Privacy Policy

This Privacy Policy explains how Sapeum, Inc. ("Sapeum," "we," "us") collects, uses, shares, and protects information in connection with our websites (including sapeum.com), our software-as-a-service product, and related services (collectively, the "Services"). It applies to visitors of our marketing websites, users of our product, and individuals whose personal information our customers submit to the Services.

We do not sell personal information. We do not show third-party advertising on our Services. We do not use customer content to train foundation AI models, and our AI providers are contractually prohibited from doing so using data sent through our API requests.

1) Our Role

Sapeum plays two distinct roles depending on the context:

• Controller. For information we collect from visitors of our marketing websites, individuals who contact us, and individuals who administer a customer account, Sapeum is the "controller" (or "business" under California law). This Privacy Policy governs that processing.
• Processor. When our customers use the Services, they submit information about their own contacts, employees, and operations ("Customer Data"). With respect to Customer Data, Sapeum acts as a "processor" (or "service provider") on the customer's behalf. Our handling of Customer Data is governed by the customer's written agreement with us and any applicable data processing terms, which take precedence over this Privacy Policy in the event of a conflict. Individuals with questions about Customer Data should contact the applicable customer (the data controller).

2) Information We Collect

Information you provide

• Account information: name, work email, company, job title, and password or authentication credentials.
• Communications: content of support requests, sales inquiries, demo requests, and other correspondence.
• Billing information: billing contact, billing address, and tax identifiers. Sapeum is primarily invoice-billed; we do not directly store payment card numbers.
• Content you submit: workflows, documentation, notes, uploads, and other content you or your organization creates in the Services.

Information from connected services

With your authorization, you may connect third-party accounts to the Services (for example, Google Workspace for Gmail, Calendar, or Drive; or Slack). When you do, we receive information from those services as permitted by the scopes you grant, which may include your profile information, message metadata and content, calendar events and attendees, files, and channel activity. You can revoke these authorizations at any time in the connected account's settings or within the Services.

Information collected automatically

• Device and log data: IP address, browser type, operating system, referring page, pages viewed, and timestamps.
• Product usage: features used, actions taken, and diagnostic events needed to operate, secure, and improve the Services.
• Marketing analytics: anonymous and pseudonymous identifiers from analytics tools on our marketing websites (see "Cookies and Analytics" below).

Information from other sources

We may receive information about you from business partners, resellers, event sponsors, and publicly available sources in connection with sales, marketing, and security activities (for example, confirming a company domain or detecting fraud).

3) How We Use Information

We use information to:

• Provide, maintain, secure, and improve the Services;
• Authenticate users and prevent fraud, abuse, and unauthorized access;
• Process transactions and send related administrative messages;
• Respond to inquiries and provide customer support;
• Send service updates, product announcements, and, where permitted, marketing communications (you can opt out at any time);
• Generate aggregated and de-identified analytics to understand and improve the Services;
• Comply with legal obligations and enforce our agreements.

For individuals in the European Economic Area and Switzerland, we rely on the following legal bases: performance of a contract (to provide the Services you or your organization requested); our legitimate interests (to secure, improve, and market the Services in ways that do not override your rights); your consent (where required, for example for certain cookies or marketing communications); and compliance with legal obligations.

4) Artificial Intelligence and Automated Processing

The Services use large language models and other machine learning systems to analyze, summarize, and transform content you or your organization submit. We want to be clear about how this works:

• AI providers we use. We route inference requests to third-party AI providers, currently OpenAI and Anthropic.
• No training on Customer Data. We do not use Customer Data to train foundation or base AI models. We send inference requests to our AI providers under commercial API terms that prohibit those providers from using our API inputs or outputs to train their models.
• Retention at AI providers. Our AI providers may retain API request data for a short period to detect abuse or comply with law, in accordance with their commercial API terms.
• Service improvement and aggregated insights. Consistent with our agreement with customers, we may aggregate, anonymize, or de-identify information (including Customer Data) so that it no longer reasonably identifies any individual, and use the resulting data to operate, secure, and improve the Services, to evaluate and tune our prompts, retrieval pipelines, and model selection, and to research and develop new Sapeum products and features. We do not attempt to re-identify individuals from this data.
• Automated decisions. The Services may present AI-generated recommendations, drafts, summaries, and rankings. These outputs support human decision-making; they do not replace it. We do not use the Services to make decisions that produce legal or similarly significant effects about individuals without meaningful human review.
• Human review. Access to Customer Data, including AI inputs and outputs, is restricted to authorized personnel with a need to know. We use such access only (i) with the customer's instruction (for example, to resolve a support request), (ii) to investigate a suspected violation of our policies or law, (iii) to perform engineering, debugging, and product improvement activities subject to our internal access controls, or (iv) as otherwise required by law.

