Privacy Policy
This Privacy Policy describes how BizTransit Sdn Bhd, operating as Sprapp ("we", "us", "our"), collects, uses, and protects information when you use our services at sprapp.com (the "Service").
Our privacy commitment: Sprapp is built CPU-first and on-device first. Public chat runs entirely in your browser on our own models — those conversations never reach our servers. For account-based services (hosted inference, training, and the marketplace) we collect only what we need to run them, and we never sell your data.
1. On-Device vs Hosted
Sprapp has two modes, and they handle data differently:
- On-device (public chat): Our models run in your browser via WebAssembly. Your prompts and the model's replies are processed locally and are not sent to us. There is no per-token third-party AI provider involved.
- Hosted (inference, training, marketplace): When you sign in and use hosted features, your requests are processed on our own inference engine (serve-native) running our own models. We do not route your prompts to third-party LLM providers.
2. Information We Collect
2.1 Information You Provide
- Account information: When you sign in (Google OAuth or email), we receive your name, email address, and profile picture from the identity provider. We never receive your password.
- Training data: When you train an agent, the persona, examples, or dataset you submit are processed to fine-tune a LoRA adapter. We store the resulting adapter so you can use it; we retain submitted training data only as needed to produce and support it.
- Hosted inference inputs: When you use hosted chat or the API, the prompts you send are processed by our engine to generate a response. We keep only minimal operational logs (see 2.2).
- Payment information: Marketplace and subscription payments are processed by Stripe. We do not store card numbers.
- Feedback and correspondence: If you contact us, we retain your messages and our responses.
2.2 Information Collected Automatically
- Geo-location (country level): We use Cloudflare's geo-detection to determine your country code for pricing tiers — a country-level value only (e.g., "MY"), stored as a short-lived cookie (sprapp-country, 24-hour expiry).
- Operational logs: Our infrastructure (Cloudflare and our compute providers) may log IP addresses, timestamps, and request metadata to run, secure, and rate-limit the Service.
2.3 Information We Do Not Collect
- On-device chat content (it never leaves your browser).
- Analytics/advertising trackers (no Google Analytics, pixels, or cross-site tracking cookies).
- Device fingerprints or persistent tracking IDs.
3. How We Use Your Information
- Service delivery: To run hosted inference, fine-tune your adapters, operate the marketplace, and serve the correct pricing tier.
- Account management: To create and maintain your account, authenticate sessions, and provide support.
- Communications: To respond to inquiries and send essential service notices (e.g., terms updates).
- Security: To detect and prevent abuse, fraud, and policy violations.
4. Third-Party Processors
We use a small set of service providers to operate Sprapp. They process data on our behalf under their own terms:
| Provider | Purpose |
|---|---|
| Cloudflare | Hosting, CDN, storage (R2/D1), DNS, DDoS/WAF |
| Stripe | Payments and marketplace payouts (Stripe Connect) |
| Exa | Live web search, only when you enable web grounding |
| OAuth sign-in (name, email, profile picture) | |
| Compute providers | Hosted CPU/GPU capacity that runs our own models |
When you enable web search, the query is sent to Exa to retrieve cited results. We do not route your prompts to third-party LLM providers.
5. Data Storage and Security
- Trained adapters and account data are stored on Cloudflare infrastructure (R2/D1) in our control.
- Authentication session tokens are short-lived and expire automatically.
- All connections use HTTPS/TLS encryption.
- Hosting on Cloudflare provides DDoS protection and a Web Application Firewall. Payments run through PCI-DSS-compliant Stripe.
6. Data Sharing
We do not sell, rent, or trade your personal information. We share data only with the processors in Section 4, and where required by law, regulation, or valid legal process.
7. Cookies and Local Storage
We use minimal cookies for essential functionality only. See our Cookie Policy for details.
- sprapp-country: country code for pricing (24-hour expiry)
- No advertising, analytics, or third-party tracking cookies
8. Your Rights
- Access & portability: Request a copy of your account data and trained adapters.
- Deletion: Delete specific adapters or request deletion of your account and associated data.
- Minimization: Use on-device chat without an account to minimize data collection.
- Account deletion: Contact privacy@sprapp.com to request deletion of your account data.
9. Children's Privacy
The Service is not directed to children under 13. We do not knowingly collect personal information from children under 13. If you believe a child has provided us with personal information, contact privacy@sprapp.com.
10. International Data Transfers
BizTransit Sdn Bhd is based in Malaysia. Your data may be processed in Malaysia and in jurisdictions where our infrastructure and payment providers operate. By using the Service, you consent to these transfers.
11. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via a notice on the Service. The "Effective" date indicates when this policy was last revised. Continued use after changes constitutes acceptance of the updated policy.
Contact
For privacy-related inquiries, contact us at:
Privacy Officer
BizTransit Sdn Bhd
Level 28, Lingkaran Syed Putra
Mid Valley City, Kuala Lumpur 59200, Malaysia
Email: privacy@sprapp.com