Spark Mail by Readdle promised privacy but didn’t deliver it.
[My original blog post](https://supertachyon.wordpress.com/2019/07/13/short-review-of-privacy-policies-of-spark-mail/)
> (1) **Spark Application (the “App”) and Spark for Teams Service (the “Service”)** are brought to you by Readdle, Inc. (the “Data Controller” of your personal data). Consequently, “We”, “Us” and “Ours” refers to the Data Controller.
> (2) OAuth login or mail server credentials: Spark requires your credentials to log into your mail system in order to receive, search, compose and send email messages and other communication. Without such access, our Product won’t be able to provide you with the necessary communication experience. In order for you to take full advantage of additional App and Service features, such as “send later”, “sync between devices” and where allowed by Apple – “push notifications” **we use Spark Services.** Without using these services, none of the features mentioned above will function.
> (3) **Email content while using Spark Services**: We allow you and your colleagues to create teams within the Service. It allows you to have a secure space where you share information such as email conversations, shared email drafts, have private discussions, or create links to specific emails. **This information is stored on our secure servers** in order to make Services available to you, so you can collaborate with your teammates around email.
The technical terms are defined in (1). The ‘bad guy’ here is the so-called Spark Services, which is not even explicitly defined anywhere. We can see that the email content while using Spark Services is stored on their server from (3). From the first sight, we might mistake Spark Services with Team Services due to the wording in (3). However, Spark Services are *always* used regardless if we the team features, as indicated in (2).
**To summarise these concerning paragraphs, our email account credentials and email contents are *always* stored on their server for *some* features to function, even if we do not opt into these features, such as Team Services and Push Notifications.**
In the [official blog post](https://blog.readdle.com/how-we-handle-your-account-information-in-spark-1b42f4acef73) by their co-founder Alex Tyagulsky, they promised to give users the option to not storing account credentials on their servers, as quoted below:
> Some people raised a question about why do we store access tokens even if you have decided not to use Push Notifications. It’s a valid question and, in the next update of Spark, we will change this behaviour. Spark will not send your account information to our servers if you decide to not use Push Notifications when adding your account for the first time. Please note that this will disable other server side features as well. Also, if you enabled Push Notification on first launch, we will transfer the information needed to access your account to our server. To delete it, you can either disable “Allow Notifications” switch in Spark Settings or delete Spark from your iPhone.
However, since they introduced Team Services in Spark 2.0, there has been no such option anywhere. Spark just silently upload all credentials to their servers without any ‘explicit consent’ and without opting into Team Services. The real update in 2.0 was to enforce the data exploitation. This issue was also discussed in a [blog post](https://jan.rychter.com/enblog/spark-email-app-why-i-dont-use-it-anymore-2018-07-20) last year.
In my opinion, if not for privacy concerns, Spark is probaby one of the best third-party email clients on iOS, along with Canary and Airmail. But both of Canary and Airmail offer fetch notifications to not storing credentials on servers. Spark should also offer similar option as a premium feature. Users should have the choice to pay with “private data” or just money.