August 28, 2024

Privacy Policy

This is the Privacy Policy of Sanity AS and Sanity US Inc. ("Sanity"). For Sanity, the protection and confidentiality of your data is of the utmost importance.

Sanity collects and uses your personal data strictly within the legal limits of the data protection law of the Kingdom of Norway, the EU General Data Protection Regulation no. 2016/679 and UK GDPR (collectively, the "GDPR") as incorporated in Norwegian law, in addition to applicable data protection laws in the United States, including but not limited to, the California Consumer Privacy Act (“CCPA”). Terms that we use in this document like "personal data", "processing", "data controller" and "data processor" shall have the meaning as defined therein.

We may modify this Privacy Policy at any time. All changes will be effective immediately upon posting to our website. Material changes will be conspicuously posted on our website or otherwise communicated to you. The latest version of the Privacy Policy is always accessible at www.sanity.io/legal/privacy.

1. Personal Data We collect

1.1 Log in information and data you provide as a customer of sanity.io

In order to use all services offered by Sanity, you are required to register. You may register using third party identity providers, such as Google and Github. If you choose to do so, the identity providers will provide Sanity with your name, email address and profile picture (if available). Sanity will not, however, have access to your password. If direct signup with Sanity is provided, we will require you to enter your name, email address and password, and you may also provide us with other information upon login, such as your profile picture. For both options, this data is required to create and administer a user account for you and to enable you to use the service. For enterprise customers, Sanity allows signup and login via third party enterprise authentication services, if previously agreed upon and formalized in terms with said enterprise.

If you decide to use services offered by Sanity that are subject to a charge, you are required to provide the name, address, email address, and phone number of your organization (or yours if not applicable) for payment reasons. This information is also processed by our payment processor. Credit card information is never available to Sanity, but is only transmitted to and stored with our payment processor.

To provide you with a better service, user and organization data may also be stored in third-party CRM systems or similar tools (such as hubspot.com and salesforce.com) for sales and marketing purposes.

You may choose to download our published whitepapers or sign up for our newsletter and service status updates provided via email. We will store your name and email address, and use this information to send you marketing communications. We will also share this information with third party vendors to deliver these services on our behalf. You may choose to unsubscribe from these email communications at any time. We will also very occasionally send important service updates to all registered users via email, using the same third-party vendors.

Sanity is the data controller for the personal data of our service users according to relevant data protection law.

1.2 Information within content owned by our users at sanity.io

Users can upload a variety of content, such as texts, images, videos and music files to and via the Sanity Services, defined as "Customer Data" in our General Terms and Conditions. Typical content uploaded to Sanity might be news articles or a shop's production information. This data may occasionally, but not usually, contain data that may be qualified as personal data. In this context, Sanity is only a processor of data on behalf of the user and not the data controller. Sanity will only process and store this data within the framework of the provision of the service, in the scope described in the General Terms and Conditions and our Agreement with you or the entity with which you are connected.

1.3 Data collected through the use of APIs and SDKs

Sanity allows customers to integrate their uploaded content into their internal systems and/or third-party systems delivered by other parties through an Application Programming Interface (API). Sanity by design does not determine what systems it may be configured to interoperate with but typical examples of classes of such systems are content delivery (e.g. HTML rendering systems, native mobile applications, digital signage systems) and content optimisation (e.g. e-commerce personalization services, A/B/N-testing or similar) systems.

The SDKs can, however, be configured by the user/client of our service to send the identity (user ID) of logged-in users to our APIs in order to facilitate, for example, access control. This would be a user-based decision/parameter defined by client and therefore out of our control.

Sanity logs the originating IP address of an end user to avoid fraudulent use (e.g., denial of service attack).

1.4 Information gathered through automatic data collection

When you access the Sanity Services via a browser, the Command Line Interface (CLI), or other means, certain data is automatically transmitted for technical reasons. The following data is logged and stored separately from any other data you may transmit to us for a limited time: IP address, date and time of access, browser type and version, operating system, URL of the website visited prior to ours, amount of data transmitted, performance numbers such as latencies and caching, and any data regarding how you use and interact with the Sanity Service and its features. This data is collected for Sanity’s legitimate business purposes, including for testing, development, operation of the Sanity Services, security, and troubleshooting.

