Privacy Policy

Last updated: June 8, 2026

Welcome to SageVox. Your privacy matters to us. This Privacy Policy explains how we collect, use, store, and protect your personal data when you use our voice-first learning companion — including our website, web application, conversations with Sage, programs, and mastery features (collectively, the "Services").

Scope. This policy applies when you use the Services as an individual learner or visitor. It does not apply where SageVox processes personal data solely on behalf of another organization as a processor (for example, a future enterprise deployment with a separate contract).

This policy should be read with our Terms of Service, Cookie Policy, and Foundations.

1. Who collects your data?

SageVox is the data controller. SageVox, Inc. ("SageVox", "we", "us", or "our") decides how and why your personal data is collected and used when you use the Services.

Contact: privacy@sagevox.com Legal: legal@sagevox.com

2. What data do we collect?

Data you provide directly

  • Account and identity data — email address and authentication identifiers when you create an account or sign in (handled through Supabase Auth).
  • Profile data — preferences, goals, and other fields you choose to save in your learner profile.
  • Waitlist and marketing sign-ups — email address when you join our pre-launch waitlist or newsletter; used only for SageVox access and product news unless you opt in to broader marketing.
  • Conversation input ("Input") — messages, prompts, and voice transcripts you submit to Sage.
  • Payment and billing data — if you purchase paid programs, billing details processed by our payment provider (we do not store full payment card numbers on our application servers).
  • Support communications — information you send when you contact us.

Data generated when you use the Services

  • Mentor output ("Output") — responses generated by Sage from your Input.
  • Learning state — mastery records, concept progress, spiral metadata, and bounded evidence summaries associated with your account.
  • Technical and usage data — IP address, browser type, device information, request logs, and operational metrics needed to run and secure the Services.
  • Interaction logs — aggregated metadata about requests (for example latency, token usage, retrieval counts) for reliability and cost observability; we design these logs to avoid storing full conversation text in operational dashboards by default.

Cookies — as described in our Cookie Policy (for example sage_theme and Supabase session cookies).

3. Why do we use your personal data?

We use personal data for the following purposes and lawful bases (where GDPR applies):

  • Provide and maintain the Services (contract) — authenticate you, deliver conversations, programs, mastery updates, voice and text features, and account management.
  • Personalize your learning experience (contract / legitimate interests) — adapt pacing and focus using your profile, bounded conversation history, and mastery state; we use summarized recent context, not unbounded full history, in generation prompts.
  • Security and abuse prevention (legitimate interests / legal obligation) — protect accounts, enforce rate limits, detect misuse, and maintain service integrity.
  • Support and debugging (contract / legitimate interests) — respond to your requests and fix errors affecting the Services.
  • Product improvement (legitimate interests) — understand aggregated usage and reliability; we do not use your private conversation threads to train public AI models.
  • Communications (consent or contract) — send product notices, waitlist updates, and (with consent where required) marketing about SageVox.
  • Legal compliance (legal obligation) — comply with law, respond to lawful requests, and resolve disputes.
  • Exercise your privacy rights (legal obligation) — process export, deletion, and other requests.

4. AI generation and curated knowledge

Transient prompts to our AI provider. To generate mentor responses, we send only the minimum context required — system instructions, relevant profile excerpts, summarized recent conversation history, and bounded curated excerpts retrieved for your question — to our AI inference provider (currently xAI). We do not send full corpora or unbounded conversation archives to the model provider.

No training on your private threads. We do not use your private conversations to train public foundation models. Provider terms and data processing agreements govern how inference requests are handled.

Curated curriculum hosting. Expert-vetted learning material used for retrieval may be indexed and stored in xAI Collections (separate from your personal learner database). That corpus is product content, not your private threads. It is hosted under provider contractual terms (including documented restrictions on use of Collections data for training).

Output accuracy. AI-generated Output may be inaccurate. Do not rely on it as professional medical, legal, or financial advice. See our Foundations.

Voice. When you use browser voice features, audio is processed for transcription and playback under the same principles as text, subject to your device and browser capabilities.

5. Cookies

We use a minimal set of cookies as described in our Cookie Policy. We do not currently use analytics or advertising cookies on our domains.

6. How long do we keep your data?

We retain personal data only as long as needed for the purposes above, including:

  • Account and learner state — while your account is active and for a limited period thereafter where needed for backup, security, or legal compliance.
  • Conversations and mastery records — while your account exists unless you delete your account or we delete data as part of a supported export/deletion flow.
  • Waitlist emails — until you unsubscribe or we no longer need the list for its stated purpose.
  • Technical logs — for operational and security periods aligned with our retention practices (typically rolling months, not indefinite).
  • Legal holds — longer where required for tax, billing, disputes, or regulatory obligations.

Not yet available: selective erasure of individual conversations ("forget this thread") is not offered today. Account-level export and deletion are available from Profile.

7. Who do we share your data with?

We do not sell your personal data. We share data only with service providers that help us operate the Services, under contracts that require appropriate safeguards:

  • Supabase — authentication (Supabase Auth) and hosted Postgres for learner state (profile, conversations, mastery, waitlist tables). Supabase processes data on our instructions as a processor. Their terms and privacy policy apply to their platform services: supabase.com/terms, supabase.com/privacy. Under the Supabase Terms of Service, SageVox remains responsible for learner content we store and configure in our project; we implement access controls, encryption in transit, and least-privilege credentials.
  • xAI — AI inference for mentor responses and hosting/search of curated curriculum in Collections. Transient generation prompts and curated corpus hosting are governed by xAI's applicable terms and data processing terms.
  • Payment processors — when you purchase paid access, payment data is handled by the processor we select (not stored as raw card data on our application servers).
  • Professional advisers and authorities — where required by law, court order, or to protect rights, safety, and security.

Authorized SageVox personnel may access personal data strictly on a need-to-know basis to operate and support the Services.

8. International transfers

Our providers may process data in the European Union, the United States, or other countries. Where personal data is transferred outside the EEA/UK, we rely on appropriate safeguards such as Standard Contractual Clauses and provider commitments, unless an adequacy decision applies.

9. Your rights

Depending on your location (including if you are in the EEA or UK), you may have the right to:

  • Access a copy of your personal data
  • Rectify inaccurate data
  • Delete your data
  • Restrict or object to certain processing
  • Data portability
  • Withdraw consent where processing is consent-based
  • Lodge a complaint with your local supervisory authority

In-app controls. Signed-in learners can:

  • Export learner data from Profile (GET /api/v1/app/account/export)
  • Delete their SageVox account from Profile (DELETE /api/v1/app/account); this removes application data we control. Supabase Auth identity may require a separate support step — see export notes in the app.

To exercise other rights, contact privacy@sagevox.com. We may need to verify your identity before responding.

10. Security

We use administrative, technical, and organizational measures designed to protect personal data, including access controls, encrypted transport, and separation of learner data from curated corpus hosting. No method of transmission or storage is completely secure; we cannot guarantee absolute security.

11. Children

The Services are not directed at children under sixteen (16). We do not knowingly collect personal data from children below that age without required parental consent.

12. Changes to this policy

We may update this Privacy Policy when our practices or legal requirements change. Material changes will be reflected by updating the "Last updated" date and, where appropriate, by email or in-product notice. Continued use after the effective date constitutes acceptance where permitted by law.

13. Contact

Questions about this Privacy Policy or your personal data:

SageVox, Inc. Email: privacy@sagevox.com