What is source-led English learning?

Source-led learning uses a real cultural artifact — a painting, poem, study, philosophical question, or news story — as the spine of a language lesson. Students acquire vocabulary and grammar through the source rather than from a textbook unit.

What CEFR level should I study at?

CEFR levels range from A1 (beginner) to C2 (mastery). Most adult learners returning to English after school are B1 (intermediate). A placement test or a short conversation with a teacher can identify your level in under 10 minutes.

What makes a good ESL conversation lesson?

A clear speaking outcome, a concrete anchor that prevents drift, language pitched at the declared level, and tasks that make every student talk. If only the teacher or the strongest student speaks, the lesson has failed.

Do ESL students need textbooks?

Textbooks provide structure but often lack authentic material and real speaking time. Supplementing or replacing textbook units with source-led lessons gives students richer input and more talk time per hour.

Legal · Privacy

Privacy policy.

The boring-but-important page about the data we collect, why we collect it, and the rights you have over it. We wrote the plain-English gloss so you can skim in sixty seconds.

Effective 22 April 2026Last updated 19 May 2026Home Privacy Terms

Who we are

Sparks (the “Service”) is operated by Soldato Matthew James, an Italian sole trader (ditta individuale). We are the data controller for all personal data processed through sparksesl.com and any subdomain we operate.

Our identification details, as registered with the Italian Chamber of Commerce and Agenzia delle Entrate:

Registered name: Soldato Matthew James
Registered address: Via Torino 2, 20831 Seregno (MB), Italy
Codice Fiscale: SLDMTH99T02B729X
Partita IVA / EU VAT: IT13444260965
Privacy contact: privacy@sparksesl.com
General contact: hello@sparksesl.com

We have not appointed a Data Protection Officer because our processing does not meet the thresholds in GDPR Art. 37. We are established in Italy and process personal data from our Italian establishment, so no representative under EU GDPR Art. 27 is required for processing carried out by Sparks itself. For any privacy question, write to the privacy email above. We respond within thirty days as required by GDPR Art. 12, extendable by up to two further months for complex requests with written notice and reasons.

Because we offer the Service to users in the United Kingdom on an ongoing basis, UK GDPR Art. 27is likely to require us to appoint a UK representative. We are putting this in place ahead of our paid launch; once appointed, the representative’s name and contact address will be published here. Until then, UK users can reach us at the privacy email above and we will honour all UK GDPR rights directly.

Records of Processing (GDPR Art. 30)

We maintain an internal Register of Processing Activities (Registro dei Trattamenti) as required by GDPR Art. 30(1). The Register documents purposes, categories of data, recipients, retention periods, transfer safeguards, and the security measures summarised in §9. It is available to the Garante on request.

Data Protection Impact Assessment (GDPR Art. 35)

We have assessed our processing against the Italian Garante’s list of operations requiring a Data Protection Impact Assessment (Provv. n. 467/2018) and concluded that no DPIA is required: we do not engage in large-scale profiling, systematic monitoring of public areas, processing of special-category or criminal data, evaluation of vulnerable individuals, or other listed high-risk operations. We will reassess if any of those circumstances change.

What data we collect

We collect the minimum data needed to run the Service. We do not buy personal data from third parties, and we do not enrich your profile from data brokers.

Category	Examples	Source
Account data	Email address, password (sent over TLS to our login provider Supabase, which stores it as a salted hash — we do not store or see your password), display name if provided	You, at signup
Authentication session	Signed session token; a coarse browser signal (user-agent string, IP address class, and session-token age) used to detect when a session token is being used from an obviously different device than the one it was issued to. We do not run canvas fingerprinting, font enumeration, audio fingerprinting, or any persistent cross-site identifier. Strictly necessary cookie names and durations are documented in this policy.	Generated when you sign in
Teacher workspace (stored in your browser)	Lessons you save or shortlist, student group labels and notes you define, any class-capture notes you type during a live class, and product preferences. This data is stored only in your browser (localStorage), not on our servers — so you control it directly. Because roster and class-capture notes can contain other people’s personal data, we ask you to keep them minimal (first names at most); you remain responsible for what you record about your students.	Your activity in the product, kept on your device
Browser-side preferences	Theme choice (light/dark), cookie consent record	Your browser, when you change a preference or respond to the cookie banner
Billing metadata (when paid subscriptions launch)	When paid subscriptions launch: subscription plan, start and renewal dates, Paddle customer ID, invoice references	Paddle, as Merchant of Record (when paid subscriptions launch, this will be the only category we receive from a third party under GDPR Art. 14 — see §4)
Technical and security logs	User agent, referring URL, request timestamps, error stack traces, and a salted hash of your IP address(used for rate-limiting and abuse-prevention — we do not retain the raw IP for this purpose)	Your browser when it contacts our servers
Performance & error telemetry	Core Web Vitals (performance metrics), error messages and stack traces, the page URL, and a hashed IP — reported to our own endpoints (`/api/vitals` and `/api/csp-report`) to diagnose faults and keep the Service reliable and secure	Your browser when it loads or reports an error on a page
Support correspondence	Emails you send us and our replies	You, when you write in

