Privacy Policy

This is the Privacy Policy of Sanity AS and Sanity US Inc. ("Sanity"). For Sanity, the protection and confidentiality of your data is of the utmost importance.

Sanity collects and uses your Personal Data strictly within the legal limits of the data protection law of the Kingdom of Norway, the EU General Data Protection Regulation no. 2016/679 and UK GDPR (collectively, the "GDPR") as incorporated in Norwegian law, in addition to applicable data protection laws in the United States. Terms that we use in this document like "personal data", "processing", "data controller" and "data processor" shall have the meaning as defined therein.

This Privacy Policy describes the processing of Personal Data that is provided, collected, or disclosed while providing our services to you (“Sanity Services”) and on the websites, applications, and online platforms that link to this Privacy Policy (collectively, “Site”), including when you apply for a job with us.

We may modify this Privacy Policy at any time. All changes will be effective immediately upon posting to our Site. Material changes will be conspicuously posted on our Site or otherwise communicated to you. The latest version of the Privacy Policy is always accessible at www.sanity.io/legal/privacy.

1. Personal Data We Collect

1.1 Log in information and data you provide as a Sanity customer

In order to use certain Sanity Services, you may be required to register an account. You may register using third-party identity providers, such as Google and Github. If you choose to do so, these identity providers will provide Sanity with your name, email address and profile picture (if available). Sanity will not, however, have access to your password with the identity providers. Please refer to the privacy policies of such third-party identity providers to understand how they collect and process your Personal Data.

If you sign up with Sanity directly, we will require you to provide your name, email address and a password, and you may also provide us with other information upon login, such as your profile picture. This data is required to create and administer a user account for you and to enable you to use the Sanity Services.

For enterprise customers, Sanity allows signup and login via third-party enterprise authentication services, if previously agreed upon and formalized in terms with said enterprise. Please refer to the privacy policies of such enterprises to understand how they collect and process your Personal Data.

If you decide to use Sanity Services that are subject to a charge, you are required to provide the name, address, email address, and phone number of your organization or yourself for payment reasons. This information is also processed by our third-party payment processor. Credit card information is never available to Sanity but is only transmitted to and stored with our third-party payment processor.

You may choose to download our published whitepapers or sign up for our newsletter and service status updates provided via email. We will store your name and email address, and use this information to send you marketing communications. We will also disclose this information to third- party vendors to deliver these services on our behalf. You may choose to unsubscribe from these email communications at any time. We will also very occasionally send important service updates to all registered users via email, using the same third-party vendors.

1.2 Information within content owned by our users

Users can upload a variety of content, such as texts, images, videos and music files to and via the Sanity Services, defined as "Subscriber Data" in our Terms of Service. Typical content uploaded to Sanity might be news articles or a shop's production information. This data may occasionally, but not usually, contain data that may qualify as Personal Data. In this context, Sanity is only a processor of data on behalf of the user and not the data controller. Sanity will only process and store this data within the framework of the provision of the Sanity Services, in the scope described in the Terms of Service and our Agreement with you or the entity with which you are connected to.

1.3 Data collected through the use of APIs and SDKs

Sanity allows customers to integrate their uploaded content into their internal systems and/or third-party systems delivered by other parties through an Application Programming Interface (API). Sanity by design does not determine what systems it may be configured to interoperate with but typical examples of classes of such systems are content delivery (e.g. HTML rendering systems, native mobile applications, digital signage systems) and content optimisation (e.g. e-commerce personalization services, A/B/N-testing or similar) systems.

The SDKs can, however, be configured by the user/customer of the Sanity Services to send the identity (user ID) of logged-in users to our APIs in order to facilitate, for example, access control. This would be a user-based decision/parameter defined by the user/customer and therefore out of our control.

Sanity logs the originating IP address of an end user to avoid fraudulent use (e.g., denial of service attack).

