This is the Privacy Policy of Sanity AS and Sanity US Inc. ("Sanity"). For Sanity, the protection and confidentiality of your data is of the utmost importance.
Sanity collects and uses your Personal Data strictly within the legal limits of the data protection law of the Kingdom of Norway, the EU General Data Protection Regulation no. 2016/679 and UK GDPR (collectively, the "GDPR") as incorporated in Norwegian law, in addition to applicable data protection laws in the United States, including but not limited to, the California Consumer Privacy Act (“CCPA”). Terms that we use in this document like "personal data", "processing", "data controller" and "data processor" shall have the meaning as defined therein.
This Privacy Policy describes the processing of Personal Data that is provided, collected, or disclosed while providing our services to you (“Sanity Services”) and on the websites, applications, and online platforms that link to this Privacy Policy (collectively, “Site”), including when you apply for a job with us.
We may provide you with a different privacy notice or policy in certain specific situations, in which case that privacy notice or policy will apply to the Personal Data collected or processed in that specific situation, rather than this one.
If you provide us with Personal Data related to anyone other than yourself, please note that you are responsible for complying with all privacy and data protection laws prior to providing that data to Sanity (including collecting consent, if required).
We may modify this Privacy Policy at any time. All changes will be effective immediately upon posting to our Site. Material changes will be conspicuously posted on our Site or otherwise communicated to you. The latest version of the Privacy Policy is always accessible at www.sanity.io/legal/privacy.
1. Personal Data We collect
1.1 Log in information and data you provide as a customer of sanity.io
In order to use certain Sanity Services, you may be required to register an account. You may register using third-party identity providers, such as Google and Github. If you choose to do so, these identity providers will provide Sanity with your name, email address and profile picture (if available). Sanity will not, however, have access to your password with the identity providers. Please refer to the privacy policies of such third-party identity providers to understand how they collect and process your Personal Data.
If you sign up with Sanity directly, we will require you to enter your name, email address and a password, and you may also provide us with other information upon login, such as your profile picture. This data is required to create and administer a user account for you and to enable you to use the Sanity Services.
For enterprise customers, Sanity allows signup and login via third-party enterprise authentication services, if previously agreed upon and formalized in terms with said enterprise. Please refer to the privacy policies of such enterprises to understand how they collect and process your Personal Data.
If you decide to use Sanity Services that are subject to a charge, you are required to provide the name, address, email address, and phone number of your organization or yourself for payment reasons. This information is also processed by our payment processor. Credit card information is never available to Sanity but is only transmitted to and stored with our payment processor.
You may choose to download our published whitepapers or sign up for our newsletter and service status updates provided via email. We will store your name and email address, and use this information to send you marketing communications. We will also disclose this information to third- party vendors to deliver these services on our behalf. You may choose to unsubscribe from these email communications at any time. We will also very occasionally send important service updates to all registered users via email, using the same third-party vendors.
1.2 Information within content owned by our users at sanity.io
Users can upload a variety of content, such as texts, images, videos and music files to and via the Sanity Services, defined as "Customer Data" in our General Terms and Conditions. Typical content uploaded to Sanity might be news articles or a shop's production information. This data may occasionally, but not usually, contain data that may be qualified as Personal Data. In this context, Sanity is only a processor of data on behalf of the user and not the data controller. Sanity will only process and store this data within the framework of the provision of the service, in the scope described in the General Terms and Conditions and our Agreement with you or the entity with which you are connected to.
1.3 Data collected through the use of APIs and SDKs
Sanity allows customers to integrate their uploaded content into their internal systems and/or third-party systems delivered by other parties through an Application Programming Interface (API). Sanity by design does not determine what systems it may be configured to interoperate with but typical examples of classes of such systems are content delivery (e.g. HTML rendering systems, native mobile applications, digital signage systems) and content optimisation (e.g. e-commerce personalization services, A/B/N-testing or similar) systems.
The SDKs can, however, be configured by the user/client of our service to send the identity (user ID) of logged-in users to our APIs in order to facilitate, for example, access control. This would be a user-based decision/parameter defined by client and therefore out of our control.
Sanity logs the originating IP address of an end user to avoid fraudulent use (e.g., denial of service attack).
1.4 Information gathered through automatic data collection
When you access the Sanity Services or Site via a browser, the Command Line Interface (CLI), or other means, certain data is automatically transmitted for technical reasons. The following data is logged and stored separately from any other data you may transmit to us for a limited time: IP address, date and time of access, browser type and version, operating system, URL of the website visited prior to ours, amount of data transmitted, performance numbers such as latencies and caching, and any data regarding how you use and interact with the Sanity Service and its features. This data is collected for Sanity’s legitimate business purposes, including for testing, development, operation of the Sanity Services, security, and troubleshooting.
Logged-in users will also transmit authentication information through cookies or headers to allow our systems to authenticate and authorize the request and make decisions based on the logged-in user. This information is never stored together with the access logs mentioned above, but other information that is explicitly provided by the user to perform operations may, however, be logged and associated with the user in order to provide audit logs and similar.
When visiting our Site we collect aggregate statistics about your actions on our Site and store these with a third-party processor for analytics and statistics to improve the Site and Sanity Services. The collected data does not include any personal information, and it is not possible for us to trace this back to any individual.
