Privacy Policy

Effective Date: March 21, 2026  ·  Last Updated: March 21, 2026

SageWay AI, Inc. (“SageWay”, “we”, “our”) takes data protection seriously. This Privacy Policy describes how we collect, use, store, and safeguard information processed through our AI Voice Agent platform. In the enterprise B2B context, SageWay acts as a Data Processor on behalf of its Customers, who are the Data Controllers and responsible for End User consent. For questions, contact support@sageway.ai.

Zero Data Retention (ZDR) Mode: The data collection, storage, and retention practices described in this Policy apply only where SageWay hosts and processes data on the Customer's behalf. Customers operating in Zero Data Retention mode — where all processing occurs within the Customer's own infrastructure or a designated private environment — are not subject to SageWay's hosted retention schedules. In ZDR mode, SageWay retains no Customer Data whatsoever. Contact support@sageway.ai to configure or confirm your deployment mode.

1. What Data We Collect

When an End User interacts with a SageWay-powered AI Voice Agent, the following categories of data may be collected and processed:

Data Category | Examples | Default Persistence
Voice & Audio Input | Spoken words captured during interaction | Zero (processed in-memory only)
Real-time Transcripts | ASR-generated text of the conversation | Session only (configurable)
PII (Employee Data) | Name, corporate email, phone, employee ID, department | Per Customer configuration
CII (IT Request Data) | Ticket details, VPN/access requests, device info | Per Customer configuration
Session Metadata | Call duration, timestamps, disposition, routing data | 90 days (configurable)
Technical Data | IP address, session tokens, API logs, telemetry | 12 months

What SageWay Does NOT Collect

SageWay does not collect Social Security Numbers, government-issued ID numbers, financial account numbers, payment card data, or biometric voiceprint identifiers used for persistent identity authentication. The platform is designed exclusively for IT Help Desk workflow automation.

2. How Voice Data Is Processed & Retained

SageWay is architected for minimal persistent voice data retention. The platform's default operating posture is zero raw audio storage. Processing follows this pipeline:

  1. Audio captured via PSTN/VoIP/WebRTC and transmitted over TLS 1.2+
  2. Converted to text via automated speech recognition (ASR)
  3. Transcript processed by AI reasoning engine to determine intent and action
  4. Response generated and converted to synthesized speech via ElevenLabs API
  5. IT workflow action triggered via Customer's ITSM integration
  6. Session buffers cleared; raw audio is not persisted to disk by default

Data Type | Default Retention | Configurable Range
Raw audio input | Zero (no persistence) | N/A
Customer-enabled call recordings | 90 days | 30 – 365 days
Session transcripts (if enabled) | 90 days | 30 – 365 days
Session metadata / call logs | 90 days | 30 – 180 days
Anonymized aggregated analytics | 24 months | Not configurable
Security & audit logs | 12 months | Not configurable
Billing records | 7 years | Not configurable

No AI Training on Customer Data

SageWay does not use Customer Data, End User voice data, transcripts, or CII to train, fine-tune, benchmark, or improve SageWay's AI models or any third-party AI models without express prior written consent from the Customer.

Zero Data Retention (ZDR) Mode

The retention periods and processing pipeline described above apply only to SageWay-hosted deployments. Customers who have enabled Zero Data Retention mode operate under a fundamentally different architecture — no Customer Data, voice audio, transcripts, or metadata is stored or retained by SageWay at any point. The entire processing lifecycle occurs transiently in-memory and is discarded immediately upon session close. ZDR customers are exempt from all hosted-tier retention schedules in this section.

3. PII Handling & Employee Data

In the context of End User interactions, SageWay acts as a data processor (under GDPR Article 28) and service provider (under CCPA) on behalf of the Customer. SageWay processes End User PII only pursuant to documented Customer instructions, as set forth in the applicable Data Processing Agreement (DPA).

Access Minimization

Employee PII is accessible only to SageWay personnel with a documented need to know, subject to RBAC controls and quarterly access review.

No Profiling

SageWay does not build behavioral profiles, sentiment profiles, or performance evaluations of individual End Users.

No Secondary Use

Employee name, email, ID, and phone number are not used for any purpose other than fulfilling the specific IT support session for which they were provided.

No Cross-Account Linking

SageWay does not link End User PII across Customer accounts or with third-party identity databases.

Special Category Data

SageWay's Services are not designed to process special category data (health, biometric, or sensitive personal information) unless the Customer is a covered entity under HIPAA with a Business Associate Agreement (BAA) in effect. Customers are advised not to configure Voice Agents in ways that would cause End Users to disclose special category data outside of a properly configured HIPAA workflow.

4. Confidential IT Information (CII)

“Confidential IT Information” (CII) means any information processed through the Services relating to IT infrastructure topology, access credentials, system vulnerability disclosures, security incidents, VPN configurations, privileged access requests, or any other information the Customer designates as confidential.

