Privacy Policy
Last updated: 2026-05-12
This is the privacy policy for Sauvrn, the maker of the Retrace browser extension. Sauvrn is operated from Toronto, Ontario, Canada. Until Sauvrn's incorporation is finalized, Sauvrn is operated as a sole proprietorship by Cameron Langs.
We've tried to write this in plain English. If anything is unclear, email privacy@sauvrn.ai and we'll fix it.
TL;DR
- Retrace runs entirely on your device. We do not receive your browsing data, your search queries, your captured pages, your embeddings, your model invocations, your workspace/Space data, or any derivative of those things. The only network activity is license verification (every 6 hours) and the initial model weights download. See Retrace's privacy commitment for the technical detail.
- Account data (your email address, name, and license/subscription state) does live on our servers because that's how accounts work. We store it on Google Cloud in Canada and the US. We do not sell it, share it for ads, or use it for analytics profiling.
- Support messages you send us (via the in-extension feedback form, or by emailing support) are stored in our help-desk system (HubSpot) so we can reply to you. We scrub tokens before they land. We do not feed support content to any AI training pipeline.
- You can ask us to delete your account and everything we have on you at any time. Email privacy@sauvrn.ai. We aim to action requests within 7 days.
What information we collect
We collect the minimum information needed to run an account-based product. Specifically:
Account information you give us
- Email address. Required to create an account, sign in, and recover access.
- Name (if you choose to provide one).
- Authentication identifiers from your sign-in provider (Google), used to verify it's actually you on subsequent sign-ins. We store an opaque identifier; we do not store your Google password.
- Billing information (when paid plans launch): handled by Stripe. We never see or store your full card number. Stripe stores it under their PCI compliance regime.
Information generated by your use of our service
- License state — whether your license is active, on which plan, when it expires.
- License verification timestamps — when each connected extension last verified its license. Used to detect anomalies (e.g., a single license appearing on many devices simultaneously).
- Subscription events from Stripe (subscription created, upgraded, downgraded, cancelled). Used to keep your license state in sync with what you've actually paid for.
- Operational logs — basic request logs (timestamp, route, response code, anonymized IP). Used to diagnose outages and abuse. We do not log request bodies or query parameters that could contain personal content. Retained for 30 days, then deleted.
Information your browser extension generates but never sends to us
This is the load-bearing part. Retrace is designed so the following information never leaves your device: the pages you visit, the contents of those pages, the embeddings Retrace computes from them, the questions you Ask, the answers Retrace generates, the Ask conversations you have, your reading timeline, your Find history, the URLs of tabs you have open, your Space organization, your Tool configuration, your Space tab groupings, and your rail state preferences.
If you find any of the above being transmitted from the extension to a network destination, that is a bug. Please report it to security@sauvrn.ai — we will treat it as a P0 incident.
The technical guarantees behind this commitment are documented in detail at Retrace's privacy commitment.
What we do with the information we collect
Strict need-to-know basis:
- Run your account. Authenticate you, enforce your subscription state, route license checks from the extensions, send billing receipts and license confirmation emails.
- Respond to your support requests. Read what you wrote to us, reply, follow up.
- Keep the service running. Diagnose outages, investigate abuse (e.g., a leaked license being used by 50 people).
- Comply with the law. If we receive a valid legal request for data, we respond — but the technical architecture means we have nothing about your browsing to hand over.
We do not:
- Sell your personal information to anyone, ever.
- Share your personal information with advertising networks.
- Use your information to train AI models. (We don't have your browsing data in the first place, and even your support messages stay out of training.)
- Build behavioral profiles of you for marketing.
- Run third-party analytics or tracking pixels on our marketing site, app, or extensions.