Logged-in users will also transmit authentication information through cookies or headers to allow our systems to authenticate and authorize the request and make decisions based on the logged-in user. This information is never stored together with the access logs mentioned above, but other information that is explicitly provided by the user to perform operations may, however, be logged and associated with the user in order to provide audit logs and similar.

When visiting our website at sanity.io we collect aggregate statistics about your actions on our website and store these with a third-party processor for analytics and statistics to improve our website and service. The collected data does not include any personal information, and it is not possible for us to trace this back to any individual.

If the user should encounter any errors while using our services, we will temporarily log information relevant to the error, including the information listed above, with a third party processor in order to notify us of the error and aid with debugging.

California’s “Do-Not-Track” Requirement. We currently do not respond to “do not track” requests.

1.5 Cookies

Sanity uses cookies to provide you with a wide range of functionalities. Cookies are small text files sent by a website you visit to your computer or mobile device, which enables you to use the features and functionality of the website and services and to improve your experience. They are unique to your account or your browser. Cookies can be “session-based” or “persistent”. Session-based cookies last only while your browser is open and are automatically deleted when you close your browser and persistent cookies last until you or your browser delete them or until they expire. To find out more about cookies, visit www.allaboutcookies.org.

| Cookie Type | Description |
| --- | --- |
| Strictly Necessary | These cookies are necessary for the website and services to function and cannot be turned off. These cookies do not store any information that can personally identify you. |
| Performance | These cookies allow us to count visits and traffic sources so we can measure and improve the performance of our website and services. They help us to know which pages are the most and least popular and see how visitors move around. The information collected from these cookies is aggregated and anonymous. If you do not allow these cookies, we will not know when you have visited our website or services and will not be able to monitor their performance. |
| Functional | These cookies enable our website and services to provide enhanced functionality and personalization. They may be set by us or by third party providers whose services we have added to our pages. If you do not allow these cookies, some or all of the website or services may not function properly. |
| Targeting | These cookies may be set through our website or services by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant advertisements on other sites. They do not store any personal information that directly identifies you, but these cookies do uniquely identify your browser and device. If you do not allow these cookies, you will experience less targeted advertising. |

Sanity uses Google Analytics and Google Tag Manager, web analytics services provided by Google for aggregate statistics about our website usage. This also collects information for remarketing purposes. The information gathered is anonymous, and cannot be traced back to individuals. To learn more about how Google uses data, visit Google’s Privacy Policy and Google’s page on “How Google uses data when you use our partners’ sites or apps.” You may download the Google Analytics Opt-out Browser Add-on for each web browser you use, but this does not prevent the use of other analytics tools. To learn more about Google Analytics cookies, visit Google Analytics Cookie Usage on Websites.

When users visit Sanity.io they may choose to opt-in to seeing advertising about Sanity elsewhere on the internet. Sanity uses Google Marketing Services to allow more targeted ads for our website on sites using Google Display Network and Google Search Ads. The user data is processed pseudonymously by Google Marketing Services.

Manage Your Cookie Settings

Browser manufacturers provide help pages relating to cookie management in their products. Please see the links below for more information about how to manage your cookie settings:

For other browsers, please consult the documentation that your browser manufacturer provides. You can opt out of interest-based targeting provided by participating ad servers through the Digital Advertising Alliance (https://optout.aboutads.info/). In addition, on your device, you can change your device settings to control whether you see online interest-based ads.

If you limit the ability of websites and applications to set cookies, you may restrict your overall user experience and/or lose the ability to access the services, since it will no longer be personalized to you. It may also stop you from saving customized settings, such as login information.

E-mail Marketing

If you provide your email address to us, you understand that we may send you emails, including marketing emails. If you are located within the European Economic Area, we will only send you marketing emails if you have expressly opted in, for example, when you create an account and subscribe to our newsletter. If you are not located within the European Economic Area, we may send you marketing emails unless and until you have opted out. You can opt out of receiving marketing emails at any time by clicking the "Unsubscribe" link in each email or by contacting us at legal@sanity.io.

