← Back to home

Privacy Policy

Last updated: 2026

Overview

Sugar Capital (“we,” “our,” or “us”) respects your privacy. This policy describes how we collect, use, and share information when you visit our public website or use our internal team tools (including authentication and CRM features).

Information we collect

  • Account information: When you sign in (for example with Google), we receive identifiers such as your email address and profile details as permitted by your provider.
  • Usage and content: Data you or your organization enters into our systems (such as CRM records, notes, and integrations you connect) is stored to operate the service.
  • Technical data: We may collect standard server and device information (for example IP address, browser type, and approximate region) for security, diagnostics, and reliability.
  • Visitor signals (company-level only): When you visit our public pages, we record the page URL, referrer, user-agent, and an organization-level identifier derived from your IP's autonomous-system owner (for example, Acme Corp or Comcast Cable) — never your name, email, or any person-level identifier. Your raw IP is hashed with a server-side salt and discarded immediately; only the hash is retained, and only long enough to dedupe repeat visits within 24 hours.

How we use information

We use information to provide and improve our services, authenticate users, secure our systems, comply with law, and communicate with you about the product where appropriate.

Cookies and analytics

We set a small number of cookies that are strictly necessary for the site to function (signed-in session, magic-link verification, basic security). These do not require consent.

We also use Google Analytics 4 to understand aggregate traffic patterns. Visitors in the EU, UK, EEA, and Switzerland are shown a banner and analytics is loaded only after you click Accept; choose Reject analytics and no _ga cookie is set. Outside those regions, analytics loads by default. You can clear our cookies at any time from your browser settings.

Subprocessors

We use the following third parties to operate the product. Each processes data on our written instructions under a Data Processing Addendum.

  • Vercel (USA) — application hosting, edge network, request logs.
  • Supabase (USA / EU) — database, authentication, file storage.
  • Cloudflare (USA) — Turnstile bot challenge on public upload forms (no cookie set on success; challenge data retained per Cloudflare’s own policy).
  • Anthropic (USA) — Claude API for memo generation and Arthur replies. Submitted deck text and chat content are sent for inference. Anthropic does not train on API submissions by default.
  • OpenAI (USA) — embeddings for semantic search across our internal CRM and the deck-memo tool. Inputs are not used for model training under the API tier.
  • Resend (USA) — transactional email (magic links, memo-ready notifications) and the Sugar Rush news brief.
  • Sendblue (USA) — iMessage and SMS delivery for Arthur conversations and partner alerts (recipient phone number + message content).
  • Google (USA) — OAuth sign-in, Google Calendar and Gmail read access for connected partner accounts (only when you explicitly grant scope), Google Analytics where consented.
  • Apollo.io (USA) — contact and company enrichment used inside our internal CRM (not invoked from public pages).
  • IPInfo (USA) — autonomous-system / company-level lookup of the IP block your visit originated from. Used to tell a real organization apart from a residential ISP for our visitor-signal logs (above). Person-level identification is neither performed nor available.

We do not sell your personal information and we do not share it for cross-context behavioural advertising.

Retention

  • Decks uploaded to /arthur: retained while the memo is live. Failed or abandoned uploads are auto-purged after 30 days. Hide-on-request via abuse@sugarcap.com.
  • Sugar Rush newsletter list: retained until you unsubscribe. One-click unsubscribe link is in every email.
  • Arthur SMS / email conversations: retained as long as the conversation memory window (currently 48 hours of rolling context plus distilled long-term memories you can ask Arthur to clear).
  • Server logs and rate-limit fingerprints: IP-derived hashes retained 30 days for abuse detection.
  • Visitor-signal logs: page URL, referrer, user-agent, country code, and the autonomous-system owner of the visiting IP block, paired with a salted hash of the IP. Retained 90 days, then deleted. Never shared.
  • CRM records (internal): retained for the life of the business relationship and as needed to meet legal, accounting, and regulatory obligations.

Your rights and choices

Depending on where you live (EU, UK, California, and others), you may have rights to:

  • access the personal data we hold about you;
  • correct or update inaccurate data;
  • delete your data (subject to legal retention obligations);
  • object to or restrict certain processing;
  • port your data in a machine-readable format;
  • opt out of the “sale” or “sharing” of personal information — we do not sell or share, but California residents have the right to confirm this.

To exercise any of these rights, email abuse@sugarcap.com from the address associated with your data, or include enough detail (memo URL, phone number, etc.) for us to verify the request. We respond within one business day on routine requests and within 30 days on formal data-rights requests.

Contact

Questions about this policy can be directed to your Sugar Capital contact or sugarcap.com.

Abuse / takedown: If you uploaded a deck to /arthur and want it removed, or need to report misuse, email abuse@sugarcap.com with the memo URL or your submitting email. We hide on receipt and respond within one business day.

This policy is provided for general information and does not constitute legal advice. Your organization may supplement this with separate agreements.

©2026 Sugar Capital