Who we share information with
The third parties who process your data on our behalf:
| Service | What they handle | Why | Where |
|---|---|---|---|
| Google Cloud (GCP) | Hosts our backend and database | Backend infrastructure | us-central1 (Iowa, USA) |
| HuggingFace | Hosts the model weights (Qwen3-4B-q4f16_1-MLC) that Retrace downloads on first use of Ask |
Model artifact distribution | USA (HF CDN) |
| WorkOS | Sign-in (OIDC) provider | Authentication | USA |
| Stripe | Subscription and payment processing (when paid plans launch) | Billing | USA + Ireland |
| Resend | Sends transactional email (sign-in confirmations, license notifications, receipts) | Email delivery | USA |
| HubSpot | Help desk for support tickets | Support inbox | USA |
| BetterStack | Status page and uptime monitoring | Operational | USA |
| Cloudflare | DNS for sauvrn.ai and subdomains |
DNS | Global |
Each provider has its own privacy policy. We pick providers who themselves don't sell data and who let us delete records on request.
We do not share your information with anyone else outside this list, except: - If you explicitly tell us to (e.g., "please share my support thread with my teammate"). - If we're legally required to (e.g., a valid court order). - In the event of a business transfer (acquisition, etc.), in which case we'll notify you in advance and you'll have the option to delete your data first.
International transfers
Sauvrn operates from Canada, but our infrastructure is primarily in the United States (Google Cloud us-central1). If you sign up from outside the United States, your account information will be transferred to and processed in the US.
For users in the European Economic Area (EEA), UK, or Switzerland: this transfer occurs under Standard Contractual Clauses with our processors. If you'd like a copy of the SCC documents, email privacy@sauvrn.ai.
For users in California: the disclosures required by CCPA are throughout this policy. You also have the rights listed in Your rights and choices below.
For users in Canada: this policy is consistent with PIPEDA, Ontario's PIPA, and Quebec's Law 25. We are happy to provide additional disclosure on request.
Your rights and choices
You can, at any time:
- Access the personal information we hold on you. Email privacy@sauvrn.ai and we'll provide an export.
- Correct inaccurate information by editing your account profile, or by emailing us.
- Delete your account and all associated data. Sign-in → Settings → Delete account, or email us. We aim to action deletion within 7 days; the data is purged from active systems immediately, and falls out of backups within 30 days.
- Object to specific processing if you have legal grounds (e.g., under GDPR Article 21). Email us with the specifics and we'll respond.
- Port your data to another service. We will export it in a machine-readable format on request.
- Withdraw consent you've previously given. Note that this may make some features unusable.
You do not need to give us a reason. "I want to" is sufficient.
For users in jurisdictions with regulated data-protection authorities, you also have the right to lodge a complaint with that authority. For Canadian users: the Office of the Privacy Commissioner of Canada at priv.gc.ca. For Ontario users: the Information and Privacy Commissioner of Ontario at ipc.on.ca.
Children
Sauvrn is not directed at children under 13 (under 16 in the EEA/UK). We do not knowingly collect information from children. If you believe a child has signed up, email privacy@sauvrn.ai and we will delete the account.
Security
We follow standard industry practice for security:
- Encrypted data in transit (TLS 1.2+) on all endpoints, enforced by HSTS.
- Encrypted data at rest in our database and bucket storage.
- Secret material (API keys, signing keys) stored in Google Cloud Secret Manager with strict IAM scoping.
- Least-privilege access — the founder is the only human with production write access at this stage.
- A documented audit logging trail for every administrative action.
If you discover a vulnerability, please report it via security@sauvrn.ai. We don't yet have a formal bug-bounty program but we will publicly credit researchers who report responsibly.
Data retention
- Active account data: retained while your account is active.
- Deleted account data: purged from active systems on deletion. Purged from backups within 30 days.
- Support tickets: retained for 2 years after the ticket is resolved, then deleted, unless you ask us to delete sooner.
- Operational logs: 30 days, then deleted.
- Billing records: retained for 7 years as required by Canadian and US tax law.
Changes to this policy
If we make material changes to this policy, we'll email you (using the address on your account) at least 14 days before the changes take effect. The current version is always at https://docs.sauvrn.ai/privacy; the date at the top reflects the last revision.
Contact
- Privacy questions, requests, and complaints: privacy@sauvrn.ai
- Security issues: security@sauvrn.ai
- General support: support@sauvrn.ai
- Mailing address: Available on request to privacy@sauvrn.ai. (Sole proprietor address; will be updated to a registered corporate address once Sauvrn's incorporation is finalized.)
The person responsible for privacy at Sauvrn is Cameron Langs, founder.