Features Download Docs Bug Bounty FAQ Download

Privacy Policy

Last updated: May 2026

The Short Version

SparkBox is a privacy-first product built by a privacy-first company. We don't want your data, we don't collect your data, and we don't sell your data. The software runs entirely on your hardware. We have no access to what runs on your server, who uses it, or what they do with it.

This policy explains the small amount of data we do collect — exclusively to run the website, deliver licenses, and provide support.

What We Don't Collect

  • No tracking, profiling, or ads in the SparkBox software. The dashboard, modules, and apps don't build a profile of you, serve ads, or carry any per-install identifier. The only thing the software sends us is an anonymous release-health ping when you update — which version you moved to and whether it succeeded, with no identifier and nothing tied to your box — so we can catch a bad release. Crash reporting is separate, opt-in, and off by default. That's the whole of it.
  • No data from your self-hosted apps. Your Pi-hole logs, Vaultwarden passwords, Jellyfin library, Nextcloud files, and everything else stays on your server. We never see it.
  • Sanitized logging of AI Troubleshooting conversations for product improvement. The AI Troubleshooting feature routes through our Anthropic API to provide diagnostic help. Before any message leaves your SparkBox server, an on-device sanitizer strips credential-shaped strings (API keys, passwords, tokens, SSH/PGP keys). The resulting credential-free conversation — your question and the assistant's reply — is logged on our side for up to 90 days and used to find class-level SparkBox bugs faster and turn recurring problems into shipped patches, guides, and docs updates. Your raw, unsanitized chat history stays only on your own server (state/chat-sessions/) and is never collected. We never sell these conversations and never share them for third-party AI training. See the "When you use AI Troubleshooting" section below for details.
  • No analytics on the website beyond basic privacy-respecting hit counts. We do not use Google Analytics or any tracking scripts.
  • No tracking pixels, no third-party cookies, no ad networks.

What We Do Collect

When you visit tomsparkbox.com

  • Anonymous request logs. Our hosting provider (Cloudflare) receives standard web request logs: IP address, timestamp, page requested, user agent. These are retained by Cloudflare for security purposes and are not used for tracking.
  • A preference cookie only if you interact with features that need it. No tracking cookies.

When you activate a free license

  • Email address. Required to mint your free personal-use license key. We use it only to deliver the key, to look it up if you lose it, and to send a one-time legal notice if anything important changes about your license.
  • License key history. We store your license key associated with your email so we can re-send it or help recover access if you lose it.

When SparkBox checks for updates

  • An anonymous HTTP request to get.tomsparkbox.com to check the latest version. This request includes no identifying information beyond a standard HTTP user agent and your server's IP address (visible to any HTTP request).

When SparkBox validates your license

  • On activation and periodically thereafter (roughly once per week), your SparkBox dashboard makes an HTTPS request to webhook.tomsparkbox.com. The request contains: your license key, a random install ID (generated once per install, used only to count activations against the 3-install cap), and optionally your email if you're activating on a second or third install. No container names, no module list, no usage data, no IP-geo info beyond what any HTTPS request reveals.
  • Our service responds with whether the key is valid and how many activations remain. The response is cached on your server so day-to-day dashboard use continues to work offline.
  • License activation is optional. SparkBox runs without it; activation only enables auto-updates with rollback.

Support

  • SparkBox does not provide support over email. All support is delivered through the public d/sparkbox community forum on demox.world. Posts in d/sparkbox are public — anyone (including search engines) can read them. Do not include passwords, API keys, license keys, or other sensitive data in your post.
  • The forum is monitored by Tom Spark personally and by other community members. Tom reads every thread and answers as he can, usually within a day; community members often jump in faster.
  • For legal, privacy, or DMCA matters only, you may contact legal@tomsparkbox.com. This address is not for product support.

Third Parties We Use

We use a small number of third-party services to run the product. Each only receives the minimum data needed:

  • Cloudflare — hosts the website, serves release files, provides CDN and DDoS protection. Receives standard web traffic metadata.
  • Resend (transactional email service) — used to deliver license keys to your email address on activation. Subject to their own privacy policy.
  • Email provider — delivers license keys and one-time legal notices. Receives your email address and the content of those messages. Not used for support.
  • Anthropic — powers the AI Troubleshooting feature. When you use AI Troubleshooting, your messages are sent through our account to Anthropic's Claude API for response generation. Anthropic does not train their models on customer API data. On our side, we log the sanitized (credential-free) conversation for up to 90 days for diagnostic improvement, and keep a short-lived rate-limit counter per license (see "When you use AI Troubleshooting" above).
  • Amazon Associates / affiliate networks — if you click an affiliate link on our website (UGREEN, Corsair, Hostinger, Surfshark, Incogni), you are taken to that third party's site, where their own privacy policy applies. We receive anonymous commission tracking data from these networks.

Cookies

The tomsparkbox.com website uses minimal cookies:

  • Essential cookies required for basic site functionality (e.g., remembering mobile menu state).
  • Cloudflare security cookies used for DDoS protection and bot detection.

We do not use analytics cookies, advertising cookies, or social media tracking pixels. You can block all cookies in your browser without breaking the site.

Data Retention

  • License key records: retained indefinitely so we can re-send lost keys (the license is perpetual).
  • Payment records: retained as required by tax and accounting law (typically 7 years).
  • Legal/privacy emails (legal@): retained for 2 years after the matter is resolved, then deleted.
  • Product support emails (support@): retained for 1 year after the conversation closes so we can reference prior threads if the same customer reaches out again. Deleted after that.
  • AI Troubleshooting conversations: the sanitized, credential-free version of each conversation is logged on our servers for up to 90 days and used to improve SparkBox (finding bugs, shipping patches, writing better guides). We never sell it and never share it for third-party AI training. Your raw, unsanitized chat history lives only on your own SparkBox server in state/chat-sessions/, is never collected, and you control its lifecycle (delete the files or run sparkbox reset --soft). We also keep a per-license request counter for rate-limiting.
  • Web server logs: retained by Cloudflare according to their policy (typically 7-30 days).

Your Rights

You have the right to:

  • Access any personal data we hold about you (primarily your email and license record).
  • Correct inaccurate data.
  • Delete your data. Note: deleting your email from our records will make it impossible for us to re-send a lost license key in the future. Your license itself continues to work because it validates offline on your server.
  • Export your data in a machine-readable format.
  • Opt out of any non-essential communications.

To exercise any of these rights, email legal@tomsparkbox.com. For product support, ask d/sparkbox on Demox — replies in seconds.

Children

SparkBox is not directed at children under 13. We do not knowingly collect personal information from children.

International Users

SparkBox is distributed globally. The small amount of data we collect (email, license records) may be stored on servers located outside your country. By activating a license, you consent to this transfer.

If you are in the EU or UK, you have rights under GDPR. We consider ourselves bound by GDPR principles globally, regardless of your location.

Security

We take reasonable security precautions to protect the data we hold: encrypted transport (HTTPS), encrypted storage where appropriate, and limited access to sensitive records. However, no system is perfectly secure. We will notify affected users of any data breach as required by applicable law.

Changes to This Policy

We may update this policy from time to time. Material changes will be announced on the website. Continued use of SparkBox after changes constitutes acceptance.

Contact

Privacy questions or data requests: legal@tomsparkbox.com

Product support (community forum, not email): d/sparkbox on demox.world

Website: https://tomsparkbox.com