First of all, thank you to everyone who has asked us question about use of your account information in Spark. Below, you can find a description of how Spark works as of now.
Almost all things in Spark happen on the device itself. However, there are some functions that require server side email processing to work. In Spark, these are:
1. Push Notifications about new emails.
2. Read Receipts.
3. Sending emails from Apple Watch.
Spark’s server needs to check and send emails from your email account for these functions to work. And to achieve this, we need to store your email account’s access token. For services with OAuth authentication, like Gmail or Outlook, it’s special application specific token that you can revoke at any moment from your email account in the web. For services like Yahoo, AOL and Exchange accounts, this access token is your email login and password.
Given a choice, we would prefer to not have access to your login and password information, because it’s a huge responsibility to store them safely. However, since many email services still haven’t implemented OAuth, we have to.
To make everything as safe as possible, we are not using our own servers or any overhyped cheap hosting provider but rely on the most advanced and secure solution available in the industry – Amazon AWS. This is where almost any well known tech company – Dropbox and AirBnB, for example – is storing and processing their users’ data.
All connections to our servers are protected with TLS. The Amazon AWS databases are encrypted, and to make things even more secure we additionally encrypt your password in the database. It makes it totally unreadable by a human being.
Some people raised a question about why do we store access tokens even if you have decided not to use Push Notifications. It’s a valid question and, in the next update of Spark, we will change this behaviour. Spark will not send your account information to our servers if you decide to not use Push Notifications when adding your account for the first time. Please note that this will disable other VPS server side features as well. Also, if you enabled Push Notification on first launch, we will transfer the information needed to access your account to our server. To delete it, you can either disable “Allow Notifications” switch in Spark Settings or delete Spark from your iPhone.
When you delete Spark from all your devices, we remove all your account information from our database as soon as we are aware.
This is pretty much it.