Privacy Policy
Last updated: June 10, 2026
The Short Version
TomSparkBox is a privacy-first product built by a privacy-first company. We don't want your data, we don't collect your data, and we don't sell your data. The software runs entirely on your hardware. We have no access to what runs on your server, who uses it, or what they do with it.
This policy explains the small amount of data we do collect — exclusively to run the website, deliver licenses, and provide support.
What We Don't Collect
- No tracking, profiling, or ads in the TomSparkBox software. The dashboard, modules, and apps don't build a profile of you, serve ads, or carry any per-install identifier. When you update, the software sends an anonymous release-health ping — which version you moved to, whether it succeeded, and which (if any) apps failed to come back healthy, with no identifier and nothing tied to your box — so we can catch a bad release. Crash reporting is separate, opt-in, and off by default; if you turn it on, crash reports carry a random per-install ID (a UUID generated on your box, not derived from anything about you) so we can tell whether ten reports are one box or ten. License activation is described below. That's the whole of it.
- No data from your self-hosted apps. Your Pi-hole logs, Vaultwarden passwords, Jellyfin library, Nextcloud files, and everything else stays on your server. We never see it.
- Sanitized logging of AI Troubleshooting conversations for product improvement. The AI Troubleshooting feature routes through our Anthropic API to provide diagnostic help. Before any message leaves your TomSparkBox server, an on-device sanitizer strips credential-shaped strings (API keys, passwords, tokens, SSH/PGP keys). The resulting credential-free conversation — your question and the assistant's reply — is logged on our side for up to 90 days and used to find class-level TomSparkBox bugs faster and turn recurring problems into shipped patches, guides, and docs updates. Your raw, unsanitized chat history stays only on your own server (
state/chat-sessions/) and is never collected. We never sell these conversations and never share them for third-party AI training. See the "When you use AI Troubleshooting" section below for details.
- Sanitized fix outcomes for product improvement. When Tom AI's agentic mode proposes a fix you choose to run (e.g. restarting a service or repairing permissions), it records — for the same diagnostic-improvement purpose above — which fix ran, whether it resolved the issue, and a credential-free, truncated description of the symptom. This carries no conversation text and no
.env values. We use it to learn which fixes actually work and to stop recommending ones that don't. You can opt a server out entirely by setting SB_AGENT_TELEMETRY=0.
- No analytics on the website beyond basic privacy-respecting hit counts. We do not use Google Analytics or any tracking scripts.
- No tracking pixels, no third-party cookies, no ad networks.
What We Do Collect
When you visit tomsparkbox.com
- Anonymous request logs. Our hosting provider (Cloudflare) receives standard web request logs: IP address, timestamp, page requested, user agent. These are retained by Cloudflare for security purposes and are not used for tracking.
- A preference cookie only if you interact with features that need it. No tracking cookies.
When you activate a free license
- Email address. Required to mint your free personal-use license key. We use it only to deliver the key, to look it up if you lose it, and to send a one-time legal notice if anything important changes about your license.
- License key history. We store your license key associated with your email so we can re-send it or help recover access if you lose it.
When TomSparkBox checks for updates
- An anonymous HTTP request to get.tomsparkbox.com to check the latest version. This request includes no identifying information beyond a standard HTTP user agent and your server's IP address (visible to any HTTP request).
When TomSparkBox validates your license
- On activation and periodically thereafter (roughly once per week), your TomSparkBox dashboard makes an HTTPS request to
webhook.tomsparkbox.com. The request contains: your license key, a random install ID (generated once per install, used only to count activations against the 3-install cap), and optionally your email if you're activating on a second or third install. No container names, no module list, no usage data, no IP-geo info beyond what any HTTPS request reveals.
- Our service responds with whether the key is valid and how many activations remain. The response is cached on your server so day-to-day dashboard use continues to work offline.
- License activation is optional. TomSparkBox runs without it; activation only enables auto-updates with rollback.
Support
- Product support is delivered through the public d/sparkbox community forum on demox.world (email at [email protected] handles billing and refunds only). Posts in d/sparkbox are public — anyone (including search engines) can read them. Do not include passwords, API keys, license keys, or other sensitive data in your post.
