Moss and Spark LogoMoss & Spark

Legal

Privacy Policy

Effective date: May 19, 2026

This Privacy Policy describes how Moss and Spark LLC, a California limited liability company (“Moss and Spark,” “we,” “us,” or “our”), collects, uses, and discloses personal information when you visit mossandspark.com and any related subdomains (including client portals at *.mossandspark.com), engage us for services, or otherwise interact with us (collectively, the “Services”).

We aim to be straightforward about what we collect and why. If anything here is unclear, email support@mossandspark.com and we’ll explain.

1. Information we collect

1.1 Information you provide directly

  • Contact and inquiry information. When you contact us, book a discovery call, request a proposal, or submit a form, we collect your name, email address, phone number, company, role, and anything you choose to write in your message.
  • Engagement and billing information. If you become a client, we collect information needed to deliver and bill for our Services, including business contact details, billing address, project scope, deliverables, and order references (e.g., MS-YYYY-NNN).
  • Portal account information. If we provision a client portal account, we collect a username, email address, password (stored hashed), and any data you upload or generate inside the portal (project files, comments, configuration).
  • Communications. Records of emails, support tickets, meeting notes, and chat messages exchanged with us.

1.2 Information collected automatically

  • Usage and device data. When you visit the Services, our hosting and application infrastructure may log your IP address, browser type and version, referring and exit pages, operating system, date/time stamps, and pages viewed.
  • Cookies and similar technologies. We use a small number of strictly necessary cookies and equivalent storage to keep you signed in to the client portal, remember security tokens, and prevent abuse. We also use product analytics (currently PostHog) to understand how visitors use our website — for example, which pages are viewed and which features are used. We do not run advertising or cross-site tracking cookies.

1.3 Information from third parties

  • Payment processors. When you pay an invoice, our payment processor (Stripe) collects your payment details directly and shares limited information with us (such as your name, billing address, last four digits of the card or bank account, transaction status, and invoice metadata). We do not receive or store full card numbers.
  • CRM and scheduling tools. Information you submit through our scheduling tool, intake forms, or partner referrals may be synchronized into our customer relationship management system.

2. How we use information

We use the information we collect to:

  • provide, operate, maintain, and improve the Services;
  • respond to inquiries, proposals, and support requests;
  • deliver contracted work, manage projects, and produce deliverables;
  • issue invoices and process payments;
  • send service communications, including authentication emails, transactional notices, invoice notifications, and changes to terms;
  • secure the Services, including detecting and preventing fraud, abuse, and security incidents;
  • comply with our legal obligations and enforce our agreements; and
  • with your consent or where otherwise permitted by law, send you occasional updates about our work. You can opt out at any time.

3. Legal bases for processing (EU/UK visitors)

If you are located in the European Economic Area, the United Kingdom, or Switzerland, we rely on the following legal bases under the GDPR or UK GDPR:

  • Contract. To perform a contract with you or take pre-contractual steps at your request.
  • Legitimate interests. To operate and improve the Services, secure them against abuse, and communicate with prospective clients, where our interests are not overridden by your rights and freedoms.
  • Consent. Where we ask for it, such as for optional marketing emails. You may withdraw consent at any time.
  • Legal obligation. To comply with applicable law, regulation, or lawful request.

4. How we share information

We do not sell personal information. We share it only as follows:

  • Service providers. We share information with vendors who help us run our business under written agreements that restrict their use of the information. Categories include hosting and infrastructure, database and authentication, email delivery, payment processing, customer relationship management, scheduling, file storage, analytics, and AI tooling used to deliver client work.
  • Professional advisers. Lawyers, accountants, and insurers, when reasonably necessary.
  • Legal and safety. When required by law, subpoena, or court order, or where we believe in good faith that disclosure is necessary to protect rights, safety, or property.
  • Business transfers. In connection with a merger, acquisition, financing, reorganization, or sale of assets, subject to standard confidentiality protections.
  • With your direction or consent. For example, when you ask us to integrate with a third-party system on your behalf.

5. International data transfers

We are based in the United States, and our service providers may process information in the United States and other countries. Where required, we rely on appropriate safeguards (such as the Standard Contractual Clauses) for transfers of personal information out of the European Economic Area, United Kingdom, or Switzerland.

6. Data retention

We keep personal information for as long as needed to provide the Services, meet our legal, accounting, and tax obligations, resolve disputes, and enforce our agreements. Project files and client-portal data are typically retained for the duration of the engagement plus a reasonable archive period; financial records are retained for the period required by law (generally at least seven years).

7. Security

We use administrative, technical, and physical safeguards designed to protect personal information, including encryption in transit, access controls, hashed credentials, and limited staff access on a need-to-know basis. No system is perfectly secure; we cannot guarantee absolute security but we work to address vulnerabilities promptly.

8. Your rights and choices

8.1 California residents (CCPA/CPRA)

Subject to certain exceptions, California residents have the right to:

  • know what categories and specific pieces of personal information we have collected;
  • request deletion of personal information we collected from you;
  • request correction of inaccurate personal information;
  • opt out of the “sale” or “sharing” of personal information — we do not sell or share personal information as those terms are defined under California law;
  • limit the use of sensitive personal information — we do not use sensitive personal information for purposes that would trigger this right; and
  • be free from discrimination for exercising these rights.

You may exercise these rights by emailing support@mossandspark.com. We will verify your request and respond within the time required by law. Authorized agents may submit requests on your behalf with written authorization.

8.2 EU/UK/Swiss residents

You have the right to access, correct, delete, or port your personal information, to restrict or object to certain processing, and to withdraw consent at any time. You also have the right to lodge a complaint with your local supervisory authority.

8.3 Marketing emails

You can opt out of marketing emails using the unsubscribe link in any such email. Even if you opt out, we may still send you transactional or service messages (e.g., invoices, security alerts).

9. Children

The Services are not directed to children under 16, and we do not knowingly collect personal information from children. If you believe a child has provided us with personal information, contact us and we will delete it.

10. Do Not Track

Our Services do not respond to “Do Not Track” browser signals because there is no consistent industry standard for them. We do, however, honor the limited data choices described above.

11. Changes to this Policy

We may update this Privacy Policy from time to time. When we do, we will revise the “Effective date” above and, if the changes are material, we will provide additional notice (such as an email or a banner on the Services). Continued use of the Services after an update means you accept the revised Policy.

12. Contact us

If you have questions about this Privacy Policy or our handling of your personal information, contact us at:

Moss and Spark LLC
Attn: Privacy
Email: support@mossandspark.com

See also our Terms of Service.