SageWiz

Privacy Policy

Last Updated: October 30, 2025

1. Introduction

SageWiz ("we," "us," or "our") is committed to protecting your privacy and handling your personal information with care and respect. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our platform, website, mobile application, and related services (collectively, the "Service").

Your Privacy Rights

This Privacy Policy addresses your rights under GDPR (General Data Protection Regulation) and CCPA (California Consumer Privacy Act). SageWiz is not a HIPAA-covered entity, and your data is not protected under HIPAA.

2. Information We Collect

2.1 Personal Information

We collect personal information that you voluntarily provide when you:

  • Create an account (email address, password)
  • Complete your user profile (allergies, medical conditions, optional age range and gender)
  • Contact customer support (email, support inquiry details)
  • Subscribe to our services (billing information through Stripe)
  • Opt in to marketing communications (email preferences)
  • Enable two-factor authentication (2FA): we store your preferred authentication method, verification status, and encrypted backup recovery codes

2.2 Health Information

Important: SageWiz is an educational platform and NOT a healthcare provider or HIPAA-covered entity. We treat health information as sensitive and apply strong security controls. Do not submit protected health information (PHI) on behalf of a healthcare provider or for clinical care.

We collect health-related information including:

  • Symptom descriptions and health concerns
  • Duration and severity of symptoms
  • Medical history (conditions, allergies, medications)
  • Lifestyle factors (diet, exercise, sleep patterns, stress levels)
  • Assessment responses and follow-up questions
  • Notes and journal entries about your health journey

2.3 Automatically Collected Information

  • Device information (IP address, browser type, operating system)
  • Usage data (pages visited, features accessed, time spent)
  • Log data (access times, error logs, performance data)
  • Cookies and tracking technologies (see our Cookie Policy)
  • Geographic location (approximate location based on IP address)
  • Session tracking data: Active session information, login timestamps, device identifiers for security purposes
  • Account status logs: If your account is suspended or locked, we log the reason, timestamp, and administrative action taken

Analytics & Product Tracking:

✓ Privacy-First Approach: We currently do not use third-party analytics or user tracking services. Product improvement is based on server-side application logs and user feedback, ensuring maximum privacy protection.

2.4 Information from Third Parties

We may receive information from third-party services when you:

  • Process payments through Stripe (payment method, transaction details)
  • Use analytics services (aggregated usage statistics)
  • Sign up through authentication providers (if applicable in the future)

3. How We Use Your Information

We use your information for the following purposes:

3.1 Service Delivery

  • Provide AI-powered symptom analysis and educational recommendations
  • Generate personalized natural health information
  • Maintain your assessment history and user profile
  • Enable AI coaching and follow-up questions
  • Deliver tier-appropriate features and content

3.2 Service Improvement

  • Analyze usage patterns to improve user experience
  • Train and refine our AI models (using anonymized, aggregated data)
  • Conduct research on natural health education effectiveness
  • Debug technical issues and optimize performance

3.3 Communication

  • Send transactional emails (assessment results, subscription confirmations)
  • Provide customer support and respond to inquiries
  • Send subscription renewal reminders and usage notifications
  • Deliver educational content and health tips (if opted in)
  • Notify you of policy changes or important updates

3.4 Legal and Security

  • Comply with legal obligations and regulatory requirements
  • Enforce our Terms of Service and prevent abuse
  • Protect against fraud, security breaches, and unauthorized access
  • Respond to legal requests (subpoenas, court orders)

3.5 Marketing (Opt-In Only)

  • Send promotional emails about new features or educational content
  • Offer personalized recommendations for tier upgrades
  • Share wellness tips and natural health research

You can opt out of marketing communications at any time using the unsubscribe link in emails or by updating your preferences in your account settings.

3.6 Email Communications & Preferences

SageWiz sends different types of emails, and you have control over which you receive:

Types of Emails We Send:

  • Transactional Emails (Cannot be disabled): Critical account and security notifications including password resets, email verification, payment receipts, subscription confirmations, emergency health alerts, and assessment results. These emails are necessary for the operation of your account and your safety.
  • Marketing & Promotional Emails (Optional): Tips, wellness advice, special offers, promotional content, and trial expiration reminders. You can unsubscribe from these at any time.
  • Product Updates (Optional): Announcements about new features, platform improvements, and tier changes. You can unsubscribe from these at any time.
  • Health Updates (Recommended but Optional): Follow-up reminders, protocol check-ins, and personalized health insights related to your assessments. While highly recommended for health tracking continuity, you can disable these if desired.

Managing Your Email Preferences

You have full control over which types of emails you receive from SageWiz:

  • Visit your Email Preference Center to manage subscriptions
  • Click the "Unsubscribe" link at the bottom of any marketing or promotional email
  • One-click unsubscribe instantly disables marketing and product update emails
  • Changes take effect immediately

CAN-SPAM Compliance: All our marketing emails comply with the CAN-SPAM Act. Every marketing email includes a clear unsubscribe link, our physical mailing address, and accurate "From" and "Subject" lines. We honor all unsubscribe requests within 10 business days.

