Data Privacy & Governance Policy

DATA PRIVACY POLICY


Sapience AI Corporation


Effective Date: September 1, 2025 | Version 3.0


DATA CONTROLLER INFORMATION


Legal Entity: Sapience AI Corporation
Email: dataprivacy@sapienceai.co


DEFINITIONS
For purposes of this Data Privacy Policy, the following terms have the meanings set forth below:

“AI Model” means any artificial intelligence or machine learning model, including but not limited to large language models, neural networks, and other algorithmic systems developed or deployed by Sapience AI.

“Confidentiality” means the protection of information from unauthorized disclosure, as defined in applicable agreements including but not limited to the Letter of Intent (LOI) and Design Partner agreements.

“Design Partner” means an organization that has entered into a formal partnership agreement with Sapience AI to collaborate during the pre-release phase, providing feedback, data access, and testing services in exchange for early access to Sapience AI’s platform and technology.

“Minimum Viable Product” or “MVP” means the initial version of Sapience AI’s platform released to Design Partners during the pre-release phase, containing core functionality sufficient for testing and validation purposes while additional features are under development.

“Personal Data” means any information relating to an identified or identifiable natural person, as defined by applicable privacy regulations including GDPR, CCPA, and CPRA.

“Pre-Release Phase” means the period during which Sapience AI operates in partnership with Design Partners to test, refine, and validate the MVP prior to general commercial availability.

“Processing” means any operation or set of operations performed on Personal Data, whether by automated means or not, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, dissemination, restriction, erasure, or destruction.

“User” means any individual who accesses or uses Sapience AI’s services, whether as an employee or representative of a Design Partner organization or as an individual account holder.


  1. INTRODUCTION AND COMMITMENT
    At Sapience AI, we are committed to protecting the privacy and security of all data entrusted to us. This Data Privacy Policy outlines our comprehensive approach to data protection, incorporating industry-leading practices and technologies that define our standard for AI data governance.
    Our commitment extends beyond compliance—we implement data protection technologies including encrypted storage, secure access controls, and data access agreements that ensure your data remains secure, private, confidential, and under your control.
    Note: This policy describes our current and planned capabilities. Some features described herein may not yet be fully implemented. We commit to updating this policy as capabilities evolve and will notify you of material changes.

  2. CORE PRIVACY PRINCIPLES
    Our privacy framework is built on the following fundamental principles:
    Data Minimization - We collect only the minimum data necessary to provide our services
    Purpose Limitation - Data is used solely for stated, legitimate purposes
    Transparency - Clear communication about data collection, processing, and storage
    User Control - Secure identity architecture that respects user ownership of their data
    Security by Design - End-to-end encryption and secure protection measures
    Accountability - Regular audits and continuous improvement of privacy measures
    Confidentiality - Protection of information from unauthorized disclosure in accordance with contractual agreements

  3. PRE-RELEASE AND DESIGN PARTNER PHASE DATA PRIVACY
    During our Pre-Release Phase, Sapience AI implements data privacy practices leveraging Google Cloud Platform’s enterprise-grade security infrastructure, combined with our protection layers. This phase-specific approach balances data protection with innovation and with collaboration between Sapience AI and the Design Partners working with the MVP.

    3.1 Google Cloud Platform (GCP) Security Foundation
    Our pre-release infrastructure is built on Google Cloud Platform’s security architecture:
    Data Residency and Sovereignty: All Design Partner data is stored in GCP regions compliant with local data residency requirements, with transparency on data location
    Google Cloud Armor: DDoS protection and Web Application Firewall (WAF) rules protect against malicious traffic and attacks
    Identity and Access Management (IAM): Fine-grained access controls with principle of least privilege, enforced through GCP’s IAM policies
    Virtual Private Cloud (VPC) Service Controls: Security perimeters around sensitive data resources prevent unauthorized access and data exfiltration
    Cloud Key Management Service (KMS): Hardware Security Module (HSM)-backed encryption keys with automatic rotation and audit logging
    Binary Authorization: Ensures only verified and signed container images run in our production environment

