← Back to Sage Business OS

Privacy Policy

Effective: June 8, 2026 · Sage Business OS (operated by Wavenstone Limited, a company registered in Hong Kong) · sageailab.com

1. Introduction

Wavenstone Limited, a company incorporated in the Hong Kong Special Administrative Region of the People's Republic of China, trading as "Sage Business OS" ("Wavenstone", "we", "us", or "our"), operates the website sageailab.com and the Sage Business OS application (collectively, the "Service"). This Privacy Policy explains what personal information we collect, how we use it, who we share it with, how long we retain it, and the rights you have over it. By using the Service you agree to the practices described below.

Sage Business OS is an enterprise AI productivity suite for small & medium businesses. It bundles tools that help teams run customer support and bookings (WhatsApp Bot, TeamHub), create marketing assets (Creative Suite, Presentation+, EDM+, Lead Finder, WebDNA), run finance & accounting (Invoice+, Accounting+), build internal apps (App Studio), and answer questions over the company's own knowledge base (Company Brain AI, Workspaces & Docs, Drive, QA Generator).

Data controller / operator: Wavenstone Limited, Hong Kong. Contact: admin@sageailab.com.

2. Information We Collect

2.1 Information you provide directly

  • Account information: name, email address, password (hashed with bcrypt), preferred language, time zone.
  • Profile information: profile picture, display name, role, and bio.
  • Enterprise information: business name, business contact email, team-member roles and permissions.
  • Uploaded content: files you place into Drive, Workspaces, Knowledge Bases, Creative assets, Presentation+ decks, Invoice templates & logos, App Studio project files. Supported formats include PDF, DOCX, XLSX, CSV, TXT, MD, JPG/PNG/WebP/GIF, MP3/WAV/M4A, MP4/MOV/WebM, and ZIP archives.
  • Chat & conversation data: messages you exchange with our AI tools, including Company Brain AI, Ask Sage, Creative prompts, Presentation+ prompts, App Studio prompts, and WhatsApp Bot training turns.
  • WhatsApp Bot data (only when you connect a bot): the WhatsApp account JID, contact phone numbers (JIDs), partner display names, inbound/outbound message bodies and media, booking slots, and booking lifecycle metadata.
  • Customer / lead data you enter: contact details you add through Lead Finder, EDM+, Invoice+ customers, or imports from WebDNA.
  • Payment information: purchases of plans or Sage Credits are processed by Stripe, Inc. We receive your billing email and the subscription / charge metadata Stripe returns. We do not see or store your full card number — that data is held by Stripe (PCI DSS Level 1).

2.2 Information collected automatically

  • Device & usage: IP address, browser type, OS, device type, pages visited, time spent, interaction events.
  • Cookies & local storage: see Section 6 below.
  • Sage Credits ledger: a per-action log of what AI calls you ran, when, and how many credits each consumed — used to render your usage dashboard and to bill correctly.

2.3 Information from connected third-party services

  • Google (OAuth + Workspace APIs) — see Section 3 for the full Google API disclosure.
  • WhatsApp / Meta — see Section 4.
  • OpenRouter, Hedra, Replicate, Anthropic, OpenAI, Google AI: when you generate text, images, video or speech, we forward the necessary inputs to the chosen AI provider. These providers process the input under their own terms and return the result to us. We do not share account-identifying information beyond what is required to run the request.

3. Google API Services — Limited Use Disclosure

When you click Connect Google Drive (Invoice+ tab) or Connect Google Calendar (WhatsApp Bot booking calendar), Sage Business OS uses Google's OAuth 2.0 flow to obtain a limited-scope access token for the Google account you choose. We request only the following scopes:

  • openid — to confirm sign-in.
  • .../auth/userinfo.email and .../auth/userinfo.profile — to identify which Google account you connected and show it in the dashboard.
  • .../auth/drive.file — Drive scope limited to files that Sage Business OS itself creates or that you explicitly open with Sage Business OS. We use it only to upload generated invoice PDFs and accounting paperwork into a folder named "SageAI Invoices" / "SageAI Accounting" in your Drive. We cannot read, list, modify, or delete any other file in your Drive.
  • .../auth/calendar.events — Calendar scope used only to create, update, and delete event entries that correspond to bookings made through your connected WhatsApp Bot. We do not read events you created elsewhere.