We do not collect payment-card details, bank information, billing addresses, or tax IDs. When paid subscriptions launch, those will be collected and held by Paddle (see §4). We do not process special-category data (GDPR Art. 9) and do not ask for any.

Is providing this data mandatory?

Under GDPR Art. 13(2)(e) we tell you whether each category is required and what happens if you refuse:

Account data (email and password) is contractually required: if you do not provide it, we cannot create your account and you cannot use the Service.
Billing metadata (when paid subscriptions launch) will be required to process your subscription and to meet Italian tax law (legal obligation under GDPR Art. 6(1)(c)). Paddle will collect it directly.
Authentication session and technical and security logs (including the salted hash of your IP and the performance/error telemetry) are technically necessary to deliver the Service and to keep it reliable and secure; they cannot be opted out of while you use the Service.
Support correspondence is only collected if you write to us; you do not have to.

Source of data received from third parties (GDPR Art. 14)

When paid subscriptions launch, the billing metadata listed above will be received from Paddle (not collected directly from you). Under GDPR Art. 14 the source of this category will be Paddle.com Market Ltd (United Kingdom) acting as Merchant of Record. We do not currently receive any personal data from a third party; we collect everything directly from you and generate the technical logs automatically. The data is not obtained from publicly accessible sources, data brokers, or any other third party.

Why we use it, and on what legal basis

Purpose	Data used	Legal basis (GDPR Art. 6)
Create and maintain your account; deliver the Service you subscribed to	Account, authentication, usage	Performance of a contract (6(1)(b))
When paid subscriptions launch: process subscriptions, renewals, refunds and invoicing through Paddle	Billing metadata	Performance of a contract (6(1)(b)) and legal obligation (6(1)(c))
Keep the Service secure: rate limiting, abuse detection, bot mitigation	Technical and security logs (incl. salted IP hash), session data	Legitimate interests (6(1)(f)) — our interest in preventing fraud, abuse, and security incidents that would harm other users and the integrity of the Service. We have carried out a balancing test (LIA) and concluded that this interest is not overridden by your interests or fundamental rights, given the minimisation, short retention, and absence of profiling
Diagnose faults and keep the Service reliable and secure: performance and error telemetry (`/api/vitals`, `/api/csp-report`)	Core Web Vitals, error messages/stack traces, page URL, hashed IP	Legitimate interests (6(1)(f)) — our interest in keeping the Service reliable and secure. We have carried out a balancing test (LIA), and the data is minimised (no raw IP is retained for this purpose) and short-lived
Answer your support requests	Support correspondence, account	Performance of a contract (6(1)(b)) and legitimate interests (6(1)(f))
Remember your interface preferences (theme, cookie choice)	Browser-side preferences	Legitimate interests (6(1)(f)) for theme (no consent needed; no personal data leaves the browser); legal obligation (6(1)(c)) for the cookie consent record, kept as evidence under the Garante 2021 cookie guidelines
Comply with Italian tax and accounting law (e.g. art. 2220 c.c., DPR 600/1973)	Billing metadata	Legal obligation (6(1)(c))
Send transactional emails you need to receive (sign-up confirmation, password reset, and, when paid subscriptions launch, billing receipts and important service notices)	Email address, account identifier, event context	Performance of a contract (6(1)(b)) and legal obligation (6(1)(c))
Analytics and product measurement, if and when we enable it	Usage, pseudonymised identifiers	Consent (6(1)(a)), collected through the cookie banner

We do not carry out automated decision-making or profiling that produces legal or similarly significant effects on you (GDPR Art. 22). If that ever changes, we will update this policy and, where required, ask for your explicit consent.

