
Privacy Policy

Last updated: June 11, 2026

1. Introduction

Friday Technologies SRL ("we", "our", or "us") operates the Sage mobile application and the sageacademy.app website (collectively, the "Service"). This Privacy Policy explains how we collect, use, share, and protect your personal information when you use our Service.

We are committed to protecting your privacy and complying with the EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). By using Sage, you agree to the collection and use of information in accordance with this policy.

Data Controller: Friday Technologies SRL, Romania, EU. Contact: contact@sageacademy.app

2. Information We Collect

2.1 Account Information

The following information is collected when you create and manage your account:

  • Email address (required)
  • Password (stored as a cryptographic hash — we never see your plaintext password)
  • Display name (required)

2.2 Health and Fitness Data

To provide our AI fitness coaching service, we collect the following data that you provide during onboarding and ongoing use:

  • Weight and height
  • Age and biological sex
  • Fitness and body-composition goals (e.g., weight loss, muscle gain, maintenance)
  • Food photos and text meal descriptions you submit for AI analysis
  • Calorie and macronutrient data derived from logged meals
  • Progress photos (if you choose to use this feature, including when you ask Sage to compare two of them)
  • Daily check-in responses and habit-tracking data
  • “My Why” voice recording — an optional voice note captured during onboarding. This audio is sent to OpenAI for transcription; the resulting text is stored and used to personalise your coaching experience.

Important: Health-related data is classified as a special category of personal data under GDPR Article 9. We process this data on the basis of your explicit consent, which you provide when setting up your account and using the app.

2.3 Device Information

The following device-level information is collected to operate and improve the app:

  • Device model and manufacturer
  • Operating system and version (iOS or Android)
  • App version
  • Device language and locale settings
  • Push notification token (only if you enable notifications)

2.4 What We Do Not Collect

We do not collect the following:

  • Dietary preferences or restrictions — these are not part of the app's onboarding or data model
  • Location data
  • Contacts or calendar data
  • Advertising identifiers or ad-targeting data

2.5 Product Analytics

We use PostHog (EU-hosted) to understand how the app is used so we can improve it. We collect behavioural events on an anonymised basis — for example, which features and screens are used, and onboarding and paywall funnel steps.

We do not send any of the following to analytics:

  • Your health values (e.g., your weight, calorie counts, macro intake)
  • Your meal photos or progress photos
  • Your chat content with the AI coach or your “My Why” recording

We also do not record your screen — there is no session replay. PostHog acts as our processor under a Data Processing Agreement (DPA) and is hosted in the EU, so this data does not leave the European Economic Area.

3. How We Use Your Information

We use the information we collect solely for the following purposes:

  • To provide the AI fitness coaching service: Food photos and text meal descriptions are sent to OpenAI's vision models for nutritional analysis. When you choose to compare two of your progress photos, those photos are sent to OpenAI's vision models so Sage can describe the visible changes and offer encouragement. This happens only when you actively request a comparison — your progress photos are never sent for AI analysis automatically. Your goals, check-in responses, and conversation history are processed by OpenAI to generate personalised coaching replies. OpenAI also transcribes your “My Why” voice recording and maintains durable memory of key facts about you so that Sage remains contextually aware across sessions.
  • To personalise your experience: Your profile data, goals, and history are used to tailor coaching advice, meal feedback, and habit recommendations to you specifically.
  • To send important account notifications: We send transactional emails related to your account (e.g., subscription confirmations, password resets). We will only send marketing communications with your explicit consent.
  • To manage your subscription: RevenueCat manages in-app subscriptions processed through Apple App Store or Google Play Store. We receive subscription status and entitlement data; we do not receive or store full payment card details.
  • To deliver push notifications: If you opt in, your device push token is used via Expo's notification infrastructure to send reminders and check-in prompts.
  • To comply with legal obligations: We may process your data where required by applicable law or regulation.

4. How We Share Your Information

We do not sell your personal data to any third party. We share data only with the following processors, each bound by a Data Processing Agreement (DPA) and permitted to process your data solely for the stated purpose:

4.1 Data Processors

Processor | Purpose | Location
Supabase | Database storage and user authentication | EU (Frankfurt, Germany)
OpenAI | Meal photo & text analysis, progress-photo comparison analysis, AI coaching replies, durable user memory, and "My Why" voice transcription | USA
RevenueCat | Subscription management and entitlement tracking | USA
Apple | App Store distribution and payment processing (iOS) | USA
Google | Play Store distribution and payment processing (Android) | USA
Expo | App build infrastructure and push notification delivery | USA
PostHog | Anonymised behavioural product analytics — screens viewed, features used, onboarding and paywall funnel steps. No health values, no photos, no chat content, no session replay. | EU

4.2 Legal Requirements

We may disclose your information where required by applicable law, a court order, subpoena, or governmental request. We will notify you of such requirements where legally permitted.

