Last updated: October 22, 2025

Talentify, Inc., doing business as Sabido.ai (“Sabido,” “we,” “us,” “our”) provides an AI platform and AI agents to help customers work with email and other data sources. This Privacy Policy explains what personal data we collect, how we use it, with whom we share it, how we protect it, and your choices and rights. It also includes a dedicated section that describes our use of Google API Services (Gmail).

This page is the canonical privacy policy for Sabido and is the URL we link on our homepage and on the OAuth consent screen.

Table of contents

1. Who we are & scope

2. Data we collect

3. Sources of data

4. How we use data (purposes)

5. Legal bases (GDPR/UK GDPR)

6. Sharing & disclosure (including subprocessors and AI providers)

7. International transfers

8. Security

9. Retention & deletion

10. Your choices & rights (GDPR/CPRA and others)

11. Cookies & tracking technologies

12. Automated decision‑making (AI)

13. Children’s privacy

14. Changes to this policy

15. Contact us

16. Google API Services (Gmail) – Detailed section

17. Other Google APIs (if enabled)

18. Data Processing Addendum (DPA)

1) Who we are & scope

This policy applies to personal data we process about visitors, customers, end users, and other individuals who interact with Sabido websites, apps, and services, including our AI agents and integrations (such as Gmail, when you connect it).

Controller/Processor. For most processing here, Sabido is a data controller. For enterprise features where we process data strictly on a customer’s documented instructions, Sabido acts as a processor under the parties’ DPA.

2) Data we collect

Depending on how you interact with Sabido, we may collect:

• Account & contact data: name, email address, company, password hash, role, basic Google profile (name, email, profile picture) when you sign in with Google.
  
  

• Billing data: payment method tokens, billing address, VAT/tax IDs. We do not store full payment card numbers; our PCI‑compliant provider (e.g., Stripe) processes them.
  
  

• Usage & device data: app activity, log files, IP address, device identifiers, browser type, preferences, crash reports.
  
  

• Support data: tickets and any screenshots/files you provide.
  
  

• Content you provide: prompts, files, or instructions given to our agents.
  
  

• Integration data from services you connect (e.g., Gmail — see Section 16).
  
  
  

• 
  

3) Sources of data

• Directly from you (account creation, product use, support).

• Automatically (cookies, SDKs, logs).

• Third‑party services you connect (e.g., Google, if you connect Gmail).

• Service providers (fraud prevention, error monitoring, analytics).

4) How we use data (purposes)

We use personal data to:

• Provide, maintain, and improve the services and features you request (including AI features you enable).
  
  
  

• Authenticate users; secure our platform; prevent abuse and fraud.
  
  
  

• Offer support and communicate about updates, security, and service changes.
  
  
  

• Personalize features you enable (e.g., per‑user writing style).
  
  
  

• Comply with law, enforce terms, and protect rights, safety, and property.
  
  
  

Advertising. We do not use Gmail data for advertising. We do not sell personal data or share it for cross‑context behavioral advertising.

5) Legal bases (GDPR/UK GDPR)

Where GDPR/UK GDPR applies, our legal bases include:

• Contract (Art. 6(1)(b)): to deliver requested services and integrations you enable.
  
  
  

• Consent (Art. 6(1)(a)): when you connect Gmail or opt into optional features.
  
  
  

• Legitimate interests (Art. 6(1)(f)): securing and improving services, preventing abuse, responding to inquiries—balanced against your rights.
  
  
  

• Legal obligation (Art. 6(1)(c)): tax, accounting, compliance.
  
  
  

You may withdraw consent at any time (see Your choices & rights).

6) Sharing & disclosure (including subprocessors and AI providers)

We do not sell personal data and do not share it with advertisers or data brokers. We disclose data only to:

• Service providers (subprocessors) acting on our instructions (e.g., cloud hosting, storage, logging/monitoring, email delivery, payments, analytics strictly necessary to provide the services). We maintain a current list at https://sabido.ai/legal/subprocessors.
  
  
  

• AI model providers (processors) that help generate the outputs you request (e.g., drafting a reply). When our features require it, we may transmit limited excerpts of content to these providers acting under contract and Limited Use restrictions (see Section 16). Our typical AI processors may include OpenAI, Anthropic, and Google AI/Vertex AI; see the subprocessors page for the current list.
  
  
  

• Compliance & safety: to comply with law, respond to lawful requests, enforce agreements, or address security/abuse.
  
  
  

• Corporate transactions: in a merger, acquisition, or asset transfer, with appropriate safeguards and notice.
  
