Privacy policy
Sapvio ("we", "our", "us") is committed to protecting your personal data. This policy explains what we collect, why, the legal basis under which we process it, and how you can exercise your rights.
1. Who is responsible for your data
The data controller is Sapvio, based in Latvia. You can reach us at [email protected] for any privacy-related question.
If you require a Data Processing Agreement (DPA) for business use — for example, if you process your own customers' data through Sapvio — please contact us and we will provide one.
2. What we collect and why
Account data
When you sign up, we collect your email address, a hashed password, and (optionally) the display name you choose. We never store your password in plain text.
Legal basis: performance of contract (Art. 6(1)(b) GDPR) — we need this to give you access to your account.
Brand content
When you create a brand, the website content we extract, the brand profile we generate, your edits to that profile, your starred examples, and any content you generate are stored in our database and linked to your account. This exists so you can return to your brands across sessions.
Legal basis: performance of contract (Art. 6(1)(b) GDPR).
Images you upload
If you upload your own photos (logos or brand images), we store them in object storage hosted by Cloudflare R2. These files are accessible by URL and are referenced from your brand workspace.
Legal basis: performance of contract (Art. 6(1)(b) GDPR).
Payment information
If you subscribe to a paid plan, payment is processed by Stripe. We never see or store your full payment card number. We receive only a Stripe customer ID, your subscription status, and a record of successful payments.
Legal basis: performance of contract (Art. 6(1)(b) GDPR).
Instagram connection (optional)
If you choose to connect your Instagram account to publish posts directly, we store an encrypted Instagram access token and your Instagram username. The token allows us to publish on your behalf. You can disconnect at any time from your account settings, at which point we delete the token.
Legal basis: consent (Art. 6(1)(a) GDPR) — you choose to connect Instagram, and you can withdraw consent by disconnecting.
Collaborator information
If you invite someone to collaborate on a brand, we process their email address to send the invitation. If they accept, they create their own Sapvio account and become governed by this same policy.
Legal basis: performance of contract (Art. 6(1)(b) GDPR) for the inviter; legitimate interests (Art. 6(1)(f) GDPR) for the brief processing of the invitee's email until they accept or decline.
Usage data
We log events related to your brands — generation requests, regenerations, version restores, posts scheduled — to power your activity history and to help us improve the product.
Legal basis: legitimate interests (Art. 6(1)(f) GDPR) — improving our product and providing you with activity history. You can object to this processing by contacting us.
Technical data
We collect standard server logs (IP address, request timestamps, error traces) for debugging and security. We use Sentry to aggregate error data. These logs are retained for 30 days and are not used for profiling or marketing.
Legal basis: legitimate interests (Art. 6(1)(f) GDPR) — maintaining the security and reliability of the service.
Communications
We send transactional emails (account verification, password reset, payment receipts, inactivity reminders if you have a brand with recent inactivity).
Legal basis: performance of contract (Art. 6(1)(b) GDPR) for transactional messages. We do not send marketing emails. If we ever introduce a marketing newsletter, it will be opt-in only.
3. Third parties and international transfers
We use the following sub-processors to provide the service. Each is bound by a Data Processing Agreement and, where applicable, by Standard Contractual Clauses (SCCs) approved by the European Commission for transfers outside the EEA.
- OpenAI (United States) — generates brand profile content and copy from the data you provide. Subject to SCCs. OpenAI privacy policy. We do not allow OpenAI to use your data to train their models.
- Railway (United States) — application hosting. Subject to SCCs.
- Cloudflare (global, EU-region for R2 object storage) — DNS, CDN, and image storage. Cloudflare's standard data processing terms apply.
- Stripe (Ireland for EU customers) — payment processing. Stripe acts as an independent data controller for payment data. Stripe privacy policy.
- Brevo (Sendinblue) (France, EU) — sends transactional emails. Brevo privacy policy.
- Sentry (United States) — error monitoring. Subject to SCCs. Sentry privacy policy.
- Meta Platforms (only if you connect Instagram) — required to publish posts on your behalf. Meta's privacy policy applies to interactions with their APIs.
We do not sell your data. We do not share it with advertisers. We do not use your brand content or generated outputs to train any AI model — ours or anyone else's.
4. Data retention
Your account and brand data are retained for as long as your account is active. If you delete your account, we delete all associated brand data, generated content, uploaded images, and starred examples. Some data may be retained briefly for legal or financial obligations (for example, payment records under EU accounting law typically require retention for 5–7 years).
You can delete your account at any time from your settings, or by emailing [email protected]. We will confirm receipt of your erasure request within 72 hours and complete the deletion within 30 days.
Server logs are retained for 30 days. Sentry error data is retained for 30 days. Email send/open logs at Brevo are retained per Brevo's standard retention policy.
5. Your rights under GDPR
If you are in the EU, EEA, UK, or Switzerland, you have the following rights:
- Right of access (Art. 15) — request a copy of the personal data we hold about you.
- Right to rectification (Art. 16) — correct any inaccurate data.
- Right to erasure (Art. 17) — delete your data, subject to legal retention obligations.
- Right to restrict processing (Art. 18) — pause processing while you contest its accuracy or legality.
- Right to data portability (Art. 20) — receive your data in a structured, commonly used, machine-readable format, and transmit it to another service.
- Right to object (Art. 21) — object to processing based on legitimate interests, including for usage data.
- Right to withdraw consent — where processing is based on consent (such as the Instagram connection), you can withdraw at any time.
To exercise any of these rights, email [email protected]. We will respond within one month.
You also have the right to lodge a complaint with your national supervisory authority. As we are based in Latvia, the lead supervisory authority for this service is: Datu valsts inspekcija (DVI). You may also contact the supervisory authority in the country where you live or work. In Denmark: Datatilsynet. In Sweden: Integritetsskyddsmyndigheten (IMY). For all other EU/EEA countries, find your authority via the European Data Protection Board.
6. Cookies
We use a single session cookie to keep you logged in. See our Cookie policy for details.
7. Children
Sapvio is not intended for children under the age of 16. We do not knowingly collect data from anyone under 16. If you believe a child has provided us with personal data, please contact us and we will delete it.
8. Security
We take reasonable measures to protect your data: passwords are hashed using industry-standard algorithms, Instagram tokens are encrypted at rest, sessions use secure HTTPS-only cookies, and we apply access controls so only you (and any collaborators you invite) can see your brand data.
No system is perfectly secure. If we ever become aware of a data breach that affects your personal data, we will notify you and the relevant supervisory authority within 72 hours, as required by GDPR Art. 33–34.
9. Changes to this policy
We may update this policy as the product evolves. For material changes — anything that meaningfully changes how we process your data — we will give you at least 30 days' notice by email before the changes take effect. The date at the top of this page reflects the latest revision.
10. Contact
Questions about this policy? Email [email protected].