As stated here, the GDPR specifically prohibits the use of long, convoluted terms and condition statements, particularly statements that contain legalese. Any request for consent, declaration of terms, or statement of privacy must be presented clearly and concisely, and without any ambiguity of meaning.
The classical CIA information security protection goals, i.e. confidentiality (C), integrity (I) and availability (A), have been extended here for privacy protection through 3 concepts and under each one I am putting related questions of the checklist of the amazing site Terms of Service Didn't read.
As separating data and processes:
- How long do they keep your private data and what do they use it for?
- What happens to your data when they get acquired or when they shut down the service?
- Can you export your data (where applicable)?
As adequate level of clarity in the relevant data processing:
- Does the service use first-party and/or third-party cookies?
- Can they change the terms at any time?
- How do they work with third parties (contractors they use)?
- How do they work with government requests?
- How do they handle decisions about suspension of your account when they feel you breached the terms?
- Do they (try to) prohibit you from going to court against them?
One check I would add is: Do they share their business model, how they make money?
For me, the most complicated issue to tackle is the following but at least GDPR covers the most obvious cases:
Right related to automated decision making including profiling
Changing habits like blocking trackers contributes not only to avoiding a dystopian future of big data affecting my ability to get a job, a social Security scheme, or a loan but reduces also my chances of internet addiction.
After all, I don't want trillion dollar companies to make money from my behavior.
As the possibility for parties to be involved in the relevant process:
- Do they claim copyright (or what sort of license) over your content (where applicable)?
- Do you have a right to leave the service?
First of all it makes clear which is the business model:
Spark’s business model is simple: It’s free for individual users, yet it makes money by offering Premium plans for teams and organizations.
They talk about purpose limitation
We don’t use your data for any other purposes. [...] We won’t ask for more data than is needed to provide you with the service.
And they summarize the purpose by saying:
Some of the purposes for processing the data provided by you include:
Providing you with the services
Improving our services
Notifying you of any changes in our services
For example, they say "Your email is safe and we do not use it for profiling or targeting."
They clarify that "We always delete your data once it’s no longer necessary" and the retention period is specified at the section "HOW LONG PERSONAL DATA IS STORED FOR" of the policy.
Note the Security is not Privacy, it is a precondition for Privacy otherwise what the data you provide to the service are also exposed to unethical hackers.
"You can either exercise your rights by deleting your account and all information associated with it from your device or by emailing us at email@example.com." and "Spark is GDPR and CCPA compliant, and you have the right to get access to your data or require its deletion. We are committed to dealing with all privаcy requests promptly and transparently."
The service is located in Germany, a country that cares about Privacy.
So overall, the service gives a good impression as most services have eitheir no information, or have information that you need to pay a lawyer to understand it.