Legal

Privacy Policy

Last updated: April 2026 · Sugra Systems, Inc. · Delaware, USA

This Privacy Policy describes how Sugra Systems, Inc. ("Sugra", "we", "our") collects, uses, and protects personal information in connection with:

This policy applies to visitors, prospective customers, account holders, and API Subscribers, collectively referred to as "you". Capitalized terms not defined here have the meanings given in the Sugra Terms of Service.

1. Information We Collect

We collect information in the following categories:

1.1 Information you provide directly

  • Website contact. When you contact us through the website or by email, we collect your name, email address, and the content of your message.
  • Account registration. When you create an account at app.sugra.ai, we collect your email address, a password (stored as a bcrypt hash), and optional profile fields such as name, locale, and timezone.
  • API Subscribers. When you register for API access, we collect account identifiers, generated API key material, and subscription tier information. API keys are stored as secure hashes; only the final characters are displayed to you after creation.
  • Billing information. For paid subscriptions, we collect billing details necessary for payment, including a Stripe customer identifier, payment method type, and the last four digits of the payment card. We do not receive or store full payment card numbers; these are handled by Stripe, our payment processor.

1.2 Information collected automatically

  • Technical information. IP address, browser type and version, device type, operating system, pages visited, referring URLs, and timestamps, collected through server access logs.
  • API usage metadata. For API Subscribers, we record daily aggregate counts of API requests associated with each API key. We do not record the content of API requests or responses, nor the specific endpoints accessed, within these aggregate counts.
  • Authentication and OAuth data. For the Service and for OAuth connections to third-party clients, we store access tokens, refresh tokens, authorization scopes, and token expiry information.
  • Cookies and similar technologies. Described in Section 4 below.

2. How We Use Your Information

We use the information we collect to:

  1. Provide, operate, secure, and improve the Service.
  2. Authenticate requests to the API and enforce rate limits and subscription quotas.
  3. Process billing, respond to subscription events, and deliver transactional emails (for example, account verification, password reset, subscription status changes, and usage-threshold notifications).
  4. Respond to your inquiries and provide customer support.
  5. Analyze aggregate usage patterns to improve reliability and performance.
  6. Detect, investigate, and prevent fraud, abuse, and security incidents.
  7. Comply with applicable legal obligations and respond to lawful requests.

We do not sell, rent, or trade your personal information to third parties for their own marketing purposes.

3. Legal Basis for Processing (GDPR)

If you are located in the European Economic Area, the United Kingdom, or Switzerland, we rely on the following lawful bases under the GDPR:

  • Contractual necessity - to provide the Service to account holders and API Subscribers in accordance with the Terms of Service.
  • Legitimate interests - for website security, fraud prevention, analytics, and service improvement, where such interests are not overridden by your rights and freedoms.
  • Consent - for non-essential cookies and marketing communications, where required by applicable law.
  • Legal obligation - where processing is required by law, regulation, or lawful order.

4. Cookies

sugra.systems uses cookies in the following categories:

  • Essential cookies - required for core website functionality, including session management for the contact form and retention of your cookie consent preference.
  • Analytics cookies - Google Analytics 4, used to understand aggregate website usage. These cookies are loaded only after you accept non-essential cookies through the consent banner displayed on your first visit. If you reject non-essential cookies, the analytics tag is disabled.

You may manage your preferences through the consent banner shown on your first visit, through your browser settings, or by contacting us at privacy@sugra.systems. Disabling analytics cookies does not affect website functionality.

No non-essential cookies are set on sugra.ai or app.sugra.ai at this time.

5. Log Data

We retain server-side access logs for security, fraud prevention, debugging, and operational purposes. Access logs include typical fields such as source IP address, request method, path, status code, and user-agent. They do not include request bodies or query parameters that could expose credentials or personal content.

Access logs are retained for up to thirty (30) days, after which they are rotated and deleted by scheduled log rotation. Application logs produced by the API and app services are written to the system journal and retained subject to the retention policies of the underlying infrastructure.

6. Data Sharing

We share personal information with:

  • Infrastructure providers. Microsoft Corporation provides cloud infrastructure (Microsoft Azure), primarily in the East US region, hosting our servers, databases, and shared cache. Personal information stored in our systems resides on Azure infrastructure.
  • Payment processor. Stripe, Inc. processes payments, subscriptions, and related billing events. Stripe receives the information necessary to process payments, including your name, billing address, and payment method details. Stripe operates under its published Data Processing Addendum (stripe.com/legal/dpa). We do not receive or store full payment card numbers.
  • Email provider. Resend, Inc. transmits transactional emails on our behalf. Resend processes recipient email addresses and the content of the transactional messages we send.
  • Legal authorities. Where required by law, regulation, or legal process, or where we in good faith consider disclosure necessary to protect our rights, property, or safety, or the rights, property, or safety of others.

