Privacy Policy

Last updated: April 20, 2026

This Privacy Policy describes how Sufi AI collects, uses, and protects your personal information. We aim to comply with the EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and the UAE Personal Data Protection Law (PDPL).

1. Information We Collect

We collect information you provide directly and data generated through your use of Sufi AI:

  • Account information — email, name, and (optionally) company.
  • Agent configurations — prompts, blueprints, templates, and settings.
  • Conversations — messages exchanged between your agents and end users.
  • Usage data — agent runs, execution logs, and lead captures.
  • Technical data — IP address, browser type, device information from server logs.

2. How We Use Information

We use the information we collect to:

  • Deliver the Service, including generating AI responses and routing messages across channels.
  • Manage your account, billing, and support requests.
  • Improve the Service using anonymized and aggregated analytics.
  • Protect against abuse, fraud, and security threats.
  • Comply with legal obligations and platform policies (e.g., Meta / WhatsApp).

3. AI Training Notice

We do NOT train our own models on your conversations. Your agent prompts and end-user messages are processed by Anthropic’s Claude API to generate replies. Anthropic processes this data subject to their own privacy policy. We use Anthropic’s API under terms that restrict the use of your data for model training.

5. Data Sharing

We do not sell your personal information. We share limited data with service providers strictly as needed to operate the Service:

  • Supabase — database and auth (USA / EU regions).
  • Anthropic — AI model inference (USA).
  • Resend — transactional email (USA).
  • Stripe — payments (USA / UAE). Not yet active; will be enabled when billing launches.
  • Meta (WhatsApp Business API) — only when you use WhatsApp as a channel.
  • Google — only if you enable Sheets, Calendar, or Drive integrations.

We may also disclose data in response to a lawful request by public authorities, when required to comply with law, or to protect the safety of our users.

6. Data Retention

We retain data only as long as necessary:

  • Active accounts — we retain your data for as long as your account is active.
  • Deleted accounts — a 30-day grace period during which your data can be restored, followed by full deletion.
  • Conversations — 90 days by default, unless you configure a different retention window.
  • Billing records — retained as long as required by tax and accounting laws.

7. Your Rights

Depending on your location, you may have the right to:

  • Access the personal data we hold about you.
  • Rectification — correct inaccurate or incomplete data.
  • Deletion — request erasure of your personal data.
  • Portability — receive your data in a machine-readable format.
  • Restriction — ask us to limit processing in certain cases.
  • Objection — object to processing based on legitimate interests.
  • Withdraw consent — where processing is based on consent.
  • File a complaint — with your local data-protection authority.

To exercise these rights, email privacy@sufiai.net. We respond within 30 days.

8. Cookies

We use only essential cookies — specifically, an authentication session cookie required to keep you signed in. We do not use tracking cookies, advertising cookies, or third-party analytics that identify individuals.

9. Children’s Privacy

Sufi AI is not intended for users under the age of 18. We do not knowingly collect personal information from minors. If you believe a minor has provided us with personal data, contact us and we will delete it promptly.

10. International Transfers

Your data may be transferred to and processed in the United States and the European Union where our providers operate. Where required, we rely on Standard Contractual Clauses (SCCs) or equivalent safeguards to protect your data during international transfers.

11. Security Measures

We implement industry-standard safeguards, including:

  • Encryption at rest and in transit (TLS / HTTPS).
  • Secure authentication and session management.
  • Row Level Security (RLS) policies in our database to isolate accounts.
  • Audit logging for sensitive operations.
  • Regular security reviews (formal audits planned as we scale).

No system is perfectly secure. If you discover a vulnerability, please report it to security@sufiai.net.

12. Data Breach Notification

If we become aware of a personal data breach that poses a risk to your rights and freedoms, we will notify affected users and the relevant supervisory authority within 72 hours, as required by GDPR and UAE PDPL.

13. Changes to This Policy

We may update this Policy from time to time. For material changes, we will give at least 30 days’ notice by email (if you have an account) or through a prominent notice on the Service.

14. Contact

Questions or requests? Email privacy@sufiai.net.