Privacy Policy

Friday Technologies SRL ("we", "our", or "us") operates the Sage mobile application and the sage.app website (collectively, the "Service"). This Privacy Policy explains how we collect, use, share, and protect your personal information when you use our Service.

We are committed to protecting your privacy and complying with the EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). By using Sage, you agree to the collection and use of information in accordance with this policy.

Data Controller: Friday Technologies SRL, Romania, EU. Contact: privacy@sage.app

2.1 Account Information

• Email address (required to create and manage your account)
• Password (stored as a hashed value — we never see your plaintext password)
• Display name (optional)

2.2 Health and Fitness Data

To provide our AI nutrition coaching service, we collect:

• Weight and height
• Age and biological sex
• Dietary preferences and restrictions (e.g., vegan, gluten-free)
• Health goals (e.g., weight loss, muscle gain, maintenance)
• Meals logged, including food photos you submit
• Calorie and macro nutritional data derived from your meals
• Progress photos (if you choose to use this feature)
• Daily check-in responses and habit data

Important: Health data is classified as a special category of personal data under GDPR Article 9. We process this data based on your explicit consent, which you provide when setting up your account and using the app.

2.3 Device Information

• Device model and manufacturer
• Operating system version (iOS or Android)
• App version
• Device language and locale settings
• Push notification token (if you enable notifications)

2.4 Usage Analytics

We collect anonymous usage analytics via PostHog (self-hosted, EU region) to understand how users interact with the app and improve the Service. This includes:

• Feature usage patterns (e.g., which screens are visited)
• Session duration and frequency
• Crash reports and error logs
• Performance metrics

PostHog analytics are anonymised and do not include personally identifiable information. You can opt out of analytics in your account settings.

We use the information we collect for the following purposes:

• To provide the AI coaching service:Your meal photos are sent to OpenAI (GPT-4o Vision) for food recognition and nutritional analysis. Your goals, preferences, and context are used by Anthropic's Claude model to generate personalised coaching responses.
• To personalise your experience: We use your profile data, goals, and history to tailor coaching advice, meal suggestions, and habit recommendations to you specifically.
• To improve the Service: Anonymised usage data helps us understand what features are working well and what needs improvement.
• To send important account notifications: We send transactional emails related to your account (e.g., subscription confirmations, password resets). We will only send marketing emails with your explicit consent.
• To manage your subscription: We use RevenueCat to process and manage in-app subscriptions via Apple App Store and Google Play Store.
• To comply with legal obligations: We may process your data to comply with applicable laws and regulations.

We do not sell your personal data to third parties. We share data only with trusted service providers necessary to operate the Service:

4.1 Service Providers

Each service provider is bound by a Data Processing Agreement (DPA) and is only permitted to process your data for the specified purpose.

4.2 Legal Requirements

We may disclose your information where required by law, such as to comply with a subpoena, legal proceedings, or governmental request. We will notify you of such requests where legally permitted.

4.3 Business Transfers

If Friday Technologies SRL is acquired or merges with another company, your information may be transferred as part of that transaction. You will be notified before this occurs.

We implement strong technical and organisational measures to protect your data:

• All data is encrypted in transit using TLS 1.3
• Data at rest is encrypted using AES-256
• User authentication data is handled by Supabase with bcrypt password hashing
• Food photos are processed by AI models and are not permanently stored beyond your account history
• Access to production systems is restricted to authorised personnel only, with MFA required
• Regular security audits and vulnerability assessments

No method of electronic transmission or storage is 100% secure. While we use commercially reasonable means to protect your information, we cannot guarantee its absolute security.

If you are located in the European Economic Area (EEA), you have the following rights under GDPR:

Right of Access

You have the right to request a copy of all personal data we hold about you. We will provide this within 30 days.

Right to Rectification

You can correct inaccurate personal data or complete incomplete data at any time via your account settings.

Right to Erasure ("Right to be Forgotten")

You can request deletion of all your personal data. We will delete your account and all associated data within 30 days of receiving your request, subject to legal retention obligations.

Right to Data Portability

You can request an export of your data in a structured, machine-readable format (JSON or CSV). Contact us at privacy@sage.app.

Right to Object

You can object to the processing of your personal data for direct marketing purposes or where we rely on legitimate interests as our legal basis.

Right to Withdraw Consent

Where we process your data based on your consent (e.g., health data), you can withdraw that consent at any time. This will not affect the lawfulness of processing before withdrawal.

Right to Lodge a Complaint

You have the right to lodge a complaint with your local Data Protection Authority. In Romania, this is the National Supervisory Authority for Personal Data Processing (ANSPDCP): www.dataprotection.ro.

To exercise any of these rights, contact us at privacy@sage.app.

Some of our service providers (OpenAI, Anthropic, RevenueCat, Apple, Google) are based in the United States. When we transfer your personal data to the US, we ensure appropriate safeguards are in place:

• EU-US Data Privacy Framework (DPF): Where service providers are certified under the DPF, we rely on this framework for transfers.
• Standard Contractual Clauses (SCCs): For providers not certified under the DPF, we use EU Commission-approved SCCs as the legal mechanism for data transfer.

You can obtain a copy of the applicable SCCs by contacting us at privacy@sage.app.

• Account data: Retained for as long as you maintain an active account.
• Meal logs and health data: Retained for the duration of your account. You can delete individual logs at any time within the app.
• Account deletion: When you delete your account, all personal data is permanently deleted within 30 days.
• Backup retention: Encrypted backups may retain data for up to 90 days after deletion, after which they are overwritten.
• Legal retention: Some data (e.g., transaction records) may be retained for up to 7 years to comply with financial record-keeping laws.

Sage is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children under 18. If you are a parent or guardian and believe your child has provided us with personal information, please contact us at privacy@sage.app and we will delete such information promptly.

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):

• The right to know what personal information we collect, use, and share
• The right to delete personal information we have collected
• The right to opt-out of the sale of personal information (we do not sell personal information)
• The right to non-discrimination for exercising your CCPA rights

To exercise these rights, contact us at privacy@sage.app.

We may update this Privacy Policy from time to time. We will notify you of significant changes by sending an email to your registered address and/or displaying a prominent notice in the app at least 14 days before the changes take effect. Your continued use of the Service after the changes take effect constitutes your acceptance of the revised policy.

If you have any questions about this Privacy Policy, please contact us:

• Email: privacy@sage.app
• Company: Friday Technologies SRL, Romania, EU
• Data Protection Officer: Available on request at privacy@sage.app

We aim to respond to all privacy-related requests within 30 days.