Privacy & Cookie Policy

This policy explains how Sanvy AB ("Sanvy", "we") collects, uses and protects personal data when you visit sanvy.ai or use our services. We act as the data controller for visitor and customer data described here.

Controller: Sanvy AB, Stockholm, Sweden · Org. nr [Insert Org Nr] · Contact: privacy@sanvy.ai

We only collect what we need to operate the site and the service:

• Contact data you submit (name, work email, company, team size) when you join the waitlist or contact us.
• Account & billing data when you subscribe (handled by Stripe; we never store full card numbers).
• Project content you upload to the product (drawings, specifications, bid data).
• Technical data: IP address, device & browser type, pages viewed, referrer — collected via cookies and analytics only with your consent.

We use personal data to:

• Provide, secure and improve the Sanvy platform and website.
• Respond to enquiries, manage the waitlist and onboard customers.
• Process payments, invoicing and prevent fraud.
• Measure aggregate traffic and product usage to improve the experience (analytics — only if you consent).

Each processing activity is based on one of the following legal grounds:

• Consent (Art. 6(1)(a)) — for analytics and marketing cookies, and any optional communications.
• Performance of a contract (Art. 6(1)(b)) — to deliver the service you subscribed to.
• Legitimate interests (Art. 6(1)(f)) — to secure the service, prevent abuse, and respond to enquiries.
• Legal obligation (Art. 6(1)(c)) — for accounting, tax and other regulatory requirements.

We use a small number of first-party and third-party cookies. Non-essential cookies fire only after you accept them. Google Analytics runs in Consent Mode v2 and transmits no measurement data until consent is granted.

Manage cookie preferences

We never sell personal data. We share it only with vetted sub-processors that help us run the service:

• Google Ireland Ltd. — Google Analytics 4, for aggregated traffic measurement (only with analytics consent).
• Supabase / Lovable Cloud — managed database, authentication and edge functions hosting our backend.
• Stripe Payments Europe Ltd. — payment processing, invoicing and fraud prevention.
• Resend — sending transactional and waitlist emails on our behalf.

Some sub-processors are located outside the EU/EEA (notably the United States). When we transfer personal data outside the EU/EEA, we rely on the European Commission's Standard Contractual Clauses and supplementary safeguards as required by GDPR Chapter V.

We keep personal data only as long as needed for the purposes above. Waitlist contact data is kept until you ask us to delete it or for up to 24 months of inactivity. Customer account data is retained for the duration of your subscription plus the period required by accounting law (typically 7 years in Sweden). Analytics data is aggregated and retained per Google Analytics defaults (up to 14 months).

Under the GDPR you have the right to:

• Access the personal data we hold about you.
• Correct inaccurate or incomplete data.
• Request deletion ("right to be forgotten") where applicable.
• Receive your data in a portable, machine-readable format.
• Object to processing based on legitimate interests, including direct marketing.
• Withdraw consent at any time — use the cookie settings link in the footer.
• Lodge a complaint with the Swedish Authority for Privacy Protection (IMY) or your local data protection authority.

To exercise any of these rights, contact us at privacy@sanvy.ai.

We may update this policy as the service and the regulatory landscape evolve. Material changes will be announced on this page with a new effective date. Continued use of the site after changes take effect constitutes acceptance of the updated policy.