1.4 Information gathered through automatic data collection

When you access the Sanity Services or Site via a browser, the Command Line Interface (CLI), or other means, certain data is automatically transmitted for technical reasons. The following data is logged and stored separately from any other data you may transmit to us for a limited time: IP address, date and time of access, browser type and version, operating system, URL of the website visited prior to ours, amount of data transmitted, performance numbers such as latencies and caching, and any data regarding how you use and interact with the Sanity Services or Site and their features. This data is collected for Sanity’s legitimate business purposes, including for testing, development, operation of the Sanity Services, security, and troubleshooting.

Logged-in users will also transmit authentication information through cookies or headers to allow our systems to authenticate and authorize the request and make decisions based on the logged-in user. This information is never stored together with the access logs mentioned above, but other information that is explicitly provided by the user to perform operations may, however, be logged and associated with the user to provide audit logs and similar records.

When visiting our Site we collect aggregate statistics about your actions on our Site and store these with a third-party processor for analytics and statistics to improve the Site and Sanity Services. The collected data does not include any personal information, and it is not possible for us to trace this back to any individual.

If the user should encounter any errors while using the Sanity Services or Site, we will temporarily log information relevant to the error, including the information listed above, with a third-party processor in order to notify us of the error and aid with debugging.

1.5 Employment Information

If you apply for employment with us, we will collect Personal Data related to your potential employment, including your education and employment history, address and contact information, demographic information, and any other information included in your resume or application.

1.6 Cookies

We and our service providers may use cookies and similar
technologies to collect usage and browser information about how you use the Sanity Services and Site. The technologies we use for this automatic data collection may include cookies and web beacons that permit us to verify system and server integrity and generate statistics around the popularity of certain content. We process the information collected through such technologies, which may include or be combined with Personal Data, to help operate certain features of our Site or Sanity Services, to enhance your experience through personalization, and to help us better understand the features of our Site or Sanity Services that you and other users are most interested in.

Content Delivery – We partner with service providers to host our Site and deliver specific content. For example, we partner with companies like YouTube to deliver specific content delivery like audio and video. For more information about how YouTube collects and uses your data, visit Google’s Privacy Policy.

Website Analytics – Sanity uses analytics services

Sanity uses analytics services that use cookies and other technologies to
assist us with analyzing our Site traffic and usage to optimize, maintain, and secure our Site, as well as inform subsequent business decisions. These include, but are not limited to, Google Analytics.To learn more about how Google uses data, visit Google’s Privacy Policy and Google’s page on “How Google uses data when you use our partners’ sites or apps.” You may download the Google Analytics Opt-out Browser Add-on for each web browser you use, but this does not prevent the use of other analytics tools. To learn more about Google Analytics cookies, visit Google Analytics Cookie Usage on Websites.

We use Meta, LinkedIn, and X (formerly known as Twitter) pixels to track user activity on our Site and improve downstream offerings, including interest-based advertising for our services and those of our partners and service providers.

Interest-Based Advertising – We may also allow or enable third parties to collect Personal Data through cookies to provide their interest-based advertising on behalf of our products and services, or their own. Interest-based advertising occurs when advertisements are shown to you based on information collected from your online interactions over time and across multiple websites, devices, or online services that you visit or use. Some companies may engage in cross-context behavioral advertising to predict your preferences and show you advertisements that are most likely to be of interest or relevant to you. We do not control these third parties' collection or use of your information for these purposes, or the opt-out options they may individually offer you via their terms, conditions, and privacy policies. If you have any questions about an advertisement or other targeted content, you should contact the responsible provider directly. Examples of the third-party service providers we engage to serve interest-based advertisements include Google Ads (including Google Dynamic Remarketing and DoubleClick), Meta Ads (including Meta Pixels and Facebook advertising services), LinkedIn marketing solutions (including LinkedIn Ads and Analytics),and X (formerly known as Twitter) advertising and conversion tracking., Microsoft advertising. It is in this context that we may provide advertising networks, data analytics providers, social networks, and video sharing platforms with Personal Data such as your IP address, device information, Internet and other electronic network activity information, and geolocation information in the last twelve months.