5) How We Share Information

Subprocessors and service providers

We share information with vendors who process it on our behalf to deliver the Services, including cloud hosting, networking, authentication, AI inference, speech-to-text, analytics, and customer support. These vendors are contractually required to protect the information and use it only to provide services to us. Customers may request our current subprocessor list by contacting [email protected], and we will provide advance notice of material subprocessor changes by email to account administrators.

Within your organization

Content you submit to the Services may be visible to other users within your organization's account based on the permissions set by your administrators.

Legal, safety, and compliance

We may disclose information if we believe in good faith that disclosure is necessary to comply with a law, regulation, legal process, or governmental request; to enforce our agreements or policies; or to protect the rights, property, or safety of Sapeum, our customers, or others.

Business transfers

If Sapeum is involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of assets, information may be transferred as part of that transaction, subject to standard confidentiality protections. Any acquirer will be bound by the commitments in this Privacy Policy or will provide notice before making material changes.

With your direction or consent

We share information in any other way you direct or to which you consent.

We do not sell personal information, and we do not share personal information for cross-context behavioral advertising.

6) Cookies and Analytics

We use cookies and similar technologies (pixels, local storage, SDKs) to keep you signed in, remember your preferences, secure the Services, and understand how our websites and product are used. We use product analytics on our marketing websites (including PostHog) to measure engagement and improve content. We do not use cookies or similar technologies for third-party advertising.

You can control cookies through your browser settings. In jurisdictions that require consent for non-essential cookies, we request your consent before setting them. Because we do not use advertising cookies, we do not respond differently to browser "Do Not Track" signals. To the extent Global Privacy Control ("GPC") signals apply to our processing, we treat them as a valid opt-out request under U.S. state privacy laws that recognize them.

7) International Data Transfers

We host the Services on infrastructure located in the United States. If you access the Services from outside the United States, information about you will be transferred to, stored in, and processed in the United States and other countries where we or our subprocessors operate. Where required, we rely on the European Commission's Standard Contractual Clauses and equivalent mechanisms to safeguard transfers out of the European Economic Area and Switzerland, and we will make the applicable transfer mechanism available to customers who require one.

8) Data Retention

We retain personal information for as long as needed to provide the Services, comply with our legal obligations, resolve disputes, and enforce our agreements. In practice:

• Account and Customer Data are retained for the duration of the customer's subscription. Upon termination, we make Customer Data available to the customer for export for thirty (30) days, after which we may delete it, consistent with our Terms.
• Marketing and sales contacts are retained until you unsubscribe or request deletion, plus a short period required to honor your suppression preferences.
• Logs, audit trails, and backups are retained for a limited period appropriate to their purpose (for example, security, debugging, and disaster recovery).
• Aggregated or de-identified data may be retained indefinitely.

9) Security

We use administrative, technical, and physical safeguards designed to protect information, including encryption in transit and at rest, least-privilege access controls, multi-factor authentication, monitoring, and regular backups. More detail is available in our Trust Center, which publishes our security program, policies, and audit status. No system is completely secure; if we become aware of a security incident affecting your information, we will notify affected parties as required by law and our customer agreements.

10) Your Privacy Rights

Depending on where you live, you may have the right to:

• Access the personal information we hold about you;
• Request that we correct inaccurate personal information;
• Request that we delete personal information;
• Request a portable copy of personal information you provided;
• Object to, or request restriction of, certain processing;
• Withdraw consent where processing is based on consent;
• Lodge a complaint with your data protection authority.

To exercise these rights, contact us at [email protected]. We will verify your request in a manner proportionate to its sensitivity and respond within the period required by applicable law. We do not discriminate against individuals who exercise their privacy rights. If our customer submitted the personal information to the Services, we will refer your request to that customer.

11) U.S. State Privacy Notices

Residents of California, Colorado, Connecticut, Virginia, Utah, Texas, Oregon, and other U.S. states with comprehensive privacy laws have the rights described in Section 10 above, as applicable under their state law. You may designate an authorized agent to submit a request on your behalf.

For California residents: in the preceding twelve months, we have collected the categories of personal information described in Section 2 (identifiers; commercial information; internet or other electronic network activity; geolocation inferred from IP; professional or employment-related information; and inferences drawn from the above). We collect, use, and disclose these categories for the purposes described in Section 3. We do not "sell" personal information and we do not "share" personal information for cross-context behavioral advertising as those terms are defined under the California Consumer Privacy Act.

12) Children's Privacy

The Services are not directed to children under 16, and we do not knowingly collect personal information from children. If you believe a child has provided us personal information, please contact us and we will take appropriate steps to delete it.

13) Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by posting the updated policy on this page and updating the "Last updated" date, and, where appropriate, by email or in-product notice. Your continued use of the Services after the update takes effect constitutes acceptance of the revised policy.

14) Contact Us

For privacy questions or to exercise your rights, contact us at [email protected]. For security questions, contact [email protected]. Our postal address is Sapeum, Inc., c/o Gaussian Holdings, LLC, 54 State Street, Suite 804, Albany, NY 12207.