    3.2 Vertex AI and Gemini Model Controls
    Our implementation of Google’s Vertex AI and Gemini models incorporates privacy measures:

    3.2.1 Vertex AI Implementation
    Customer-Managed Encryption Keys (CMEK): All Vertex AI datasets, models, and endpoints are encrypted with customer-controlled keys
    Private Endpoints: Model serving through VPC-native private endpoints prevents public internet exposure
    Data Isolation: Each Design Partner’s data is processed in isolated Vertex AI pipelines with dedicated compute resources
    Explainable AI: Feature attribution and model monitoring ensure transparency in AI decision-making
    Model Versioning and Rollback: Complete audit trails of model versions with the ability to roll back to previous versions

    3.2.2 Gemini Model Safeguards
    Data Processing Agreement (DPA): Comprehensive DPA with Google ensuring Gemini processes data solely for agreed purposes
    No Model Training on Customer Data: Design Partner data is not used to train or improve Google’s foundation models without explicit consent
    Prompt Injection Protection: Filtering and validation to prevent malicious prompt injections and data leakage
    Response Filtering: Multi-layer content filtering to minimize sensitive data appearing in model outputs
    Grounding and Citation: Responses are grounded in authorized data sources with attribution where technically feasible

    3.3 Design Partner Data Segregation
    Each Design Partner’s data receives dedicated protection measures:
    Dedicated GCP Projects: Each Design Partner operates within an isolated GCP project with separate billing and access controls
    Separate Cloud Storage Buckets: Partner data stored in dedicated, encrypted buckets with versioning and audit logging enabled
    BigQuery Dataset Isolation: Analytics performed on partner-specific datasets with row-level security and column-level encryption
    Firestore Security Rules: Granular access controls ensure partners can only access their own data collections
    Workload Identity Federation: Service accounts with minimal permissions operate on behalf of each partner

    3.4 Pre-Release Monitoring and Compliance
    Comprehensive monitoring supports privacy protection during the Pre-Release Phase:

    3.4.1 Security Monitoring
    Cloud Security Command Center: Centralized security and risk management across all GCP resources
    Cloud Logging and Monitoring: Comprehensive audit trails of data access and API calls with alerting
    Sensitive Data Protection (DLP): Discovery and classification of sensitive data with de-identification capabilities
    Chronicle Security Operations: SIEM platform for threat detection, investigation, and response
    Access Transparency Logs: Visibility into Google support engineer access to systems when required

    3.4.2 Compliance Certifications
    Our GCP implementation maintains compliance with:
    SOC 2 Type II certification
    ISO 27001, 27017, and 27018 standards
    HIPAA compliance for healthcare partners (where applicable)
    PCI DSS for payment data processing (where applicable)
    GDPR, CCPA, and CPRA privacy requirements

    3.5 Design Partner Privacy and Confidentiality Agreements
    All Design Partners operate under privacy and confidentiality agreements:
    Mutual NDA: Non-disclosure agreements protecting both partner data and Sapience AI innovations
    Data Processing Addendum: Clear delineation of data controller and processor responsibilities
    Limited Use Provisions: Partner data used exclusively for agreed-upon pre-release testing and improvement purposes, subject to user consent requirements
    Right to Audit: Design Partners may request security audits and compliance verification
    Data Deletion: Data deletion upon partnership conclusion if requested, subject to legal retention requirements
    User Consent: All data sharing requires appropriate consent from individual users of Design Partner systems, with clear opt-out mechanisms
    Data Portability: Design Partners and their users retain rights to data portability under applicable law

    3.6 Transition to Production Infrastructure
    As we transition from Pre-Release Phase to production, we ensure privacy protection:
    Migration Planning: Data migration plans with appropriate safeguards
    Progressive Enhancement: Gradual implementation of additional security layers
    Partner Choice: Design Partners can work with us on infrastructure preferences where technically feasible
    Continuous Protection: No gap in privacy protection during infrastructure transitions

  4. DATA ASSET PROTECTION FRAMEWORK
    Sapience AI employs a Data Asset Protection Framework for securing and managing AI training data and user information.