  
  

Snapshot of key subprocessors (illustrative; see the live page for updates)

Provider (Category)

Purpose

Typical data elements

Google Cloud Platform (cloud infrastructure)

Host app servers/databases, secure storage

Encrypted email snippets when processing, account IDs, encrypted OAuth tokens

OpenAI / Anthropic / Google AI (AI processing)

Generate summaries/drafts you request

Limited text excerpts you select; no use for ads or generalized model training

Stripe (payments)

Process subscription payments

Name, email, billing info; no card storage by Sabido

Google Analytics (analytics)

Improve product experience

Pseudonymized/app usage metrics; no Gmail message content

7) International transfers

We may process data in the United States and other countries. Where required, we use approved transfer mechanisms (e.g., EU Standard Contractual Clauses, UK Addendum) and implement appropriate safeguards. Details are in our DPA.

8) Security

We implement administrative, technical, and physical safeguards appropriate to the risks, including:

• Encryption: TLS in transit; industry‑standard encryption at rest. OAuth tokens are encrypted at rest; keys managed in a hardened KMS/HSM.
  
  
  

• Access controls: least‑privilege, role‑based access, MFA; logging and periodic reviews.
  
  
  

• Secure development: code review, dependency scanning, vulnerability management, and regular testing aligned with OWASP guidance.
  
  
  

• Monitoring & incident response: centralized logging, anomaly detection, incident playbooks, and user notifications where required.
  
  
  

• OAuth only: We use Google OAuth 2.0 for authentication and never see or store your Google password.
  
  
  

Google requirement (security incidents). If a security incident affects Gmail data, we also notify Google at security@google.com in addition to any required user/legal notifications.

9) Retention & deletion

We keep personal data only as long as necessary for the purposes described here or as required by law.

Standard periods

Category

Default retention

Account/profile & subscription data

While account is active + 30 days; archived billing records 7 years (tax/audit).

Usage & operational logs (no message bodies)

30 days for reliability/security; aggregated thereafter.

Security/audit logs

Up to 90 days.

Support tickets

12 months from last activity.

Backups

Rolling backups retained ≤35 days.

Inactive accounts

If your account is inactive for 12 months, we will notify you and then delete your account data unless you take action.

Gmail data

See Section 16 (zero‑retention/ephemeral by design, with a ≤72‑hour cache only if needed for reliability).

Upon account closure or revocation of access, we queue related data for deletion and complete within the timelines below, subject to narrow legal or security holds.

10) Your choices & rights

Access/portability, correction, deletion, restriction, objection, and consent withdrawal. You can exercise rights by emailing privacy@sabido.ai or submitting our request form at https://sabido.ai/legal/privacy-request. We verify requests and respond within applicable timelines.

California (CPRA). We honor the rights to know, delete, correct, and limit use of sensitive personal information. We do not sell personal data and do not share it for cross‑context behavioral advertising. You may use the methods above to exercise rights or designate an authorized agent.

Global Privacy Control (GPC)/Do Not Track. Where required, we treat GPC signals as opt‑out preferences.

Opt‑out of marketing emails. Use the unsubscribe link or email privacy@sabido.ai.

11) Cookies & tracking technologies

We use cookies and similar technologies to operate the service, remember preferences, measure performance, and improve features. Where required, we obtain consent. You can manage preferences in your browser and (where available) in our cookie banner/settings at https://sabido.ai/legal/cookies.

12) Automated decision‑making (AI)

Our AI agent may make automated in‑product assessments (e.g., suggest replies, summarize or categorize emails), but you remain in control and can ignore, edit, or override suggestions. We do not make decisions with legal or similarly significant effects solely by automated means without required notice and your consent.

13) Children’s privacy

Our services are not directed to children under 13 (or the equivalent age of consent in your jurisdiction). We do not knowingly collect data from children.

14) Changes to this policy

We will post updates here and adjust the “Last updated” date. If changes materially affect your rights or how we process data (especially Gmail data), we will provide prominent in‑product notice and obtain new consent when required before applying changes.

15) Contact us

Talentify, Inc. d/b/a Sabido.ai
Email: privacy@sabido.ai | contact@sabido.ai
Mailing address: [Insert mailing address]

16) Google API Services (Gmail) – Detailed section

This section applies only if you connect a Google Account and grant Sabido access to Gmail via Google’s OAuth screen. It explains what Gmail data we access, how we use it, sharing limits, security, and retention, and includes Google’s required statements.

16.1 Scopes we request (least privilege; incremental)

Required for core email features

• https://www.googleapis.com/auth/gmail.readonly (Restricted) — read messages, including subject, sender/recipient, body, attachments, labels, and thread metadata (no write).
  
  
  

• https://www.googleapis.com/auth/gmail.send (Sensitive) — send email on your behalf (no read).
  
  
  

We request scopes incrementally and in context. We do not ask for “future‑proof” or unnecessary permissions.