Right to object to legitimate-interest processing (GDPR Art. 21)

Where we rely on legitimate interests, you have the right to object at any time on grounds relating to your particular situation (GDPR Art. 21(1)). Write to privacy@sparksesl.com and we will stop the processing unless we demonstrate compelling legitimate grounds that override your rights, or the processing is necessary for the establishment, exercise, or defence of legal claims. You can also request a summary of the balancing test (LIA) we performed for any specific purpose.

Who processes your data for us

We rely on a small number of providers chosen after a documented due-diligence assessment against GDPR Art. 28. Each one is bound by a Data Processing Agreement (“DPA”) with us under its standard GDPR Art. 28 processor terms and, where data leaves the EEA, Standard Contractual Clauses (Implementing Decision (EU) 2021/914) and/or relies on the EU–US Data Privacy Framework adequacy decision of 10 July 2023. The current list of subprocessors:

Provider	Role	Where it runs	Safeguard
Vercel Inc.	Hosting, edge runtime, request logs	United States, with EU edge regions	DPF + SCCs
Supabase Inc.	Authentication and identity store (holds your account data, sets the sign-in cookie, and sends our authentication emails)	United States	DPF + SCCs
Resend	Transactional email — delivers the account messages you need (for example, sign-up confirmation and password reset). Wired as Supabase’s custom SMTP provider	United States	DPF + SCCs
Upstash, Inc.	Rate-limiting and abuse-prevention (stores a salted hash of your IP, not your IP address)	United States	DPF + SCCs
Paddle.com Market Ltd (when paid subscriptions launch)	When paid subscriptions launch: Merchant of Record — takes payments, issues invoices, collects and remits VAT and sales tax, handles chargebacks and refunds. Paddle is not wired today	United Kingdom, with US and EU processors	UK IDTA / SCCs; UK adequacy

Email

We send transactional email only— the account and security messages you need, such as sign-up confirmation and password reset. We do not run a newsletter or send marketing email. These messages are delivered by Resend, wired as our login provider Supabase’s custom SMTP.

Paddle as Merchant of Record (when paid subscriptions launch)

When paid subscriptions launch, your counterparty for the purchase transaction will be Paddle.com Market Ltd, not Sparks. Paddle will act as a separate data controller for the payment data it collects (card details, billing address, tax status). Paddle’s own privacy notice applies to that processing and is available at paddle.com/legal/privacy. Sparks will only ever receive a customer reference, the subscription state, and the invoice number from Paddle. We will not see, store, or have access to your card details. Paddle is not wired into the Service today.

Disclosure to authorities

We will disclose personal data to a public authority only when required by Italian or EU law, or by a binding order from a competent court. When legally permitted, we will notify the affected user first.

No sale of personal data

We do not sell, rent, or trade personal data. We do not share personal data with advertising networks or data brokers.

Sub-subprocessors and updates

Our processors rely on infrastructure providers of their own (for example, Supabase and Vercel build on Amazon Web Services and Cloudflare). Each of our processors maintains its own public list of subprocessors, which forms part of the chain we are accountable for under GDPR Art. 28 and EDPB Opinion 22/2024 on processors and sub-processors. We review those lists at least annually. If we add or change a processor that meaningfully affects what we do with your data — in particular if it expands transfers outside the EEA — we will update this page and email registered users at least 30 days in advance, as described in §10.

EU Data Act assessment

We have assessed the EU Data Act (Regulation (EU) 2023/2854, applicable from 12 September 2025) and determined that its provisions on connected products and IoT data sharing do not apply to Sparks, which is a software-as-a-service offering and not a connected product. The Data Act’s cloud-switching provisions in Chapter VIII apply to our infrastructure providers; we will document their portability and termination-assistance commitments in our processor due-diligence file.

International transfers

Personal data is stored in the European Economic Area where we can, but several subprocessors (Vercel, Supabase, Resend, and Upstash) operate from the United States. For those transfers we rely on:

the European Commission’s adequacy decision for the EU–US Data Privacy Framework (10 July 2023), where the provider is DPF-certified; and
Standard Contractual Clauses (Implementing Decision (EU) 2021/914) together with any supplementary technical measures we determine are appropriate, as a fallback and for non-DPF recipients.