Limited Use commitment. Sage Business OS's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:

  • We use Google user data only to provide and improve the user-facing features you connected the account for (invoice/document upload to Drive, booking event sync to Calendar).
  • We do not use Google user data to serve advertisements, including retargeting, personalised, or interest-based advertising.
  • We do not sell Google user data, and we do not transfer Google user data to third parties except (a) to provide or improve the user-facing features, (b) to comply with applicable law, or (c) as part of a merger / acquisition / sale of assets with notice to you.
  • We do not allow humans to read Google user data unless (a) we have your explicit consent for specific data, (b) it is necessary for security purposes such as investigating abuse, (c) it is required by applicable law, or (d) the data has been aggregated and anonymised for internal operations.

How tokens are stored. OAuth refresh tokens are encrypted in transit (TLS) and stored at rest in our PostgreSQL database with restricted application-only access. We cache short-lived access tokens for a few minutes to avoid unnecessary token-refresh calls.

How to revoke. You can revoke our access at any time at https://myaccount.google.com/permissions or from inside Sage Business OS (Invoice+ → Settings → Disconnect; WhatsApp Bot → Booking → Turn off Calendar sync). Revocation immediately disables Drive upload and Calendar sync; any files we already wrote to your Drive remain owned by you.

4. WhatsApp / Meta Platform Disclosure

The WhatsApp Bot feature lets a Sage Business OS enterprise link a single WhatsApp account so the AI can answer incoming messages on the business's behalf, hold bookings, and forward leads. The integration uses an officially supported WhatsApp client (Baileys) running on our servers and is operated by you, on your own WhatsApp account; Sage Business OS is the technology operator, not the WhatsApp account holder.

  • Data received from WhatsApp: contact JIDs (the WhatsApp internal id) and the dialable phone number when WhatsApp exposes it, partner display names, message bodies, attached media (images / audio / video), message timestamps and ids.
  • Why: to render an inbox in the dashboard, to feed the AI with conversation context so it can answer accurately, to log Sage Credits spent, to track bookings, and to send replies you (or the AI on your behalf) compose.
  • How long: messages and media are kept while your enterprise account is active so the AI has historical context for follow-ups. You can delete the bot at any time, which cascades and permanently removes every message, booking, and uploaded media file associated with it.
  • Sharing: we forward message content to the AI provider you selected (OpenRouter / Anthropic / OpenAI / Google AI / etc.) only when an AI reply is being generated, and only the minimum context window required. Providers process the data under their own terms.
  • End-user expectations. If you are a customer messaging a business that runs Sage Business OS, the business is the data controller for your messages. Contact that business directly for access, correction, or deletion requests; we will work with them on your behalf.
  • WhatsApp / Meta compliance. We adhere to the WhatsApp Business Solution Terms and the Meta Platform Terms. We do not use WhatsApp data to build cross-business profiles, do not sell WhatsApp data, and do not use it for advertising.
  • Data deletion. See Section 11. The User Data Deletion endpoint required by Meta for connected platforms is documented at sageailab.com/data-deletion.

5. How We Use Your Information

We process the information above to:

  • Provide, operate, and maintain Sage Business OS and each of its modules.
  • Run AI features you invoke (Company Brain AI answers, Creative Suite generations, Presentation+ decks, App Studio builds, WhatsApp Bot replies, Lead Finder queries, EDM+ campaigns, Invoice+ extraction, Accounting+ posting, QA Generator, etc.).
  • Synchronise documents into your connected Google Drive and bookings into your connected Google Calendar (when you have authorised it).
  • Process subscription and Sage Credits payments through Stripe.
  • Send transactional emails (verification, security alerts, invoice receipts, important product updates). We do not send marketing email unless you have opted in.
  • Provide customer support and respond to your inquiries.
  • Detect, prevent, and address fraud, abuse, security incidents, and policy violations.
  • Analyse aggregate usage to improve the Service.
  • Comply with legal obligations (tax records for Invoice+, response to lawful requests, etc.).

We do not sell your personal data. We do not use the contents of files you uploaded, your WhatsApp messages, your Drive files, your Calendar events, or any other Google / Meta-sourced data to train third-party AI models without your explicit consent.

6. Cookies & Tracking Technologies

  • Essential cookies: next-auth.session-token — required for sign-in and session management (HTTP-only, secure, same-site lax).
  • Preference storage: language, dashboard theme, and Drive panel layout are stored in your browser's localStorage.
  • Analytics: we use privacy-friendly server-side analytics. We do not set third-party advertising cookies.

