Legal
Privacy Policy
Last updated: June 10, 2026
Iskra is a reputation management tool for small businesses. We take your privacy seriously and collect only what we need to provide the service. We do not sell your data.
1. Who we are
Iskra ("we", "us", "our") is operated by Iskra (heyiskra.com), based in Canada. If you have questions about this policy, contact us at support@heyiskra.com.
2. What data we collect
We collect different types of data depending on how you interact with Iskra:
Waitlist signups
- Your email address, collected when you sign up for early access on heyiskra.com.
Account and authentication
- Your Google account name, email address, and profile photo, obtained via Google OAuth when you sign in to the Iskra dashboard.
- A Firebase Authentication UID associated with your account.
Google Business Profile data
- Your business name, location ID, and business type, provided during onboarding.
- Google Business Profile OAuth access and refresh tokens, used to read reviews and post responses on your behalf. These are stored encrypted in our database and are never exposed to the browser.
- Review content fetched from your Google Business Profile, including reviewer names, star ratings, and review text.
Usage data
- Actions you take in the dashboard (approving, dismissing, or editing responses), logged to process your requests.
- Basic analytics on heyiskra.com via Google Analytics (page views, referral sources). No personally identifiable information is collected through analytics.
3. How we use your data
- To provide the Iskra service — monitoring reviews, classifying them, generating response drafts, and sending you alert emails.
- To send transactional emails (waitlist confirmations, review alerts). We do not send marketing emails without your explicit consent.
- To authenticate your account and associate your businesses with your identity.
- To improve the service — aggregated, anonymised usage patterns may inform product decisions.
4. AI processing
Review text and metadata (star rating, business type) are sent to Groq's API for classification and response generation. Groq processes this data as a sub-processor under their own privacy and data handling policies. Review text is not used to train AI models. For more, see Groq's Privacy Policy.
5. Data storage and security
Your data is stored in Google Cloud Firestore (Firebase), hosted in the United States (nam5 region). We apply the following safeguards:
- Google Business Profile OAuth tokens are stored encrypted and never sent to the browser.
- Firestore security rules restrict each user to accessing only their own business data.
- All data in transit is encrypted via HTTPS/TLS.
- API secrets and credentials are stored in Google Cloud Secret Manager, not in application code or environment files.
6. Data sharing
We do not sell your data. We share data only with the following sub-processors, strictly to deliver the service:
- Google Firebase / Firestore — database and authentication
- Google Cloud Functions — serverless backend processing
- Groq — AI classification and response generation
- Resend — transactional email delivery
- Google Analytics — anonymised website analytics
7. Data retention
- Waitlist emails are retained until you ask to be removed.
- Account and business data is retained for as long as your account is active.
- Review data is retained to provide the dashboard history and for audit purposes.
- You may request deletion of your data at any time by emailing support@heyiskra.com. We will process deletion requests within 30 days.
8. Your rights
Depending on where you are located, you may have rights under applicable privacy law (including PIPEDA in Canada and GDPR in the EU/UK) to:
- Access the personal data we hold about you
- Correct inaccurate data
- Request deletion of your data
- Object to or restrict certain processing
- Withdraw consent at any time (this will not affect the lawfulness of prior processing)
To exercise any of these rights, email support@heyiskra.com.
9. Cookies
heyiskra.com uses no tracking cookies beyond Google Analytics. The Iskra dashboard (app.heyiskra.com) uses Firebase Authentication session cookies strictly to keep you signed in. No third-party advertising cookies are used.
10. Children's privacy
Iskra is a business tool intended for adults. We do not knowingly collect data from anyone under the age of 18. If you believe a minor has provided us with personal data, contact us at support@heyiskra.com.
11. Changes to this policy
We may update this policy as the product evolves. When we make material changes, we will update the "Last updated" date at the top of this page. Continued use of Iskra after changes are posted constitutes acceptance of the updated policy.
12. Contact
Questions, requests, or concerns about this privacy policy? Email us at support@heyiskra.com. We aim to respond within 5 business days.