Email Service Provider: We use Resend (resend.com) to send emails. Resend processes email data (recipient addresses, email content) solely for the purpose of delivering emails on our behalf and does not use this data for any other purpose.

4. How We Share Your Information

We Do NOT Sell Your Personal Data

SageWiz does not sell, rent, or trade your personal information to third parties for their marketing purposes. Your health data is never shared with advertisers or data brokers.

4.1 Service Providers

We share limited information with trusted third-party service providers who assist in operating our Service:

  • Supabase (PostgreSQL Database): Stores your account information, assessment history, and user profile data. Supabase is SOC 2 Type II certified and provides enterprise-grade security.
  • Stripe (Payment Processing): Processes subscription payments and manages billing. Stripe is PCI DSS Level 1 certified and handles payment data securely.
  • Resend (Email Service): Sends transactional and marketing emails on our behalf. Resend complies with GDPR and CAN-SPAM regulations.
  • Grok AI / XAI API (AI Analysis): Processes symptom data to generate educational recommendations. We send anonymized health information for analysis and do not share personally identifiable information unless necessary for service delivery.
  • Upstash Redis (Rate Limiting): Temporarily stores rate limiting data to prevent abuse. No health information is stored in Redis.
  • Vercel (Hosting & Infrastructure): Hosts our application and provides CDN services. Vercel complies with SOC 2 Type II and GDPR.

All service providers are bound by strict data processing agreements and are prohibited from using your data for any purpose other than providing services to SageWiz.

4.2 Legal Requirements

We may disclose your information if required by law or to:

  • Comply with legal processes (subpoenas, court orders, warrants)
  • Respond to government or regulatory requests
  • Protect the rights, property, or safety of SageWiz, our users, or the public
  • Enforce our Terms of Service and prevent fraud or abuse

4.3 Business Transfers

In the event of a merger, acquisition, reorganization, or sale of assets, your information may be transferred to the acquiring entity. We will notify you via email and/or prominent notice on our Service before your information is transferred and becomes subject to a different privacy policy.

4.4 With Your Consent

We may share your information with third parties when you provide explicit consent, such as when you choose to share assessment results with your healthcare provider (Guardian tier feature).

5. Data Retention

We retain your personal information for as long as necessary to provide the Service and fulfill the purposes outlined in this Privacy Policy. Retention periods vary based on your subscription tier:

Tier-Based Retention Policy:

  • Explorer (Free Tier): 7 days after assessment completion
  • Seeker Tier: 60 days of rolling history
  • Healer Tier: Unlimited retention while account is active
  • Guardian Tier: Unlimited retention while account is active

Automated Enforcement: These retention periods are automatically enforced by our system. Data older than your tier's retention period is automatically deleted daily at 3:00 AM UTC. You can manually delete your data at any time through your account settings.

5.1 Account Closure

When you close your account or request data deletion:

  • Your account is marked for deletion immediately upon closure
  • Personal data is automatically deleted 30 days after account closure (grace period for account recovery)
  • During the 30-day grace period, you can reactivate your account and restore your data
  • After 30 days, all personal data is permanently deleted and cannot be recovered
  • Some data may be retained for legal compliance (e.g., financial records for 7 years)
  • Anonymized, aggregated data may be retained for research and analytics
  • Backups may contain your data for up to 90 days before automatic deletion

How to Close Your Account: You can close your account at any time by contacting support or using the account closure feature in your account settings. Please cancel any active subscriptions before closing your account.

5.2 Legal Hold

We may retain your information longer if required by law, legal proceedings, investigations, or to prevent fraud and abuse.

6. Data Security

We implement industry-standard security measures to protect your personal information from unauthorized access, alteration, disclosure, or destruction:

6.1 Technical Safeguards

  • Encryption: All data is encrypted in transit (TLS/SSL) and at rest (AES-256). Certain sensitive fields (dietary preferences, custom health notes) are individually encrypted using AES-256 encryption for additional security.
  • Authentication: Secure password hashing (bcrypt) and session management
  • Access Controls: Role-based access controls (RBAC) and least privilege principles
  • Database Security: Supabase Row Level Security (RLS) policies ensure users can only access their own data
  • Rate Limiting: Protection against brute force attacks and abuse
  • Monitoring: Real-time security monitoring and intrusion detection

6.2 Organizational Safeguards

  • Limited employee access to personal data (need-to-know basis only)
  • Mandatory security training for all staff
  • Regular security audits and penetration testing
  • Incident response plan for data breaches
  • Vendor security assessments and data processing agreements

No Absolute Security

While we strive to protect your personal information, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security and are not responsible for unauthorized access beyond our reasonable control.

6.3 Data Breach Notification

In the event of a data breach that compromises your personal information, we will notify you within 72 hours via email and provide details about the breach, affected data, and steps you should take to protect yourself.

