Sanbao

Privacy Policy


Service: Sanbao · Website: www.sanbao.ai · Effective date: February 1, 2026 · Last updated: May 8, 2026

1. General provisions

This Privacy Policy (the “Policy”) sets out how Sanbao (www.sanbao.ai) processes and protects users’ personal data. The owner of the Service acts as the data operator.

Personal data is processed in accordance with the Law of the Republic of Kazakhstan “On Personal Data and Its Protection” No. 94-V dated May 21, 2013, and other applicable laws of the Republic of Kazakhstan.

By using the Service the User confirms that they have read this Policy and consent to the processing of their personal data for the purposes described herein.

2. Information we collect

Account data: name, email address, password hash (bcrypt), or social-auth provider identifier.

Usage data: daily message and token counts, selected pricing plan, request timestamps.

Chat content: messages and generated documents are stored to provide chat history and contextual conversation features.

Technical data: IP address, browser type, operating system — for security and diagnostic purposes.

Connected service data: integration tokens and metadata — see sections 4 and 5 below.

3. Purposes of processing

  • Providing and improving Service functionality.
  • Authentication and account management.
  • Enforcing usage limits per the selected pricing plan.
  • Security (preventing unauthorized access, brute-force, DDoS).
  • Sending service notifications by email.
  • Aggregated, de-identified analytics for product improvement.
  • Fulfilment of contractual obligations and applicable law.

4. Use of Google API Services

Sanbao offers optional integrations with Google services (Gmail, Google Calendar, Google Drive) that the User can connect voluntarily under Integrations. The connection uses the standard Google OAuth 2.0 flow; the User explicitly grants the requested scopes on Google’s consent screen before any access is provisioned.

4.1. Requested OAuth scopes

  • gmail.send — send email on the User’s behalf only after they explicitly confirm sending in chat. Reading incoming mail is not requested in the current version.
  • calendar — read, create, edit and delete events in the User’s calendar in response to explicit chat requests.
  • drive.file — access only files that the Sanbao app created or that the User explicitly opened/picked for use with the app; the rest of the User’s Drive is not accessible to Sanbao.

Sanbao’s use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

Email content, calendar events and file content are sent to the User’s selected AI model only to process the current request; full message bodies and file contents are not persistently stored in Sanbao’s database, and only the model’s final reply is kept in chat history. Google data is not used for advertising and is not shared for the training of generalized AI models.

The User can revoke Sanbao’s access to Google at any time: inside Sanbao, via Integrations → Google → Disconnect (OAuth tokens are immediately deleted), or from Google, via myaccount.google.com/permissions → find Sanbao → Remove access.

5. Other connected services

Sanbao also supports integrations with WhatsApp, Telegram, and 1C accounting systems. The User connects these voluntarily. Credentials and tokens for these services are stored encrypted (AES-256-GCM) and used only for features the User explicitly requests. The Limited Use principles described in section 4 apply symmetrically to all integrations.

6. Retention and deletion

6.1. Data is retained for the lifetime of the User’s account and deleted within 30 calendar days of an account deletion request.

6.2. OAuth tokens for connected integrations are deleted immediately upon disconnect through the Service interface.

6.3. Minimum-necessary service logs (request metadata) are retained for no more than 30 days and used solely for error diagnostics and security purposes.

6.4. After account deletion, aggregated statistical data may be retained in de-identified (anonymized) form that does not allow the User to be identified.

7. Sharing with third parties

7.1. We do not sell and do not transfer personal data to third parties for marketing purposes.

7.2. Message content may be sent to AI providers (Moonshot AI, DeepInfra and others) solely to generate a response to the current request. These providers act as Sanbao’s data processors and are contractually required not to retain prompts beyond immediate processing.

7.3. Data may be disclosed in response to lawful requests by government authorities of the Republic of Kazakhstan in accordance with applicable law.

8. Cookies

The Service uses strictly necessary session cookies for authentication (JWT) and CSRF protection. No third-party advertising or analytics trackers are used.

9. Rights of the data subject

In accordance with the Law of the Republic of Kazakhstan “On Personal Data and Its Protection” No. 94-V dated May 21, 2013, the User has the right to:

  • obtain information about the composition and procedure for processing their personal data;
  • request correction or supplementation of inaccurate or incomplete data;
  • request blocking or destruction of data whose processing is unlawful;
  • withdraw consent to processing and/or disconnect any integration (including Google) at any time;
  • challenge the operator’s acts (or omissions) before the data-protection authority of the Republic of Kazakhstan or in court.

To exercise these rights, contact [email protected] or use your profile settings.

10. Security

  • Encryption in transit (TLS 1.2+).
  • Password hashing (bcrypt, 12 rounds).
  • OAuth tokens and other secrets encrypted at rest (AES-256-GCM).
  • Rate limiting.
  • Brute-force protection (IP blocking on suspicious activity).
  • DDoS protection via Cloudflare.
  • Role-based access controls for staff.

11. Children

Sanbao is not intended for individuals under 16. We do not knowingly collect data from minors. If you believe a minor has provided us data, please contact [email protected] and we will delete it.

12. Policy updates

We may update this Policy. The current version is always available on this page. For material changes — particularly those affecting how Google data is handled — we will notify users by email at least 14 calendar days before the changes take effect.

13. Contact

For privacy and data-handling inquiries:
Email: [email protected]
Website: https://www.sanbao.ai