16.2 What data we access (categories, points, purpose)

Data category

Specific data points accessed

Purpose of access

Email content

Body text of messages in threads you select; inline content; attachments you select (e.g., PDF/DOCX/TXT)

Generate summaries or write replies you request; show context for features you enable

Email metadata

From/To/Cc/Bcc, subject, timestamps, message‑ID, thread ID, labels/folders

Provide context, organize mail (optional), enable search/triage

User account info

Primary Gmail address; basic Google profile (name, picture)

Authenticate via OAuth; personalize the interface; show sender identity

Email actions

Sending emails

Execute your explicit commands

We translate these technical needs into plain‑language disclosures in‑product so your consent is informed and specific.

16.3 How we use Gmail data

We use Gmail data solely to provide user‑visible features you request, such as:

• Reading messages you select to summarize or write replies you can review and send.
  
  
  

• Sending replies or new messages you instruct.
  
  
  

Prohibited uses & commitments

• No advertising or ad personalization with Gmail data.
  
  
  

• No sale of Gmail data; no sharing with data brokers.
  
  
  

• No credit‑worthiness or lending uses.
  
  
  

• No generalized model training: We do not use Gmail data to train or improve generalized AI/ML models. Any per‑user personalization is confined to your experience.
  
  
  

• Limited human access only: (i) with your explicit direction for specific items (e.g., a support ticket), (ii) for security/abuse investigations, or (iii) where required by law.
  
  
  

Limited Use commitment (Google‑required)
Our use and transfer of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

16.4 Sharing & disclosure for Gmail data

• No selling; no ads sharing.
  
  
  

• Service providers (subprocessors). We may disclose limited Gmail data to vetted providers (e.g., cloud hosting, secure storage, logging/monitoring) acting on our instructions to deliver the features you use. See /legal/subprocessors for the current list.
  
  
  

• AI model providers (processors). To generate the outputs you request, Sabido may transmit limited Gmail‑derived text to AI processors such as OpenAI, Anthropic, and Google AI/Vertex AI, acting only on our instructions and bound by contract to Limited Use (no human reading except narrow cases; no use for ads; no training of generalized models with your Gmail data).
  
  
  

• Other transfers are restricted to what Limited Use permits (providing/improving the user‑facing feature with your consent, security/abuse, legal compliance, or a corporate transaction with your explicit prior consent).
  
  
  

16.5 Security (Gmail)

• TLS in transit and encryption at rest; OAuth tokens encrypted at rest; keys in KMS/HSM.
  
  
  

• Access controls: least‑privilege, MFA, logging, periodic reviews.
  
  
  

• Secure SDLC and vulnerability management aligned with OWASP.
  
  
  

• Incident response with user/legal notices where required; if Gmail data is affected, we also notify Google at security@google.com.
  
  
  

• Restricted scopes assessment. If our features store or transmit data from Restricted Gmail scopes, Sabido undergoes Google’s annual third‑party security assessment (CASA/App Defense Alliance) and maintains a Letter of Validation.
  
  
  

16.6 Retention & deletion (Gmail)

We design for data minimization and short retention:

• Default: We retain email bodies/attachments we’ve sent and their replies as long as the user account connection is active.
  
  
  

• Derived artifacts you enable (summaries, classifications, per‑user writing style signals): retained 30 days strictly to provide the feature, then deleted or anonymized; never used to train generalized models.
  
  
  

• Operational logs & audit records (metadata only; no message bodies): retained 30 days for reliability/security, then deleted or aggregated.
  
  
  

• OAuth tokens & connection data: Stored encrypted; when you revoke access or disconnect, we queue deletion immediately and complete within 7 days, subject to narrow legal/security holds.
  
  
  
  

16.7 Your choices & controls for Gmail

• Granular consent & incremental auth (narrowest scopes, in context).
  
  
  

• Just‑in‑time notices appear before a feature requests Gmail access.
  
  
  

• Revoke access anytime: Visit your Google Account permissions at
  https://myaccount.google.com/permissions → remove Sabido’s access.
  You can also disconnect in‑product. When you revoke, we delete Sabido‑held Gmail‑derived data per the schedule above.
  
  
  

• Data export & deletion: Request via privacy@sabido.ai or https://sabido.ai/legal/privacy-request. We respond within applicable timelines.
  
  
  

17) Other Google APIs (if enabled)

If you connect other Google services (e.g., Calendar, Drive, Contacts), we will disclose on this page the scopes we request, the data we access, how we use it, sharing limits under Limited Use, security measures, and retention/deletion timelines—using the same principles as Gmail. We will also seek verification and, where applicable, complete any required security assessments.

18) Data Processing Addendum (DPA)

For enterprise customers, our DPA (including SCCs where needed) governs our processing of personal data as a processor on your documented instructions. Contact privacy@sabido.ai for a copy or visit https://sabido.ai/legal/dpa.