7. Your Privacy Rights

Depending on your location, you have specific rights regarding your personal data:

7.1 General Rights (All Users)

  • Right to Access: Request a copy of your personal data
  • Right to Correction: Request correction of inaccurate data
  • Right to Deletion: Request deletion of your personal data
  • Right to Data Portability: Receive your data in a structured, machine-readable format
  • Right to Object: Object to certain processing of your data (e.g., marketing)
  • Right to Withdraw Consent: Withdraw consent for data processing at any time

7.2 GDPR Rights (EU/EEA Users)

If you are located in the European Union or European Economic Area, you have additional rights under the General Data Protection Regulation (GDPR):

  • Right to Restriction: Request restriction of processing your data
  • Right to Lodge a Complaint: File a complaint with your local data protection authority
  • Right to be Informed: Receive clear information about data processing
  • Automated Decision-Making: Right not to be subject to decisions based solely on automated processing (including AI)

Legal Basis for Processing (GDPR): We process your data based on consent (assessment completion), contract performance (subscription services), legitimate interests (service improvement), and legal obligations (compliance).

7.3 CCPA Rights (California Residents)

If you are a California resident, the California Consumer Privacy Act (CCPA) grants you these rights:

  • Right to Know: Request disclosure of personal information collected, used, and shared
  • Right to Delete: Request deletion of personal information
  • Right to Opt-Out: Opt out of the sale of personal information (we do not sell data)
  • Right to Non-Discrimination: Equal service and pricing regardless of privacy rights exercise
  • Right to Correct: Request correction of inaccurate personal information

Categories of Data Collected (CCPA): Identifiers (email), health information (allergies, medical conditions, symptoms, age range, gender), internet activity, geolocation data, commercial information (subscription history), and inferences (health preferences).

7.4 How to Exercise Your Rights

To exercise any of these rights, contact us at:

Privacy Rights Request

Email: privacy@sagewiz.org

Subject: "Privacy Rights Request"

We will respond to your request within 30 days (GDPR) or 45 days (CCPA). We may request additional information to verify your identity before processing your request.

8. Children's Privacy

SageWiz is not intended for children under 18 years of age. We do not knowingly collect personal information from children under 18. If you are a parent or guardian and believe your child has provided us with personal information, please contact us immediately at privacy@sagewiz.org.

If we become aware that we have collected personal information from a child under 18 without parental consent, we will take steps to delete that information from our servers as quickly as possible.

9. International Data Transfers

SageWiz is based in the United States. If you access the Service from outside the United States, your information may be transferred to, stored, and processed in the United States and other countries where our service providers operate.

For EU/EEA Users: We rely on Standard Contractual Clauses (SCCs) approved by the European Commission to ensure adequate protection for international data transfers. Our data processing agreements with service providers include these clauses.

By using the Service, you consent to the transfer of your information to the United States and other countries that may have different data protection laws than your country of residence.

10. HIPAA Notice (Not Covered Entity)

Important: SageWiz is NOT a Covered Entity

SageWiz is an educational platform and is NOT a healthcare provider, health plan, or healthcare clearinghouse. We are not a HIPAA-covered entity or business associate, and HIPAA does not apply to the Service.

We recognize the sensitive nature of health information and use reasonable administrative, technical, and physical safeguards, including:

  • Encryption of health data in transit and at rest
  • Access controls and authentication mechanisms
  • Audit logs and security monitoring
  • Employee training on data privacy
  • Incident response and breach notification procedures

11. Cookies and Tracking Technologies

We use cookies and similar tracking technologies to enhance your experience on the Service. For detailed information about our use of cookies, please see our Cookie Policy.

You can control cookies through your browser settings. Note that disabling cookies may affect your ability to use certain features of the Service.

12. Third-Party Links

The Service may contain links to third-party websites, plugins, and applications. We are not responsible for the privacy practices or content of these third parties.

We encourage you to read the privacy policies of any third-party sites you visit. This Privacy Policy applies solely to information collected by SageWiz.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of material changes by:

  • Posting the updated Privacy Policy on this page with a new "Last Updated" date
  • Sending an email notification to your registered email address
  • Displaying a prominent notice on the Service

Your continued use of the Service after the effective date of the revised Privacy Policy constitutes acceptance of the changes. If you do not agree to the changes, you should stop using the Service and may request deletion of your account.

14. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

SageWiz Privacy Team

Privacy Inquiries: privacy@sagewiz.org

Data Protection Officer: dpo@sagewiz.org

General Support: support@sagewiz.org

Billing Support: billing@sagewiz.org

Legal Matters: legal@sagewiz.org

Response Time: We aim to respond to all privacy inquiries within 2 business days and complete data rights requests within 30 days.

By using SageWiz, you acknowledge that you have read, understood, and agree to the collection, use, and disclosure of your information as described in this Privacy Policy.

Last Updated: October 30, 2025 | Effective Date: October 30, 2025