Legal · WebSage

Privacy Policy

Last updated: April 20, 2026

1. About this policy

This Privacy Policy explains how WebSage (“WebSage”, “we”, “our”, “us”) collects, uses, stores, shares, and protects information you provide when you use our AI-powered customer support platform at https://websage.app.

WebSage is a customer support product for small and medium businesses. It provides an AI chat agent, a shared team inbox, and optional connectors to Google services (Gmail, Google Sheets, Google Calendar) so the AI can reference your own data when answering customer questions.

2. Information we collect

Account and business information:

  • Your name, email address, and hashed password (via bcrypt) when you sign up.
  • Your business name, branding settings, and team members you invite.
  • Billing information processed via our payment provider.

Knowledge base content:

  • Documents (PDF, DOCX, text) you upload.
  • URLs you provide for us to crawl.
  • FAQ entries you create.

Conversation data:

  • Messages exchanged between your customers and the AI or your support agents.
  • Customer identifiers (session IDs, optional name/email) captured by the chat widget.

Usage data:

  • Log data (IP address, user-agent, timestamps) for security and debugging.
  • Product-usage analytics (which features are used, anonymized).

3. Google user data we access

If you choose to connect a Google service, WebSage accesses only the scopes you explicitly authorize during the OAuth consent flow. We store a minimal set of fields, encrypted at rest, for the sole purpose of providing the connector feature you enabled.

Gmail (if connected):

  • Scopes requested: gmail.readonly, gmail.send, userinfo.email.
  • What we access: email metadata (subject, sender, recipient, timestamp) and email body content — only when the AI receives a customer question that requires referencing your inbox.
  • What we store: encrypted OAuth access and refresh tokens, your connected Google account email address. We do not persistently store email message content.

Google Sheets (if connected):

  • Scopes requested: spreadsheets.readonly, spreadsheets.
  • What we access: spreadsheet contents of the sheets you authorize, for AI reference and agent-requested operations.
  • What we store: encrypted OAuth tokens only. We do not persistently store spreadsheet content.

Google Calendar (if connected):

  • Scopes requested: calendar.readonly, calendar.events.
  • What we access: calendar events for the calendars you authorize.
  • What we store: encrypted OAuth tokens only.

4. How we use Google user data

Google user data is used exclusively to provide and improve the user-facing features of WebSage that you explicitly enabled by connecting a Google service. Specifically:

  • To fetch information (emails, sheet rows, calendar events) when the AI agent or a human agent needs it to answer a customer question.
  • To send emails or write to sheets on your behalf only when you or the AI (with your configuration) invokes that action.
  • To refresh expired OAuth tokens so the connector continues working.

WebSage's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

5. How we share Google user data

We do not sell Google user data to third parties. Ever.

We do not share Google user data with, or transfer it to, any third party except:

  • To our AI model provider (OpenAI, Anthropic, or equivalent) — only the minimum message content required to generate a response — under contracts that prohibit using the data to train their models.
  • To our cloud infrastructure providers (Railway, Cloudflare, Neon, Upstash, Qdrant) solely for hosting, storage, and operation of the service, under standard data processing agreements.
  • When required by law, valid subpoena, or to protect safety.

We do not use Google user data for advertising, profiling, or any purpose other than providing and improving user-facing features of WebSage.

6. Data protection

  • In transit: all data is transmitted over HTTPS / TLS 1.2+.
  • At rest: OAuth access tokens, OAuth refresh tokens, API keys, and connector credentials are encrypted with AES-256-GCM using a key stored outside the database.
  • Authentication: passwords are hashed with bcrypt (cost 10+).
  • Access control: every request to Google APIs is scoped to the business account that authorized it. Multi-tenant isolation is enforced at the database and vector store level.
  • Audit: access logs retained for 30 days.

7. Data retention and deletion

  • Google OAuth tokens are retained until you disconnect the connector in Settings → Connectors, at which point they are deleted immediately.
  • When you delete a knowledge base item, its content and vector embeddings are removed within 24 hours.
  • If you delete your WebSage account, all account, business, conversation, knowledge base, and connector data is deleted within 30 days.
  • To request immediate deletion, email privacy@websage.app.

8. Your rights

Under GDPR and equivalent laws, you have the right to access, correct, export, or delete your personal data. You can also revoke any Google connector at any time by clicking Disconnect in the WebSage dashboard, or by visiting https://myaccount.google.com/permissions and revoking access to WebSage. To exercise any data-subject right, email privacy@websage.app.

9. Cookies and analytics

WebSage uses strictly necessary cookies for authentication and session management. We use privacy-respecting analytics to measure product usage; these do not share personally identifiable information with third parties.

10. Changes to this policy

If we materially change how we use Google user data, we will update this page and notify signed-in users by email or in-product banner before the change takes effect. The “Last updated” date at the top reflects the most recent change.

11. Contact

WebSage — attention: Privacy Officer.
Email: privacy@websage.app