Selling Personal Data – While we do not sell Personal Data in exchange for monetary consideration, we do disclose Personal Data for other benefits that could be deemed a “sale” under various data protection laws because it is sometimes broadly defined to include activities such as the delivery of interest-based advertising on websites or allowing third parties to receive certain information, such as cookies, IP address, and/or browsing behavior.

Manage Your Cookie Settings

To manage your preferences with respect to these technologies, you can:

• Click on the “Cookie preferences” link at the bottom of any page, or customize your browser settings to refuse all or some browser cookies, or to alert you when websites set or access cookies.
• Block the collection and use of your information by online platforms and ad tech companies for the purpose of serving interest-based advertising by visiting the opt out pages of the self-regulatory programs of which those companies are members: National Advertising Initiative and Digital Advertising Alliance (or the European Interactive Digital Advertising Alliance, if you are located in the European Economic Area). Please note that even if you opt out of interest-based advertising, you may still see “contextual” ads which are based on the context of what you are looking at on the websites and pages you visit.
• Review and execute any provider-specific instructions to customize your preferences or opt-out of certain processing, including interest-based advertising, by third-party service providers. For example, to opt-out of this type of advertising by Google, customize your ad preferences, or limit Google’s collection or use of your data, visit Google’s Safety Center and Google’s Ad Settings and follow Google’s personalized ad opt-out instructions. Meta also offers an Ad Preferences center to customize your settings, as well as a Privacy Policy with additional information on how you can exercise your rights.

If you limit the ability of the Site and Sanity Services to set cookies, you may restrict your overall user experience and/or lose the ability to access the services, since it will no longer be personalized to you. It may also stop you from saving customized settings, such as login information.

E-mail Marketing

If you provide your email address to us, we may send you emails, including marketing emails. If you are located within the European Economic Area, we will only send you marketing emails if you have expressly opted in, for example, when you create an account and subscribe to our newsletter. If you are not located within the European Economic Area, we may send you marketing emails unless and until you have opted out. You can opt out of receiving marketing emails at any time by clicking the "Unsubscribe" link in each email.

1.7 Further information

If you decide to use Sanity Services that are subject to a charge, Sanity may offer you the possibility to enter further information and/or flag issues using the customer account management tool on your profile page. The information requested by Sanity will then depend on your request and will be specified in the input mask. In addition, free-text fields allow you to enter more information. Sanity will use the information you enter to process your request.

Sanity also offers a free newsletter service. In its newsletter, Sanity informs subscribers about changes to the Sanity Services. You may opt out of the newsletter at any time. Each newsletter contains a link to opt out of receiving any future newsletters.

1.8 Links to Third-Party Websites

We are not responsible for the practices employed by any websites or services linked to or from the Sanity Services, including the information or content contained within them. We encourage you to investigate and ask questions before disclosing Personal Data to third parties, since any Personal Data disclosed will be handled in accordance with the applicable third party’s privacy policy.

In some cases, we may offer links to social media platforms (like Facebook, Instagram, Pinterest, X (formerly known as Twitter), Discord, Bluesky, and YouTube) that enable you to easily connect with us or share information on social media. Any content you post via these social media pages is subject to the Terms of Use and Privacy Policies for those platforms.

We may also integrate with other websites to provide enhanced services, technological capabilities, or resources for you. These plug-in services and capabilities are governed by the terms, conditions, and policies of the underlying companies. We may give you the option to login to the Sanity Services via third-party services like Google and Github. If you choose to leverage this option to link your accounts, we will receive information associated with your account (such as your name and profile information) from that third-party service. This information varies and is controlled by that service or as authorized by you via your privacy settings at that service. We recommend reviewing the service’s privacy policy beforehand and managing your privacy settings on an ongoing basis.

2. General Aspects of Data Processing and Privacy

2.1 Purposes for which we collect and use personal data

Sanity processes your Personal Data as described in this Privacy Policy for the following purposes:

• To provide the Site and Sanity Services
• To handle inquiries and requests
• To create and administer records about an account that you register with us
• To provide access to resources and information that you have requested from us
• To provide you with technical support based on your individual needs
• To improve the Site and Sanity Services, like the navigation and content ofour Site
• For system administration and security
• To process transactions
• To fulfil our legal obligations regarding financial transactions
• For general business purposes, including improving customer service
• To help us improve the content and functionality of the Site and Sanity Services
• To deidentify you before posting your feedback about the Sanity Services on our Site
• To better understand our users and protect against wrongdoing
• To enforce our Terms of Service, and to generally manage our business
• For recruitment purposes, if you apply for a job at Sanity

We also analyze Personal Data of our existing customers to find new potential customers who share similar characteristics in order to improve our lead generation efforts and reach individuals and companies who are likely to be interested in our Services.

2.2. Third Parties/Service Providers We Share Personal Data With

We may disclose all categories of Personal Data listed above to the following categories of third parties:

Employees and Other Personnel. We may disclose Personal Data to our employees and personnel (such as contractors) who have a need to know the information for our business purposes.

Affiliates. We may disclose Personal Data with our affiliated entities for business and marketing purposes.

Service Providers. We may disclose Personal Data to service providers that use to support our business, including but not limited to, data analytics providers, website hosting providers, and other technology providers. If you are
applying for a job with us, this may include service providers such as background check providers and human resource providers.

Business Partners. We may disclose Personal Data with trusted business partners. For example, we may disclose your Personal Data with a company whose products or services we think may be of interest to you or who we co-sponsor a promotion or service with.

Ad Tech Companies and Other Providers. We may share or make available limited Personal Data (such as a mobile device identifiers) with ad tech companies and other online service providers. When we share your Personal Data in this context, we follow applicable legal requirements, which may require that we provide opt-out rights or other individual rights.

Legal Obligation or Safety Reasons. We may disclose Personal Data to a third-party: if we have a good faith belief that such disclosure of Personal Data is reasonably necessary to (a) satisfy or comply with any requirement of law, regulation, legal process, or enforceable governmental request, (b) enforce or investigate a potential violation of any agreement you have with us, (c) detect, prevent, or otherwise respond to fraud, security or technical concerns, (d) support auditing and compliance functions, or (e) protect the rights, property, or safety of Sanity, its employees and customers, or the public against harm.

Professional Advisors. We may disclose Personal Data to our professional advisors, such as our attorneys, accountants, financial advisors and business advisors, in their capacity as advisors to Sanity.

Merger or Change of Control. We may disclose Personal Data to third parties as necessary if we are involved in a merger, acquisition, or any other transaction involving a change of control in our business, including but not limited to, a bankruptcy or similar proceeding. Where legally required, we will give you notice prior to such disclosure.

Other. We may disclose Personal Data to third parties and/or service providers when explicitly requested by or consented to by you, or for the purposes for which you disclosed the Personal Data to us as indicated at the time and point of the disclosure (or as was obvious at the time and point of disclosure).

2.3 Deletion of your data

Your data will be deleted from our systems and third-party processors once it is no longer required for the aforementioned purposes. We delete or anonymize logs within 90 days of collection. If you delete your user account, your Personal Data will be removed from our systems without unreasonable delay, and at the latest within 90 days, unless applicable legislation or legal process prevents us from doing so. To the extent that Sanity is legally obliged to archive data, such data will be blocked and will not be available for productive use.

Customer-controlled data may be deleted via our API. We retain a complete history of all changes to a dataset, including deleted documents, with a maximum retention period given by the project's plan. Custom retention periods can be configured for the entire dataset or by document type for customers with our custom history retention feature. Customers can also permanently delete a document and all history via a purge mutation through our API. Note that user-specified document IDs will be retained in our systems indefinitely (until the entire dataset is deleted), for technical reasons - we strongly recommend that document IDs never contain personal or sensitive data. Deleted assets may remain available in public CDN caches until the configured expiry time.

Data may in certain cases remain in the systems of our subprocessor Google Cloud Platform for as long as 180 days, as outlined in their terms of service, although it will generally be removed much sooner. This data is not available to us.

2.4 International Use and Cross-Border Data Transfers

If you are visiting our Site from outside of the United States, please note that our Site is hosted in the United States. Where permitted by applicable law, we may transfer the Personal Data we collect about you to the United States and other jurisdictions that may not be deemed to provide the same level of data protection as your home country, as necessary for the purposes set out in this Privacy Policy.

For individuals in the European Union, European Economic Area, Switzerland, and United Kingdom: Sanity will only transfer Personal Data to third parties located outside of these regions when it has ensured appropriate safeguards for such Personal Data through use of the standard contractual clauses or other lawful and approved methods.

2.5 California Residents

This section provides additional information regarding Sanity’s practices pursuant to the California Consumer Privacy Act of 2018 and its implementing regulations, as amended by the California Privacy Rights Act (“CCPA”), where “Personal Information” has the definition set forth in the CCPA.

Please see the below chart for detailed information about the categories of Personal Information we have collected from California residents during the twelve months preceding the date on which this Privacy Policy was last updated and the categories of third parties to whom we Sell or Share Personal Information (as those terms are defined in the CCPA). For each category of Personal Information set forth in the chart below, the categories of third parties to whom we disclose it for a business or commercial purpose are set forth in the “Third Parties We Disclose Personal Data To” section above.

Shine the Light. Pursuant to California Civil Code Section 1798.83, if you are a California resident, you have the right to obtain: (a) a list of all third parties to whom we may have disclosed your personal information the past year for direct marketing purposes, and (b) a description of the categories of personal information disclosed, by contacting us at privacy@sanity.io.

2.6 Individuals located in the EU, EEA and UK

Legal Bases for Processing Personal Data

If you are an individual located in the European Union (EU), European Economic Area (EEA) or United Kingdom (UK), where Sanity acts as a data controller, we collect and process Personal Data about you where we have a legal basis for doing so under the General Data Protection Regulation (GDPR) and UK GDPR, where “Personal Data” has the definition set forth in the GDPR and UK GDPR. This means we collect and process your Personal Data only when:

• it is necessary for a legitimate interest (which is not overridden by your individual privacy interests),
• you have consented to this collection and processing for a specific purpose;
• it is necessary to fulfil our contractual obligations; or
• it is necessary to comply with a legal obligation.

Where we rely on your consent to process your Personal Data, you have the right to withdraw or decline consent at any time.

Where we rely on our legitimate interests to process your Personal Data, you may have the right to object. More information on exercising this right can be found in Section 2.8 below (“How to Exercise your Privacy Rights”).

Special Category Data

Sanity only collects Special Category Data where we have a lawful basis for doing so that is permitted under Article 9 of the GDPR, specifically within the employment context. If you apply for a job with us, we may collect data that reveals your racial or ethnic origin, trade union membership, sexual orientation, or health to fulfill our obligations, exercise our rights, and otherwise administer our employment relationship with you (including initial recruitment and hiring, where applicable). For example, we may collect health information to make reasonable disability accommodations; immigration information to verify your right to work in a particular jurisdiction; and data points like your race, ethnicity, and sexual orientation to monitor equal opportunities. Please refrain from sending us any Special Category Data outside this employment context.

2.7 Your Privacy Rights

Subject to certain limitations such as exceptions permitted by applicable law and verification of your identity, you may exercise the following privacy rights:

• Access – The right to request access to and obtain a copy of any Personal Data we may have about you.
• Deletion – The right to delete your Personal Data that we have collected or obtained, subject to certain exceptions.
• Correction – The right to request that we correct any inaccuracies in your Personal Data, subject to certain exceptions.
• Opt Out of Certain Processing – The right to: (a) opt out of the processing of your Personal Information for purposes of targeted or cross-context behavioral advertising, (b) opt out of the sale of your Personal Information, and (c) limit the use of your sensitive Personal Information (if applicable). We do not collect or process sensitive Personal Information outside of purposes permitted by law (such as section 7027(m) under the California Consumer Privacy Act Regulations), so we do not offer the option to limit its
  use.
• Objection/Restriction of Processing – The right to object or restrict us from processing your Personal Data in certain circumstances.
• Withdraw Consent – The right to withdraw your consent where we are relying on your consent to process your Personal Data.
• Automated Decision-Making – The right to know when you are subject to automated decision-making, the Personal Data used to render the decision, the principal factors and parameters involved in the decision, and human review or correction of the decision (or its underlying data, where appropriate). You may also have the right, depending on your location, to consent or opt out of (a) this automated decision-making or (b) any profiling in furtherance of decisions that produce legal or similarly significant effects. We do not profile you or other individuals in a manner that would result in legal or similarly significant effects, or engage in automated decision-making, so we do not offer an opt out of such activity.
• Lodge a Complaint – The right to lodge a complaint with a supervisory authority or other regulatory agency if you believe we have violated any of the rights afforded to you under applicable data protection laws. We encourage you to first reach out to us so we have an opportunity to address your concerns directly before you do so.

2.8 How to Exercise Your Privacy Rights

To exercise your rights under applicable data protection law, please submit a request to us by contacting us at privacy@sanity.io. You may also exercise your opt out rights by broadcasting an Opt-Out Preference Signal, such as the Global Privacy Control (GPC). We hon r Opt-Out Preference Signals, including GPC. If you choose to use an Opt-Out Preference Signal, you will need to turn it on for each supported browser or browser extension you use.

You will not be discriminated against in any way by virtue of your exercise of the rights listed in this Privacy Policy. However, should you withdraw your consent or object to processing of your Personal Information, or if you choose not to provide certain Personal Data, we may be unable to provide some, or all, of our Services to you.

Only you, or an authorized agent that you authorize to act on your behalf, may make a request related to your Personal Data. We must verify your identity before fulfilling your requests, and if we cannot verify your identity, we may request additional information from you. If you are an authorized agent making a request on behalf of another person, we will also need to verify your identity, which may require proof of your written authorization or evidence of power of attorney. We endeavor to respond to requests within the time period required by applicable law. If we require more time, we will inform you of the reason and extension period in writing.

We do not charge a fee to process or respond to your requests unless they are excessive or repetitive. If we determine that a request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request. We may deny certain requests, or only fulfill some in part, as permitted or required by law. If you are not satisfied with the resolution of your request and you are afforded a right to appeal such decision, you will be notified of our appeal process in our response to your request.

2.9 Children’s Privacy

We do not knowingly collect or solicit any Personal Data from children, as defined under applicable law, without verified written parental consent, and we have no actual knowledge of selling such Personal Data of minors under 16 years of age. If we learn that we have collected Personal Data from a child, we will promptly take steps to delete that information. If you believe we might have any information from or about a child, please contact us at legal@sanity.io.

2.10 How We Protect Personal Data

We have implemented commercially reasonable measures designed to secure your Personal Data from accidental loss and from unauthorized access, use, alteration, and disclosure. Unfortunately, the transmission of information via the internet is not completely secure. Despite these efforts to store Personal Data in a secure environment, we cannot guarantee the security of Personal Data during its transmission or its storage on our systems.

3. Contact Information

For any questions or concerns, please contact us at legal@sanity.io or dpo@sanity.io.