Privacy Policy

Who is responsible

Saya is multi-tenant. For most personal data we touch, the organization that subscribes is the controller (or “business” under CCPA/CPRA), and we are the processor (or “service provider”). A Data Processing Addendum, available on request, sets the processor obligations. We are the controller for data we collect for our own purposes — account holder information, billing, security logs, marketing-page visits, and aggregated, de-identified telemetry. This Policy is also the transparency notice for individuals whose data we process on a customer's behalf.

What we collect

• Account and identity — name, email, profile image, identifiers from your identity provider (currently Clerk), Workspace membership and role, authentication and integration tokens.
• Customer Content you provide — the Slack messages and conversations Saya can access in channels you add it to, prompts and instructions, files and links you share, the memories and knowledge you ask it to keep, comments, reactions, settings, and metadata.
• Content the Service generates — Outputs of AI features, embeddings derived from your content, and aggregated, de-identified telemetry.
• Integration data — Slack events and metadata accessible to the app, OAuth claims, plugin and skill activity, and webhook payloads to endpoints you configure.
• Billing — plan, billing contact, history, and limited card metadata that Stripe returns to us. Stripe collects full payment instrument data.
• Device, log, and security — IP, device and browser identifiers, OS, time zone, language, request metadata, application and audit logs.
• Marketing pages — visitor analytics, form submissions, and email subscriptions on the marketing pages of saya.computer.
• Communications — messages you send to support, sales, abuse, security, or legal, and our responses.

We don't knowingly collect personal data of children under 13 (US) or under 16 (EEA, where the local minimum is 16). The Service is for businesses and other organizations.

How we use it

• To provide the Service — authenticate, store, generate Outputs, route to subprocessors, operate within your Slack workspace, and send transactional notices.
• To secure it and prevent abuse — detect and respond to incidents and policy violations, with limited human review under appropriate confidentiality obligations. Content flagged for safety or security review may be analyzed to improve abuse detection and enforcement.
• To improve the Service through telemetry — compute aggregated, de-identified telemetry on usage, performance, and errors.
• To improve AI features through Data contribution — unless you opt out in writing, we may use Customer Content to improve Saya's AI features, prompts, evals, response quality, model routing, and models. You may opt out by emailing help at creative-int dot com. We will apply your opt-out prospectively within 30 days.
• To bill and account — payments through Stripe, usage metering, invoicing, taxes, and enforcement.
• To communicate — support, sales, security, abuse, and (where you've opted in or where permitted) marketing. You can unsubscribe from marketing any time.
• To comply with law — respond to lawful requests and defend legal claims.

Legal bases (UK and EEA)

• Contract — to provide the Service.
• Legitimate interests — to secure it, prevent abuse, compute aggregated telemetry, and operate the business.
• Consent — for non-essential cookies, marketing, and anything else where we ask. You can withdraw consent any time.
• Legal obligation — for tax, accounting, security, and law-enforcement obligations.

How we share it

• Subprocessors listed below.
• Within your Slack workspace, as your Admin, channel membership, and settings allow.
• Through integrations you authorize — for example, a connected tool receiving an Output at your direction.
• Professional advisors under confidentiality.
• Government, law enforcement, and others as required by law — we'll notify the affected customer first where we're permitted.
• In a corporate transaction — merger, acquisition, financing, reorganization, or sale of assets — with notice as required.

We don't sell personal data and don't share it for cross-context behavioral advertising under CCPA/CPRA and similar US state laws.

International transfers

We operate from the United States and use subprocessors elsewhere. For transfers out of the EEA, UK, and Switzerland, we rely on the European Commission's Standard Contractual Clauses, the UK IDTA, and the EU-U.S. Data Privacy Framework (and the UK and Swiss Extensions) where CIC or the relevant subprocessor is certified. Where required, we run transfer impact assessments and apply additional measures.

Retention

We may keep limited information after deletion to defend legal claims, comply with law, or enforce the Terms.

Security

We use administrative, technical, and physical safeguards — encryption in transit and at rest where supported by our infrastructure, role-based access, audit logging, and vendor reviews. No method is perfectly secure.

If we confirm a security incident affecting your Customer Content, we'll notify the affected Workspace Admin without undue delay and, where feasible, within 72 hours of confirmation. Report vulnerabilities to help at creative-int dot com; we won't pursue good-faith research conducted in line with our coordinated disclosure policy.

Cookies

We use a small number of strictly necessary cookies and storage entries to operate the Service, plus limited analytics on the marketing pages of saya.computer. We don't use cookies for cross-context behavioral advertising. We honor the Global Privacy Control signal as a request to opt out of “sale” or “share” under US state privacy laws.

Subprocessors

We give 30 days' notice before adding a new subprocessor by updating this list and emailing the subscribers of our subprocessor change list — email help at creative-int dot com to be added. You can object to a new subprocessor as the Data Processing Addendum describes.

We also engage routine business subprocessors for customer support tooling and corporate IT.

Your rights

To exercise a right, use the in-product controls or email help at creative-int dot com. We may need to verify your identity. Where CIC is a processor for a customer, we route your request to that customer.

You generally have the right to access, correct, delete, port, and restrict your personal data; to withdraw consent; to object to processing based on legitimate interests (including direct marketing); not to be subject to a decision based solely on automated processing with legal or similarly significant effects (the Service doesn't make those); and to lodge a complaint with your supervisory authority or state attorney general — though we encourage you to contact us first.

California (CCPA / CPRA). You also have the right to know, port, correct, limit the use of sensitive personal information, non-discrimination for exercising rights, and to opt out of “sale” or “share” or cross-context behavioral advertising. We don't sell or share in those senses. We honor the Global Privacy Control signal. You can designate an authorized agent — we'll require evidence of authorization.

Other US states. If you reside in a state with a comprehensive privacy law, you have substantially the same rights, including the right to appeal a denial.

We respond to verified requests within the period required by law — generally 30 days for GDPR and 45 days for US state requests, with one extension where reasonable.

Changes

We may update this Policy. We'll post the new version with a new Last updated date and, for material changes, give 30 days' notice through the Service or to your Workspace Admin. Continued use after the effective date is acceptance.

Contact

For anything — privacy and data subject requests, security disclosures, subprocessor change notifications, legal — email help at creative-int dot com.

Creative Intelligence Company, [CIC mailing address]. EEA / UK representative and Data Protection Officer to be appointed if CIC falls within scope of GDPR Article 27 / UK GDPR Article 27.