Sage.is Privacy

Plain-language privacy policy for sage.is — what we collect, why, how long we keep it, and the rights you have wherever you live.

This policy explains how sage.is, the marketing site you're reading right now, handles information about you. If anything is unclear, email [email protected] and we'll fix the wording.

Last updated: 2026-05-24
Effective: 2026-05-24

1. What this policy covers

This policy covers sage.is and nothing else. It describes what happens when you read a page on the site, submit a form (newsletter, contact, or a hardware order), or email one of our @sage.is addresses.

When you sign in to the Sage app at sage.startr.cloud, that app has its own privacy policy and that one applies. When you use an instance of Sage operated by your school, employer, or another institution, the institution's policy applies. See section 8.

The legal entity behind sage.is is Startr LLC, a Wyoming limited liability company. Contact details are in section 12.

2. What we collect when you visit

When a page loads, we record a page view in our self-hosted analytics. The software is Matomo, running at visitas.startr.cloud. What we record:

  • The page you visited
  • The page that linked here (your referrer)
  • Your user-agent string (browser and OS)
  • A truncated IP address
  • A short-lived cookie on .sage.is so a return visit isn't double-counted

We do not:

  • Fingerprint your browser
  • Track you across other sites
  • Sell, share, or rent this data to anyone
  • Embed third-party ad networks, social pixels, or marketing trackers
  • Use Google Analytics, Mixpanel, Segment, or anything similar

We use the analytics to see which pages get read and where readers come from. That's the whole point of running it.

3. What we collect when you contact us

When you sign up for the newsletter through our self-hosted Mautic at nota.startr.cloud, we record your email address and the list you joined. We send a confirmation, then occasional updates. Every email has an unsubscribe link.

When you fill in an inquiry or support form (also Mautic at nota.startr.cloud), we receive the form fields, usually an email and a message. We use them to reply to you.

Hardware quotes posted at /hardware go to our own database at pb.sage.is (PocketBase). The form sends your name, email, organization, the configuration you picked, and the monthly and annual totals. We use that to send you the quote and follow up; the confirmation email itself goes out through Resend, a transactional email provider.

mailto: links open your email client and send a message to the address listed (such as [email protected] or [email protected]). The message comes straight to us, no third party in the path.

4. What stays in your browser

The site uses local storage to remember which pages you've bookmarked and to keep your place on long pages. It uses session storage to cache short-lived data such as class listings during the page session. Neither of these is sent to any third party. You can clear them at any time through your browser's site-data settings.

5. Who else sees your data (sub-processors)

Two third parties get data because we need them to operate:

  • Cloudflare Pages serves the static pages and images that make up the site. Cloudflare's global edge caches the public HTML, CSS, and JavaScript. See Cloudflare Pages privacy policy.
  • Resend sends transactional emails (the hardware order confirmation is the main one). Resend processes the recipient address and message body to deliver the email. See Resend privacy policy.

The other services sage.is depends on are self-hosted by us, so no third party processes the data:

  • Matomo (analytics) at visitas.startr.cloud
  • Mautic (newsletter, inquiry forms) at nota.startr.cloud
  • PocketBase (hardware order database) at pb.sage.is
  • All fonts (Source Serif 4, JetBrains Mono, Playfair Display, Inter, Graphik, Monaspace Radon, MilkMustacheBB, SharpiePro) are served from sage.is itself, never from a font CDN.

Earlier versions of the site used Google Fonts and Mailchimp. We removed both.

6. How long we keep your data

Data class Default retention Source for the rule we follow
Newsletter subscriber email Until you unsubscribe, plus 30 days for downstream propagation GDPR Art. 17 (right to erasure); CAN-SPAM Act § 7704(a)(3)
Hardware order records 7 years from the order date (tax and warranty period) IRS — Period of Limitations / 26 USC § 6001; GDPR Art. 5(1)(e) storage limitation
Inquiry or contact form submissions 2 years from your last contact with us GDPR Art. 5(1)(e)
Analytics (Matomo) 14 months of aggregated visit data Matomo's retention guidance; aligns with GA4's default 14-month retention
Email correspondence 2 years from the last reply GDPR Art. 5(1)(e), operational support window

If you ask us to delete your data sooner, we'll do it. See section 9.

7. Where your data lives

Our infrastructure runs across multiple regions. For a given workload, your data may sit on a server in:

  • United States (New Jersey)
  • Canada
  • Portugal
  • Germany

If you're an enterprise client, you can ask us to keep your data in a specific region as part of your engagement, and we'll document that with you.

When personal data moves between regions (for example, an EU visitor's form submission stored on a US server) we rely on Standard Contractual Clauses for the EU-to-US transfer, and where it applies, the EU-US Data Privacy Framework. Cloudflare serves cached static content from its global edge, so the public HTML of any page may be cached close to you.

8. Children and Sage.Education

The sage.is marketing site is not directed at children, and we don't intentionally collect personal data from a child through it.

Our sister service Sage.Education helps institutions (schools, districts, learning organizations) run their own in-house instance of the Sage.is AI-UI for their students. In that arrangement:

  • The institution is the data controller for any student personal data.
  • Most deployments are fully self-hosted on the institution's own infrastructure, which means no student data ever reaches us.
  • Where we do process student data, we act as a processor under the institution's written instructions.

