Sabido.ai Privacy Policy
Last updated: December 20, 2025
Talentify, Inc., doing business as Sabido.ai ("Sabido", "we", "us", "our") provides an AI platform and AI agents to help customers work with email and other data sources. This Privacy Policy explains what personal data we collect, how we use it, with whom we share it, how we protect it, and your choices and rights. It also includes a dedicated section that describes our use of Google API Services (Gmail).
Table of contents
- Who we are & scope
- Data we collect
- Sources of data
- How we use data (purposes)
- Legal bases (GDPR/UK GDPR)
- Sharing & disclosure
- International transfers
- Security
- Retention & deletion
- Your choices & rights
- Cookies & tracking technologies
- Automated decision-making (AI)
- Children's privacy
- Changes to this policy
- Contact us
- Google API Services (Gmail)
- Google API Services (Google Analytics)
- Data Processing Addendum
1) Who we are & scope
This policy applies to personal data we process about visitors, customers, end users, and other individuals who interact with Sabido websites, apps, and services, including our AI agents and integrations (such as Gmail, when you connect it).
Controller/Processor. For most processing here, Sabido is a data controller. For enterprise features where we process data strictly on a customer's documented instructions, Sabido acts as a processor under the parties' DPA.
2) Data we collect
Depending on how you interact with Sabido, we may collect:
- Account & contact data: name, email address, company, password hash, role, basic Google profile (name, email, profile picture) when you sign in with Google.
- Billing data: payment method tokens, billing address, VAT/tax IDs. We do not store full payment card numbers; our PCI-compliant provider (e.g., Stripe) processes them.
- Usage & device data: app activity, log files, IP address, device identifiers, browser type, preferences, crash reports.
- Support data: tickets and any screenshots/files you provide.
- Content you provide: prompts, files, or instructions given to our agents.
- Integration data from services you connect (e.g., Gmail — see Section 16).
3) Sources of data
- Directly from you (account creation, product use, support).
- Automatically (cookies, SDKs, logs).
- Third-party services you connect (e.g., Google, if you connect Gmail).
- Service providers (fraud prevention, error monitoring, analytics).
4) How we use data (purposes)
We use personal data to:
- Provide, maintain, and improve the services and features you request (including AI features you enable).
- Authenticate users; secure our platform; prevent abuse and fraud.
- Offer support and communicate about updates, security, and service changes.
- Personalize features you enable (e.g., per-user writing style).
- Comply with law, enforce terms, and protect rights, safety, and property.
Advertising. We do not use Gmail data for advertising. We do not sell personal data or share it for cross-context behavioral advertising.
5) Legal bases (GDPR/UK GDPR)
Where GDPR/UK GDPR applies, our legal bases include:
- Contract (Art. 6(1)(b)): to deliver requested services and integrations you enable.
- Consent (Art. 6(1)(a)): when you connect Gmail or opt into optional features.
- Legitimate interests (Art. 6(1)(f)): securing and improving services, preventing abuse, responding to inquiries—balanced against your rights.
- Legal obligation (Art. 6(1)(c)): tax, accounting, compliance.
You may withdraw consent at any time (see Your choices & rights).
6) Sharing & disclosure (including subprocessors and AI providers)
We do not sell personal data and do not share it with advertisers or data brokers. We disclose data only to:
- Service providers (subprocessors) acting on our instructions to provide the services (including cloud hosting, storage, email delivery, and payments). Key subprocessors include:
  - Infrastructure: Amazon Web Services
  - Payments: Stripe
  - Analytics: Google Analytics
- AI model providers (processors) that help generate the outputs you request.
  - General Data: We may use various AI providers to process non-Google data.
  - Google User Data (Gmail & Analytics): We enforce strict isolation. We transmit Google User Data only to AI providers that contractually agree not to use data for model training (e.g., OpenAI Enterprise/API, Google Vertex AI). We explicitly exclude the use of AI models that train on user data (specifically xAI/Grok and DeepSeek) for any feature connecting to Google Workspace APIs.
- Compliance & safety: to comply with law, respond to lawful requests, enforce agreements, or address security/abuse.
- Corporate transactions: in a merger, acquisition, or asset transfer, with appropriate safeguards and notice.
7) International transfers
We may process data in the United States and other countries. Where required, we use approved transfer mechanisms (e.g., EU Standard Contractual Clauses, UK Addendum) and implement appropriate safeguards. Details are in our DPA.
8) Security
We implement administrative, technical, and physical safeguards appropriate to the risks, including:
- Encryption: TLS in transit; industry-standard encryption at rest. OAuth tokens are encrypted at rest; keys managed in a hardened KMS/HSM.
- Access controls: least-privilege, role-based access, MFA; logging and periodic reviews.
- Secure development: code review, dependency scanning, vulnerability management, and regular testing aligned with OWASP guidance.
- Monitoring & incident response: centralized logging, anomaly detection, incident playbooks, and user notifications where required.
- OAuth only: We use Google OAuth 2.0 for authentication and never see or store your Google password.
Google requirement (security incidents). If a security incident affects Gmail data, we also notify Google at security@google.com in addition to any required user/legal notifications.
9) Retention & deletion
We keep personal data only as long as necessary for the purposes described here or as required by law.
