Sanvia

Privacy Policy

Last Updated: December 23, 2025

1. Introduction

Sanvia ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our sales forecasting platform.

2. Data Controller

Sanvia acts as the data controller for account information and usage data. For sales data you upload, you remain the data controller and Sanvia acts as a data processor processing data on your behalf and according to your instructions.

3. Data We Collect

3.1 Information You Provide

  • Account Information: Email address, name, password (hashed)
  • Sales Data: Historical sales data you upload for forecasting
  • Payment Information: Processed by Stripe (we don't store card details)
  • Communications: Support requests, feedback, emails

3.2 Automatically Collected Data

  • Usage Data: Pages visited, features used, time spent
  • Device Information: Browser type, IP address, operating system
  • Cookies: Essential cookies for authentication and preferences
  • Log Data: Server logs, error reports, performance metrics

4. Your Responsibilities for Uploaded Data

⚠️ Important: Data Upload Warranties

By uploading data to Sanvia, you represent and warrant that:

  • You have all necessary rights, permissions, and legal authority to upload and process the data
  • The data does not violate any third party's privacy, intellectual property, or other rights
  • If the data contains personal information of third parties (e.g., your customers), you have obtained all required consents and have a lawful basis for sharing it with us
  • You have provided any required notices to data subjects whose information is included
  • Your use of our service complies with all applicable laws and regulations

4.1 Prohibited Data

You agree NOT to upload:

  • Protected health information (PHI) subject to HIPAA
  • Payment card data (PCI-DSS scope data)
  • Social security numbers, government IDs, or national identifiers
  • Children's personal data (under 16 years old)
  • Biometric or genetic data
  • Data revealing racial/ethnic origin, political opinions, religious beliefs, sexual orientation, or trade union membership (GDPR special categories)
  • Data obtained illegally or without proper consent
  • Data subject to specific regulatory requirements (e.g., FERPA, GLBA) unless you ensure compliance

4.2 Indemnification

You agree to indemnify, defend, and hold harmless Sanvia from any claims, damages, losses, or expenses (including legal fees) arising from your breach of these data warranties, your violation of third-party rights, or your failure to comply with applicable data protection laws.

5. How We Use Your Data

  • Provide and maintain our forecasting service
  • Process your sales data to generate forecasts
  • Authenticate your account and prevent fraud
  • Send service updates and security alerts
  • Improve our models and features based on aggregated usage
  • Provide customer support
  • Monitor and analyze usage patterns and trends
  • Comply with legal obligations

6. Aggregated & Anonymized Data

We may create aggregated, anonymized, or de-identified data from your information by removing identifiers that would allow it to be linked back to you or any individual. This data is no longer considered personal data under applicable law.

We may use aggregated/anonymized data to:

  • Improve and train our forecasting models and algorithms
  • Conduct research and development
  • Generate industry benchmarks and statistics
  • Create marketing materials (e.g., "customers achieve 95% forecast accuracy")
  • Publish research or white papers
  • Any other lawful business purpose

We retain the right to use aggregated and anonymized data indefinitely, even after account deletion, as it is no longer personal data.

7. Machine Learning & Automated Processing

7.1 How We Use ML

Our service uses machine learning models to generate sales forecasts. These models analyze patterns in your historical data to predict future values. The forecasts are generated automatically without human review of individual predictions.

7.2 Model Training

Our core forecasting models are trained on publicly available datasets and synthetic data. We do not use your raw, identifiable sales data to train models that would be used for other customers. However, we may use aggregated, anonymized insights derived from usage patterns to improve our algorithms generally.

7.3 Automated Decision-Making (GDPR Art. 22)

Our forecasts are informational outputs, not automated decisions with legal or similarly significant effects. You retain full control over any business decisions made based on forecasts. If you believe automated processing significantly affects you, you may contact us to request human review.

8. Legal Basis for Processing (GDPR)

  • Contract Performance: Processing necessary to provide our service
  • Legitimate Interest: Improving our service, fraud prevention, security, analytics
  • Consent: Marketing communications (opt-in only)
  • Legal Obligation: Tax, accounting, legal compliance, responding to lawful requests

9. Data Sharing & Disclosure

We do NOT sell your personal data. We may share data with:

9.1 Service Providers (Sub-processors)

We use the following categories of service providers:

  • Cloud Infrastructure: Supabase (database, authentication, storage)
  • Payment Processing: Stripe
  • Email Services: Transactional email providers
  • Analytics: Usage analytics providers
  • Error Monitoring: Application monitoring services

All sub-processors are bound by data processing agreements with appropriate safeguards. A current list of sub-processors is available upon request.

9.2 Legal & Government Requests

We may disclose your data:

  • To comply with applicable law, regulation, legal process, or governmental request
  • To enforce our Terms of Service or protect our rights, privacy, safety, or property
  • To protect against legal liability
  • To investigate potential violations or fraud

We may be prohibited by law from notifying you of certain disclosures (e.g., national security requests, court orders with gag provisions). Where legally permitted, we will attempt to notify you of such requests.