4.3 Business Transfers

If Friday Technologies SRL is acquired or merges with another company, your information may be transferred as part of that transaction. You will be notified before this occurs and your rights under this policy will continue to apply.

5. Data Security

We implement appropriate technical and organisational measures to protect your data:

  • All data is encrypted in transit using TLS 1.3
  • Data at rest is encrypted using AES-256
  • User authentication is handled by Supabase, which stores passwords using bcrypt hashing — we never have access to your plaintext password
  • Food photos and voice recordings are transmitted to OpenAI for processing and are not stored beyond the retention terms of our agreement with OpenAI
  • Access to production systems is restricted to authorised personnel and requires multi-factor authentication

No method of electronic transmission or storage is 100% secure. While we use commercially reasonable means to protect your information, we cannot guarantee absolute security.

6. Your Rights Under GDPR

If you are located in the European Economic Area (EEA), you have the following rights under the GDPR:

Right of Access

You may request a copy of all personal data we hold about you. We will respond within 30 days.

Right to Rectification

You may correct inaccurate or incomplete personal data at any time via your account settings or by contacting us.

Right to Erasure (“Right to be Forgotten”)

You may request deletion of all your personal data. We will delete your account and all associated data within 30 days of receiving a valid request, subject to legal retention obligations.

Right to Data Portability

You may request an export of your data in a structured, machine-readable format (JSON or CSV). Contact us at contact@sageacademy.app.

Right to Object

You may object to the processing of your personal data for direct marketing purposes or where we rely on legitimate interests as the legal basis for processing.

Right to Withdraw Consent

Where we process your data based on consent (e.g., health and fitness data), you may withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.

Right to Lodge a Complaint

You have the right to lodge a complaint with your national Data Protection Authority. As Friday Technologies SRL is established in Romania, the competent supervisory authority is:

ANSPDCP — National Supervisory Authority for Personal Data Processing: www.dataprotection.ro

To exercise any of the above rights, contact us at contact@sageacademy.app.

7. International Data Transfers

Our processors OpenAI, RevenueCat, Apple, Google, and Expo are based in the United States. When we transfer personal data to the US, we rely on one or more of the following safeguards:

  • EU–US Data Privacy Framework (DPF): Where a processor is certified under the DPF, we rely on this framework for the transfer.
  • Standard Contractual Clauses (SCCs): Where DPF certification is not in place, we execute EU Commission-approved SCCs with the processor.

Supabase stores all primary data within the EU (Frankfurt, Germany) and does not transfer your data outside the EEA.

You may request a copy of the applicable SCCs by contacting us at contact@sageacademy.app.

8. Data Retention

  • Account data: Retained for as long as your account is active.
  • Meal logs, progress photos, and health data: Retained for the duration of your account. You may delete individual entries at any time within the app.
  • Upon account deletion: All personal data is permanently deleted from our systems within 30 days of your request.
  • Encrypted backups: Backup snapshots may retain data for up to 90 days after deletion, after which they are overwritten.
  • Financial records: Transaction and subscription records may be retained for up to 7 years to comply with Romanian and EU accounting laws.

9. Children's Privacy

Sage is intended for users aged 18 and over. We do not knowingly collect personal data from anyone under 18. If you are a parent or guardian and believe your child has created an account or submitted personal data, please contact us at contact@sageacademy.app and we will delete the relevant data promptly.

10. California Privacy Rights (CCPA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):

  • The right to know what personal information we collect, use, and disclose
  • The right to request deletion of your personal information
  • The right to opt out of the sale of personal information — we do not sell personal information
  • The right to non-discrimination for exercising your CCPA rights

To exercise these rights, contact us at contact@sageacademy.app.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email to your registered address and/or via a prominent in-app notice at least 14 days before the changes take effect. Your continued use of the Service after the effective date constitutes acceptance of the revised policy.

12. Contact Us

For any questions or requests relating to this Privacy Policy:

We aim to respond to all privacy-related requests within 30 days.