Privacy Policy

Last Updated: August 3, 2025

Introduction

Welcome to SageTalk. This Privacy Policy outlines how SynapseCore OÜ, an Estonian company ("we," "us," or "our"), collects, uses, and protects your information when you use our SageTalk desktop application (the "Application") and related services (the "Services").

As a company based in the Republic of Estonia, our data processing practices are governed by the General Data Protection Regulation (EU) 2016/679 (GDPR). This policy is designed to ensure our compliance with GDPR and other relevant data protection laws, such as the California Consumer Privacy Act (CCPA).

Information We Collect

Information You Provide to Us

  • Account Information: When you authenticate using your Google account, we receive your email address, first name, last name, and a URL to your profile picture.
  • Payment Information: When you subscribe, our payment processor, Stripe, handles the transaction. We receive a Stripe Customer ID and your subscription status. We do not collect or store your full payment card details.
  • User-Generated Content: We collect and store any custom AI prompts you provide in the Application's settings.

Information Processed for Core Functionality (With Your Explicit Consent)

To provide real-time AI assistance, and only if you provide your explicit, informed consent, the Application captures and processes:

  • Media Data: This sensitive data consists of:
    • Visual Data: Still frames (as JPEGs) from your selected source (entire screen, application window, or webcam).
    • Audio Data: Audio from your microphone, processed into PCM format.

Information Stored Locally on Your Device

  • Authentication Token: A refresh token is stored on your computer to maintain your session. This token is encrypted.
  • Consent Records: Your decision to grant or deny consent for Media Data processing is stored locally. This record is also encrypted.

How and Why We Use Your Information (Legal Basis)

  • To Provide Our Service (Performance of a Contract): We use your Account Information and Payment Information to create and manage your account, process subscriptions, and deliver the core features of the Application as agreed in our Terms and Conditions.
  • For AI-Powered Features (Explicit Consent): We process your Media Data only after you have given your explicit consent. This is the sole legal basis for capturing your screen, webcam, or audio for AI analysis. You can withdraw this consent at any time in the Application's settings.
  • For Security and Service Improvement (Legitimate Interests): We have a legitimate interest in protecting your account, preventing fraud, and analyzing aggregated, non-identifiable usage data to improve our Service. We ensure that our legitimate interests do not override your fundamental rights and freedoms.
  • To Comply with Legal Obligations: We may be required to process certain data to comply with legal or regulatory obligations in the European Union.

Data Sharing and International Transfers

We do not sell your personal information. We share it only with essential third-party service providers ("Data Processors" or "subprocessors") who are contractually bound to protect it.

Our Subprocessors:

  • Google LLC (United States): Used for AI processing of your consented Media Data via the Gemini API and for Google Sign-In authentication.
  • Stripe, Inc. (United States): Used for processing payments and managing subscriptions.
  • Google Cloud Platform (United States): Hosting our backend application and database.

Our Commitment to Lawful International Transfers: Your data is transferred to and processed in the United States. As a company based in the EU, we ensure such transfers are lawful and that your data remains protected through legally-approved mechanisms.

Our primary legal mechanism for these transfers is the Standard Contractual Clauses (SCCs), as approved by the European Commission. These SCCs are integrated into our Data Processing Agreements (DPAs) with all our non-EU subprocessors.

As required by the Schrems II ruling of the Court of Justice of the European Union, we have also conducted a Transfer Impact Assessment (TIA) to evaluate the risks associated with transferring data to the United States. To mitigate the identified risks (such as potential access by U.S. public authorities), we have implemented the following supplementary measures:

  • Technical Safeguards: All data is protected by strong encryption in transit (TLS 1.2+) and at rest (AES-256). Critically, your raw Media Data is processed ephemerally (in-memory) and is never stored on our or our subprocessors' servers, drastically minimizing the data available for access.
  • Contractual Safeguards: Our agreements with subprocessors include robust obligations to challenge government access requests and to notify us of such requests to the extent legally permissible.

By combining the legal framework of the SCCs with these robust supplementary measures, we ensure that your data remains protected, secure, and under your control.

Data Security

  • Encryption in Transit: All data is encrypted using TLS (HTTPS/WSS) during transmission.
  • Encryption at Rest: Your custom AI prompts are encrypted in our database using AES-256-GCM. Refresh tokens and consent records are encrypted on your local device.
  • Hashing: Refresh tokens are additionally hashed on our server using bcrypt.
  • Secure Infrastructure: Our database is isolated within a private VPC on Google Cloud Platform, not exposed to the public internet.

Data Retention

  • Account Information & User Content: Retained for as long as your account is active. This data is permanently deleted from our primary systems within 30 days of you deleting your account.
  • Media Data: We do not store your raw Media Data (screen content, audio) on our servers. This data is streamed for real-time processing and is not retained by us.
  • Backup Archives: Anonymized or pseudonymized data may be kept in secure backup archives for a limited period (e.g., up to 12 months) for disaster recovery and legal compliance, after which it is permanently deleted.

Your Data Protection Rights

Under GDPR, you have the following rights regarding your personal data:

  • Right to Access: You can request a copy of your personal data.
  • Right to Rectification: You can correct inaccurate data or complete incomplete data.
  • Right to Erasure ("Right to be Forgotten"): You can request the deletion of your personal data. You can do this directly by deleting your account in the Application's settings.
  • Right to Withdraw Consent: You can withdraw your consent for Media Data processing at any time in the settings, without affecting the lawfulness of processing based on consent before its withdrawal.
  • Right to Restrict Processing: You have the right to request the restriction of your data's processing under certain conditions.
  • Right to Data Portability: You can request that we transfer your data to another organization or directly to you.
  • Right to Lodge a Complaint: You have the right to lodge a complaint with a supervisory authority. Our Lead Supervisory Authority is the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon - AKI).

To exercise any of these rights, please contact us at the email address provided below.

Specific Information for California Residents (CCPA)

This section supplements our Privacy Policy and applies solely to residents of California.

Your Rights: California residents have specific rights, including the right to know about the personal information we collect and the right to request its deletion. We do not "sell" or "share" your personal information as defined by the CCPA.

Automated Decision-Making Technology (ADMT): The SageTalk Service is an AI-powered assistant that uses ADMT. You have the right to request meaningful information about the logic involved in our ADMT processes and a description of the likely outcomes. You also have a right to opt out of the use of ADMT for certain profiling purposes. To exercise any of your California privacy rights, please contact us.

Cookie Policy

We use essential and analytical cookies on our website and in our Application. For detailed information on the cookies we use and for instructions on how to manage your consent, please see our standalone Cookie Policy.

Children's Privacy

Our Services are not intended for individuals under the age of 16. We do not knowingly collect personal information from children.

Contact Us

For any questions or to exercise your rights, please contact us:

  • Company: SynapseCore OÜ
  • Email: support@sagetalk.ai
  • Address: Harju maakond, Tallinn, Põhja-Tallinna linnaosa, Telliskivi tn 57, 10412
  • Lead Supervisory Authority: Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon - AKI)