You can clear or block cookies via your browser. Blocking the essential cookie will prevent sign-in.

7. Legal Bases for Processing (EEA / UK)

  • Contract: processing necessary to deliver the Service you signed up for.
  • Consent: when you explicitly connect Google Drive / Calendar, link a WhatsApp Bot, or opt in to marketing email.
  • Legitimate interest: security, fraud prevention, debugging, and product improvement, balanced against your rights.
  • Legal obligation: tax record-keeping, response to lawful requests.

8. Data Sharing & Sub-processors

We share data only with the following categories of sub-processors, each bound by their own privacy policy:

  • Hosting: Hostinger International (VPS, Lithuania / EU data centres).
  • Payments: Stripe, Inc.
  • Authentication: Google LLC (Sign in with Google), our own email/password store.
  • Productivity APIs: Google Drive API, Google Calendar API (only when you connect them).
  • AI model providers: OpenRouter, Anthropic, OpenAI, Google AI Studio, Hedra, Replicate (forwarded only when an AI call is run).
  • Email delivery: Hostinger SMTP (transactional email).
  • Speech & TTS: our own MeloTTS server (self-hosted, EU).

We may also disclose information when required by law, regulation, court order, or governmental request, or to protect the rights, property, or safety of Sage Business OS, our users, or the public, or in connection with a business transfer (merger, acquisition, sale of assets) with notice to you.

9. International Data Transfers

Our servers are located in the EU (Lithuania). When AI processing is delegated to a provider whose data centres are in the United States or elsewhere, transfers are made under the provider's Standard Contractual Clauses or equivalent safeguards.

10. Data Storage & Security

  • In transit: all traffic is encrypted with TLS 1.2+ (HTTPS).
  • At rest: PostgreSQL with restricted application-only access; OAuth refresh tokens are stored in a database column with restricted reads. Filesystem uploads sit on the same VPS.
  • Passwords: hashed with bcrypt; we never see or store plain text passwords.
  • Payments: handled entirely by Stripe (PCI DSS Level 1).
  • Operational access: restricted to a small number of administrators bound by confidentiality.

No system is perfectly secure. We will notify affected users without undue delay if a personal-data breach is likely to result in a high risk to their rights and freedoms, as required by GDPR.

11. Data Retention & Deletion

We retain your account and its content for as long as your account is active. If you request account deletion (see below) we permanently delete your personal data within 30 days, except where we are required to retain specific records by law (e.g. invoices issued from Invoice+ may be retained for the statutory period in your jurisdiction).

How to delete your data:

  • Self-service: Sign in → Dashboard → Settings → Delete account (cascades and permanently removes every workspace, document, bot, chat thread, and Sage Credit history we hold for you).
  • Per-feature: delete a single bot, workspace, or Drive file from inside the corresponding panel — the data is removed immediately.
  • By email: send a deletion request to admin@sageailab.com from the address on file and we will action it within 30 days.
  • Programmatic (Meta-required): the User Data Deletion endpoint required by Meta is documented at sageailab.com/data-deletion.

Deletion of your Sage Business OS account does not delete files we previously wrote to your own Google Drive — those remain yours; revoke our app at myaccount.google.com/permissions.

12. Your Rights (GDPR / UK GDPR / CCPA)

You have the right to:

  • Access the personal data we hold about you.
  • Rectify inaccurate data.
  • Delete your data (see Section 11).
  • Port your data to another service in a machine-readable format.
  • Restrict or object to certain processing.
  • Withdraw consent at any time (e.g. disconnect Google Drive, disable a WhatsApp Bot).
  • Lodge a complaint with your local data protection authority.

To exercise any right, email admin@sageailab.com. We respond within 30 days.

California residents (CCPA): we do not sell personal data. You have the same access / deletion / non-discrimination rights as above.

13. Children's Privacy

The Service is intended for business users aged 16 and over. We do not knowingly collect data from children under 16. If we learn that we have, we delete it promptly.

14. Third-Party Links

The Service may link to third-party sites. We are not responsible for their privacy practices; please review their own policies.

15. Changes to This Policy

We may update this Policy from time to time. Material changes will be highlighted on this page with a revised "Effective" date and, where appropriate, by email to your account address. Continued use after a change constitutes acceptance.

16. Contact Us

Privacy questions, data-rights requests, and deletion requests:

Last updated: June 8, 2026

← Sage Business OSTerms of ServiceData Deletion