When paid subscriptions launch, for transfers to Paddle in the United Kingdom we will rely on the European Commission’s UK adequacy decision(28 June 2021). Paddle’s own onward-transfer mechanisms to its US and EU subprocessors (DPF and SCCs) and its full subprocessor list are published at paddle.com/legal/dpa.

We verify the DPF certification status of each US recipient at least annually via the official US Department of Commerce list at dataprivacyframework.gov/list. If a recipient’s certification lapses, we fall back to SCCs with supplementary measures while we evaluate alternatives. A copy of the SCCs or DPA for any recipient is available on request to privacy@sparksesl.com.

How long we keep your data

We apply the storage-limitation principle (GDPR Art. 5(1)(e)): personal data is kept in identifiable form only for as long as necessary for the purpose for which it was collected, or as required by Italian or EU law. The table below sets the maximum retention for each category.

Category	Retention	Why
Account data, saved lessons, group labels, preferences (excluding open support tickets and items below)	While your account is active, plus 30 days after deletion request	Allow recovery of an accidentally deleted account
Browser-side UI preferences (theme)	Until you change it or clear browser storage	Remember your light/dark selection
Technical and security logs (salted IP hash, user agent, request URL)	30 days under normal operation; up to 6 months if needed for a live security investigation	Abuse detection and incident response
Billing metadata and invoices (when paid subscriptions launch)	10 years from the end of the fiscal year	Italian civil code art. 2220 and DPR 600/1973
Support correspondence	24 months from last reply	Quality, dispute-handling, and improving our support knowledge base
Cookie consent record	Up to 6 months, or until you withdraw it	Prove consent and avoid re-prompting (Garante 2021 guidelines)
Performance & error telemetry (Core Web Vitals, error traces)	Not retained — our telemetry endpoint processes these reports in memory and does not currently store them	Diagnose faults and keep the Service reliable and secure

When a retention period expires, we delete or irreversibly anonymise the data. Backups containing personal data roll over within 35 days.

Your rights

Under GDPR Articles 15 to 22 and Italian D.Lgs. 196/2003 as amended, you have the right to:

Access the personal data we hold about you, and receive a copy in a commonly used format;
Rectify inaccurate or incomplete data;
Eraseyour data (“right to be forgotten”), subject to the retention periods in §6 where we are legally required to keep records;
Restrict our processing while a request is being handled;
Be told who we told— have any rectification, erasure, or restriction communicated to each recipient your data was disclosed to, unless that proves impossible or disproportionate (GDPR Art. 19);
Object to processing based on our legitimate interests, including for direct marketing;
Port data you have provided to us to another service, where processing is based on consent or contract and carried out by automated means;
Withdraw consent at any time (without affecting the lawfulness of processing carried out before withdrawal);
Not be subjectto a decision based solely on automated processing that produces legal effects — we do not carry out such processing today.

How to exercise them

Email privacy@sparksesl.com from the address on your account. For formal communications, you may also write by registered post to the address in §1. Standard email is sufficient for rights requests and is treated by us as an equivalent channel under GDPR Art. 12. We may ask for reasonable proof of identity if there is doubt about who is making the request. We answer within 30 days (extendable by up to two further months for complex requests, with written notice and reasons). Requests are free. We may refuse or charge a reasonable fee only if requests are manifestly unfounded or excessive, and we will explain why in writing (GDPR Art. 12(5)).

Data portability mechanism

For portability requests, we provide an export of your account data, saved lessons, group labels, and preferences in a machine-readable JSON archive within 30 days. When paid subscriptions launch, the Paddle billing metadata will be exportable directly from Paddle’s customer portal.

Right to lodge a complaint

You can complain to the Italian supervisory authority, Garante per la protezione dei dati personali— Piazza Venezia 11, 00187 Roma; email protocollo@gpdp.it; PEC protocollo@pec.gpdp.it; complaint form at garanteprivacy.it/modulistica/reclamo. You may also complain to the supervisory authority in your EU country of habitual residence, place of work, or place of the alleged infringement (GDPR Art. 77). You do not have to contact us first.

