Privacy Policy
Last updated: March 2026
1. Data Controller
SIRP Labs, Inc., a Delaware corporation, is the data controller for personal data processed through SARA Open. Contact: [email protected]
2. What We Collect
When you use SARA Open, we may collect the following data:
- Account data (Google sign-in only): your email address and display name, as provided by your Google account
- Chat messages: the content of your conversations with SARA, used to generate responses and improve the service
- IP addresses: collected per request for abuse prevention and rate limiting
- Browser fingerprint: a non-identifying token stored as a cookie, used to track anonymous session continuity
- IOC lookup values: indicators of compromise (IP addresses, file hashes, domains, URLs) submitted for enrichment
- Billing data (paid plans): payment information is processed by Stripe. We store your plan type and subscription status but never store credit card numbers
- API keys (Pro/Team): stored as irreversible SHA-256 hashes. The plaintext key is shown once at creation and never stored
- Plugin configurations (Pro/Team): endpoint URLs, trigger phrases, and authentication credentials (encrypted at rest) for custom integrations you create
We do not collect passwords. Authentication is handled entirely through Google OAuth.
3. Why We Collect It
We process data under the following legal bases (GDPR Art. 6):
- Contract performance: to provide the SARA conversational service, generate responses, and maintain your account
- Legitimate interest: to prevent abuse, enforce rate limits, improve the service through aggregate usage analysis, and maintain security
- Consent: for optional features like IOC enrichment, plugin integrations, and third-party LLM provider connections
4. Data Retention
- Chat logs: retained for 90 days from creation, then automatically purged. Free users: 7 days
- Account data: retained until you request deletion
- IP and fingerprint data: retained for up to 90 days for abuse detection purposes
- IOC enrichment results: retained for up to 90 days for caching and analytics
- Pipeline traces: retained for 30 days for performance monitoring
- Billing records: retained as required by tax and financial regulations
5. Third-Party Services
SARA Open uses the following third-party services that may process your data:
- Google OAuth: for user authentication. Google's privacy policy applies to the sign-in process
- OmniSense: IOC enrichment data you submit is sent to SIRP's OmniSense threat intelligence platform for analysis
- Anthropic (Claude): your queries are processed by Anthropic's Claude AI model to generate responses. Pro and Team users use Claude by default. See Anthropic's privacy policy
- Stripe: payment processing for paid plans. See Stripe's privacy policy
- User-configured LLM providers (BYOK): if you connect your own API key (OpenAI, Gemini, Mistral, etc.), your queries are sent to the provider you chose. Their respective privacy policies apply
- Custom plugins (Pro/Team): when you create webhook actions or A2A agents, data is sent to endpoints you configure. SIRP Labs is not responsible for data handling by those endpoints
We do not sell, rent, or share your personal data with third parties for advertising or marketing purposes.
6. Data Deletion & Your Rights
You can delete your account and all associated data directly from Settings → Privacy → Delete Account. This permanently removes your chat history, sessions, integrations, API keys, and plugins.
You may also email [email protected]. We will process deletion requests within 30 days.
Under applicable privacy laws (GDPR, CCPA), you have the right to:
- Access: request a copy of your personal data
- Rectification: correct inaccurate data
- Deletion: request erasure of your data ("right to be forgotten")
- Portability: receive your data in a structured, machine-readable format
- Objection: object to processing based on legitimate interest
- Restriction: request limited processing of your data
To exercise any of these rights, contact [email protected].
7. Data Processing Location
SARA Open is hosted on servers in the United States. By using the service, you consent to the transfer and processing of your data in the US. For EU/EEA users, data transfers are conducted under Standard Contractual Clauses (SCCs) where applicable.
8. Cookies
We use a single session cookie (sara_session) for authenticated users and a fingerprint cookie (sara_fp) for anonymous users. A theme preference (sara_theme) is stored in localStorage. These are strictly functional and are not used for advertising tracking.
9. Security
Data is transmitted over HTTPS. Cookies are marked HttpOnly and Secure. Plugin credentials and integration tokens are encrypted at rest using Fernet symmetric encryption. API keys are stored as irreversible hashes. We apply rate limiting, input validation, prompt injection detection, and abuse monitoring to protect the service.
10. Children's Privacy
SARA Open is not intended for use by individuals under the age of 18. We do not knowingly collect personal data from children.
11. Changes to This Policy
We may update this Privacy Policy from time to time. Changes will be reflected on this page with an updated date. For material changes, we will notify signed-in users via email. Continued use of SARA Open after changes constitutes acceptance of the revised policy.
12. Contact
Privacy questions or deletion requests: [email protected]
Data controller: SIRP Labs, Inc., Delaware, USA
General inquiries: sirp.io