    4.1 Data Access Controls
    We implement access control measures:
    Contractual Protections: We secure agreements with partner organizations that designate Sapience AI as an authorized AI provider with access to specified data categories. These agreements include:
    Confidentiality provisions
    Data use restrictions aligned with privacy regulations
    Regular compliance verification procedures
    User consent requirements and opt-out provisions
    Access Control Matrix: Multi-layered authentication and authorization protocols ensure only authorized Sapience AI systems can access partner data
    User Rights: Individual users maintain the right to:
    Access their personal data
    Request data deletion (right to be forgotten)
    Data portability
    Opt-out of data processing for specific purposes
    Object to processing based on legitimate interests

    4.2 Data Ownership and Intellectual Property
    User Data Ownership: All Personal Data provided by users remains the property of the user. Users retain full rights to access, modify, export, or delete their Personal Data at any time, subject to technical limitations and legal retention requirements.
    Sapience AI Intellectual Property: Sapience AI retains ownership of:
    AI models and their parameters
    Algorithms and processing methodologies
    Aggregated, anonymized insights that cannot be attributed to any individual or organization
    Software, interfaces, and platform technology
    Derivative Works: When we create embeddings, transformations, or other derivative works from user data:
    The original user data remains user property
    Anonymized, non-identifiable derivatives may be retained for model improvement with appropriate consent
    Identifiable derivatives are treated as Personal Data subject to user rights
    We maintain clear records of data lineage and processing

    4.3 Encrypted Storage
    Our storage infrastructure implements protection measures:
    Encryption Standards: AES-256 encryption for data at rest; TLS 1.3 for data in transit
    Cryptographic Hashing: Secure hashing algorithms protect sensitive identifiers
    Pseudonymization: Personal identifiers are pseudonymized where technically feasible
    Secure Processing: Data is processed in secure, isolated environments

    4.4 Data Integrity and Audit Trails
    Our infrastructure provides audit capabilities:
    Access Logging: Customer data access is logged with user authentication details, timestamps, and actions performed
    Automated Monitoring: Monitoring systems track and flag unusual access patterns
    Retention of Logs: Audit logs are retained for compliance periods as required by applicable law
    Tamper Protection: Logs are protected against unauthorized modification

  5. DATA COLLECTION AND PROCESSING

    5.1 Types of Data Collected
    We collect the following categories of Personal Data:
    Account Information:
    Name
    Email address
    Organization affiliation
    Securely hashed authentication credentials (passwords are never stored in plain text; only cryptographic hashes are maintained)
    Account preferences and settings
    Interaction Data:
    Queries and prompts submitted to AI systems
    Feedback provided on system responses
    Usage patterns and feature interactions
    Session information
    Technical Information:
    IP addresses
    Device information (device type, operating system)
    Browser type and version
    Log data and error reports
    Partner Organization Data:
    Business data provided under data sharing agreements, subject to individual user consent
    Organizational metadata and configuration settings
    Performance Metrics:
    Model performance data
    Accuracy metrics
    System optimization parameters (aggregated and anonymized)

    5.2 Legal Basis for Processing
    We process Personal Data based on the following legal grounds under GDPR Article 6:
    Consent (Article 6(1)(a)):
    Processing data for AI model training (where you have provided explicit consent)
    Marketing communications (where you have opted in)
    Optional feature usage requiring additional data processing
    Contractual Necessity (Article 6(1)(b)):
    Providing access to the Sapience AI platform
    Delivering AI-powered services
    Account management and authentication
    Customer support
    Legitimate Interests (Article 6(1)(f)): We process data based on legitimate interests where:
    Interest: Improving AI model accuracy and performance
    Balancing Test: Conducted and documented in our legitimate interest assessments
    Your Rights: You have the right to object to processing based on legitimate interests
    Safeguards: We implement technical and organizational measures to protect your data and limit processing to what is necessary
    Legal Obligation (Article 6(1)(c)):
    Compliance with applicable laws and regulations
    Responding to lawful requests from authorities
    Maintaining records required by law
    Right to Object: You have the right to object to processing based on legitimate interests. Contact us at dataprivacy@sapienceai.co to exercise this right.

    5.3 CPRA/CCPA Specific Disclosures
    Categories of Personal Information Collected:
    Identifiers: Name, email address, IP address, account credentials
    Commercial Information: Subscription information, payment data (processed by third-party payment processors)
    Internet Activity: Browsing behavior on our platform, interaction with features
    Professional Information: Job title, company name (if provided)
    Inferences: Preferences derived from usage patterns
    Business Purposes:
    Service Provision: Operating and maintaining the platform
    Security: Detecting and preventing fraud, security incidents
    Improvement: Analyzing usage to improve services
    Communication: Responding to inquiries and providing support
    Compliance: Meeting legal obligations
    Categories of Third Parties with Whom We Share Data:
    Service Providers: Cloud infrastructure providers (Google Cloud Platform), AI model providers (Google Gemini API), payment processors
    Professional Advisors: Legal, accounting, consulting services (only aggregated/anonymized data or as required by law)
    Authorities: Law enforcement and regulatory bodies (only when legally required)
    Sale/Sharing of Personal Information:
    We do not sell Personal Information as defined by CPRA/CCPA.
    We do not share Personal Information for cross-context behavioral advertising
    Right to Opt-Out: Although we do not sell or share Personal Information, you have the right to opt out if our practices change. We will provide clear mechanisms to exercise this right.
    Right to Limit Use of Sensitive Personal Information: We do not use or disclose sensitive personal information beyond what is necessary to provide services you request. If this changes, we will provide notice and opt-out mechanisms.

  6. USER RIGHTS AND CONTROL
    Users maintain comprehensive rights over their Personal Data:

    6.1 Access and Portability
    Right to Access: Request access to your Personal Data
    Data Export: Export your data in machine-readable formats (JSON, CSV) upon request
    Data Portability: Receive your data in a structured, commonly used format
    How to Exercise: Email dataprivacy@sapienceai.co with subject “Data Access Request”

    6.2 Rectification and Erasure
    Correction: Request correction of inaccurate or incomplete Personal Data
    Erasure: Request deletion of your Personal Data (right to be forgotten)
    Limitations: Some data may need to be retained for legal compliance, dispute resolution, or technical necessity
    How to Exercise: Email dataprivacy@sapienceai.co with subject “Data Correction/Deletion Request”
    Response Time: We will respond to requests within one month (or two months for complex requests, with notification).

    6.3 Consent Management
    Granular Controls: Manage consent for different data processing purposes
    Withdrawal: Withdraw consent at any time through your account settings or by contacting us
    Ease of Withdrawal: Withdrawing consent is as simple as providing it (no unreasonable barriers)
    Effect of Withdrawal: Does not affect lawfulness of processing before withdrawal

    6.4 Restrictions and Objections
    Restrict Processing: Request restriction of processing in certain circumstances
    Object to Processing: Object to processing based on legitimate interests or for direct marketing
    Automated Decision-Making: Right to not be subject to solely automated decisions with significant effects (see Section 9.2.3)

