Privacy Policy

Last updated: June 28, 2026

My Creativity Box, Inc., a Delaware corporation ("Spok", "we", "us") operates the Spok platform at spok.vc. This Privacy Policy explains how we collect, use, and protect your information.

1. Information We Collect

Account Information

When you create an account, we collect your name, email address, and profile picture via Google OAuth. We do not store your Google password.

Content You Provide

We store the data you create within the Service: companies, notes, documents, investments, LP records, and other fund-related content. This is your data and you retain full ownership.

Email Data

If you use our email agent feature (forwarding emails to agent@app.spok.vc) or Gmail import, we process email content to extract company information, contacts, and attachments. Email content is processed and stored within your fund's data.

Google API Services Disclosure

Spok's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

When you connect your Google account, Spok may access:

  • Gmail messages (read-only) to identify deal-related emails and extract company information, contacts, and meeting details for your pipeline.
  • Gmail attachments, to download and analyze pitch decks, financial documents, and other deal materials.
  • Email metadata (sender, recipient, subject, date) to classify and organize communications by company.
  • Google Drive folders and files you choose (read-only), to import selected company data-room materials, preserve nested folder context, export Google Docs, Sheets, and Slides to PDF when needed, classify document types, and extract deal information for authorized members of your fund.

If you connect Google Drive, Spok imports only the Drive folder you choose for a company data room, including nested files in that selected folder. Spok does not scan your entire Drive outside the folder you choose.

Spok does not:

  • Send, modify, or delete your emails or Drive files.
  • Use Gmail or Google Drive data for advertising or marketing purposes.
  • Sell Gmail or Google Drive data.
  • Share Gmail or Google Drive data with third parties except as needed to provide the Service (AI analysis via Anthropic and Google, as described below), for security or abuse investigation, as required by law, or with your explicit consent.
  • Allow human review of Gmail or Drive content except with your explicit consent, for security or abuse investigation, or as required by law.

You can disconnect your Google account or Google Drive and delete imported email or Drive data at any time from your account, fund, or company data-room settings.

Usage Data

We collect anonymous usage analytics via Plausible Analytics, a privacy-focused analytics service that does not use cookies or track personal information. We may also collect error logs and performance metrics to improve the Service.

2. How We Use Your Information

  • To provide and maintain the Service.
  • To process your Content through AI features (research reports, document extraction, email classification).
  • To send transactional emails (account notifications, billing).
  • To improve the Service based on aggregate usage patterns.
  • To comply with legal obligations.

3. AI Processing

When you use AI features, your Content may be sent to third-party AI providers:

  • Anthropic (Claude), for research report generation and document extraction.
  • Google (Gemini), for email classification, thread categorization, and content analysis of Gmail data.

These providers process data under their enterprise terms and do not use your data for model training. AI processing is performed on-demand only when you trigger specific features.

4. Data Sharing

We do not sell or share your personal data. We may share data:

  • With AI providers as described above, to deliver AI features.
  • With infrastructure providers (hosting, database, file storage) as necessary to operate the Service.
  • When required by law, court order, or governmental authority.
  • With your consent, such as when you use share links to share company profiles externally.

5. Data Security

  • All data is encrypted in transit (TLS 1.2+) and at rest.
  • Multi-fund data isolation ensures complete separation between funds.
  • Role-based access control (GP/Ops roles) limits data visibility within your organization.
  • We conduct regular security reviews of our infrastructure and codebase.

6. Cookies

We use essential cookies only for authentication (session management). We do not use tracking cookies, advertising cookies, or third-party analytics cookies. Our analytics provider (Plausible) is cookie-free.

7. Data Retention

  • Your Content is retained for as long as your account is active.
  • After account cancellation, data is retained for 30 days then permanently deleted.
  • You may export all data at any time in CSV or JSON format.
  • Backup copies may persist for up to 90 days after deletion.

8. Your Rights

You have the right to:

  • Access your data at any time through the Service or data export.
  • Correct inaccurate data.
  • Delete your account and all associated data.
  • Export your data in a portable format.
  • Object to processing of your data.

9. International Data Transfers

The Service is hosted on infrastructure that may process data in multiple regions. We ensure appropriate safeguards are in place for any international data transfers.

10. Children's Privacy

The Service is not intended for use by anyone under 18 years of age. We do not knowingly collect personal information from children.

11. Changes to This Policy

We may update this Privacy Policy periodically. We will notify you of material changes via email at least 30 days in advance.

12. Contact

Questions about this Privacy Policy? Contact us at hendrik@nzvc.co.nz.