Contact sales
SAGEA/Legal

Privacy Policy

Last Updated: May 17, 2026

SectionScope of This Policy

This Privacy Policy explains how SAGEA ("SAGEA", "we", "us", "our") collects, uses, and protects information in connection with its websites, APIs, SDKs, models, enterprise systems, and infrastructure services (collectively, the "Services").

This Policy applies to SAGEA as a company-level framework. Product-specific privacy terms (including Helios deployments) may provide additional detail, granular configuration, and sovereign control options.

01

Scope of This Policy

This Privacy Policy applies to our complete corporate and system framework:

  • SAGEA websites and developer platforms
  • Hosted APIs and inference services
  • Enterprise infrastructure deployments
  • Research and experimental systems
  • SDKs and developer software tools
  • Model and AI-based systems
  • Administrative, billing, and support systems

Certain products, including our Helios identity infrastructure, may operate under separate or additional privacy documentation depending on deployment type and customer configuration.

02

Data Classification Model

To guarantee maximum isolation and privacy credibility, SAGEA distinguishes strictly between three categories of processed data:

1 / Customer Data

Customer Data

Data submitted by customers or processed on their behalf through the Services.

Examples Include
  • API prompts & inputs
  • Application payloads
  • Enterprise files
  • System logs
  • Config profiles
2 / End-User Data

End-User Data

Data belonging to individuals interacting with customer systems powered by SAGEA.

Examples Include
  • Identity verification documents
  • Biometric session media
  • Onboarding records
  • Helios KYC payloads
3 / Operational Data

Operational Data

Data generated by SAGEA systems strictly for reliability, health, and security.

Examples Include
  • API request metadata
  • System latency & loads
  • Diagnostic error traces
  • Abuse detection signals
03

On-Premises Deployments

For on-premises, customer-hosted, or isolated private cloud deployments:

Sovereign Isolation Commitments

Zero Remote Extraction: All Customer Data and End-User Data remain entirely within the customer's physical or logically controlled cloud infrastructure. SAGEA does not collect, access, transfer, or store data from these environments.

No Document Retention: SAGEA does not retain, extract, or mirror biometric details, physical ID scans, or user verification databases processed locally on-prem.

No Remote Visibility: SAGEA maintains zero telemetry, remote log ports, or backdoor visibility into customer production environments after isolated deployment.

Customer Custodianship

Customers retain sole, absolute ownership and responsibility for data storage, retention schedules, privacy policies, statutory compliance obligations, administrative access logs, and overall security configurations.

04

API and Hosted Services

For SAGEA-managed hosted infrastructure, cloud pipelines, and multi-tenant APIs:

4.1 Customer Data Processing

SAGEA processes Customer Data strictly on behalf of the customer, and solely as necessary to:

  • Provide requested model inference, speech synthesis, and verification functions.
  • Operate, scale, maintain, and balance our shared hosted clusters.
  • Secure platform reliability, trace critical server crashes, and isolate malicious payloads.

4.2 Operational Data Collection

SAGEA may collect limited Operational Data to secure, balance, and maintain the reliability of the hosted infrastructure, including:

  • Inbound request timestamps, API payload sizing, and execution latency.
  • Platform error codes, non-identifiable system traces, and cluster performance logs.
  • Aggregated API usage indices and rate limit analytics.
  • Anti-abuse logs and fraud prevention signals.
05

Strict Data Non-Retention Policy (End-User Data)

SAGEA implements a strict non-retention posture for End-User Data submitted through our Services, unless explicitly instructed otherwise under customer configurations:

No Permanent StorageIdentity documents, physical scans, and government credentials are never permanently stored by SAGEA by default. They are purged immediately post-verification.
Transient BiometricsBiometric media, face vectors, and liveness verification records are processed in transient memory and deleted within short processing windows.
No Secondary ExploitationVerification payloads, text extractions, and user profiles are processed solely to complete the requested check, with zero secondary reuse.

* Exceptions apply only to short-lived transient requests required to execute the operational call, legal retention warrants served by sovereign authorities, or customer-configured secure storage in custom enterprise plans.

06

No Training on Customer or End-User Data

Strict Model Training Isolation Commitment

SAGEA implements a zero-trust architecture regarding general-purpose model tuning:

SAGEA DOES NOT use Customer Data or End-User Data to train foundation models, refine parameter weights, or improve general-purpose AI systems without explicit, signed, written consent.

This strict isolation applies to:

  • Prompts & Inputs
  • API Payload extractions
  • Identity document uploads
  • Verification session media
  • Enterprise customized datasets

Operational Data (metadata, request frequency, infrastructure latencies) may be analyzed in aggregated and anonymized form strictly to improve system reliability, balance workloads, and optimize inferencing engine performance.

