Privacy Policy.
How Sangnan AI handles personal data — for visitors of asthra.ai, prospective customers we engage with, and authorized users of the Asthra service. Customer documents are governed separately by the Data Processing Addendum that accompanies every enterprise contract.
Scope
This Privacy Policy describes how Sangnan AI, Inc. (“Sangnan”) processes personal data in three contexts: (1) when you visit asthra.ai or interact with our marketing communications; (2) when we engage with you as a prospect or partner; (3) when you are an authorized user of the Asthra service.
Data we collect
From website visitors
- Pages viewed, referring URL, approximate location derived from IP, and basic device information for analytics;
- Information you submit through forms (name, business email, company, role, message contents);
- Cookie preferences and consent state.
From prospects and partners
- Contact information you provide directly or that we obtain from publicly available business sources;
- Records of meetings, demos, and pilot scoping conversations;
- Procurement and security review correspondence.
From authorized users of the Asthra service
- Account identifiers (name, business email, organization, role) provisioned via SSO/SCIM by the customer;
- Activity logs (sign-ins, drafting actions, ledger entries) needed to operate and support the Service;
- Support tickets and the contents of communications you send to our support team.
How we use it
- To operate, support, secure, and improve the Asthra service;
- To respond to inquiries and provide demos, pilots, and onboarding;
- To send service notifications, security advisories, and product communications you opt into;
- To meet our legal, regulatory, and contractual obligations;
- To investigate and prevent fraud, abuse, or violations of our Terms.
What we don't do
We do not sell personal data. We do not use customer source documents or drafts to train models. We do not share personal data with third parties for their own marketing.
Legal bases (GDPR)
| Activity | Legal basis |
|---|---|
| Operating the Service for authorized users | Performance of a contract with the customer; legitimate interest in delivering the Service to the user. |
| Sales and marketing outreach | Legitimate interest in B2B engagement with appropriate professional contacts; consent where required. |
| Analytics and product improvement | Legitimate interest in operating and improving the Service. |
| Compliance and security | Legal obligation; legitimate interest in protecting the Service. |
| Marketing emails to non-customers | Consent (with opt-out in every message). |
Sharing & subprocessors
We share personal data with vetted subprocessors who support the Service or our business operations, under written agreements that require confidentiality and data-protection commitments equivalent to ours.
| Category | Examples |
|---|---|
| Cloud infrastructure | Amazon Web Services (US, EU regions) |
| Model providers | Anthropic (no training on customer data) |
| Identity & SSO | Customer-elected IdP via SAML / OIDC |
| Customer support | Help-desk and ticketing platform |
| Analytics | Privacy-preserving website analytics |
The current subprocessor list, including legal entity and processing region, is maintained on the Trust center and updated when we add or remove a subprocessor.
International transfers
Where personal data leaves the European Economic Area or the United Kingdom, we rely on Standard Contractual Clauses with appropriate supplementary measures, the UK International Data Transfer Addendum, or other lawful transfer mechanisms.
EU-resident customers can elect EU-only hosting for the Asthra service; in this configuration, customer source documents and drafts do not leave the EU region.
Retention
- Marketing & prospect data — retained while engagement is active, plus 24 months unless you ask us to delete sooner;
- Customer user accounts — retained for the term of the customer's subscription, plus 30 days for export, then deleted;
- Activity logs — retained for up to 13 months for security and operations, then aggregated or deleted;
- Support tickets — retained for 36 months for service-quality and audit purposes;
- Records under legal obligation — retained as required by applicable law.
Your rights
Depending on where you live, you may have rights to access, correct, delete, restrict, or port your personal data, and to object to certain processing. EU/UK residents may lodge a complaint with a supervisory authority.
To exercise these rights, contact privacy@asthra.ai. Where Sangnan processes personal data on behalf of an enterprise customer, we will route the request to that customer for handling.
California residents
Sangnan does not sell personal information and does not share it for cross-context behavioral advertising as defined under the CCPA/CPRA. California residents have the rights described above, exercisable through the same channel.
Security
We maintain administrative, technical, and physical safeguards designed to protect personal data — including encryption in transit and at rest, role-based access control, audit logging, and continuous monitoring. Our compliance posture and program details live on the Trust center.
Contact
Privacy questions and requests:
Sangnan AI, Inc.
Attn: Privacy Officer
1209 Orange Street, Wilmington, DE 19801, USA
privacy@asthra.ai
EU representative under Article 27 GDPR:
Sangnan AI Europe B.V.
Herengracht, 1015 BS Amsterdam, Netherlands
eu-privacy@asthra.ai