We do not share personal information with advertisers, data brokers, or marketing networks.

7. Data Retention

We retain personal information for as long as necessary to fulfill the purposes described in this policy, or as required by applicable law. Specific retention periods include:

  • Account data (users, authentication, API keys, OAuth clients): retained for the duration of the account. On account deletion, personal data is initially marked as deleted and then hard-deleted approximately ninety (90) days thereafter by a scheduled process, except where retention is required for billing records, legal obligations, or the defense of legal claims.
  • API usage metadata (daily aggregate request counts): retained for up to fourteen (14) months, enabling annual Subscribers to review their usage history. Older records are removed by a scheduled purge.
  • OAuth access and refresh tokens: retained for the active lifetime of the token, plus approximately ninety (90) days after token expiry for security audit purposes, then purged. Tokens you explicitly revoke (for example, by disconnecting a connected application in Settings) are purged promptly on the next scheduled cleanup.
  • Access logs: up to thirty (30) days, as described in Section 5.
  • Contact form submissions and email correspondence: up to three (3) years.
  • Billing records: retained as required by applicable tax, accounting, and payment regulations (typically at least seven years in the United States).

8. Your Rights

Depending on your location, you may have the following rights regarding your personal information:

  • Right to access - request a copy of your data.
  • Right to rectification - request correction of inaccurate data.
  • Right to erasure - request deletion of your data.
  • Right to restriction - limit how we process your data.
  • Right to data portability - receive your data in a machine-readable format.
  • Right to object - object to processing based on legitimate interests or for direct marketing.
  • Right to withdraw consent - where processing is based on consent.
  • Right to lodge a complaint - with your national data protection authority.

Self-serve erasure. You may delete your account at any time from the Settings page at app.sugra.ai. Deletion triggers the retention schedule described in Section 7.

Other requests. To exercise any other right, including requests for access, rectification, or portability, contact us at privacy@sugra.systems. We will respond within thirty (30) days, extendable where the request is complex, in accordance with applicable law. A self-service data export is planned for a future release. We may request information reasonably necessary to verify your identity before acting on a request.

9. Security

We implement technical and organizational measures appropriate to the risk, including encryption in transit over public networks, encryption at rest where supported by the underlying storage, role-based access controls, network segmentation between public-facing and internal systems, private endpoints for shared datastores, logging of administrative events, and documented incident response procedures.

No method of transmission over the Internet or of electronic storage is perfectly secure. While we strive to protect your information, we cannot guarantee absolute security.

10. International Transfers

Sugra Systems, Inc. is incorporated in Delaware, USA, and its primary processing operations occur in the United States. If you are located outside the United States, your information may be transferred to, stored in, and processed in the United States or in other jurisdictions where our sub-processors operate.

Where required by applicable law, we rely on appropriate safeguards for such transfers, including the European Commission's Standard Contractual Clauses, the UK International Data Transfer Addendum, and equivalent mechanisms recognized by other jurisdictions. Further detail is set forth in the Data Processing Agreement.

11. Children's Privacy

The Service is not directed to children. We do not knowingly collect personal information from individuals under sixteen (16) years of age. If we learn that we have collected personal information from a child under this age without verifiable parental consent, we will delete it promptly.

Access to paid subscriptions and acceptance of the Terms of Service require the user to be at least eighteen (18) years of age or otherwise have legal capacity to contract under applicable law.

12. Business Transfers

In the event of a merger, acquisition, financing, reorganization, bankruptcy, receivership, sale of assets, or transition of service to another provider, personal information held by Sugra may be transferred as part of such transaction. We will notify you through the Service and, where practical, by email of any change in ownership or use of your personal information, as well as any choices you may have.

13. Changes to This Policy

We may update this Privacy Policy from time to time. For material changes, we will provide at least thirty (30) days' advance notice by email to active account holders and a prominent notice at sugra.systems, and will update the "Last updated" date above. Continued use of the Service after the effective date of a change constitutes acceptance.

14. Contact

For privacy-related questions, requests, or concerns: