Privacy Policy
Read the Privacy Policy for Sponja, the AI-powered post-event follow-up platform.
Last updated: April 1, 2026
Sponja takes your privacy seriously. This policy explains what personal data we collect, why we collect it, how we use and protect it, and what rights you have over it.
1. Who We Are
Sponja is operated by Popup Moments Inc., a Delaware corporation ("Sponja," "we," "us," or "our"). We provide an AI-powered platform that helps event organizers send personalized follow-up emails to webinar and event attendees.
For privacy-related questions, contact us at hi@sponja.ai.
2. What Data We Collect
Data you provide directly
- Account information: name, email address, company name, and password when you register.
- Billing information: payment details processed and stored by Stripe. We do not store raw card numbers.
- Event and attendee data: attendee lists, registration details, and engagement signals (attendance duration, poll responses, Q&A activity, chat messages) that you upload or sync from a connected platform.
- Communications: messages you send to our support team and feedback you share about the product.
Data we collect automatically
- Usage data: pages visited, features used, actions taken in the platform, and session duration.
- Device and browser data: IP address, browser type, operating system, and referring URL.
- Cookies and similar technologies: see Section 8 below.
Data from third-party integrations
When you connect a third-party integration (such as Zoom, HubSpot, Mailchimp, ActiveCampaign, or Kit), we receive the data that integration sends us, subject to your authorization and the third party's own privacy terms. See Section 6 for details.
3. How We Use Your Data
We use your data for the following purposes and on the following legal bases:
| Purpose | Legal basis |
|---|---|
| Provide and operate the service (process attendee data, generate AI drafts and intent scores, deliver results to you) | Contract performance |
| Manage your account (authentication, payments, transactional emails) | Contract performance |
| Improve the platform (analyze aggregated, de-identified usage patterns, debug issues, develop new features) | Legitimate interests |
| Communicate with you (product updates, tips, and — where you have opted in — marketing emails) | Consent (marketing); legitimate interests (product communications) |
| Comply with legal obligations (respond to lawful requests, enforce our Terms of Service) | Legal obligation |
| Protect against fraud and abuse | Legitimate interests |
You can unsubscribe from marketing emails at any time using the link in any email we send.
4. Attendee Data: Your Role and Ours
When you upload or sync attendee data to Sponja, you act as the data controller for that data. Sponja acts as a data processor, handling it only on your instructions and in accordance with this policy.
You are responsible for:
- Obtaining all necessary consents or establishing a lawful basis to process your attendees' data.
- Ensuring your use of Sponja-generated follow-up emails complies with applicable law (CAN-SPAM, CASL, GDPR, and others).
- Responding to any attendee requests to access, correct, or delete their data.
We will not use your attendees' personal data for any purpose other than providing the service to you.
Data Processing Agreement: If you are subject to GDPR, a Data Processing Agreement (DPA) is available upon request at hi@sponja.ai. The DPA governs Sponja's obligations as a data processor under GDPR Article 28.
Attendee rights: If one of your attendees contacts us directly to exercise their data rights, we will refer them to you as the data controller and assist you in fulfilling the request. See Section 11 for more.
5. AI Processing
Sponja uses AI to generate draft follow-up emails and buyer intent scores. We are committed to transparency about how your data interacts with AI systems:
- No third-party model training: We do not permit our AI providers or any other third parties to use your data -- including attendee information, uploaded content, or generated email drafts -- to train their AI models.
- Limited internal use: We may use aggregated, de-identified usage data to improve Sponja's own features and models. This data cannot be linked back to you or your attendees.
- AI providers: We use third-party AI infrastructure to process data and generate outputs. These providers act as sub-processors under data processing agreements with Sponja and are prohibited from using your data for their own purposes.
- AI outputs: Draft emails and intent scores are probabilistic and for your review only. You are responsible for all content you send. See our Terms of Service for more.
6. How We Share Your Data
We do not sell your personal data. We share data only in the following circumstances:
Service providers (sub-processors): We share data with vendors who help us operate the platform. Key sub-processors include:
| Vendor | Purpose | Location |
|---|---|---|
| Stripe | Payment processing | USA |
| Cloud hosting provider | Infrastructure and storage | USA |
| AI infrastructure provider | AI content generation | USA |
| Analytics provider | Usage analytics | USA |
| Email delivery provider | Transactional and product emails | USA |
A current list of sub-processors is available upon request at hi@sponja.ai. We will give you reasonable advance notice of material changes to our sub-processor list.
Integrations you authorize: When you connect a third-party tool (HubSpot, Mailchimp, ActiveCampaign, Kit, or others), you authorize us to share relevant attendee data with that tool in accordance with your instructions. Each integration operates under its own privacy policy, which we encourage you to review.
Legal requirements: We may disclose data if required by law, court order, or regulatory authority, or to protect the rights and safety of Sponja, our users, or the public.
Business transfers: If Popup Moments Inc. is acquired, merges with another company, or transfers assets, your data may be transferred as part of that transaction. We will notify you before your data becomes subject to a materially different privacy policy.
