Privacy Policy

Last updated: 28 April 2026

BrightSpark is the identity and Sparks rewards layer of the Kirby Browne digital ecosystem, operated by Kirby Browne (Pvt.) Ltd ("Kirby Browne", "we", "us"). This policy explains what personal information we collect when you use BrightSpark, how we use it, who we share it with, and the choices you have.

1. Information We Collect

When you create and use a BrightSpark account, we collect:

  • Account information — your email address, phone number, display name, and (if provided) date of birth, country, and gender.
  • Authentication data — your password (stored as a salted bcrypt hash, never in plain text), one-time passcodes, two-factor authentication secrets (encrypted at rest with AES-256), and identifiers from social login providers (Google, Facebook) when you choose to use them.
  • Session and device data — IP address, browser, device, and approximate location used to issue and validate session tokens and detect suspicious activity.
  • Sparks ledger data — the amount, time, source application, and stated reason for every Sparks transaction on your account.
  • Connected applications — the OAuth grants you have given to client apps (Fanzone, Club.co.zw, partner platforms) and the scopes those grants cover.
  • Communications — records of emails and SMS we send you (e.g. verification codes, security alerts, transactional notifications).

2. How We Use Your Information

  • Operate the BrightSpark service — create and authenticate your account, issue tokens to client applications you sign in to, and maintain the Sparks ledger.
  • Verify your identity (email and phone confirmation, two-factor authentication, fraud and abuse detection).
  • Send you transactional messages (verification codes, password resets, security alerts, important changes to the service).
  • Enforce the BrightSpark Terms of Service and applicable law.
  • Aggregate and de-identify data to understand product usage and improve the service. We do not sell or rent your personal information to third parties.

3. When We Share Information

We share information only in these circumstances:

  • With client applications you sign in to. When you choose "Sign in with BrightSpark" on a partner application, we share only the data covered by the scopes you approve on the consent screen (typically your name, email, and a Sparks balance reference). You can revoke any client's access at any time from your dashboard.
  • With service providers acting on our behalf. These are our providers for hosting (Vercel), database (Neon), cache (Upstash), email delivery (Sendmail.co.zw), SMS delivery (Gikko, Africa's Talking), and payment processing (Paynow). These providers process your data only to deliver the BrightSpark service.
  • For legal compliance. When required by Zimbabwean law, court order, or to protect the rights, property, or safety of users, the public, or Kirby Browne.
  • Business transfers. If Kirby Browne is involved in a merger, acquisition, or sale of assets, your information may be transferred — we will notify you before any such transfer takes effect.

4. Cookies and Local Storage

We use a small number of essential cookies and local storage entries to keep you signed in, remember your consent decisions, and protect against cross-site request forgery. We do not use third-party advertising or analytics trackers on BrightSpark.

5. Data Retention

We retain your account information for as long as your account is active. When you delete your account, we remove your profile and revoke all OAuth grants immediately. We retain Sparks transaction records and security audit logs for up to seven years to meet financial-record obligations and to detect fraud across the ecosystem; these records are dissociated from your profile after deletion where possible.

6. Your Rights

You have the right to:

  • Access the personal information we hold about you and request a copy in a portable format.
  • Correct inaccurate or incomplete information from your dashboard or by contacting us.
  • Delete your account and associated personal data, subject to the retention rules above.
  • Revoke any client application's access to your data from the Apps section of your dashboard.
  • Object to or restrict certain uses of your information.

To exercise any of these rights, contact privacy@brightspark.co.zw or use the controls in your dashboard.

7. Children

BrightSpark is not directed to children under the age of 13, and we do not knowingly collect personal information from children under 13. If you believe a child has provided us with personal information, please contact us and we will delete it.

8. International Transfers

BrightSpark is operated from Zimbabwe but uses cloud infrastructure providers that may process data in other countries. By using BrightSpark, you understand that your information may be transferred to and processed in jurisdictions outside Zimbabwe, subject to safeguards consistent with this policy.

9. Security

We protect your information using industry-standard measures: passwords are stored as salted bcrypt hashes; two-factor secrets are encrypted at rest with AES-256; OAuth tokens are signed with RS256 keys; all traffic between you and BrightSpark is encrypted with TLS. No system is perfectly secure — if you become aware of a security issue, please report it to security@brightspark.co.zw.

10. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email and post a prominent notice in your dashboard at least 14 days before the change takes effect. The "Last updated" date at the top of this page reflects the current version.

11. Contact Us

Questions, concerns, or requests about this Privacy Policy:

Kirby Browne (Pvt.) Ltd
Email: privacy@brightspark.co.zw