by Etheryte 1848 days ago
I've actually read their terms of service and rechecked out of curiosity right now — I fail to find anything along the lines of what you mention. In addition, that doesn't make technical sense: how would they store credentials for 2FA?
1 comments

It does make technical sense: I haven't looked at Spark for a long time, but there are many mail services which route your email access through their own services so they can add features (e.g. snoozing emails). They don't need 2FA credentials (otherwise, for example, every time you fetched email from the server using a standard IMAP connection you would have to input a TOTP, which you don't). They can either use OAuth for some of these services or generate a token which provides specific access.

Correct. Gmail is an example of token-based access. And usually there’s not much to object to if such services are upfront about what they’re doing and why.

If they don’t state that explicitly in their terms of service it’s even more problematic.

From their landing page:

> Spark is fully GDPR compliant, and to make everything as safe as possible, we encrypt all your data and rely on the secure cloud infrastructure provided by Google Cloud.

Why would they even need a “cloud infrastructure” if they weren’t providing additional services?

This could lead to issues with an employer if you chose to use Spark and, without recognizing it, exported your company login information to a third party, probably even to a different legal jurisdiction.