7. Data Retention
We retain data for as long as necessary to provide the service and comply with legal obligations. Specific retention periods:
| Data type | Retention period |
|---|---|
| Account and profile data | Duration of account, then deleted within 30 days of account closure |
| Attendee data you upload | Until you delete it, or until account closure (then deleted within 30 days) |
| AI-generated email drafts | Until you delete them, or until account closure (then deleted within 30 days) |
| Billing and payment records | 7 years (tax and financial compliance) |
| Usage logs and analytics | 12 months, then aggregated/anonymized |
| Support communications | 3 years from last contact |
Residual copies in backup systems may persist for up to an additional 30 days before being overwritten in the normal course of operations.
Where you exercise a deletion right, we will action the request within 30 days. We may retain data longer where required by law or to resolve open disputes.
8. Cookies
We use cookies and similar technologies to keep you logged in, remember your preferences, and understand how the platform is used.
| Type | Purpose | How to opt out |
|---|---|---|
| Strictly necessary | Authentication, security, core functionality | Cannot be disabled |
| Analytics | Usage statistics to improve the product | Via your browser settings |
| Marketing | Tracking effectiveness of our own ads | Via your browser settings |
You can manage cookie preferences by adjusting your browser settings. Disabling strictly necessary cookies will affect core functionality.
We honor Global Privacy Control (GPC) signals for users in jurisdictions where required by law.
9. Security
We implement industry-standard safeguards including:
- Encryption in transit (TLS) and at rest
- Role-based access controls limiting employee access to data
- Regular security reviews and vulnerability assessments
No system is perfectly secure. In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will notify affected users and the relevant supervisory authority within 72 hours of becoming aware of the breach, as required by applicable law.
10. International Data Transfers
Popup Moments Inc. is based in the United States. If you are located outside the US, your data will be transferred to and processed in the US.
For transfers from the EU, EEA, UK, or Switzerland, we rely on:
- Standard Contractual Clauses (SCCs): approved by the European Commission for controller-to-processor transfers.
- Data Privacy Framework (DPF): where applicable, transfers are covered by DPF principles or equivalent mechanisms.
Contact us at hi@sponja.ai for a copy of our transfer safeguards or to request our DPA.
11. Your Rights (Account Users)
Depending on where you live, you may have the following rights over your personal data:
- Access: request a copy of the data we hold about you.
- Correction: request that we fix inaccurate or incomplete data.
- Deletion: request that we delete your data, subject to legal retention requirements.
- Portability: receive your data in a structured, machine-readable format.
- Objection or restriction: object to or ask us to limit certain processing.
- Withdraw consent: where we rely on consent, withdraw it at any time without affecting prior processing.
- Non-discrimination: we will not discriminate against you for exercising any of these rights (applicable to California residents under CCPA).
To exercise any of these rights, email hi@sponja.ai. We will respond within 30 days (or 45 days for complex requests). We may need to verify your identity before acting on your request.
EU/EEA residents: you also have the right to lodge a complaint with your local data protection authority.
California residents: you may also submit a request via the contact details in Section 14. For CCPA purposes, we do not sell personal information or share it for cross-context behavioral advertising.
12. Attendee Rights
If you are an event attendee whose data has been uploaded to Sponja by an event organizer, the organizer is the data controller for your personal data and is primarily responsible for responding to your rights requests.
However, you may also contact us at hi@sponja.ai. We will acknowledge your request promptly and work with the relevant organizer to ensure it is fulfilled. If we receive a deletion request we cannot refer to an organizer, we will delete your data from our systems within 30 days.
13. CAN-SPAM and Email
Sponja helps event organizers draft and send personalized follow-up emails to their attendees. The event organizer is the sender of record for all emails generated through the platform. Organizers are responsible for:
- Including a valid physical mailing address in emails sent through or with the assistance of Sponja.
- Honoring unsubscribe requests within 10 business days, as required by the CAN-SPAM Act.
- Ensuring all recipients have a legitimate relationship with the organizer (attendees of their events) and that any applicable consent requirements under CASL, GDPR, or other laws are met.
Sponja does not send commercial email to your attendees on its own behalf.
14. Children's Privacy
Sponja is a professional tool designed for business use. It is not directed at individuals under the age of 18. We do not knowingly collect personal data from anyone under 18. If you believe a person under 18 has provided us with personal data, contact us at hi@sponja.ai and we will delete it promptly.
15. Changes to This Policy
We may update this policy from time to time. We will notify you of material changes by email or by posting a notice in the platform at least 14 days before changes take effect. The "last updated" date at the top of this page reflects the most recent revision. Continued use of the service after changes take effect constitutes your acceptance of the updated policy.
16. Contact
For privacy-related questions, data subject requests, or information about our sub-processors or DPA:
Email: hi@sponja.ai
Company: Popup Moments Inc., Delaware, USA
We aim to respond to all privacy inquiries within 5 business days.