Encryption in Transit: All CII is encrypted via TLS 1.2 or higher between all parties (TLS 1.3 preferred).
Encryption at Rest: CII stored in SageWay infrastructure is encrypted using AES-256; keys are managed via a dedicated KMS with annual rotation.
Tenant Isolation: CII processed in one Customer's environment is strictly isolated from other Customers via Supabase Row Level Security (RLS).
Credential Non-Persistence: Actual credentials (passwords, MFA codes, API keys) provided verbally are processed transiently and are never logged, stored, or transmitted outside the active session.
Audit Logging: All access to CII by SageWay personnel is logged and subject to periodic access review. Logs are retained for 12 months.
No Third-Party Disclosure: CII is not disclosed to any third party except the listed Sub-processors, and only to the extent necessary to perform the Services.

5. Third-Party Sub-Processors

SageWay engages the following Sub-processors to deliver the Services. A current Sub-processor list is maintained at sageway.ai/legal/sub-processors. SageWay provides Customers with 30 days' advance notice of material Sub-processor changes.

Sub-processor | Function | Data Processed | Certifications
Deepgram, Inc. | Speech-to-text / ASR | Real-time audio streams (transient, in-memory only); no audio retained post-session | SOC 2 Type II; HIPAA-eligible; DPA in place
ElevenLabs, Inc. | AI voice synthesis (TTS) | Outbound response text only; no End User audio, PII, or transcripts transmitted | SOC 2 Type II; DPA in place
Cartesia AI, Inc. | AI voice synthesis (TTS) | Outbound response text only; no End User audio, PII, or transcripts transmitted | DPA in place
LiveKit, Inc. | Real-time audio infrastructure (WebRTC) | Real-time audio streams (transient relay only); no persistent media storage | SOC 2 Type II; DPA in place
n8n GmbH | Workflow automation & orchestration | Session-level workflow trigger data; ITSM routing payloads; no raw audio or PII beyond what Customer configures | GDPR-compliant; DPA in place
Microsoft Azure | Cloud infrastructure & AI services | Compute, networking, and AI model inference; data processed per Customer's selected region | SOC 2 Type II; ISO 27001; HIPAA BAA available; DPA in place
Amazon Web Services (AWS) | Cloud infrastructure & storage | Hosting, storage, and compute; data residency per Customer's selected region (default: us-east-1) | SOC 2 Type II; ISO 27001; HIPAA BAA available; DPA in place
Supabase, Inc. | Database, auth, storage | Customer account data; session metadata; transcript logs (if enabled by Customer) | SOC 2 Type II; DPA in place; RLS enforced

Voice Synthesis Providers (ElevenLabs & Cartesia) — Important Clarification

Requests to voice synthesis providers contain only the outbound response text to be synthesized (the AI agent's spoken reply). End User raw audio, transcripts of End User speech, PII, and CII are never transmitted to these providers. The same principle applies to Deepgram and LiveKit — only transient audio streams are relayed; no content is stored by these providers post-session.

6. Data Residency & Security

Data Residency

By default, Customer Data is stored in the United States (AWS us-east-1 via Supabase). Enterprise Customers may negotiate alternate regions (EU, Canada) via a custom Order Form. GDPR/UK GDPR cross-border transfers are covered by Standard Contractual Clauses (SCCs) incorporated in the DPA.

Compliance Certifications

  • SOC 2 Type II (report available under NDA)
  • HIPAA-eligible architecture
  • GDPR Article 32 technical measures
  • Annual third-party penetration testing
  • Continuous vulnerability scanning

Security Controls

Access Controls

MFA required for all SageWay personnel accessing production; RBAC with least privilege; PAM with session recording for admin access; quarterly access reviews.

Encryption

All data in transit via TLS 1.2+ (TLS 1.3 preferred); all data at rest via AES-256; KMS key management with annual rotation.

Infrastructure

WAF and DDoS mitigation; IDS/IPS; critical security patches within 72 hours; BCP/DR with RTO < 4 hours, RPO < 1 hour.

Operational

Background checks for all production-access employees; annual security awareness training; documented incident response plan.

7. HIPAA Business Associate

BAA Required for PHI Processing

Customers in healthcare verticals must execute a Business Associate Agreement (BAA) with SageWay prior to using the Services in any manner involving Protected Health Information (PHI). SageWay's standard BAA is available upon request at support@sageway.ai.

Where a BAA is in effect, SageWay will:

  • Implement administrative, physical, and technical safeguards required by the HIPAA Security Rule (45 C.F.R. §164.306) with respect to ePHI
  • Not use or disclose PHI in a manner that would violate HIPAA if done by the covered entity
  • Report any use or disclosure of PHI not provided for by the BAA without unreasonable delay
  • Report any Breach of Unsecured PHI no later than 60 calendar days from discovery (45 C.F.R. §164.410)
  • Make its internal practices available to the Secretary of HHS for compliance purposes

Scope Note: SageWay's platform is designed to support IT Help Desk functions for healthcare organizations. It is not intended as a clinical decision support tool or patient-facing medical service.

8. GDPR & CCPA Compliance

GDPR (EEA / UK / Switzerland)

Roles: Customer = Data Controller; SageWay = Data Processor (Article 28).