If you're a parent or student with a question about how your school's instance handles data, ask the institution first. They hold the records. If we ever learn that we collected personal data from a child through the sage.is marketing site by mistake, we'll delete it. We follow COPPA for children under 13 in the US and GDPR Art. 8 for children under 16 in EU member states that apply that threshold.

9. Your rights

No matter where you live, you can ask us to:

  • Give you access to the personal data we hold about you
  • Correct anything that is wrong
  • Delete it (with the caveat that we may need to keep some records for the tax and legal periods in section 6)
  • Export what we have in a portable format
  • Withdraw consent for anything you previously opted in to (such as the newsletter)
  • Object to processing where we rely on legitimate interest
  • Lodge a complaint with your local data-protection regulator

Send requests to [email protected]. We'll respond within the time your jurisdiction requires (usually 30 days; some regions allow 45). We may need to verify who you are before handing over data, so we don't accidentally give it to someone else.

The sections below add the rules that apply if you live in a specific region.

European Union and EEA (GDPR)

Our legal bases for processing are:

  • Legitimate interest for the self-hosted analytics in section 2 and for replying to your inquiries
  • Consent for the newsletter. You opt in, and you can withdraw any time through the unsubscribe link or by writing to us
  • Contract for processing hardware orders, because we need the data to deliver the quote and follow up

You have the right to lodge a complaint with the data protection authority in the EU member state where you live, where you work, or where the alleged infringement happened. A directory of authorities is at edpb.europa.eu/about-edpb/about-edpb/members_en.

Our EU representative under Article 27 of the GDPR is M.A. Luigi Somma, on-site at the European contact address in section 12. They can receive data-subject requests and supervisory-authority correspondence on our behalf.

United Kingdom (UK GDPR)

The same rights and legal bases as the EU section above apply. For now, UK data subjects should send requests to our European contact in section 12. We haven't appointed a separate UK representative under UK GDPR Article 27 yet, and we'll update this section once we do. You can complain directly to the Information Commissioner's Office (ICO) at any time at ico.org.uk/make-a-complaint.

Switzerland (FADP)

The Swiss Federal Act on Data Protection (FADP) gives you the same rights to access, correct, delete, and object. You can contact the Federal Data Protection and Information Commissioner (FDPIC) at edoeb.admin.ch.

California (CCPA / CPRA)

Under the California Consumer Privacy Act as amended by the CPRA, you have the right to:

  • Know what personal information we collect and how we use it (this document covers that)
  • Delete the personal information we hold
  • Correct inaccurate information
  • Limit our use and disclosure of sensitive personal information. We don't collect anything we'd classify as "sensitive" under the law.
  • Opt out of "sale" or "sharing" of your personal information. We don't sell or share personal information for advertising or any other purpose.
  • Non-discrimination. We won't deny service, charge a different price, or give you a worse experience because you exercised any of these rights.

Send California requests to [email protected]. We don't have a "Do Not Sell or Share My Personal Information" toggle because we don't do either of those things.

Canada (PIPEDA)

Under the Personal Information Protection and Electronic Documents Act, you can ask for access, correction, and deletion through the rights in section 9. You can complain to the Office of the Privacy Commissioner of Canada at priv.gc.ca/en/report-a-concern.

India (Digital Personal Data Protection Act 2023)

If you are in India, the Digital Personal Data Protection Act 2023 gives you the right to information, correction, erasure, grievance redressal, and to nominate someone to act on your rights after death.

For grievances under the Act, write to [email protected] and we'll respond within the period the Act requires. If that doesn't resolve it, you can escalate to the Data Protection Board of India.

Australia (Privacy Act 1988 + APPs)

We follow the Australian Privacy Principles when we handle personal information of Australian residents. You can complain to the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au/privacy/privacy-complaints.

New Zealand (Privacy Act 2020)

We follow the Information Privacy Principles under the New Zealand Privacy Act 2020. You can complain to the Office of the Privacy Commissioner at privacy.org.nz/your-rights/making-a-complaint.

10. Security

We encrypt data at rest (256-bit AES), in transit (TLS 1.2 or higher), and authenticate with OAuth 2.0 where applicable. Backups run several times a day across geographically separated locations. The full security write-up is in the security questions on the home page.

If you spot a security issue, write to [email protected] or [email protected] and we'll come back to you quickly.

11. Changes to this policy

When we change this policy, we update the Last updated date at the top. If a change materially expands what we collect or who we share it with, we email newsletter subscribers and post the change in our updates feed (also available as an Atom feed). The current version of this policy lives at sage.is/privacy.

12. Contact

For privacy questions, requests, or complaints, write to [email protected].

European contact (operational; EU GDPR Art. 27 representative):
M.A. Luigi Somma
Startr LLC
Lomba Dos Frades, No. 44
Praia do Almoxarife, 9900-451
Portugal

United States (principal address):
Startr LLC, a Wyoming limited liability company
1309 Coffeen Avenue STE 4572
Sheridan, Wyoming 82801

If you'd rather write to a human directly, Alex or Izzy will answer.