- The forum is monitored daily by the TomSparkBox team and by other community members — every thread gets an answer, usually within a day; community members often jump in faster.
- Support replies are AI-assisted. Replies from the @tomspark account are a mix of Tom and an AI support agent running under his guidance (this is also noted on the account's profile). If you ask whether you're talking to the AI, it will tell you honestly.
- For legal, privacy, or DMCA matters only, you may contact [email protected]. This address is not for product support.
Third Parties We Use
We use a small number of third-party services to run the product. Each only receives the minimum data needed:
- Cloudflare — hosts the website, serves release files, provides CDN and DDoS protection. Receives standard web traffic metadata.
- Resend (transactional email service) — used to deliver license keys to your email address on activation. Subject to their own privacy policy.
- Email — license keys and one-time legal notices are delivered via Resend (above); [email protected] receives billing/refund emails you choose to send.
- Anthropic — powers the AI Troubleshooting feature. When you use AI Troubleshooting, your messages are sent through our account to Anthropic's Claude API for response generation. Anthropic does not train their models on customer API data. On our side, we log the sanitized (credential-free) conversation for up to 90 days for diagnostic improvement, and keep a short-lived rate-limit counter per license (see "When you use AI Troubleshooting" above).
- Amazon Associates / affiliate networks — if you click an affiliate link on our website (UGREEN, Corsair, Hostinger, Surfshark, Incogni), you are taken to that third party's site, where their own privacy policy applies. We receive anonymous commission tracking data from these networks.
Cookies
The tomsparkbox.com website uses minimal cookies:
- Essential cookies required for basic site functionality (e.g., remembering mobile menu state).
- Cloudflare security cookies used for DDoS protection and bot detection.
We do not use analytics cookies, advertising cookies, or social media tracking pixels. You can block all cookies in your browser without breaking the site.
Data Retention
- License key records: retained indefinitely so we can re-send lost keys (the license is perpetual).
- Payment records: retained as required by tax and accounting law (typically 7 years).
- Legal/privacy emails (legal@): retained for 2 years after the matter is resolved, then deleted.
- Product support emails (support@): retained for 1 year after the conversation closes so we can reference prior threads if the same customer reaches out again. Deleted after that.
- AI Troubleshooting conversations: the sanitized, credential-free version of each conversation is logged on our servers for up to 90 days and used to improve TomSparkBox (finding bugs, shipping patches, writing better guides). We never sell it and never share it for third-party AI training. Your raw, unsanitized chat history lives only on your own TomSparkBox server in
state/chat-sessions/, is never collected, and you control its lifecycle (delete the files or run sparkbox reset --soft). We also keep a per-license request counter for rate-limiting.
- Web server logs: retained by Cloudflare according to their policy (typically 7-30 days).
Your Rights
You have the right to:
- Access any personal data we hold about you (primarily your email and license record).
- Correct inaccurate data.
- Delete your data. Note: deleting your email from our records will make it impossible for us to re-send a lost license key in the future. Your license itself continues to work because it validates offline on your server.
- Export your data in a machine-readable format.
- Opt out of any non-essential communications.
To exercise any of these rights, email [email protected]. For product support, ask d/sparkbox on Demox — replies in seconds.
Children
TomSparkBox is not directed at children under 13. We do not knowingly collect personal information from children.
International Users
TomSparkBox is distributed globally. The small amount of data we collect (email, license records) may be stored on servers located outside your country. By activating a license, you consent to this transfer.
If you are in the EU or UK, you have rights under GDPR. We consider ourselves bound by GDPR principles globally, regardless of your location.
Security
We take reasonable security precautions to protect the data we hold: encrypted transport (HTTPS), encrypted storage where appropriate, and limited access to sensitive records. However, no system is perfectly secure. We will notify affected users of any data breach as required by applicable law.
Changes to This Policy
We may update this policy from time to time. Material changes will be announced on the website. Continued use of TomSparkBox after changes constitutes acceptance.