Privacy policy

Last updated: 20 May 2026

Sapvio ("we", "our", "us") is committed to protecting your personal data. This policy explains what we collect, why, the legal basis under which we process it, and how you can exercise your rights.

1. Who is responsible for your data

The data controller is Sapvio, based in Latvia. You can reach us at [email protected] for any privacy-related question.

If you require a Data Processing Agreement (DPA) for business use — for example, if you process your own customers' data through Sapvio — please contact us and we will provide one.

2. What we collect and why

Account data

When you sign up, we collect your email address, a hashed password, and (optionally) the display name you choose. We never store your password in plain text.

Legal basis: performance of contract (Art. 6(1)(b) GDPR) — we need this to give you access to your account.

Brand content

When you create a brand, the website content we extract, the brand profile we generate, your edits to that profile, your starred examples, and any content you generate are stored in our database and linked to your account. This exists so you can return to your brands across sessions.

Legal basis: performance of contract (Art. 6(1)(b) GDPR).

Images you upload

If you upload your own photos (logos or brand images), we store them in object storage hosted by Cloudflare R2. These files are accessible by URL and are referenced from your brand workspace.

Legal basis: performance of contract (Art. 6(1)(b) GDPR).

Payment information

If you subscribe to a paid plan, payment is processed by Stripe. We never see or store your full payment card number. We receive only a Stripe customer ID, your subscription status, and a record of successful payments.

Legal basis: performance of contract (Art. 6(1)(b) GDPR).

Instagram connection (optional)

If you choose to connect your Instagram account to publish posts directly, we store an encrypted Instagram access token and your Instagram username. The token allows us to publish on your behalf. You can disconnect at any time from your account settings, at which point we delete the token.

Legal basis: consent (Art. 6(1)(a) GDPR) — you choose to connect Instagram, and you can withdraw consent by disconnecting.

Collaborator information

If you invite someone to collaborate on a brand, we process their email address to send the invitation. If they accept, they create their own Sapvio account and become governed by this same policy.

Legal basis: performance of contract (Art. 6(1)(b) GDPR) for the inviter; legitimate interests (Art. 6(1)(f) GDPR) for the brief processing of the invitee's email until they accept or decline.

Usage data

We log events related to your brands — generation requests, regenerations, version restores, posts scheduled — to power your activity history and to help us improve the product.

Legal basis: legitimate interests (Art. 6(1)(f) GDPR) — improving our product and providing you with activity history. You can object to this processing by contacting us.

Technical data

We collect standard server logs (IP address, request timestamps, error traces) for debugging and security. We use Sentry to aggregate error data. These logs are retained for 30 days and are not used for profiling or marketing.

Legal basis: legitimate interests (Art. 6(1)(f) GDPR) — maintaining the security and reliability of the service.

Communications

We send transactional emails (account verification, password reset, payment receipts, inactivity reminders if you have a brand with recent inactivity).

Legal basis: performance of contract (Art. 6(1)(b) GDPR) for transactional messages. We do not send marketing emails. If we ever introduce a marketing newsletter, it will be opt-in only.

3. Third parties and international transfers

We use the following sub-processors to provide the service. Each is bound by a Data Processing Agreement and, where applicable, by Standard Contractual Clauses (SCCs) approved by the European Commission for transfers outside the EEA.

We do not sell your data. We do not share it with advertisers. We do not use your brand content or generated outputs to train any AI model — ours or anyone else's.

4. Data retention

Your account and brand data are retained for as long as your account is active. If you delete your account, we delete all associated brand data, generated content, uploaded images, and starred examples. Some data may be retained briefly for legal or financial obligations (for example, payment records under EU accounting law typically require retention for 5–7 years).

You can delete your account at any time from your settings, or by emailing [email protected]. We will confirm receipt of your erasure request within 72 hours and complete the deletion within 30 days.

Server logs are retained for 30 days. Sentry error data is retained for 30 days. Email send/open logs at Brevo are retained per Brevo's standard retention policy.

5. Your rights under GDPR

If you are in the EU, EEA, UK, or Switzerland, you have the following rights:

To exercise any of these rights, email [email protected]. We will respond within one month.

You also have the right to lodge a complaint with your national supervisory authority. As we are based in Latvia, the lead supervisory authority for this service is: Datu valsts inspekcija (DVI). You may also contact the supervisory authority in the country where you live or work. In Denmark: Datatilsynet. In Sweden: Integritetsskyddsmyndigheten (IMY). For all other EU/EEA countries, find your authority via the European Data Protection Board.

6. Cookies

We use a single session cookie to keep you logged in. See our Cookie policy for details.

7. Children

Sapvio is not intended for children under the age of 16. We do not knowingly collect data from anyone under 16. If you believe a child has provided us with personal data, please contact us and we will delete it.

8. Security

We take reasonable measures to protect your data: passwords are hashed using industry-standard algorithms, Instagram tokens are encrypted at rest, sessions use secure HTTPS-only cookies, and we apply access controls so only you (and any collaborators you invite) can see your brand data.

No system is perfectly secure. If we ever become aware of a data breach that affects your personal data, we will notify you and the relevant supervisory authority within 72 hours, as required by GDPR Art. 33–34.

9. Changes to this policy

We may update this policy as the product evolves. For material changes — anything that meaningfully changes how we process your data — we will give you at least 30 days' notice by email before the changes take effect. The date at the top of this page reflects the latest revision.

10. Contact

Questions about this policy? Email [email protected].