Legal

Privacy Policy

Last updated: June 2026 · Sugra Systems, Inc. · Delaware, USA

This Privacy Policy describes how Sugra Systems, Inc. ("Sugra", "we", "our") collects, uses, and protects personal information in connection with:

This policy applies to visitors, prospective customers, account holders, and API Subscribers, collectively referred to as "you". Capitalized terms not defined here have the meanings given in the Sugra Terms of Service.

In addition, Section 14 describes how Sugra processes the personal data of third parties who are the subject of screening signals returned by Sugra Entity (for example individuals named on public sanctions or watchlists, politically-exposed persons, and individuals named in adverse media). Those individuals are not Sugra account holders, and Section 14 sets out their rights and the lawful basis for that processing.

1. Information We Collect

We collect information in the following categories:

1.1 Information you provide directly

  • Website contact. When you contact us through the website or by email, we collect your name, email address, and the content of your message.
  • Account registration. When you create an account at app.sugra.ai, we collect your email address, a password (stored as a bcrypt hash), and optional profile fields such as name, locale, and timezone.
  • Two-factor authentication. If you choose to enable two-factor authentication for your app.sugra.ai account, we store the shared secret used by your authenticator application and a set of single-use recovery codes you can use to regain access if you lose your authenticator. The shared secret is encrypted at rest using application-managed keys (Laravel's encrypted Eloquent attribute cast); the application decrypts it on each sign-in to verify the rotating code generated by your authenticator. Recovery codes, by contrast, are stored only as one-way bcrypt hashes and cannot be read back from our database in plaintext form, which is why we display them to you exactly once at the time you enable two-factor authentication. When you disable two-factor authentication, both the shared secret and the recovery code hashes are deleted from your account record.
  • API Subscribers. When you register for API access, we collect account identifiers, generated API key material, and subscription tier information. API keys are stored as secure hashes; only the final characters are displayed to you after creation.
  • Billing information. For paid subscriptions, we collect billing details necessary for payment, including a Stripe customer identifier, payment method type, and the last four digits of the payment card. We do not receive or store full payment card numbers; these are handled by Stripe, our payment processor.

1.2 Information collected automatically

  • Technical information. IP address, browser type and version, device type, operating system, pages visited, referring URLs, and timestamps, collected through server access logs.
  • API usage metadata. For API Subscribers, we record daily aggregate counts of API requests associated with each API key. We do not record the content of API requests or responses, nor the specific endpoints accessed, within these aggregate counts.
  • Authentication and OAuth data. For the Service and for OAuth connections to third-party clients, we store access tokens, refresh tokens, authorization scopes, and token expiry information.
  • Cookies and similar technologies. Described in Section 4 below.

2. How We Use Your Information

We use the information we collect to:

  1. Provide, operate, secure, and improve the Service.
  2. Authenticate requests to the API and enforce rate limits and subscription quotas.
  3. Process billing, respond to subscription events, and deliver transactional emails (for example, account verification, password reset, subscription status changes, and usage-threshold notifications).
  4. Respond to your inquiries and provide customer support.
  5. Analyze aggregate usage patterns to improve reliability and performance.
  6. Detect, investigate, and prevent fraud, abuse, and security incidents.
  7. Comply with applicable legal obligations and respond to lawful requests.

We do not sell, rent, or trade your personal information to third parties for their own marketing purposes.

3. Legal Basis for Processing (GDPR)

If you are located in the European Economic Area, the United Kingdom, or Switzerland, we rely on the following lawful bases under the GDPR:

  • Contractual necessity - to provide the Service to account holders and API Subscribers in accordance with the Terms of Service.
  • Legitimate interests - for website security, fraud prevention, analytics, and service improvement, where such interests are not overridden by your rights and freedoms.
  • Consent - for non-essential cookies and marketing communications, where required by applicable law.
  • Legal obligation - where processing is required by law, regulation, or lawful order.

The lawful basis for processing the personal data of individuals who are the subject of screening signals (sanctions, watchlist, PEP, and adverse-media data processed by Sugra Entity) is described separately in Section 14.

4. Cookies

sugra.systems uses cookies in the following categories:

  • Essential cookies - required for core website functionality, including session management for the contact form and retention of your cookie consent preference.
  • Analytics cookies - Google Analytics 4, used to understand aggregate website usage. These cookies are loaded only after you accept non-essential cookies through the consent banner displayed on your first visit. If you reject non-essential cookies, the analytics tag is disabled.

You may manage your preferences through the consent banner shown on your first visit, through your browser settings, or by contacting us at privacy@sugra.systems. Disabling analytics cookies does not affect website functionality.

No non-essential cookies are set on sugra.ai or app.sugra.ai at this time.

