Privacy Policy

Last updated: July 13, 2026

1. Introduction

Litmus Labs, Inc., doing business as Sparkles ("we," "our," or "us"), is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our AI-powered coding assistant service at sparkles.dev.

2. Information We Collect

Account Information

When you create an account, we collect information provided through our authentication provider (WorkOS), including your name, email address, and profile picture. Authentication is handled via RS256-signed JWT tokens verified against WorkOS's public keys.

Third-Party Integrations

When you connect third-party services such as GitHub, Google, Slack, Linear, Notion, or Sentry, we access only the data necessary to provide our services. OAuth authorization is managed through WorkOS Pipes: provider access tokens are vended on demand for tool calls and are not stored locally in our database, except for the native Slack bot installation fallback described in our security documentation. For GitHub, this includes repository names, file contents, and commit history for repositories you explicitly grant us access to.

Google Account Data

If you connect a Google account, we may access your Google profile information (such as your name and email address) and any Google API data you authorize through the requested scopes, such as Google Drive or Google Calendar content. We use this data only to provide the features you request, do not sell it, and do not use it to train AI models. You can revoke Sparkles' access at any time through your Google Account security settings or by disconnecting the integration in Sparkles.

Code and Project Data

Your code is processed in isolated, per-user sandbox environments powered by Modal. Each user receives their own dedicated container with complete filesystem isolation. Project files are stored temporarily within your sandbox, and project metadata and history are persisted to our database to ensure service continuity when your sandbox becomes inactive.

Environment Secrets

If you store environment variables or secrets for your projects, these are encrypted using AES-256-GCM encryption with per-user keys derived via PBKDF2 (100,000 iterations, SHA-256). Encrypted secrets are stored in our database and can only be decrypted within your isolated sandbox environment.

Conversation Data

We store your conversations with the AI assistant to provide context-aware assistance and enable conversation history features. Conversations are scoped to your projects and cannot be accessed by other users.

Usage Information

We automatically collect certain information about your device and usage patterns, including IP address, browser type, operating system, and interaction data with our service.

3. How We Use Your Information

  • To provide, maintain, and improve our AI coding assistant services
  • To process your code in secure, isolated sandbox environments
  • To generate AI-powered code suggestions and modifications
  • To create pull requests on your behalf when requested
  • To communicate with you about your account and our services
  • To ensure the security and integrity of our platform
  • To comply with legal obligations

4. AI Processing

Your code and conversations are processed by AI models (including Claude by Anthropic) to provide coding assistance. Code snippets and conversation context are sent to AI providers for processing. We do not use your code to train AI models without your explicit consent.

5. Data Sharing

We do not sell your personal information. We may share your information with:

  • Service Providers: Third-party services that help us operate our platform (e.g., Cloudflare for infrastructure, Modal for sandbox isolation, Anthropic for AI processing, WorkOS for authentication, PostgreSQL for database services)
  • GitHub: To perform actions on repositories you've authorized
  • Legal Requirements: When required by law or to protect our rights

6. Data Security

We implement comprehensive security measures to protect your data:

  • Sandbox Isolation: Each user receives a dedicated Modal sandbox container with complete memory, storage, and execution isolation. There is no cross-user data access possible at the infrastructure level.
  • Encryption in Transit: All data transmission uses TLS 1.2 or higher. API calls between services use Cloudflare service bindings (direct RPC) rather than network requests where possible.
  • Encryption at Rest: Environment secrets are encrypted using AES-256-GCM with per-user derived keys (PBKDF2, 100,000 iterations). Database and cloud storage providers implement their own encryption at rest.
  • Authentication: JWT tokens are verified using RS256 asymmetric signatures against WorkOS's JWKS endpoint. Every API request validates token authenticity, expiration, and user ownership.
  • Ownership Verification: All database queries and API requests verify that the requesting user owns the requested resource before returning any data.
  • Rate Limiting: API endpoints are rate-limited per user to prevent abuse (e.g., 10 chat requests/minute, 60 general requests/minute).

However, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security.

7. Data Retention

We retain your account information and conversation history for as long as your account is active. Sandbox project metadata and history are persisted to our database when a sandbox becomes inactive and restored when you return. You may request deletion of your data at any time, which triggers removal of all associated data including database records and sandbox environments.

8. Your Rights

Depending on your location, you may have the following rights:

  • Access and receive a copy of your personal data
  • Rectify inaccurate personal data
  • Request deletion of your personal data
  • Object to or restrict processing of your data
  • Data portability
  • Withdraw consent at any time

9. Cookies and Tracking

We use essential cookies for authentication and session management. We may use analytics tools to understand how our service is used. You can control cookie preferences through your browser settings.

10. Children's Privacy

Our service is not intended for children under 13 years of age. We do not knowingly collect personal information from children under 13.

11. International Data Transfers

Your information may be transferred to and processed in countries other than your own via Cloudflare's global edge network. We ensure appropriate safeguards are in place for such transfers.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page and updating the "Last updated" date.

13. Contact Us

If you have any questions about this Privacy Policy, please contact us at dan@sparkles.dev

Dev build

Commit
6a1de6
Built
3 hours ago
Database
local
Schema
public