Right to a judicial remedy (GDPR Art. 79)

Separately from the right to complain to the Garante, you have the right to an effective judicial remedy against us or against any of our processors before the Italian ordinary courts (GDPR Art. 79; D.Lgs. 196/2003 art. 152). You can also bring proceedings in the courts of your EU country of habitual residence. Choosing to complain to the Garante does not prevent you from also bringing court proceedings.

Your US privacy rights (California & other states)

We offer the Service in the United States. Depending on your state of residence (for example California under the CCPA/CPRA, and the comparable laws of Virginia, Colorado, Connecticut, Utah, and other states), you may have the right to:

Know and access the personal information we have collected about you;
Delete the personal information we hold about you;
Correct inaccurate personal information;
Port a copy of your personal information in a portable, machine-readable format;
Opt out of the sale or sharing of your personal information, of targeted (cross-context behavioural) advertising, and of profiling for decisions that produce legal or similarly significant effects;
Appeal a refused request, in states that grant an appeal right; and
Use an authorized agent to submit a request on your behalf.

We do not sell or share your personal information, and we do not use it for cross-context behavioural advertising or for profiling. There is therefore nothing for you to opt out of today, and we have no “Do Not Sell or Share My Personal Information” obligation. If that ever changes, we will honour Global Privacy Control (GPC) signals and add the required opt-out link. We do not discriminate against you for exercising any of these rights.

Categories we collect (CCPA)

In the terms of the CCPA, the categories of personal information we collect are: identifiers (email address, display name, hashed IP), internet or other network activity (technical and security logs, performance and error telemetry), and the content you save (the lessons you save, download, or create, and the student group labels you define). The business and commercial purposes for which we collect each category, and how long we keep it, are set out in §3 and §6. We disclose these categories only to the service providers listed in §4, and only so they can perform services for us.

How to exercise your US rights

Email privacy@sparksesl.com. We will verify your identity in a manner proportionate to the sensitivity of the request and the risk of harm, respond within the timeframe your state law requires, and will not discriminate against you for asking.

Children

The Service is intended exclusively for adult ESL teachers. It is not directed at children. You must be at least 18 years old to create an account. We do not knowingly collect personal data from children. If you believe a child has created an account, please write to privacy@sparksesl.com and we will delete the account and the associated data promptly.

Italian law sets the minimum age for valid consent to information-society services at 14 (D.Lgs. 196/2003 art. 2-quinquies). Our 18+ requirement is contractual and stricter, since the Service is intended for professional adult ESL teachers.

Security

We take technical and organisational measures appropriate to the risk (GDPR Art. 32), including:

TLS 1.2+ for all traffic between you and us, and between us and our subprocessors;
encryption at rest for databases and backups;
authentication is handled by our processor Supabase: your password is sent over TLS to Supabase, which stores it as a salted hash — Sparks does not store your password;
least-privilege access controls for the one-person operations team, with hardware-key-based 2FA;
audit logging on administrative actions;
dependency and vulnerability review at least quarterly, plus continuous automated scanning;
email correspondence is delivered over TLS-encrypted SMTP between our mail provider and most major email hosts; the body of email is not end-to-end encrypted — if you need to send sensitive information, write to us first and we will agree a secure channel (ePrivacy confidentiality of communications, D.Lgs. 196/2003 artt. 122–123).

No system is perfectly secure. If we ever detect a personal data breach likely to result in a risk to your rights and freedoms, we will notify the Garante within 72 hours and, where the risk is high, notify you directly through the email address on file for your accountwithout undue delay (GDPR Art. 33–34).

Changes to this policy

We may update this policy from time to time. The “Last updated” date at the top of the page always reflects the current version. For materialchanges — a new purpose, a new subprocessor that expands international transfers, a change of legal basis — we will notify registered users by email at least 30 days before the change takes effect, and re-surface the cookie banner where the change affects non-essential processing. Continued use of the Service after the effective date means you accept the updated policy; if you do not, you can cancel and request erasure per §7.

The version in force on the date you signed up governs our handling of your data unless and until we notify you of a material change and the change takes effect as described above. Prior versions are archived and can be requested from privacy@sparksesl.com.

Contact

Privacy questions, rights requests, and complaints: privacy@sparksesl.com.

Postal mail: Soldato Matthew James — Via Torino 2, 20831 Seregno (MB), Italy.