5. Log Data

We retain server-side access logs for security, fraud prevention, debugging, and operational purposes. Access logs include typical fields such as source IP address, request method, path, status code, and user-agent. They do not include request bodies or query parameters that could expose credentials or personal content.

Access logs are retained for up to thirty (30) days, after which they are rotated and deleted by scheduled log rotation. Application logs produced by the API and app services are written to the system journal and retained subject to the retention policies of the underlying infrastructure.

6. Data Sharing

We share personal information with:

  • Infrastructure providers. Microsoft Corporation provides cloud infrastructure (Microsoft Azure), primarily in the East US region, hosting our servers, databases, and shared cache. Personal information stored in our systems resides on Azure infrastructure.
  • Payment processor. Stripe, Inc. processes payments, subscriptions, and related billing events. Stripe receives the information necessary to process payments, including your name, billing address, and payment method details. Stripe operates under its published Data Processing Addendum (stripe.com/legal/dpa). We do not receive or store full payment card numbers.
  • Email provider. Resend, Inc. transmits transactional emails on our behalf. Resend processes recipient email addresses and the content of the transactional messages we send.
  • Analytics provider. Google LLC operates Google Analytics 4 on sugra.systems. Google receives aggregate page-view telemetry, anonymized IP, browser and device characteristics, and a randomly generated client identifier. The Google Analytics tag is loaded only after you accept non-essential cookies through the consent banner; if you reject, no analytics telemetry is sent to Google. Note that sugra.systems also embeds Google Fonts hosted on `fonts.googleapis.com` and `fonts.gstatic.com` for typography; those font requests share basic browser metadata (IP, user-agent) with Google as part of standard HTTP delivery and are independent of analytics consent. Google operates under its Ads Data Processing Terms, and IP anonymization is enabled by default for GA4.
  • Legal authorities. Where required by law, regulation, or legal process, or where we in good faith consider disclosure necessary to protect our rights, property, or safety, or the rights, property, or safety of others.

We do not share personal information with advertisers, data brokers, or marketing networks.

7. Data Retention

We retain personal information for as long as necessary to fulfill the purposes described in this policy, or as required by applicable law. Specific retention periods include:

  • Account data (users, authentication, API keys, OAuth clients): retained for the duration of the account. On account deletion, personal data is initially marked as deleted and then hard-deleted approximately ninety (90) days thereafter by a scheduled process, except where retention is required for billing records, legal obligations, or the defense of legal claims.
  • API usage metadata (daily aggregate request counts): retained for up to fourteen (14) months, enabling annual Subscribers to review their usage history. Older records are removed by a scheduled purge.
  • OAuth access and refresh tokens: retained for the active lifetime of the token, plus approximately ninety (90) days after token expiry for security audit purposes, then purged. Tokens you explicitly revoke (for example, by disconnecting a connected application in Settings) are purged promptly on the next scheduled cleanup.
  • Access logs: up to thirty (30) days, as described in Section 5.
  • Contact form submissions and email correspondence: up to three (3) years.
  • Billing records: retained as required by applicable tax, accounting, and payment regulations (typically at least seven years in the United States).

8. Your Rights

Depending on your location, you may have the following rights regarding your personal information:

  • Right to access - request a copy of your data.
  • Right to rectification - request correction of inaccurate data.
  • Right to erasure - request deletion of your data.
  • Right to restriction - limit how we process your data.
  • Right to data portability - receive your data in a machine-readable format.
  • Right to object - object to processing based on legitimate interests or for direct marketing.
  • Right to withdraw consent - where processing is based on consent.
  • Right to lodge a complaint - with your national data protection authority.

Self-serve erasure. You may delete your account at any time from the Settings page at app.sugra.ai. Deletion triggers the retention schedule described in Section 7.

Other requests. To exercise any other right, including requests for access, rectification, or portability, contact us at privacy@sugra.systems. We will respond within thirty (30) days, extendable where the request is complex, in accordance with applicable law. A self-service data export is planned for a future release. We may request information reasonably necessary to verify your identity before acting on a request.

9. Security

We implement technical and organizational measures appropriate to the risk, including encryption in transit over public networks, encryption at rest where supported by the underlying storage, role-based access controls, network segmentation between public-facing and internal systems, private endpoints for shared datastores, logging of administrative events, and documented incident response procedures.

No method of transmission over the Internet or of electronic storage is perfectly secure. While we strive to protect your information, we cannot guarantee absolute security.

10. International Transfers

Sugra Systems, Inc. is incorporated in Delaware, USA, and its primary processing operations occur in the United States. If you are located outside the United States, your information may be transferred to, stored in, and processed in the United States or in other jurisdictions where our sub-processors operate.