Standard periods
| Category | Default retention |
|---|---|
| Account/profile & subscription data | While account is active + 30 days; archived billing records 7 years (tax/audit). |
| Usage & operational logs (no message bodies) | 30 days for reliability/security; aggregated thereafter. |
| Security/audit logs | Up to 90 days. |
| Support tickets | 12 months from last activity. |
| Backups | Rolling backups retained ≤35 days. |
| Inactive accounts | If your account is inactive for 12 months, we will notify you and then delete your account data unless you take action. |
| Gmail data | See Section 16 (zero-retention/ephemeral by design, with a ≤72-hour cache only if needed for reliability). |
Upon account closure or revocation of access, we queue related data for deletion and complete within the timelines below, subject to narrow legal or security holds.
10) Your choices & rights (GDPR/CPRA and others)
Access/portability, correction, deletion, restriction, objection, and consent withdrawal. You can exercise rights by emailing privacy@sabido.ai or submitting our request form at https://sabido.ai/legal/privacy-request. We verify requests and respond within applicable timelines.
California (CPRA). We honor the rights to know, delete, correct, and limit use of sensitive personal information. We do not sell personal data and do not share it for cross-context behavioral advertising. You may use the methods above to exercise rights or designate an authorized agent.
Global Privacy Control (GPC)/Do Not Track. Where required, we treat GPC signals as opt-out preferences.
Opt-out of marketing emails. Use the unsubscribe link or email privacy@sabido.ai.
11) Cookies & tracking technologies
We use cookies and similar technologies to operate the service, remember preferences, measure performance, and improve features. Where required, we obtain consent. You can manage preferences in your browser and (where available) in our cookie banner/settings at https://sabido.ai/legal/cookies.
12) Automated decision-making (AI)
Our AI agent may make automated in-product assessments (e.g., suggest replies, summarize or categorize emails), but you remain in control and can ignore, edit, or override suggestions. We do not make decisions with legal or similarly significant effects solely by automated means without required notice and your consent.
13) Children's privacy
Our services are not directed to children under 13 (or the equivalent age of consent in your jurisdiction). We do not knowingly collect data from children.
14) Changes to this policy
We will post updates here and adjust the "Last updated" date. If changes materially affect your rights or how we process data (especially Gmail data), we will provide prominent in-product notice and obtain new consent when required before applying changes.
15) Contact us
Talentify, Inc. d/b/a Sabido.ai
Email: privacy@sabido.ai | contact@sabido.ai
Mailing address: [Insert mailing address]
16) Google API Services (Gmail) -- Detailed section
This section applies only if you connect a Google Account to our Data Agent or Deploy & Engage products and grant Sabido access to Gmail.
16.1 Scopes we request
- https://www.googleapis.com/auth/gmail.readonly (Restricted): Used by our Data Agent to read messages, providing analysis, summaries, and cross-referencing with other data sources to generate intelligence.
- https://www.googleapis.com/auth/gmail.send (Restricted): Used by our Deploy & Engage feature to draft and send emails on your behalf based on your approved content.
16.2 How we use Gmail data
We use Gmail data solely to provide the user-facing features you request (e.g., email reporting, monitoring, and productivity).
Prohibited Uses: We do not use Gmail data for advertising, credit checks, or to train generalized AI models.
AI Model Training Restriction: We do not share Gmail data with third-party AI tools that use your data to train their foundational models. Integrations with xAI (Grok) and DeepSeek are strictly disabled for any data originating from Gmail.
16.3 Sharing & Disclosure (Gmail)
- AI Providers: To provide features like email summarization or drafting, we may transmit data to AI providers (such as OpenAI or Google Vertex AI) that contractually agree to Limited Use and Zero Retention for training purposes.
- Limited Use Commitment: Our use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
16.4 Security & Retention (Gmail)
- Security: TLS in transit and encryption at rest. OAuth tokens are encrypted; keys managed in a hardened KMS.
- Retention: We retain email bodies only as long as necessary to perform the active task. Derived artifacts (summaries) are retained for 30 days strictly to provide the feature, then deleted. We do not retain data for model training.
17) Google API Services (Google Analytics)
This section applies if you connect your Google Analytics account to our Data Agent.
17.1 Scopes we request
- https://www.googleapis.com/auth/analytics.readonly (Sensitive): Used to download and analyze your traffic, revenue, and metrics.
17.2 Purpose of Access
We access this data to power the Data Agent, allowing it to analyze your website traffic and performance metrics, generating insights and intelligence as requested by you.
17.3 Data Protection & AI Models
- Usage: Analytics data is processed solely to generate the reports and insights you request.
- No Training on Analytics Data: Similar to our Gmail policy, we do not use Google Analytics data to train generalized AI models. We do not share this data with xAI (Grok), DeepSeek, or any other provider that claims rights to train on user data.
- Sharing: Data is only shared with vetted AI processors (e.g., OpenAI, Google Vertex AI) under strict confidentiality and non-training agreements.
18) Data Processing Addendum (DPA)
For enterprise customers, our DPA (including SCCs where needed) governs our processing of personal data as a processor on your documented instructions. Contact privacy@sabido.ai for a copy or visit https://sabido.ai/legal/dpa.