1.6 Further information

If you decide to use services offered by Sanity that are subject to a charge, Sanity may offer you the possibility to enter further information and/or flag issues using the customer account management tool on your profile page. The information requested by Sanity will then depend on your request and will be specified in the input mask. In addition, free-text fields allow you to enter more information. Sanity will use the information you enter to process your request.

Sanity also offers a free newsletter service. In its newsletter, Sanity informs subscribers about changes to the Sanity Services. You may opt out of the newsletter at any time. Each newsletter contains a link to opt out of receiving any future newsletters.

2. General Aspects of Data Processing and Privacy

2.1 Purposes for which we collect personal data

Sanity processes your personal data as described in this Privacy Policy for the following purposes:

  • To provide services and information to our Customers
  • To handle inquiries and requests from our Customers
  • To create and administer records about an account that you register with us
  • To give our Customers information and updates about their orders
  • To provide access to resources and information that you have requested from us
  • To provide you with technical support based on your individual needs
  • To improve our website, like the navigation and content of our sites
  • For website and system administration and security
  • To process transactions from our Customers
  • To fulfil our legal obligations regarding financial transactions
  • For general business purposes, including improving customer service
  • To help us improve the content and functionality of the Sanity Services
  • To deidentify you before posting your feedback about the Sanity Services on our website
  • To better understand our users and protect against wrongdoing
  • To enforce our Terms of Service, and to generally manage our business
  • For recruitment purposes, if you apply for a job at Sanity

2.2 Third Parties/Service Providers We Share Personal Data With

We may share all categories of personal data listed above with the following categories of third parties and/or service providers:

Employees and Affiliates. We may share personal data with our employees and affiliates who have a need to know the information for our business purposes.

Third Parties and/or Service Providers. We may share personal data with third parties and/or service providers that provide services for us as set forth below.

Government Officials / Law Enforcement. We will cooperate with law enforcement and other governmental agencies, and may disclose personal data: (i) if we believe in good faith we are legally required to disclose that personal data, (ii) if we are advised to disclose personal data by our legal counsel, or (iii) when necessary to identify, contact or bring a legal action against someone who may cause or be causing harm to, or interfering with the legal rights of, Sanity or any other party.

Professional Advisors. We may share personal data with our professional advisors, such as our attorneys, accountants, financial advisors and business advisors, in their capacity as advisors to Sanity.

Change in Ownership. In the event (a) Sanity is subject to a change of control, (b) our services change ownership, in whole or in part, or (c) of a bankruptcy, receivership or a similar transaction, we may provide personal data to the subsequent owner(s), including as part of any due diligence process.

Other. We may share personal data with third parties and/or service providers when explicitly requested by or consented to by you, or for the purposes for which you disclosed the personal data to us as indicated at the time and point of the disclosure (or as was obvious at the time and point of disclosure).

2.3 Third party access to your data

Sanity employs third-party processors under contract as part of providing our services to you, who may process your personal data in cases where we are the data controller. In these cases, we only share the necessary information to enable them to carry out their tasks. Such external service providers are carefully selected in order to ensure your privacy and to fulfil our obligations under the GDPR, CCPA, and other applicable data protection laws. Service providers may only use the data for the purposes under the agreement entered into between Sanity and the service provider. More information about our specific third-party processors is included at https://www.sanity.io/third-party-sub-processors. Adequate safeguards for transfers to our subprocessors are in place, including data processing agreements compatible with EU standard clauses accepted by the European Commission.

Sanity will notify customers before changing subprocessors that have access to customer-controlled data, and allow the customer to cancel their contract before the switch if they object.

Personal data may be shared with law enforcement agencies, public bodies and third-party victims' claims based upon court orders or other binding orders from public bodies. Any such transfers of data will be made in accordance with applicable laws and regulations.

2.4 Deletion of your data

Your data will be deleted from our systems and third-party processors once it is no longer required for the aforementioned purposes. We delete or anonymize logs within 90 days of collection. If you delete your user account, your personal data will be removed from our systems without unreasonable delay, and at the latest within 90 days, unless applicable legislation or legal process prevents us from doing so. To the extent that Sanity is legally obliged to archive data, such data will be blocked and will not be available for productive use.

Customer-controlled data may be deleted via our API. We retain a complete history of all changes to a dataset, including deleted documents, with a maximum retention period given by the project's plan. Custom retention periods can be configured for the entire dataset or by document type for customers with our custom history retention feature. Customers can also permanently delete a document and all history via a purge mutation through our API. Note that user-specified document IDs will be retained in our systems indefinitely (until the entire dataset is deleted), for technical reasons - we strongly recommend that document IDs never contain personal or sensitive data. Deleted assets may remain available in public CDN caches until the configured expiry time.

Data may in certain cases remain in the systems of our subprocessor Google Cloud Platform for as long as 180 days, as outlined in their terms of service, although it will generally be removed much sooner. This data is not available to us.

2.5 Location of your data

Sanity relies on the Google Cloud Platform as a subprocessor to store collected Personal Data and your uploaded content. Personal data is stored in our EU datacenter. Uploaded content will be stored in the EU/EEA, the US, or in regions where Sanity has an operational footprint, specific by customer. For serving purposes, data may be stored transiently or cached in any country in which Google Cloud or its agents maintain facilities.

2.6 California Residents

This Section applies to our collection and use of “Personal Information” if you are a resident of California, as required by the California Consumer Privacy Act of 2018 and its implementing regulations, as amended by the California Privacy Rights Act (“CCPA”).

Sanity makes the following disclosures regarding Personal Information collected and/or sold by us within the 12-month period preceding the effective date of this Privacy Policy.

Sources of Personal Information

We collect Personal Information from the categories of sources detailed in the “Personal Data We collect” section above.

Use of Personal Information

We collect Personal Information for the business and commercial purposes detailed in the “Purposes for which we collect personal data” section above.

Disclosure of Personal Information

The categories of third parties to whom we disclose Personal Information for a business or commercial purpose or to whom we sell or share Personal Information include our affiliates, service providers, business partners, third parties for legal, security, and safety purposes, third parties in connection with a corporate transaction, and other entities to which you have consented to the disclosure.

We do not knowingly sell or share the Personal Information of minors under the age of 16.

| Categories of Personal Information We Collect | Categories of Third Parties to Whom We Sell or Share Personal Information |
| --- | --- |
| Identifiers | Analytics and remarketing companies |
| Personal information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e)) | We do not sell or share this category of Personal Information |
| Protected classification characteristics under California or federal law | We do not sell or share this category of Personal Information |
| Commercial information | We do not sell or share this category of Personal Information |
| Geolocation data | We do not sell or share this category of Personal Information |
| Internet or other similar network activity | Analytics and remarketing companies |
| Inferences drawn from other personal information | We do not sell or share this category of Personal Information |
| Professional or employment-related information | We do not sell or share this category of Personal Information |

We will retain each category of your Personal Information only for as long as necessary to fulfill the purposes described in Section 2.1 above, unless otherwise required by applicable laws. We consider the following criteria to determine how long we will retain your Personal Information including whether: we need your Personal Information to provide you with the services you requested; we continue to have a business relationship with you; you have requested information or services from us; we have a legal right or obligation to continue to retain your Personal Information; we have an obligation to a third party that involves your Personal Information; our retention or recordkeeping policies and obligations dictate that we retain your Personal Information; we have an interest in providing you with information about our services; and we have another business purpose for retaining your Personal Information.

2.7 Individuals located in the EU, EEA and UK

Legal Bases for Processing Personal Data

If you are an individual located in the European Union (EU), European Economic Area (EEA) or United Kingdom (UK), we collect and process Personal Data about you where we have a legal basis for doing so under the General Data Protection Regulation (GDPR) and UK GDPR, where “Personal Data” has the definition set forth in the GDPR and UK GDPR. This means we collect and process your Personal Data only when:

  • it is necessary for a legitimate interest (which is not overridden by your individual privacy interests);
  • you have consented to this collection and processing for a specific purpose;
  • it is necessary to fulfil our contractual obligations; or
  • it is necessary to comply with a legal obligation.