Where required by applicable law, we rely on appropriate safeguards for such transfers, including the European Commission's Standard Contractual Clauses, the UK International Data Transfer Addendum, and equivalent mechanisms recognized by other jurisdictions. Further detail is set forth in the Data Processing Agreement.

11. Children's Privacy

The Service is not directed to children. We do not knowingly collect personal information from individuals under sixteen (16) years of age. If we learn that we have collected personal information from a child under this age without verifiable parental consent, we will delete it promptly.

Access to paid subscriptions and acceptance of the Terms of Service require the user to be at least eighteen (18) years of age or otherwise have legal capacity to contract under applicable law.

12. Business Transfers

In the event of a merger, acquisition, financing, reorganization, bankruptcy, receivership, sale of assets, or transition of service to another provider, personal information held by Sugra may be transferred as part of such transaction. We will notify you through the Service and, where practical, by email of any change in ownership or use of your personal information, as well as any choices you may have.

13. Changes to This Policy

We may update this Privacy Policy from time to time. For material changes, we will provide at least thirty (30) days' advance notice by email to active account holders and a prominent notice at sugra.systems, and will update the "Last updated" date above. Continued use of the Service after the effective date of a change constitutes acceptance.

14. Screening Data (Sugra Entity)

This section describes a specific processing activity that involves the personal data of individuals who are not Sugra account holders or Subscribers. Sugra Entity returns screening signals that compare a name, identifier, or entity against public sanctions, watchlist, politically-exposed-person ("PEP"), and adverse-media sources. To do so, Sugra processes personal data about the individuals who appear in those sources.

14.1 Personal data processed and its sources

  • Sanctions and watchlist subjects. Names and name-parts, aliases, jurisdiction, listing program and dates, and any secondary public identifiers present on the official list (for example passport, national ID, tax ID, vessel or aircraft identifier), processed from official government and intergovernmental sources.
  • Politically-exposed persons. Names and name-parts, public position or role, jurisdiction, and associated dates, processed from public records.
  • Adverse-media subjects. Names and references to publicly-available news in which the individual is linked to defined financial-crime risk categories (for example fraud, corruption, sanctions evasion, terrorist financing).

Sugra processes only personal data already contained in public, sovereign, intergovernmental, or openly-licensed sources. Sugra does not use leaked or covertly-obtained data, does not add contact details or behavioural data, and does not perform people-search or build profiles of individuals beyond the screening purpose.

14.2 Lawful basis

For sanctions and watchlist screening, Sugra and its Customers process personal data primarily to comply with legal obligations relating to sanctions and the prevention of financial crime (GDPR Article 6(1)(c)), supported by legitimate interests (Article 6(1)(f)).

For PEP and adverse-media screening, Sugra relies on its legitimate interests and those of its Customers and the public interest in preventing financial crime, corruption, and sanctions evasion (Article 6(1)(f)), having carried out a legitimate-interest assessment that weighs those interests against the rights and freedoms of the individuals concerned. Because the sources are public and the safeguards in Section 14.4 apply, Sugra considers that those interests are not overridden by the individuals' interests in this context. Consent is not used as the basis for this processing, because the individuals concerned are not Sugra's customers.

14.3 Retention

Screening reference data is refreshed from its public sources on a recurring schedule, and superseded entries are replaced as the sources change, so Sugra mirrors the current public state rather than building a long-lived historical record of any individual. Point-in-time snapshots used for audit queries reflect the public state of the lists on a given date. Sugra does not retain screening reference data about an individual beyond what is necessary for the screening purpose and any applicable legal-retention requirement.

14.4 Rights of screened individuals and safeguards

Individuals who are the subject of screening data may exercise their rights of access, rectification, erasure, restriction, and objection by contacting privacy@sugra.systems. Because this processing relies on legitimate interests, individuals have a right to object under Article 21; Sugra will assess each objection and will stop processing unless it demonstrates compelling legitimate grounds or the processing is necessary for the establishment, exercise, or defence of legal claims or for compliance with a legal obligation. Where data Sugra holds mirrors an authoritative public source, Sugra will, where feasible, correct or suppress the entry on its side and direct the individual to the authoritative source for upstream correction.

No solely-automated decisions by Sugra. A screening signal is a technical signal, not a determination. Sugra does not make any decision producing legal effects, or similarly significant effects, about a screened individual within the meaning of Article 22 of the GDPR. Screening signals are intended to be reviewed and independently verified by a human before any decision is taken, and the Sugra Acceptable Use Policy requires Customers to apply that independent verification and prohibits using a screening signal as the sole basis for decisions about an individual.

15. Contact

For privacy-related questions, requests, or concerns: