Is Sana safe with your data?

Sana

Sana Labs AB

79/100

Good disclosure · high confidence

Sana earns a B (79/100) because it discloses most of its data practices.

#11

of 102 apps ranked

score · Enterprise copilot avg 59

+20

vs category average

Grade scaleA · 85–100B · 70–84C · 55–69D · 40–54F · 0–39

Sana's privacy notice is a GDPR-grade document. It states twice that Sana and its third-party service providers do not use personal data to train artificial intelligence or machine learning models, and it commits that Sana will not sell personal data. Three areas are weak. Core service retention is described only as account lifetime or as long as necessary. Output IP ownership is not addressed, because no terms were captured. Security controls are described generically, with no named TLS or AES-256.

What Sana's privacy policy says about your data

No model training

The notice states twice that Sana and any of its third-party service providers do not use your personal data to train artificial intelligence or machine learning models, with Civic Tier and Company Subscriber content excluded from any content review.

Does not sell data

Sana commits that it will not sell your personal data, and confirms under the CCPA that it does not sell or share personal information as those terms are defined under the CCPA and CPRA.

Full data-subject rights

Access, rectification, erasure, restriction, objection, consent withdrawal, and a structured machine-readable portability right are each spelled out, with a one-month response deadline.

Named transfer safeguard

Processing happens within the EU and EEA. Transfers to third countries rely on adequacy, the European Commission's standard contractual clauses, explicit consent, or article 49 GDPR derogations.

What the policy is silent or vague on

Only partial: a way to opt out of training
Only partial: your ownership of generated outputs
Only partial: a retention period for your data
Only partial: a deletion timeline after closure or request

Sana privacy rating

Training-data use2 of 4 disclosed

Keeps user inputs out of model training, or makes training opt-inDisclosed

Names a way to opt out of or into trainingPartial

Says whether training use differs by plan or tierDisclosed

Lets the user keep ownership of generated outputsPartial

Data-subject rights5 of 5 disclosed

Grants a right to access your dataDisclosed

Grants a right to delete your dataDisclosed

Offers data portability in a usable formatDisclosed

Grants a right to correct your dataDisclosed

Grants a way to object to or opt out of processingDisclosed

Retention and deletion1 of 4 disclosed

States a retention period for your dataPartial

States a deletion timeline after closure or requestPartial

Sets a shorter retention for AI conversation logsPartial

Commits to collecting only the data it needsDisclosed

Third-party sharing4 of 5 disclosed

Lists the categories of third parties it shares withDisclosed

References a sub-processor list or data processing agreementDisclosed

Does not sell or share data for advertising, or offers opt-outDisclosed

Names a safeguard for international data transfersDisclosed

States a standard for government and law-enforcement accessPartial

Transparency4 of 4 disclosed

Discloses that you are interacting with AIDisclosed

Marks AI-generated or synthetic outputNot applicable

Enumerates the categories of data it collectsDisclosed

Maps processing purposes to legal basesDisclosed

Is versioned and dated, with change noticeDisclosed

Sensitive data and children2 of 3 disclosed

Discloses automated decisions and a human-review pathDisclosed

Limits the use of special-category dataPartial

Governs biometric data specificallyNot applicable

States protections for children's dataDisclosed

Security and accountability0 of 3 disclosed

Describes its security safeguardsPartial

Commits to breach notificationPartial

Names a certification or a privacy contactPartial

DisclosedPartialSilentAdverseNot applicable

Details

Category: Enterprise copilot
Modalities: text
Processes biometrics: No
Policy last updated: 2026-04-22
Region scored: Global / US-default
Assessed: 2026-06-20

Read Sana's privacy policy

Other enterprise copilot apps

Each grade reflects our analysis of what an app states in its public privacy policy and terms as of the assessment date. It measures the transparency of those documents, not the company's actual data practices, security, or compliance. Grades are our opinion, offered for general information. Full disclaimer.