Privacy Policy

1. Introduction

This Privacy Policy explains how Sage ("Sage", "we", "us", or "our") collects, uses, shares, and protects personal data when you visit our website, join our waitlist, create an account, or use our AI-powered creative advertising platform (collectively, the "Service"). "You" means the individual using the Service or, where you are using it on behalf of an organisation, that organisation. By using the Service, you confirm that you have read and understood this Policy. If you do not agree, do not use the Service.

Sage is the data controller for personal data processed in connection with the Service, unless stated otherwise. You can contact us at support@asksage.co.

2. Personal data we collect

Information you provide. When you sign up for the waitlist we collect your email. When you create an account or use the Service, we collect your name, email address, authentication credentials, billing information (processed by our payment provider), brand, product and audience information you add during onboarding, images you upload (including product images and, if you choose to upload them, images containing people), chat messages and prompts, feedback, and any other content you submit.

Information collected automatically. We and our service providers collect technical and usage data such as IP address, device and browser identifiers, operating system, language, referring URL, pages viewed, features used, timestamps, error logs, and similar diagnostics. We use cookies and similar technologies (see Section 4).

Information from third parties. If you sign in through a third-party provider (for example, Google), we receive the information that provider is authorised to share with us (typically name, email, and a unique identifier). We may also receive limited information from analytics, fraud-prevention, and advertising-platform integrations that you or your organisation configure.

Content generated by the AI. When you use our AI features, we also process the inputs you send and the outputs returned by our AI providers, including images and text generated on your behalf.

3. How we use personal data and legal bases

We process personal data for the following purposes and, where the GDPR applies, on the following legal bases:

• Providing the Service — creating and maintaining your account, processing your prompts and inputs, generating outputs, and making features available (performance of a contract).
• Billing and administration — processing payments, invoicing, tax and accounting (performance of a contract and legal obligation).
• Security, abuse prevention, and integrity — detecting and preventing fraud, misuse, abuse, and violations of our Terms of Service, including review of content flagged as potentially illegal, deceptive, or unsafe (legitimate interests and legal obligation).
• Service improvement and analytics — understanding how the Service is used and improving features, models, and reliability (legitimate interests). We do not use your content to train publicly available third-party AI foundation models without a lawful basis and appropriate safeguards; where applicable, we rely on our AI providers' contractual commitments limiting training on customer content.
• Communications — sending transactional messages, product updates, and, where permitted, marketing communications you can unsubscribe from at any time (legitimate interests or consent).
• Legal compliance and defence — complying with law, responding to lawful requests, and establishing, exercising, or defending legal claims (legal obligation and legitimate interests).
• Corporate transactions — in the context of a merger, acquisition, financing, restructuring, insolvency, or sale of assets (legitimate interests), with notice where required.

4. Cookies and similar technologies

We use strictly necessary cookies to run the Service (for example, to keep you signed in), and we may use functional, analytics, and performance cookies to remember preferences and understand usage. Where required by law, non-essential cookies are only set with your consent through our cookie banner. You can manage cookies in your browser settings, but some features may not work correctly if you disable them. We do not use cookies for cross-site behavioural advertising to profile you on unrelated websites, and we do not sell your personal data.

5. How we share personal data

We share personal data only as needed and with appropriate safeguards, including with:

• Service providers (processors) such as cloud hosting, database and authentication providers (e.g. Supabase), AI model providers (e.g. OpenAI), email delivery, analytics, error monitoring, customer support, and payment processors. These providers act on our instructions under data processing agreements.
• Affiliates within our corporate group, under equivalent privacy standards.
• Authorities and third parties where required by law, to enforce our Terms, to protect the rights, property, or safety of Sage, users, or the public, or in connection with investigations of suspected or actual illegal activity.
• Acquirers in connection with a corporate transaction described above.

We do not sell your personal data, and we do not share it for cross-context behavioural advertising.

6. International data transfers

Sage and its providers may process personal data in the European Union and in other countries, including the United States. When we transfer personal data outside the EEA or the UK, we rely on appropriate safeguards recognised under applicable law, such as the European Commission's Standard Contractual Clauses, the UK International Data Transfer Addendum, or adequacy decisions. You may request a copy of the safeguards by contacting us.

7. Data retention

We retain personal data only for as long as reasonably necessary for the purposes described in this Policy, including for the duration of your account, to provide and improve the Service, to comply with our legal obligations (for example, tax and accounting records), to resolve disputes, and to enforce our agreements. Technical logs are typically kept for a shorter period unless needed for security or legal reasons. When your account is closed, we delete or anonymise personal data unless we are required or permitted to retain it under applicable law.

8. Your rights

Depending on where you live, you may have the right to:

• access the personal data we hold about you;
• request correction of inaccurate or incomplete personal data;
• request erasure of your personal data ("right to be forgotten");
• request restriction or object to our processing, including direct marketing;
• request data portability of data you provided to us;
• withdraw consent at any time where processing is based on consent, without affecting the lawfulness of processing based on consent before its withdrawal;
• lodge a complaint with your local data protection authority (in Italy, the Garante per la protezione dei dati personali).

To exercise your rights, contact us at support@asksage.co. We may need to verify your identity before responding. We will not discriminate against you for exercising your rights.

9. Content you upload about other people

You are responsible for ensuring that any content you upload — including product images, references, brand assets, and any images depicting identifiable individuals — can lawfully be processed by the Service. You represent and warrant that you have obtained all necessary rights, consents, and authorisations (including under data protection and image-rights laws) before uploading. You must not upload sensitive personal data, children's data, or biometric identifiers unless you have a valid legal basis and have informed us in writing.

10. Automated decision-making

The Service uses AI to generate and refine creative outputs. These outputs are suggestions; we do not make decisions that produce legal or similarly significant effects about you solely by automated means. You are always responsible for reviewing and approving AI outputs before using them.

11. Security

We implement technical and organisational measures designed to protect personal data against unauthorised access, loss, alteration, and disclosure, including encryption in transit, access controls, and vendor due diligence. No system is completely secure; we cannot guarantee absolute security, and you use the Service at your own risk in that regard. You are responsible for keeping your credentials confidential and notifying us promptly of any suspected compromise of your account.

12. Children

The Service is not directed to, and we do not knowingly collect personal data from, individuals under the age of 16 (or the equivalent minimum age in your jurisdiction). If you believe a minor has provided us with personal data, please contact us and we will take appropriate steps to delete it.

13. Third-party links and services

The Service may contain links to, or integrate with, third-party websites and services (for example, advertising platforms). We are not responsible for their privacy practices. Please review their policies before providing them with personal data.

14. Changes to this Policy

We may update this Policy from time to time. We will post the updated version on this page and revise the "Last updated" date. Where changes are material, we will provide additional notice (for example, by email or in-app notice) before they take effect. Your continued use of the Service after the effective date constitutes acceptance of the updated Policy.

15. Contact

Questions, requests, or complaints about this Policy or our handling of personal data: support@asksage.co.