9.3 Business Transfers

In connection with a merger, acquisition, bankruptcy, or sale of assets, your data may be transferred. We will provide notice before your data becomes subject to a different privacy policy.

10. External Data Sources

Our service incorporates economic indicators and external data from third-party sources, including but not limited to:

  • World Bank Open Data
  • International Monetary Fund (IMF)
  • Central banks and government statistical agencies
  • Other publicly available economic databases

Disclaimer: We do not control, verify, or guarantee the accuracy, completeness, or timeliness of external data. This data is provided "as is" and may be delayed, revised, or contain errors. We are not liable for any decisions made based on external data incorporated into forecasts.

11. Data Retention

We retain your data for as long as your account is active or as needed to provide services.

11.1 After Account Deletion

  • Account data: Deleted within 30 days
  • Sales data: Permanently deleted within 30 days
  • Backups: Purged within 90 days
  • Aggregated/anonymized data: Retained indefinitely
  • Legal/tax records: Retained as required by law (typically 7-10 years)
  • Dispute/litigation data: Retained until resolution plus applicable statute of limitations

11.2 Extended Retention

We may retain data longer if required for legal compliance, dispute resolution, fraud prevention, or enforcement of our agreements.

12. Your Rights (GDPR/CCPA)

Subject to applicable law, you have the right to:

  • Access: Request a copy of your personal data
  • Rectification: Correct inaccurate or incomplete data
  • Erasure: Request deletion ("right to be forgotten")
  • Portability: Receive your data in machine-readable format
  • Restriction: Limit how we process your data
  • Objection: Object to processing based on legitimate interest
  • Withdraw Consent: Opt out of marketing at any time
  • Non-Discrimination: Exercise rights without discriminatory treatment (CCPA)

12.1 Limitations on Rights

These rights are not absolute. We may decline requests where:

  • We cannot verify your identity
  • The request is manifestly unfounded or excessive
  • Compliance would infringe on others' rights
  • Data must be retained for legal compliance or legitimate business purposes
  • Data is subject to legal privilege

12.2 How to Exercise Rights

To exercise these rights, visit your Account Settings or contact us at support@sanvia.ai. We will respond within 30 days (or as required by applicable law). We may charge a reasonable fee for manifestly unfounded or excessive requests.

13. Data Security

13.1 Security Measures

  • Encryption in transit (TLS/SSL) and at rest
  • Regular security assessments
  • Access controls and authentication
  • SOC 2 Type II compliant infrastructure (Supabase)
  • Regular backups with encryption
  • Employee security training

13.2 Security Disclaimer

NO SYSTEM IS 100% SECURE. While we implement industry-standard security measures, we cannot guarantee absolute security. We are not liable for unauthorized access, hacking, data breaches, or other security incidents beyond our reasonable control. You acknowledge that you provide data at your own risk.

13.3 Data Breach Notification

In the event of a personal data breach, we will notify affected users and relevant supervisory authorities as required by applicable law (including GDPR Articles 33-34). Such notification does not constitute an admission of fault or liability.

14. International Data Transfers

Your data may be processed in the United States, European Union, or other countries where our service providers operate.

For transfers outside the EEA, we rely on:

  • European Commission adequacy decisions
  • Standard Contractual Clauses (SCCs)
  • Other lawful transfer mechanisms

15. Cookies & Tracking

We use cookies and similar technologies for:

  • Strictly Necessary: Authentication, security, load balancing (no consent required)
  • Functional: Preferences, language settings
  • Analytics: Usage statistics, performance monitoring (consent required where applicable)

You can manage cookie preferences through your browser settings. Disabling certain cookies may affect service functionality.

16. Children's Privacy

Our service is not intended for users under 16 years of age. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, contact us immediately and we will delete it.

17. Data Processing Agreement (DPA)

For enterprise customers or where required for your compliance obligations, we offer a Data Processing Agreement that governs our processing of personal data on your behalf. Contact support@sanvia.ai to request a DPA.

18. California Privacy Rights (CCPA/CPRA)

California residents have additional rights under the California Consumer Privacy Act:

  • Right to Know: Categories and specific pieces of personal information collected
  • Right to Delete: Request deletion of personal information
  • Right to Opt-Out: We do not sell personal information
  • Right to Non-Discrimination: Equal service regardless of exercising rights

To exercise these rights, contact support@sanvia.ai.

19. Changes to This Policy

We may update this policy periodically. For material changes, we will provide notice via:

  • Email to the address associated with your account
  • Prominent notice on our website or within the application
  • At least 30 days before changes take effect

Continued use of the service after changes take effect constitutes acceptance of the updated policy.

20. Contact & Complaints

Email: support@sanvia.ai

Website: https://sanvia.ai

Supervisory Authority: You have the right to lodge a complaint with your local data protection authority. For Slovenia, this is the Information Commissioner (Informacijski pooblaščenec).

We encourage you to contact us first so we can address your concerns directly.