  7. DATA SHARING AND INTERNATIONAL TRANSFERS

    7.1 Third-Party Service Providers
    We engage the following categories of third-party processors:
    Cloud Infrastructure Provider:
    Name: Google LLC
    Service: Google Cloud Platform (compute, storage, AI/ML services)
    Location: United States, with data residency options
    Contact: https://cloud.google.com/contact
    Purpose: Platform hosting, data storage, AI model inference
    Data Shared: All categories listed in Section 5.1
    Safeguards: Standard Contractual Clauses (SCCs), DPA, technical and organizational measures
    AI Model Provider:
    Name: Google LLC
    Service: Google Gemini API (via Vertex AI)
    Location: United States
    Purpose: Natural language processing, AI model inference
    Data Shared: User prompts and interaction data (not used for Google model training)
    Safeguards: DPA prohibits training on customer data, SCCs for international transfers
    Additional Sub-Processors: A complete, up-to-date list of sub-processors is available at: [URL to be provided]
    We will notify Design Partners at least 30 days before adding new sub-processors with the opportunity to object.

    7.2 International Data Transfers
    Transfer Mechanisms:
    Standard Contractual Clauses (SCCs): We use the European Commission’s SCCs (2021 version) for transfers from the EU/EEA to countries without adequacy decisions
    UK Addendum: We use the UK International Data Transfer Addendum for transfers from the UK
    Supplementary Measures: We implement additional technical and organizational measures including:
    Encryption in transit and at rest
    Access controls and authentication
    Monitoring and incident response
    Regular security assessments
    Contractual restrictions on government access
    Countries of Transfer:
    United States (primary processing location)
    Additional locations as specified in your service agreement
    Schrems II Compliance: We have conducted transfer impact assessments for transfers to the United States and implement supplementary measures to address risks identified.

    7.3 No Sale or Rental of Data
    We do not sell or rent Personal Data to third parties
    We share data only with verified service providers under strict Data Processing Agreements
    We cooperate with law enforcement only with valid legal process (subpoena, court order, warrant)
    We publish transparency reports regarding data requests (see Section 10.3)

  8. SECURITY MEASURES
    Our security architecture includes multiple protective layers:

    8.1 Technical Safeguards
    Encryption: Industry-standard encryption algorithms for data protection
    Anomaly Detection: AI-powered systems to detect unusual access patterns and potential threats
    Network Security: Firewalls, intrusion detection/prevention systems, network segmentation
    Continuous Monitoring: 24/7 security monitoring with automated alerting
    Regular Testing: Penetration testing and security audits by independent third parties

    8.2 Organizational Measures
    Employee Training: Comprehensive privacy and security training for all employees handling Personal Data
    Access Controls: Strict access controls and principle of least privilege
    Background Checks: Background verification for employees with access to sensitive systems
    Confidentiality Agreements: All employees sign confidentiality agreements
    Privacy by Design: Privacy considerations integrated throughout system development lifecycle
    Security Operations Center: Dedicated team monitoring security 24/7

    8.3 Incident Response
    Response Plan: Documented incident response procedures
    Response Team: Designated incident response team with defined roles
    Detection: Systems designed to detect security incidents promptly
    Containment: Procedures to contain and mitigate incidents
    Notification: Commitment to notify affected individuals and authorities as required by law within legally required timeframes

  9. AI-SPECIFIC PRIVACY CONSIDERATIONS
    As an AI-first company, Sapience AI implements specialized privacy protections for AI systems.

    9.1 Model Training and Data Usage

    9.1.1 Data Minimization in Training
    Limited Collection: We collect only data necessary for model functionality
    Privacy Techniques: We employ privacy-preserving techniques where feasible, including differential privacy and federated learning approaches
    Synthetic Data: We may use synthetic data generation to reduce reliance on real Personal Data
    Regular Audits: Quarterly audits assess models for unintended data retention

    9.1.2 Training Data Governance
    Data Lineage: Documentation of data sources used in model training
    Consent Verification: Systems verify appropriate consent for AI training purposes
    Partner Data Isolation: Training data from different sources is appropriately segregated
    Retention Limits: Training data is retained only as long as necessary and in accordance with retention schedules