Where we rely on your consent to process your Personal Data, you have the right to withdraw or decline consent at any time.

Where we rely on our legitimate interests to process your Personal Data, you may have the right to object. More information on exercising this right can be found in Section 2.9 below (“How to Exercise your Privacy Rights”).

Transfers, Storage, and Processing

Personal Data that we collect or receive may be transferred to and/or processed by third parties that are located outside of the EU, EEA, or UK, some of which EU, EEA and UK authorities may not consider to have an adequate level of protection for personal data. Sanity will only transfer Personal Data to third parties located outside of the EU, EEA, and UK when it has ensured appropriate safeguards for such Personal Data through use of the standard contractual clauses or other approved methods by the EU, EEA, and UK.

Unresolved Complaints

If your inquiry with us has not been satisfactorily addressed, or if you believe we are processing your Personal Data not in accordance with the law or this Notice, you may file a complaint with the supervisory authority in your country of residence.

2.8 Your Privacy Rights

Subject to certain limitations such as exceptions permitted by applicable law and verification of your identity, you may exercise the following privacy rights:

| Privacy Right | Description |
| --- | --- |
| Notice | The right to be notified of what categories of personal data will be collected at or before the point of collection and the purposes for which they will be used and shared. |
| Access | The right to request the categories of personal data that we collected in the previous twelve (12) months, the categories of sources from which the personal data was collected, the specific pieces of Personal Information or personal data we have collected about you, and the business purposes for which such personal data is collected and shared. |
| Erasure | The right to have your personal data deleted, subject to applicable exceptions. |
| Data Portability | The right to receive copies of your personal data that we have collected in a commonly used and machine-readable format. |
| Restriction of Processing / Right to Object | The right to restrict us from or object to our processing your personal data in specified circumstances. |
| Correction / Rectification | The right to request that we correct any incorrect personal data that we collect or retain about you, subject to certain exceptions. Once we receive and confirm your verifiable consumer request (see below), we will correct (and direct any of our service providers that hold your data on our behalf to correct) your personal data from our records, unless an exception applies. |
| Automated Decision Making | The right to request information about the logic involved in automated decision-making and a description of the likely outcome of processes, and the right to opt out. Sanity does not currently engage in any automated decision-making practices. |
| Opt Out of Sale Sharing | The right to opt out of the sale or sharing of personal data. |

Shine the Light. Pursuant to California Civil Code Section 1798.83, if you are a California resident, you have the right to obtain: (a) a list of all third parties to whom we may have disclosed your personal information in the past year for direct marketing purposes, and (b) a description of the categories of personal information disclosed, by contacting us at privacy@sanity.io.

2.9 How to Exercise Your Privacy Rights

To exercise your rights under applicable data protection law, please submit a request to us by contacting us at privacy@sanity.io.

Only you or an authorized agent may make a verifiable consumer request. You may only make a verifiable consumer request for access twice within a 12-month period. The request must:

  • Provide sufficient information that allows us to reasonably verify you are the person about whom we collected Personal Information/Personal Data or an authorized representative of that person; and
  • Describe your request with sufficient detail that allows us to properly understand, evaluate and respond to it.

We must verify your identity before fulfilling your requests. If we cannot initially verify your identity, we may request additional information to complete the verification process. We will only use Personal Information/Personal Data provided in a request to verify the requestor’s identity. If you are an authorized agent making a request on someone else’s behalf, we will also need to verify your identity, which may require proof of your written authorization or evidence of a power of attorney.

We endeavor to respond to requests within the time period required by applicable law. If we require more time, we will inform you of the reason and extension period in writing.

Any disclosures we provide will only cover the 12-month period prior to the date we receive the verifiable consumer request. The response we provide will also provide the reasons we cannot comply with a request, if applicable.

We will not discriminate against you in the event you choose to exercise any of your privacy rights.

This Notice is available to consumers with disabilities. To access this Notice in an alternative downloadable format, please click here.

3. Contact Information

For any questions or concerns, please contact us at legal@sanity.io or dpo@sanity.io.