Back to home

Legal

Privacy Policy

SAGEOBOT website and app

Last updated: May 2, 2026

Introduction

This Privacy Policy explains how SAGEOBOT collects, uses, and protects personal data when you visit sageobot.com, sign in to the SAGEOBOT web application, or use the SAGEOBOT SEO content platform, including the authenticated UI app.

Data controller

The data controller responsible for SAGEOBOT data is SAGEOBOT. Formal company and postal details will be published in the website imprint or customer order materials when available. For privacy questions, objection requests, or data subject requests, contact hello@sageobot.com.

Data we collect

Account and authentication data

The SAGEOBOT UI uses Firebase Authentication. We process your email address, Firebase user ID, sign-in state, role, assigned site IDs, and legal acceptance records for the current Terms of Use and Privacy Policy.

Legal basis: contract performance and legitimate interest for security and access control.

Site, content, and integration data

Customers enter or generate site profiles, domains, target markets, CMS configuration, Google Search Console settings, article drafts, headlines, publishing preferences, uploaded assets, prompts, source material, and editorial feedback. If you connect integrations, we process credentials, OAuth tokens, API keys, webhook URLs, and configuration needed to operate those integrations. Google Search Console integrations may include the connected Google account email, property permissions, query and page performance rows, sitemaps, URL inspection data, and snapshots used for strategy and reporting.

Legal basis: contract performance and legitimate interest in providing and securing the service.

Billing data

Paid plans are processed through Stripe. SAGEOBOT stores billing status, subscription identifiers, entitlement data, and related account metadata. Stripe processes payment details according to its own privacy and security terms.

Legal basis: contract performance and compliance with legal and financial obligations.

Analytics data

With your consent, SAGEOBOT uses PostHog for product analytics on app pages where PostHog is loaded, including login/legal pages and the authenticated UI. PostHog may collect sanitized page views, browser and device metadata, session identifiers, product events, Firebase user ID, and email address after sign-in. Session replay, autocapture, page-leave tracking, and dead-click tracking are disabled by default.

Legal basis: for analytics cookies, local storage, and analytics events, our legal basis is your consent under GDPR and applicable ePrivacy rules. You can reject or withdraw consent at any time without affecting use of SAGEOBOT.

Technical and security data

We process IP address, request timestamps, requested paths, HTTP status codes, device/browser metadata, audit logs, API logs, error diagnostics, and App Check or abuse-prevention signals where configured.

Legal basis: legitimate interest in security, fraud prevention, troubleshooting, and reliable operation.

Cookies and local storage

The SAGEOBOT UI uses an essential firebase-auth cookie for up to 14 days so middleware can route signed-in users to protected pages. The app may also use browser storage for language preference, theme state, Firebase authentication state, Firebase App Check, Google Search Console OAuth return state, Stripe Checkout wizard drafts for up to one hour, and an essential local consent record for cookie preferences. PostHog analytics state is used only after you accept analytics cookies. You can change or withdraw analytics consent using the Cookie preferences control in the app. For signed-in users, we keep a server-timestamped record of the analytics cookie choice, including the displayed consent version and whether analytics was accepted, rejected, or withdrawn.

Third-party services

  • Firebase and Google Cloud for authentication, hosting, infrastructure, Firestore, App Check, and Google Search Console integrations.
  • PostHog for product analytics, using the EU cloud host where configured.
  • Stripe for checkout, subscriptions, invoices, payment processing, and billing webhooks.
  • OpenAI, Gemini, OpenRouter, DeepSeek, or other configured AI providers for content generation, image generation, classification, and quality checks based on customer-provided prompts, drafts, source material, and configuration.
  • Customer CMS providers, such as WordPress, Webflow, Ghost, or webhook destinations, when connected for publishing.

Processors and subprocessors

We use service providers as processors or independent controllers depending on the service. PostHog acts as our processor for product analytics. We configure the EU cloud host by default; if this changes, we will update this policy and ensure appropriate transfer safeguards. Firebase/Google Cloud, Stripe, AI providers, and connected CMS providers process data for the purposes listed above under their applicable data processing terms, privacy terms, standard contractual clauses, adequacy decisions, or equivalent safeguards where required.

How we use information

We use information to provide, maintain, and secure SAGEOBOT; authenticate users; enforce admin/client roles and site access; generate, improve, schedule, and publish SEO content; process subscriptions and invoices; analyze product usage; debug issues; detect abuse; comply with legal obligations; and enforce agreements.

Data retention

Account, site, billing, content, integration, audit, and operational data is kept for as long as needed to provide SAGEOBOT, meet security and legal obligations, resolve disputes, and enforce agreements. The latest recorded Terms acceptance and Privacy Policy acknowledgement are retained to evidence the applicable versions. Billing and invoice records may be retained for statutory accounting periods. Connected integration tokens are kept while the integration remains connected. Google Search Console snapshots, generated content, and site configuration are kept while the site or account is active unless deleted earlier. Analytics retention depends on the configured PostHog workspace settings. We delete or anonymize data when it is no longer needed, unless retention is required for legal, billing, security, backup, or operational reasons.

Your rights under GDPR

Where GDPR applies, you may have the following rights:

  • Access the personal data we hold about you.
  • Correct inaccurate or incomplete data.
  • Request deletion of personal data.
  • Restrict or object to certain processing.
  • Request data portability.
  • Withdraw consent where processing is based on consent.
  • Object to processing based on legitimate interests.
  • Lodge a complaint with a supervisory authority.

To exercise these rights, contact hello@sageobot.com. You may also complain to your local data protection authority.

International transfers

SAGEOBOT and its service providers may process data in countries outside your jurisdiction, including countries outside the European Economic Area and the United States. Where required, transfers are handled through appropriate safeguards such as provider data processing terms, standard contractual clauses, adequacy decisions, or equivalent mechanisms.

Data security

We use technical and organizational measures designed to protect personal data, including HTTPS, authenticated API access, role-based access controls, Firebase token verification, audit logging, secret management, and provider security controls. No system is perfectly secure, and users are responsible for keeping account credentials and integration credentials safe.

Children's privacy

SAGEOBOT is not directed at children under 16. We do not knowingly collect personal data from children. If you believe a child has provided data, contact us so we can address it.

Changes to this policy

We may update this policy to reflect product, provider, or legal changes. The Last updated date shows when it was last revised.