    9.1.3 Bias Detection and Mitigation
    Fairness Evaluation: Regular evaluation of model outputs for potential bias
    Diverse Data: Efforts to ensure training data represents diverse populations
    Bias Audits: Periodic third-party audits to identify discriminatory outcomes
    Continuous Monitoring: Ongoing monitoring of model predictions for fairness concerns

    9.2 Explainability and Transparency

    9.2.1 Model Documentation
    Model Cards: Documentation for AI models including intended use, limitations, and performance characteristics
    Training Data Sources: General description of training data types (specific data not disclosed to protect privacy)
    Version Control: Tracking of model versions and changes

    9.2.2 Decision Transparency
    Explanations: Where technically feasible, we provide explanations for AI-generated outputs
    Confidence Scores: Indication of model confidence levels where appropriate
    Audit Trails: Logging of AI interactions for accountability

    9.2.3 Human Review Rights
    Right to Human Review: For decisions that produce legal effects or similarly significantly affect you, you have the right to:
    Obtain human intervention
    Express your point of view
    Contest the decision
    Request reconsideration
    To Exercise: Contact dataprivacy@sapienceai.co with “Human Review Request” in subject line

    9.3 Prompt and Query Privacy

    9.3.1 Prompt Handling
    Limited Training Use: User prompts are not used to train foundation models without explicit, separate consent
    Ephemeral Processing: Prompts are processed and then removed from active systems according to retention schedules
    PII Minimization: Automated processes to detect and minimize personally identifiable information in prompts where technically feasible

    9.3.2 Query Security
    Injection Protection: Filtering to prevent malicious prompt injections
    Content Filtering: Screening to detect potentially harmful content
    Rate Limiting: Protection against data exfiltration through excessive querying
    Anomaly Detection: Monitoring for suspicious query patterns

    9.4 Model Output Privacy

    9.4.1 Output Filtering
    PII Detection: Automated scanning to detect personally identifiable information in outputs
    Sensitive Data Screening: Detection of credit card numbers, social security numbers, and other sensitive data types
    Accuracy Efforts: Measures to reduce generation of false information

    9.4.2 Data Leakage Prevention
    Training Data Protection: Measures to prevent models from reproducing memorized training examples
    Cross-User Isolation: Technical controls to prevent one user’s data from appearing in another user’s outputs
    Usage Monitoring: Detection systems to identify potential unauthorized reproduction of model outputs

    9.5 AI System Security
    Model Access Controls: Authentication and authorization for model endpoints
    Model Protection: Encryption of model parameters and secure serving infrastructure
    Adversarial Testing: Testing against adversarial examples and attack vectors
    Secure Deployment: Controlled deployment processes with security reviews

  10. COMPLIANCE AND GOVERNANCE

    10.1 Regulatory Compliance
    Sapience AI maintains compliance with applicable privacy regulations:
    EU General Data Protection Regulation (GDPR)
    EU AI Act requirements for AI systems
    California Consumer Privacy Act (CCPA) as originally enacted
    California Privacy Rights Act (CPRA) amendments and enhanced requirements
    Children’s Online Privacy Protection Act (COPPA) - see Section 13
    Sector-specific regulations (HIPAA, FERPA) where applicable
    Emerging AI governance frameworks

    10.2 Privacy Governance Structure
    Sapience AI maintains a privacy governance structure:
    Data Protection Officer: Designated DPO responsible for privacy compliance and user rights
    Privacy Team: Cross-functional team addressing privacy matters
    Privacy Reviews: Privacy impact assessments conducted for new products and features
    Regular Audits: Internal and external privacy compliance audits
    Certifications: Pursuing ISO 27001 and ISO 27701 certifications
    Privacy by Design: Privacy integrated into product development
    Incident Response: Documented procedures for privacy incident management
    Vendor Management: Due diligence and monitoring of third-party processors