  • Process personal data only on documented Customer instructions
  • Engage Sub-processors only with Customer authorization
  • All SageWay personnel bound by confidentiality obligations
  • Implement Article 32 technical and organizational measures
  • Assist Customer with Data Subject Requests (Articles 15–22)
  • Notify Customer of breaches within 72 hours (Article 33)
  • Support DPIAs and compliance audits

DPA incorporating EU SCCs and UK Addendum available at sageway.ai/legal/dpa.

CCPA (California / CPRA)

Roles: Customer = Business; SageWay = Service Provider.

  • SageWay does not "sell" or "share" Customer Data or End User personal information
  • Does not retain, use, or disclose PI for any commercial purpose beyond contracted services
  • Does not combine End User data from Customer with data from other sources
  • Certifies compliance with CCPA service provider restrictions

9. Your Data Rights

End Users seeking to exercise data subject rights should contact the Customer in the first instance. Upon receiving a verified Customer request, SageWay will respond as follows:

Right | SageWay's Action | Timeline
Access / Portability | Export all stored data associated with the End User identifier provided | 5 business days
Deletion / Erasure | Delete all stored personal data; provide written confirmation | 5 business days
Correction / Rectification | Update stored data as directed by Customer | 5 business days
Restriction of Processing | Restrict processing pending Customer instruction | Immediate
Object to Processing | Cease processing as directed by Customer | As directed

Zero-Storage Note: SageWay's default zero-persistent-storage architecture for voice data means that where raw audio is not stored (the default), there is no audio to return, export, or delete.

10. Data Retention & Deletion

SageWay retains Customer Data for the minimum period necessary to deliver contracted services. The table below reflects default retention periods; Customers may configure shorter periods within the ranges shown.

Data Category | Default Retention | Configurable?
Raw audio (default: no retention) | 0 days | N/A
Raw audio (Customer-enabled recording) | 90 days | Yes (30–365 days)
Session transcripts (Customer-enabled) | 90 days | Yes (30–365 days)
Session metadata / call logs | 90 days | Yes (30–180 days)
Customer account data | Contract duration + 90 days | No
Anonymized aggregated analytics | 24 months | No
Security and audit logs | 12 months | No
Billing records | 7 years | No

Deletion Upon Termination

Within 30 days of termination, SageWay will delete or return (at Customer's election) all Customer Data, except as required to be retained by applicable law. SageWay will provide written certification of deletion upon request.

Zero Data Retention (ZDR) Mode — Not Applicable

All retention schedules in the table above apply exclusively to SageWay-hosted deployments where SageWay stores and manages Customer Data on the Customer's behalf. They do not apply to Customers operating in Zero Data Retention (ZDR) mode.

In ZDR mode: no voice audio, transcripts, session metadata, or PII is written to SageWay storage at any point. All processing occurs transiently in-memory and is purged upon session termination. SageWay holds zero residual Customer Data, and no retention, deletion, or data subject request procedures under this section are applicable. To confirm or configure ZDR mode for your deployment, contact support@sageway.ai.

11. Security Incident & Breach Response

Upon discovery of a confirmed or reasonably suspected security incident involving Customer Data, SageWay will follow this structured response timeline:

  • 0 – 24 hrs (Detect & Contain): Confirm the incident, contain the threat, preserve forensic evidence, classify severity level.
  • ≤ 72 hrs (Customer Notification): Notify affected Customer(s) via designated security contact with: nature of incident, categories and volume of data affected, and immediate containment measures taken.
  • Ongoing (Regulatory Assistance): Assist Customer with GDPR (Article 33/34), HIPAA Breach Notification (45 C.F.R. §164.400–414), and applicable state breach notification requirements.
  • ≤ 15 business days (Written Incident Report): Deliver comprehensive written incident report including root cause analysis and remediation steps.
  • Post-Incident (Lessons Learned): Implement post-incident improvements; share summary of corrective actions with affected Customers upon request.

HIPAA: For Customers with a BAA in effect, notification of Breach of Unsecured PHI will occur no later than 60 calendar days from discovery (45 C.F.R. §164.410). SageWay's breach notification obligations run to the Customer. Customer retains responsibility for notifying affected End Users, regulators, and other required parties.

12. Contact & DPA Requests

For privacy inquiries, data processing agreements, security reports, or legal requests, contact us via the appropriate channel below:

  • All Privacy & Legal Inquiries: support@sageway.ai. Use this address for all privacy matters and include your topic in the subject line.
  • Privacy & DPA Requests: support@sageway.ai. Data subject requests, DPA execution, privacy program inquiries.
  • Security Reports: support@sageway.ai. Vulnerability disclosures, incident reporting, security assessments.
  • GDPR / DPO Matters: support@sageway.ai. GDPR Article 37 / EU data protection, SCCs, transfer impact assessments.
  • Legal & BAA Requests: support@sageway.ai. BAA requests, legal process, court orders, government inquiries.
  • Zero Data Retention Setup: support@sageway.ai. Configure or confirm ZDR mode for your deployment.

Disclaimer: This Privacy Policy is provided for informational purposes. SageWay recommends that all Customers work with qualified legal counsel to ensure compliance with applicable privacy laws in their jurisdiction. This document does not constitute legal advice.