SASEA Privacy Policy

Effective Date: March 26, 2026

Sturm Advisory Services LLC, a Connecticut limited liability company, together with its wholly-owned subsidiary SAS Energy Analytics LLC, a Connecticut limited liability company (collectively, "Company," "we," "us," or "our"), operates the SASEA platform ("Platform"). This Privacy Policy describes how we collect, use, store, disclose, and protect your personal information when you access or use the Platform. This Privacy Policy is incorporated into and forms part of our Terms of Service.

By creating an account or using the Platform, you acknowledge that you have read, understood, and agree to this Privacy Policy. If you do not agree, you must not use the Platform.

1. Information We Collect

1.1 Information You Provide

  • Account Information: Name, email address, and authentication credentials provided during account creation (processed by Clerk).
  • Conversation Data: Questions, prompts, and messages you submit through the Platform's chat interface, and the corresponding responses generated by the Platform.
  • Uploaded Files: Documents (e.g., Excel workbooks) you upload for analysis or workbook updates.
  • Communications: Content of emails or messages you send to our support address.

1.2 Information Collected Automatically

  • Usage Analytics: Queries submitted, features used, response times, AI model selection, token counts, tool invocations, session duration, and computed cost per query. Stored in our chat_analytics database table.
  • Device Information: Browser type, operating system, device type, screen resolution, and language preferences.
  • Log Data: IP address, access timestamps, referring URLs, and pages viewed.
  • Cookies & Similar Technologies: See Section 5 (Cookies) for details.

1.3 Information from Third Parties

  • Clerk: Authentication events, session status, and OAuth provider data (if you sign in via Google, GitHub, etc.).
  • Stripe: Subscription status, billing events, and payment confirmation (we do not receive or store full payment card numbers).

2. How We Use Your Information

We process your information for the following purposes and on the following legal bases:

Purpose | Legal Basis
Provide, operate, and maintain the Platform | Performance of contract
Process queries and generate analytics | Performance of contract
Manage subscriptions, billing, and tier enforcement | Performance of contract
Improve model accuracy, response quality, and reliability | Legitimate interest
Diagnose technical issues and monitor performance | Legitimate interest
Send service-related notifications and security alerts | Performance of contract
Detect, prevent, and address fraud, abuse, or security incidents | Legitimate interest; legal obligation
Comply with legal obligations, regulatory requirements, or legal processes | Legal obligation
Website analytics (Google Analytics) | Consent (via cookie banner)

3. Third-Party Service Providers

We engage the following third-party service providers ("Sub-processors") to operate the Platform. Each Sub-processor processes data solely on our behalf and in accordance with their own privacy policies and our contractual obligations:

Provider | Purpose | Data Processed | Location
Clerk | Authentication & identity | Email, name, OAuth tokens, sessions | US
Stripe | Payment processing | Payment method, billing address, transactions | US
Supabase | Database & backend | Conversations, analytics, subscriptions | US
Vercel | Hosting & CDN | Request logs, uploaded files (temporary) | US/Global
Anthropic | AI model inference | Query text (not retained for training per API TOS) | US
Google (GA4) | Website analytics | Anonymized browsing data, page views, sessions | US

We require each Sub-processor to maintain appropriate security measures and to process personal data only as instructed by us for the purposes described in this Privacy Policy.

4. Data Sharing & Disclosure

We do not sell, rent, or trade your personal information to third parties. We may disclose your information only in the following limited circumstances:

  • Sub-processors: To the service providers identified in Section 3, solely to operate and improve the Platform.
  • Legal Process: In response to a subpoena, court order, regulatory inquiry, government request, or as otherwise required by applicable law.
  • Protection of Rights: To enforce our Terms of Service, protect the rights, property, or safety of the Company, our users, or the public, and to detect, prevent, or address fraud, security, or technical issues.
  • Business Transfer: In connection with a merger, acquisition, reorganization, asset sale, or bankruptcy proceeding, your information may be transferred to the successor entity, subject to comparable privacy protections.
  • With Your Consent: In any other circumstance where you have provided explicit consent.

5. Cookies & Tracking Technologies

The Platform uses the following categories of cookies:

Category | Purpose | Provider | Required?
Essential / Authentication | User login sessions, CSRF protection | Clerk | Yes
Preferences | Cookie consent choice, UI settings | SASEA | Yes
Analytics | Anonymized usage metrics, page views | Google Analytics 4 | No (consent)

Analytics cookies are loaded only after you provide consent via the cookie banner. You may withdraw consent at any time by clearing your browser cookies, which will cause the consent banner to reappear.

Do Not Track

Some browsers transmit "Do Not Track" (DNT) signals. The Platform does not currently respond to DNT signals because there is no industry-standard protocol for DNT compliance. However, you can control analytics tracking through the cookie consent banner.

6. Data Retention

We retain your information only as long as necessary to fulfill the purposes described in this Privacy Policy or as required by law:

  • Account & conversation data: Retained for the duration of your active account. Upon account deletion request, all personal data and conversation history are permanently deleted within thirty (30) days. Certain anonymized, aggregated data may be retained for analytical purposes.
  • Usage analytics: Retained in aggregated, de-identified form for service improvement. Individual-level analytics logs are retained for up to twenty-four (24) months, then anonymized.
  • Payment records: Retained by Stripe in accordance with their data retention policy. Transaction records necessary for tax and legal compliance are retained for seven (7) years.
  • Uploaded files: Automatically deleted within twenty-four (24) hours or at the end of your session, whichever occurs first. No uploaded file content is retained beyond this period.
  • Support communications: Retained for as long as your account is active, plus twelve (12) months after account closure.