    10.3 Transparency Reporting
    We are committed to transparency about data requests:
    Transparency Reports: We publish reports on government and law enforcement data requests (frequency: annually or as appropriate)
    Notice: We will notify affected users of data requests unless legally prohibited
    Legal Review: All data requests are reviewed by legal counsel before compliance

  11. DATA RETENTION AND DELETION
    We implement purpose-driven retention policies:
    Active User Data:
    Retained during active account period and for 30 days after account closure
    After 30 days, Personal Data is deleted or anonymized unless legal retention is required
    Training Data:
    Anonymized derivatives may be retained for model improvement if consent provided
    Identifiable training data is deleted according to retention schedules
    Backup Data:
    Encrypted backups are maintained for 90 days for disaster recovery
    Backups are deleted on schedule unless covered by legal hold
    Compliance Data:
    Data required for legal or regulatory compliance is retained as legally required
    Financial records: 7 years (or as required by applicable law)
    Tax records: As required by applicable law
    Legal dispute records: Duration of dispute plus applicable statute of limitations
    Deletion Verification: Upon request, we can provide confirmation of data deletion (subject to technical limitations)
    Legal Holds: Data subject to legal proceedings or investigations may be retained beyond normal schedules

  12. INCIDENT RESPONSE AND BREACH NOTIFICATION
    Our incident response framework:
    Detection:
    We employ monitoring systems designed to detect security incidents
    We investigate potential incidents promptly upon detection
    Assessment:
    Incidents are assessed for scope, impact, and required response
    We work to contain incidents as quickly as reasonably possible
    Notification:
    Under GDPR: We will notify supervisory authorities within 72 hours of becoming aware of a breach likely to result in risk to individuals’ rights and freedoms
    Affected Individuals: We will notify affected individuals without undue delay if the breach is likely to result in high risk to their rights and freedoms
    Under CPRA/CCPA: We will notify affected California residents and the California Attorney General as required by law
    Content: Notifications will include nature of breach, likely consequences, and measures taken
    Documentation: We maintain records of security incidents and response actions
    Continuous Improvement: Post-incident analysis and implementation of preventive measures

  13. CHILDREN’S PRIVACY
    Age Restrictions:
    United States: We do not knowingly collect Personal Information from children under 13 without verifiable parental consent (COPPA compliance)
    EU/EEA: We do not knowingly collect Personal Information from children under 16 without parental consent (or lower age set by member state) (GDPR compliance)
    Other Jurisdictions: We comply with applicable local age requirements
    Verification: Age verification mechanisms are implemented during account creation
    Parental Consent: Where required, we obtain verifiable parental consent before collecting data from children. Parents may review, request deletion of, and refuse further collection of their child’s information.
    Discovery of Unauthorized Collection: If we learn we have collected data from a child without required consent, we will delete it immediately.

  14. UPDATES TO THIS POLICY
    We may update this Privacy Policy to reflect changes in our practices or legal requirements:
    Notification Methods:
    Email notification to registered users for material changes
    Prominent notice on our website
    In-app notifications
    30-day advance notice for material changes that reduce your rights
    Version Control:
    Policy version number and effective date are clearly indicated
    Previous versions available upon request
    Material Changes Defined:
    Changes to purposes of processing
    Changes to categories of data collected
    Changes to third parties with whom we share data
    Changes to user rights or how to exercise them
    Changes to retention periods
    Continued Use: Continued use of services after changes become effective constitutes acceptance. If you disagree with changes, you may close your account.

  15. CONTACT INFORMATION AND RIGHTS REQUESTS
    Email: dataprivacy@sapienceai.co
    Mail: 1420 NW Gilman Blvd, Ste 2 #6014, Issaquah, WA 98207

    Response Time: We respond to privacy inquiries within reasonable timeframes, typically within 30 days (or as required by applicable law)
    Supervisory Authority: If you are in the EU/EEA, you have the right to lodge a complaint with your local data protection authority. You can find your authority at: https://edpb.europa.eu/about-edpb/board/members_en
    California Residents: For CPRA/CCPA requests, you may also email us at dataprivacy@sapienceai.co.

