Any other sharing is done only with your prior consent.
We do not share personal information with advertisers, data brokers, or third parties for their own marketing purposes.
7. International transfers
Karlandco is based in the UAE. Many of our sub-processors operate in the United States and other countries. As a result, your personal information may be transferred to, stored in, and processed in jurisdictions outside the UAE, including the US and the European Union.
When we transfer personal information outside the UAE, we rely on:
- Adequacy decisions issued by the UAE Data Office, where applicable
- Contractual safeguards (data processing agreements, including standard contractual clauses where required)
- Your explicit consent, where appropriate
For US-based users, your information may be processed both inside and outside the United States.
8. Data retention
We retain personal information only as long as needed for the purposes described in this Policy:
- Account data: for as long as your account is active, plus up to 24 months after closure
- Session content (transcripts, scores, recordings): until you delete it, or up to 24 months after account closure, whichever comes first
- Voice recordings: retained only for the duration needed to generate transcripts and feedback, then deleted within 30 days unless you save them
- Billing records: retained for the period required by tax and accounting laws (typically 5–7 years)
- Logs and analytics: typically up to 12 months
You can delete individual sessions and recordings at any time from your account settings.
9. Security
We use technical and organisational measures designed to protect your information, including encryption in transit (TLS) and at rest, access controls, audit logging, secure software development practices, and routine vulnerability monitoring. No system is perfectly secure; we cannot guarantee absolute security, and you use the Service at your own risk.
If we become aware of a personal data breach affecting you, we will notify you and the relevant supervisory authority (UAE Data Office and, where applicable, US state attorneys general) in accordance with applicable law.
10. Your rights
10.1 Rights for users in the UAE (PDPL)
Subject to PDPL conditions and exceptions, you have the right to:
- Access your personal data and obtain a copy
- Rectify inaccurate or incomplete data
- Erase your data ("right to be forgotten")
- Restrict processing in certain circumstances
- Object to processing based on legitimate interests
- Data portability — receive your data in a structured, machine-readable format
- Withdraw consent at any time (without affecting the lawfulness of prior processing)
- Lodge a complaint with the UAE Data Office
10.2 Rights for users in the United States
Depending on your state of residence, you may have rights under the CCPA/CPRA (California), VCDPA (Virginia), CPA (Colorado), CTDPA (Connecticut), UCPA (Utah), and similar laws, including:
- The right to know what personal information we collect, use, disclose, and "share" (as defined under those laws)
- The right to access and obtain a copy of your personal information
- The right to delete personal information
- The right to correct inaccurate personal information
- The right to opt out of the "sale" or "sharing" of personal information for cross-context behavioural advertising. We do not sell or share personal information in this sense.
- The right to limit the use of sensitive personal information
- The right to non-discrimination for exercising your rights
10.3 How to exercise your rights
Email support@sparlab.ai or use the controls in your account settings. We will respond within the timeframes required by applicable law (typically 30 days under PDPL; 45 days under CCPA, extendable once). We may need to verify your identity before responding.
You may designate an authorised agent to act on your behalf, subject to verification. We will not discriminate against you for exercising your rights.
11. Cookies and similar technologies
We use cookies and similar technologies for:
- Strictly necessary purposes: authentication, session management, security
- Functional purposes: remembering your preferences
- Analytics: understanding how the Service is used
- Payments: Stripe Checkout and customer portal flows
You can control cookies through your browser settings. Disabling strictly necessary cookies may break parts of the Service. We do not use cookies for advertising or cross-site tracking.
12. Children's privacy
The Service is intended for users 18 years of age or older. We do not knowingly collect personal information from anyone under 18. If you believe a child has provided us with personal information, contact us at support@sparlab.ai and we will delete it.
13. Marketing communications
We send marketing emails only with your consent (or, where allowed, on a soft opt-in basis to existing customers about similar products). Every marketing email contains an unsubscribe link. You can also adjust your preferences in your account settings.
14. Automated decision-making
The Service uses automated processing to score your performance and generate feedback, but these outputs are advisory and intended for training. They do not produce legal effects or similarly significant effects on you within the meaning of applicable data protection law.
15. Changes to this Policy
We may update this Policy from time to time. If we make material changes, we will notify you by email or through the Service before the changes take effect. The "Last updated" date at the top reflects the most recent version.
16. Contact us
Karlandco
Meydan Free Zone, Meydan Grandstand Building, 6th Floor, Meydan Road, Nad Al Sheba, Dubai, Dubai, United Arab Emirates
Email: support@sparlab.ai
General contact: support@sparlab.ai
For UAE residents: you have the right to lodge a complaint with the UAE Data Office (https://u.ae/en/about-the-uae/digital-uae/data/data-office).
For California residents: you may also contact the California Attorney General.