FiveSages logo
Sign InStart a Debate
Public legal surface

FiveSages Privacy Policy

Last updated: February 26, 2026

This Privacy Policy describes how Five Sages LTD collects, uses, stores, discloses, and deletes personal data in connection with the FiveSages platform. It is written to reflect the product's operational behaviour, including hard deletion of session content, timed raw-upload retention, restricted support access, and a no-training default for customer content.

1. Controller information

Five Sages LTD is the controller for personal data processed through the FiveSages product except where a separate agreement states otherwise. Our registered address is 167-169 Great Portland Street, 5th Floor, London, W1W 5PF, United Kingdom. Privacy enquiries may be sent to legal@fivesages.ai.

2. Data categories we process

  • Account data such as email address, authentication identifiers, and workspace membership metadata.
  • Session data such as prompts, model selections, debate rounds, outputs, and event history.
  • Uploaded file data including original raw files, parsed document text, and evidence extraction metadata.
  • Operational metadata such as timestamps, credits, billing actions, trace metadata, and device or request telemetry.
  • Support and compliance data such as support-access records, human-access audit logs, and deletion workflow records.

3. How we use personal data

We use personal data to provide the service, maintain account access, run session workflows, process user uploads, route prompts to selected AI providers, administer billing, detect abuse, support users when asked, comply with law, and enforce platform safety and security controls.

We do not use your session content to train our own models by default. We do not use your content for product improvement without explicit opt-in. We do not reuse one customer's prompts, documents, or outputs to improve another customer's results.

4. Legal bases

Depending on the context, we process personal data because it is necessary to perform our contract with you, necessary for our legitimate interests in operating and securing the service, necessary to comply with legal obligations, or based on consent where consent is specifically requested.

5. Retention and deletion

We apply storage limitation and data minimisation principles. Retention periods differ by data category because not all records serve the same purpose.

  • Raw uploaded files are stored in encrypted object storage and are deleted automatically after 30 days.
  • Parsed document content, prompts, model responses, and related session content are retained until the user deletes the session or the session is purged after 90 days of inactivity, whichever occurs first.
  • Deleting a session triggers hard deletion of session-linked content, uploaded documents, parsed text, event history, jobs, artefacts, traces, and unnecessary prompt-content logs.
  • Account deletion triggers a broader erasure workflow for user-owned session content and account access, while retaining only narrowly scoped records required for billing, tax, security, or legal compliance.
  • Billing and financial metadata may be retained for up to 6 years where necessary for UK tax, accounting, or legal obligations.

6. Support access and internal review

Human access to customer content is restricted. We design the product so that sensitive content reads by support or platform administrators require a documented support-access record tied to a user request, or a tightly limited break-glass exception for security, abuse, or incident response.

Sensitive admin reads are logged in dedicated human-access audit records. We do not permit unrestricted browsing of user sessions as a standard internal workflow.

7. Third-party AI providers and subprocessors

When you use the platform, prompts and related context may be transmitted to the AI providers that correspond to the models you selected. Infrastructure and authentication subprocessors may also process relevant data to provide storage, database, and security functionality.

Amazon Web Services
Cloud infrastructure and encrypted object storage for application and document processing workloads.
OpenAI
Third-party AI model provider used when users select supported OpenAI-backed models.
Anthropic
Third-party AI model provider used when users select supported Anthropic-backed models.
Google
Third-party AI model provider used when users select supported Gemini-backed models.
Supabase
Authentication and managed PostgreSQL database services for the FiveSages application.

8. International transfers

We may process or transfer data internationally where required to operate the product and route requests to the providers you choose. Where required, we use appropriate contractual, organisational, and technical safeguards.

9. Security

We use technical and organisational measures intended to protect data against unauthorised access, accidental loss, misuse, or unlawful disclosure. No online system can be guaranteed to be perfectly secure, and you remain responsible for deciding what content to upload and for using appropriate redaction and access controls.

10. Your rights

Subject to applicable law, you may have rights to access, correct, erase, restrict, object to, or port certain personal data. You may also withdraw consent where processing depends on consent. To exercise rights or raise a concern, contact legal@fivesages.ai.

11. Children

The service is not intended for individuals under 18. If we become aware that personal data from a person under 18 has been provided in breach of our policy, we may suspend access and take deletion steps as appropriate.

12. Changes to this policy

We may update this Privacy Policy from time to time to reflect legal, product, security, or operational changes. The current version will always be posted on this page with the latest update date.