  16. LIMITATION OF LIABILITY AND DISCLAIMERS
    Services Provided “As Is”: TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, THE SAPIENCE AI SERVICES ARE PROVIDED “AS IS” AND “AS AVAILABLE” WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT.
    No Guarantee of Security: While we implement reasonable security measures, no system is completely secure. We cannot guarantee that unauthorized access, hacking, data loss, or other breaches will never occur. We disclaim liability for any such events to the extent permitted by law.
    Limitation of Damages: TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, IN NO EVENT SHALL SAPIENCE AI BE LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, OR PUNITIVE DAMAGES, OR ANY LOSS OF PROFITS OR REVENUES, WHETHER INCURRED DIRECTLY OR INDIRECTLY, OR ANY LOSS OF DATA, USE, GOODWILL, OR OTHER INTANGIBLE LOSSES.
    Maximum Liability: TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, SAPIENCE AI’S TOTAL LIABILITY TO YOU FOR ALL CLAIMS ARISING OUT OF OR RELATING TO THIS PRIVACY POLICY OR OUR SERVICES SHALL NOT EXCEED THE GREATER OF (A) THE AMOUNT YOU HAVE PAID TO SAPIENCE AI IN THE 12 MONTHS PRECEDING THE CLAIM, OR (B) $100 USD.
    Exceptions: Nothing in this section limits our liability for (a) death or personal injury caused by our negligence, (b) fraud or fraudulent misrepresentation, (c) gross negligence or willful misconduct, or (d) any other liability that cannot be limited under applicable law.
    Indemnification: You agree to indemnify and hold harmless Sapience AI, its affiliates, officers, directors, employees, and agents from any claims, losses, damages, liabilities, and expenses (including attorneys’ fees) arising out of your use of our services or violation of this policy.

  17. GOVERNING LAW AND DISPUTE RESOLUTION
    Governing Law: This Privacy Policy shall be governed by and interpreted in accordance with the laws of the State of Washington, United States, excluding its conflict of law provisions.
    Jurisdiction: Subject to the arbitration provisions below, any legal action or proceeding arising under this Privacy Policy shall be brought exclusively in the federal or state courts located in King County, Washington, and the parties irrevocably consent to the personal jurisdiction and venue therein.
    Arbitration: Any dispute arising out of or relating to this Privacy Policy shall be resolved through binding arbitration in accordance with the Arbitration Association rules, except that either party may seek injunctive relief in court for intellectual property infringement or violation of confidentiality obligations.
    Class Action Waiver: To the extent permitted by applicable law, all claims must be brought in the parties’ individual capacity and not as a plaintiff or class member in any purported class or representative proceeding.
    EU and UK Users: Nothing in this section affects your statutory rights under EU or UK data protection law, including your right to lodge a complaint with a supervisory authority.

  18. SEVERABILITY
    If any provision of this Privacy Policy is found to be unenforceable or invalid by a court of competent jurisdiction, that provision shall be limited or eliminated to the minimum extent necessary so that this Privacy Policy shall otherwise remain in full force and effect and enforceable.

  19. ENTIRE AGREEMENT
    This Privacy Policy, together with our Terms of Service and any applicable agreements with Design Partners, constitutes the entire agreement between you and Sapience AI regarding the processing of your Personal Data and supersedes all prior or contemporaneous communications and proposals, whether oral or written.

Your Privacy. Our Priority. Protected by Commitment.

© 2025 Sapience AI Corporation. All Rights Reserved.

Document Information:
Version: 3.0
Effective Date: September 1, 2025
Previous Version: 2.1
Last Reviewed: December 8, 2025

Important Notice: This Privacy Policy applies to the Sapience AI platform and services. Separate privacy policies may apply to third-party services integrated with our platform. We encourage you to review the privacy policies of any third-party services you use.