7. Data Security

We implement administrative, technical, and physical security measures designed to protect your personal information, including:

  • Encryption in transit (TLS 1.2+/HTTPS for all connections)
  • Encryption at rest for database storage (Supabase)
  • Row-level security (RLS) policies ensuring users can only access their own data
  • API key management and environment variable isolation
  • Access controls limited to authorized personnel
  • Regular dependency updates and security patching

Despite these measures, no method of electronic transmission or storage is completely secure. We cannot guarantee absolute security and are not responsible for the security of information transmitted over networks we do not control.

8. Data Breach Notification

In the event of a security breach that compromises your personal information, we will notify affected users via email and, where required by applicable law, notify the relevant regulatory authorities. Notifications will be made without unreasonable delay and in accordance with applicable data breach notification laws, including Connecticut's data breach notification statute (Conn. Gen. Stat. § 36a-701b).

9. Your Rights

Depending on your jurisdiction, you may have the following rights with respect to your personal information:

  • Access: Request a copy of the personal data we hold about you.
  • Correction: Request correction of inaccurate or incomplete personal data.
  • Deletion: Request deletion of your personal data and account, subject to legal retention obligations.
  • Portability: Request your data in a structured, commonly used, machine-readable format.
  • Restriction: Request that we restrict processing of your personal data under certain circumstances.
  • Objection: Object to processing of your personal data based on our legitimate interests.
  • Withdraw Consent: Where processing is based on consent (e.g., analytics cookies), you may withdraw consent at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, contact support@sasea.ai. We will verify your identity before processing your request and respond within thirty (30) days. If we require additional time, we will notify you of the extension and the reasons therefor.

10. California Privacy Rights (CCPA/CPRA)

If you are a California resident, the California Consumer Privacy Act, as amended by the California Privacy Rights Act ("CCPA"), provides you with additional rights:

Categories of Personal Information Collected

CCPA Category | Examples
Identifiers | Name, email address, IP address
Commercial information | Subscription tier, billing history, purchase records
Internet or electronic network activity | Browsing history on Platform, search queries, usage logs
Inferences drawn | Subscription tier recommendation, usage patterns

Your CCPA Rights

  • Right to Know: You may request the categories and specific pieces of personal information we have collected, the sources, the business purpose, and the categories of third parties with whom we share it.
  • Right to Delete: You may request deletion of your personal information, subject to exceptions permitted by law.
  • Right to Correct: You may request correction of inaccurate personal information.
  • Right to Opt-Out of Sale/Sharing: We do not sell or share (as defined by the CCPA) your personal information for cross-context behavioral advertising.
  • Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights.

We have not sold or shared personal information in the preceding twelve (12) months and do not intend to do so.

To submit a CCPA request, email support@sasea.ai with the subject line "CCPA Request." You may also designate an authorized agent to submit a request on your behalf.

10A. Connecticut Data Privacy Rights (CTDPA)

If you are a Connecticut resident, the Connecticut Data Privacy Act ("CTDPA"), effective July 1, 2023, provides you with the following rights regarding your personal data:

  • Right to Access: You have the right to confirm whether we are processing your personal data and to access that data.
  • Right to Correction: You have the right to correct inaccuracies in your personal data, taking into account the nature of the data and the purposes of the processing.
  • Right to Deletion: You have the right to request deletion of personal data provided by or obtained about you.
  • Right to Portability: You have the right to obtain a copy of your personal data in a portable and, to the extent technically feasible, readily usable format.
  • Right to Opt Out: You have the right to opt out of the processing of personal data for purposes of: (i) targeted advertising; (ii) the sale of personal data; or (iii) profiling in furtherance of decisions that produce legal or similarly significant effects. We do not currently sell personal data or engage in targeted advertising as defined by the CTDPA.

To exercise any of these rights, contact us at support@sasea.ai with the subject line "CTDPA Request." We will respond to verified requests within 45 days. If we decline to take action on a request, you may appeal by emailing us with the subject line "CTDPA Appeal." If your appeal is denied, you may contact the Connecticut Attorney General at portal.ct.gov/AG.

We will not discriminate against you for exercising your CTDPA rights. We do not use consent management platforms that process universal opt-out signals at this time; as our processing activities expand, we will implement such mechanisms as required by the CTDPA.

11. International Users

The Platform is operated from the United States. If you access the Platform from outside the United States, your information will be transferred to, stored in, and processed in the United States, where data protection laws may differ from those in your jurisdiction.

By using the Platform, you explicitly consent to the transfer of your data to the United States. We will apply the protections described in this Privacy Policy to all users regardless of location. If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, we rely on your explicit consent and the performance of our contract with you as the legal basis for international data transfers.

12. Children's Privacy

The Platform is not directed at individuals under the age of eighteen (18). We do not knowingly collect personal information from children under 18. If we become aware that we have inadvertently collected personal information from a child under 18, we will take steps to promptly delete that information. If you believe a child has provided us with personal information, please contact support@sasea.ai.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. If we make material changes, we will provide at least fourteen (14) days' prior notice via email or a prominent notice on the Platform before the changes take effect. The revised policy will be posted on this page with an updated Effective Date. Your continued use of the Platform after the effective date of changes constitutes your acceptance of the revised Privacy Policy.

14. Governing Law

This Privacy Policy is governed by the laws of the State of Connecticut, consistent with the Governing Law and Dispute Resolution provisions of our Terms of Service.

15. Contact

For privacy questions, data requests, or concerns about this Privacy Policy:

Sturm Advisory Services LLC
SAS Energy Analytics LLC (subsidiary, operator of SASEA™)
Connecticut, United States
support@sasea.ai

© 2026 Sturm Advisory Services LLC. SASEA™ operated by SAS Energy Analytics LLC under license. All rights reserved.