SUGARSENSE

Privacy Statement

Last updated: this build · Governed by the Australian Privacy Act 1988 (Cth) and the laws of New South Wales

Our promises

  • No emails about your activity. SugarSense will never email you about who you read, who you wrote about, your archetype matches, or the substance of any advisor read. Activity is surfaced only when you sign in.
  • No advertising. No third-party advertising trackers, no behavioural advertising, no remarketing tags, no audience-segment sharing.
  • No sale of data. We never sell or rent your personal data. Period.
  • Anonymisation before AI. Before any of your text touches an AI model, identifying details (names, aliases, locations, identifiers) are routed through our anonymisation pipeline. The model never sees the original names you wrote.
  • Encrypted at rest where it matters. Sensitive credentials such as payment-provider tokens are encrypted with industry-standard symmetric encryption (AES) before being persisted.

What we store

  • Your email and an irreversibly hashed password (bcrypt, cost 12).
  • An optional display name / alias.
  • The substance of any situation you describe to the AI advisor, the archetype match the advisor returned, and the next-move draft it generated — kept as your private journal.
  • An anonymised, de-identified vector of each interaction in our internal memory store, used to improve continuity and pattern-recognition across your own future reads.
  • An audit log of security-relevant events (logins, password resets, payment events) retained for 365 days for fraud prevention.

How we use what you write

The content you write into SugarSense is used solely to deliver the features you've asked for: the advisor read, the archetype match, your private journal, and longitudinal pattern tracking across your own situations. We do not surface your content to other users. Anonymised, de-identified data may be used to refine the internal behavioural ontology; identifiable content is never shared, sold, or used for any other purpose.

Sub-processors

  • Square Inc. — processes membership payments and receives the minimum information required to complete a checkout.
  • OpenAI / Anthropic / Google AI — receive only anonymised text (no names, no aliases, no contact details) when an AI read is generated. They are bound by their own enterprise data-handling commitments and may not use this data to train public models.
  • SendGrid — used only for transactional / security emails (password reset, login alerts) where enabled by the administrator.

Your rights

Under Australian privacy law, and under equivalent laws in other jurisdictions (e.g. GDPR for EU residents), you may request a copy of the personal information we hold about you, correct it, restrict its processing, or request deletion. The dashboard provides a one-click export of your data and a one-click delete-all option. You can also contact the administrator via the email address on the deployed instance to exercise these rights manually. We will respond substantively within 30 days.

Security

We implement industry-standard protections: HTTPS in transit (TLS), bcrypt password hashing, symmetric at-rest encryption for sensitive secrets, a strict Content Security Policy in production, CSRF double-submit tokens on all state-changing requests, rate-limited authentication endpoints, structured audit logging, and routine security review. No system is perfectly secure; we will notify affected users without undue delay in the event of a data breach involving personal information.

Children

SugarSense is strictly for users 18+ (or the local age of majority where that is higher). We do not knowingly collect personal information from minors. Any account belonging to a minor will be terminated and the information deleted on notification.

Jurisdiction

This statement is governed by the laws of New South Wales, Australia, and the Australian Privacy Act 1988 (Cth). For users outside Australia, additional rights under your local law (e.g. GDPR for EU users) apply where mandatory; we will honour valid requests under those frameworks.

Contact

For privacy enquiries, use the Contact form on this site. We aim to acknowledge requests within 5 business days and respond substantively within 30 days.