Privacy Policy
Last updated: July 6, 2026
1. Introduction
Sutram Desenvolvimento de Software Ltda. ("we," "our," or "us") operates the sutram.io platform. This page informs you about our policies regarding the collection, use, and disclosure of personal information when you use our Service.
2. Data We Collect
2.1 Account Information
- Email: used for authentication and communication
- Name: for personalization and identification within projects
- Avatar: profile image (optional)
- Preferences: language, theme, and notification settings
2.2 Project Data
- Files: documents, images, videos, and other files you upload
- Messages: conversations within projects
- Metadata: information about files (name, size, type, date)
2.3 Usage Data
- Access and navigation logs
- Device and browser information
- IP address and approximate location
3. How We Use Your Data
- Provide and maintain the service
- Authenticate and protect your account
- Send notifications about project activity
- Improve our services
- Comply with legal obligations
4. Storage, Location, and Security
Your data is stored on secure servers. The location depends on your plan:
- Basic, Pro, Plus, and Max plans: files on Amazon Web Services (AWS S3) and database on AWS RDS, both in the Eastern United States region (us-east-1).
- Enterprise plan: data location (data residency) may be defined by contract, among the regions supported by our infrastructure providers — including regions in Brazil — as negotiated and formalized in the contractual instrument and its respective data-processing agreement.
We implement technical and organizational security measures to protect your data, including encryption in transit (TLS) and at rest.
4.1 Integrations with AI Assistants (MCP Connectors)
Sutram provides a Model Context Protocol (MCP) server that lets you grant external AI assistants access to Sutram projects you own or to which you have authorized access.
When you authorize an AI integration:
- The connection is authorized through the OAuth connectors screen.
- The AI provider receives a short-lived access token (1 hour) and a refresh token. The tokens operate under your permissions: the assistant can only reach the projects and actions that your own account can reach.
- Tool calls (search, read, edit, comment, etc.) are executed in real time on the AI provider's infrastructure. Data returned by Sutram's tools (file metadata, explicitly requested document content, comments) passes through the AI provider as part of the model's context.
- Sutram does not store the conversation between you and the AI assistant. We persist only the resulting changes you authorize (for example, a comment you ask the assistant to create).
- You may revoke access at any time in your Sutram account settings. Revocation immediately invalidates that connection's access and refresh tokens.
The AI provider's own privacy policy applies to how it processes your queries and the tool results it receives. Consult the privacy policy of the assistant provider you connect.
The connected assistant may be from any provider compatible with the MCP protocol — including open-source models running on infrastructure under your own control. In that case, your project content passes only between Sutram and the environment you administer, without going through third-party AI providers.
4.2 Platform AI Features
The platform uses third-party artificial-intelligence models in a single feature: text-improvement and correction suggestions in the markdown document editor, triggered by you during editing.
When you use this feature:
- Only the text of the document being edited is sent to the model provider for real-time processing. The provider may retain this data temporarily (for up to 30 days, for security and abuse-monitoring purposes), deleting it thereafter, in accordance with its terms of service for API data.
- Your content is not used to train AI models — neither by us nor, under the terms that govern our use, by the model provider we use.
- Suggestions are incorporated into the document only if you accept them.
All other AI features in Sutram — such as building knowledge graphs, ontologies, and wiki pages by agents — operate through AI assistants that you connect and control (§4.1), not through platform-initiated processing.
5. Cookies
We use the following cookies:
- sutram_locale: stores your language preference
- sutram_cookie_consent: records your cookie consent
- _sutram_key: session cookie for authentication
6. Data Sharing
We do not sell your personal data. We may share data with:
- Infrastructure providers: AWS, Fly.io (for hosting the service)
- Email providers: for sending notifications
- Payment processors: Stripe and Paddle (when you subscribe to a paid plan; only data relevant to billing is shared, never project content)
- AI model provider (text editor): for the text-improvement suggestions in the markdown editor (§4.2), we share with the model provider only the text of the document being edited, under contracts that prohibit use for training
- AI assistants you authorize: when you connect an external assistant via OAuth (see §4.1), Sutram shares the data necessary to fulfill the tool's requests with the assistant, within the scope granted. You control the project scope and may revoke at any time
- Legal authorities: when required by law
7. Legal Bases and Your Rights (LGPD and GDPR)
We process personal data on the following legal bases (Art. 7 of the LGPD; Art. 6 of the GDPR):
- Performance of a contract: account and project data, necessary to provide the service you contracted.
- Legitimate interest: usage data and access logs, for security, fraud prevention, and service improvement.
- Consent: optional communications and integrations you expressly authorize (§4.1).
- Compliance with a legal obligation: retention of records required by law (for example, the Brazilian Internet Civil Framework — Marco Civil da Internet) and tax data.
Under Brazil's General Data Protection Law (Lei nº 13.709/2018 — LGPD) and the General Data Protection Regulation (GDPR), you have the right to:
- Confirm the existence of processing and access your personal data
- Rectify inaccurate or incomplete data
- Request the anonymization, blocking, or elimination of unnecessary or excessive data
- Request the deletion of your data ("right to be forgotten")
- Restrict or object to processing
- Data portability
- Obtain information about sharing with third parties
- Withdraw consent at any time
To exercise these rights, contact our Data Protection Officer (§7.1). You also have the right to lodge a complaint with the National Data Protection Authority (ANPD) and, if you are in the European Union, with your country's supervisory authority.
7.1 Data Protection Officer (DPO)
Under Art. 41 of the LGPD, the officer responsible for personal-data processing at Sutram Desenvolvimento de Software Ltda. is:
- Sergio Vieira Greve
- Contact: privacy@sutram.io
8. International Data Transfers
For the Basic to Max plans, your data is stored in the United States (§4). This international transfer is carried out on the basis of Art. 33 of the LGPD, through contractual clauses entered into with our infrastructure providers that ensure a level of protection compatible with Brazilian law, complemented by the technical safeguards described in §4.
For data subjects in the European Economic Area, international transfers rely on the Chapter V mechanisms of the GDPR maintained by our infrastructure providers, with European standard contractual clauses and applicable certifications.
For Enterprise customers with data residency in Brazil, there is no international transfer of project content; ancillary operational data (for example, billing) may continue to be processed abroad in accordance with this policy.
9. Data Retention
- Active account: data kept for as long as the account exists
- After deletion: data removed within 30 days
- Backups: kept for up to 90 days for recovery
10. Changes to This Policy
We may update our Privacy Policy from time to time. We will notify you of material changes by email or by a notice within the service.
11. Language and Prevalence
This policy is made available in several languages for convenience. In the event of any discrepancy between versions, the Portuguese version prevails and constitutes the legally binding document.
12. Contact
For questions about this policy or your personal data:
- Company: Sutram Desenvolvimento de Software Ltda.
- Email: privacy@sutram.io