07

Data Use Principles

SAGEA processes all data categories under a strict system design containing five core principles:

Data Minimization

We process only the exact volume of data mathematically required to complete the specific Services.

Purpose Limitation

We process data solely for the explicit delivery of the requested operations, with zero secondary repurposing.

Logical & Physical Isolation

Customer data databases, caches, and inferences are isolated logially and run in distinct virtual workloads.

Non-Exploitation

SAGEA does not sell, lease, or commercially exploit personal information, biometrics, or company data.

Sovereign Transparency

We provide enterprise customers with maximum tools to control log visibilities and on-premises isolations.

08

Data Retention

SAGEA's data retention intervals depend strictly on the selected deployment model and contractual agreements:

Hosted & Managed Services

Operational Data (diagnostic logs, metadata) may be retained for limited administrative windows (typically 30 days) strictly for debugging, crash analytics, and fraud monitoring. Customer Data is retained strictly during the active service execution window and deleted immediately thereafter.

Enterprise Deployments

Retention parameters are entirely governed by the customer's administrative settings and SLA contracts. SAGEA does not override or delay custom, customer-defined retention and automatic deletion policies.

On-Premises Deployments

SAGEA does not collect, host, or possess physical custody over on-premises processing databases, and thus maintains zero retention capacity.

09

Data Sharing

SAGEA DOES NOT SELL PERSONAL INFORMATION.

We maintain a zero-sharing commercial architecture. We will never sell, distribute, trade, or monetize personal details, document scans, or model outputs to brokers, advertisers, or third-party networks.

We may share extremely limited information strictly in the following scenarios:

  • Infrastructure Partners: With trusted, vetted cloud hosting or security infrastructure providers required to operate our hosted clusters. They are bound by identical, rigorous data protection contracts.
  • Legal Mandates: To comply with valid, lawful search warrants, court orders, or statutory regulations served by recognized judicial authorities.
  • Security Incident Response: To contain security breaches, defend against active infrastructure attacks, or mitigate structural platform abuses.
  • Customer Mandate: In custom enterprise environments, with your explicit authorization.
10

Security

SAGEA implements rigorous, commercially reasonable technical and organizational security controls designed to guard system integrites, including:

AES-256 EncryptionAll data stored within SAGEA systems is encrypted at rest using industry-standard Advanced Encryption Standard with 256-bit keys.
TLS 1.3 in TransitAll network traffic to and from SAGEA endpoints is encrypted in transit using the latest Transport Layer Security protocols.
Privilege IsolationInternal system accesses operate under a strict least-privilege matrix, requiring multi-factor hardware keys.
Continuous AuditingWe implement continuous network intrusion tracing, regular vulnerabilities scanning, and quarterly third-party penetration audits.

While we utilize high-end protective layouts, no system can guarantee absolute safety. We encourage developers to manage and secure their own API credentials with extreme care.

11

International Data Processing

Depending on customer configuration, data residency choices, and SLA requirements, SAGEA may process and store hosted data in different geographic regions.

Enterprise customers are responsible for selecting the appropriate region and ensuring full compliance with applicable cross-border data transfer laws when routing queries to SAGEA.

12

Customer Responsibilities

When integrating SAGEA Services, enterprise customers remain the sole data controllers under many privacy jurisdictions and are responsible for:

  • Obtaining lawful, explicit consents from End-Users where biometrics or document processing are required.
  • Ensuring a valid legal basis for all submitted data and identity payloads.
  • Providing clear, complete, and legally compliant privacy disclosures directly to their users.
  • Configuring SAGEA data retention intervals and deployment models appropriately for their industry standard compliance.
  • Securing all local systems, network endpoints, developer credentials, and API access tokens.

SAGEA acts strictly as a data processor for Customer Data in all applicable contexts.

13

Children’s Data

SAGEA Services are not intended for direct use by children under applicable legal age thresholds (such as 14 years old under local Nepalese privacy mandates) unless integrated within regulated institutional environments by authorized, vetted enterprise customers.

14

Changes to This Policy

SAGEA may update this Privacy Policy from time to time.

Updated versions will be published on SAGEA's legal pages and become effective immediately upon posting. Your continued use of the Services after changes are published constitutes acceptance of the revised policy.

15

Contact

For legal, enterprise compliance, and security inquiries related to our Privacy Policy:

Legal & Compliance[email protected]Data Protection & Privacy[email protected]Security Operations & SOC[email protected]

Additional SAGEA Resources

SAGEA Trust Centertrust.sagea.spaceEnterprise Security Overviewsagea.space/legal/enterpriseHelios Identity Infrastructuresagea.space/enterprise/helios

Our research

Products

Helios

Initiatives

Models

API

Company

Terms & policies

Others

Contacts

© SAGEA 2026