If the user should encounter any errors while using the Sanity Services or Site, we will temporarily log information relevant to the error, including the information listed above, with a third-party processor in order to notify us of the error and aid with debugging.
1.5 Employment Information
If you apply for employment with us, we will collect Personal Data related to your potential employment, including your education and employment history, address and contact information, demographic information, and any other information included in your resume or application.
1.6 Cookies
Sanity uses cookies on the Site to provide you with a wide range of functionalities. Cookies are small text files sent by a website you visit to your computer or mobile device, which enables you to use the features and functionality of the website and services and to improve your experience. They are unique to your account or your browser. Cookies can be “session-based” or “persistent”. Session-based cookies last only while your browser is open and are automatically deleted when you close your browser and persistent cookies last until you or your browser delete them or until they expire. To find out more about cookies, visit www.allaboutcookies.org.
| Cookie Type | Description |
|---|---|
| Strictly Necessary | These cookies are necessary for the Site and Sanity Services to function and cannot be turned off. These cookies do not store any information that can personally identify you. |
| Performance | These cookies allow us to count visits and traffic sources so we can measure and improve the performance of the Site and Sanity Services. They help us to know which pages are the most and least popular and see how visitors move around. If you do not allow these cookies, we will not know when you have visited the Site or Sanity Services and will not be able to monitor their performance. |
| Functional | These cookies enable the Site and Sanity Services to provide enhanced functionality and personalization. They may be set by us or by third-party providers whose services we have added to our pages. If you do not allow these cookies, some or all of the Site or Sanity Services may not function properly. |
| Targeting | These cookies may be set through the Site or Sanity Services by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant advertisements on other sites. They do not store any personal information that directly identifies you, but these cookies do uniquely identify your browser and device. |
Sanity uses Google Analytics and Google Tag Manager, web analytics services provided by Google for aggregate statistics about our Site usage. This also collects information for remarketing purposes. To learn more about how Google uses data, visit Google’s Privacy Policy and Google’s page on “How Google uses data when you use our partners’ sites or apps.” You may download the Google Analytics Opt-out Browser Add-on for each web browser you use, but this does not prevent the use of other analytics tools. To learn more about Google Analytics cookies, visit Google Analytics Cookie Usage on Websites.
We use Meta pixels to track user activity on our Site and improve downstream offerings, including interest-based advertising for our services and those of our partners and service providers.
We may also allow or enable third parties to collect Personal Data through cookies to provide their interest-based advertising on behalf of our products and services, or their own. Interest-based advertising occurs when advertisements are shown to you based on information collected from your online interactions over time and across multiple websites, devices, or online services that you visit or use. Some companies may engage in cross-context behavioral advertising to predict your preferences and show you advertisements that are most likely to be of interest or relevant to you. We do not control these third parties' collection or use of your information for these purposes, or the opt-out options they may individually offer you via their terms, conditions, and privacy policies. If you have any questions about an advertisement or other targeted content, you should contact the responsible provider directly. Examples of the third-party service providers we engage to serve interest-based advertisements include Google Ads (including Google Dynamic Remarketing and DoubleClick), Meta Ads (including Meta Pixels and Facebook advertising services), LinkedIn marketing solutions (including LinkedIn Ads and Analytics), Microsoft advertising.
Manage Your Cookie Settings
To manage your preferences with respect to these technologies, you can:
If you limit the ability of the Site and Sanity Services to set cookies, you may restrict your overall user experience and/or lose the ability to access the services, since it will no longer be personalized to you. It may also stop you from saving customized settings, such as login information.
E-mail Marketing
If you provide your email address to us, we may send you emails, including marketing emails. If you are located within the European Economic Area, we will only send you marketing emails if you have expressly opted in, for example, when you create an account and subscribe to our newsletter. If you are not located within the European Economic Area, we may send you marketing emails unless and until you have opted out. You can opt out of receiving marketing emails at any time by clicking the "Unsubscribe" link in each email or by contacting us at legal@sanity.io.
1.7 Further information
If you decide to use Sanity Services that are subject to a charge, Sanity may offer you the possibility to enter further information and/or flag issues using the customer account management tool on your profile page. The information requested by Sanity will then depend on your request and will be specified in the input mask. In addition, free-text fields allow you to enter more information. Sanity will use the information you enter to process your request.
Sanity also offers a free newsletter service. In its newsletter, Sanity informs subscribers about changes to the Sanity Services. You may opt out of the newsletter at any time. Each newsletter contains a link to opt out of receiving any future newsletters.
1.8 Links to Third-Party Websites
We are not responsible for the practices employed by any websites or services linked to or from the Sanity Services, including the information or content contained within them. We encourage you to investigate and ask questions before disclosing Personal Data to third parties, since any Personal Data disclosed will be handled in accordance with the applicable third party’s privacy policy.
In some cases, we may offer links to social media platforms (like Facebook, Instagram, Pinterest, X (formerly known as Twitter) and YouTube) that enable you to easily connect with us or share information on social media. Any content you post via these social media pages is subject to the Terms of Use and Privacy Policies for those platforms.
2. General Aspects of Data Processing and Privacy
2.1 Purposes for which we collect personal data
Sanity processes your Personal Data as described in this Privacy Policy for the following purposes:
2.2. Third Parties/Service Providers We Share Personal Data With
We may disclose all categories of Personal Data listed above to the following categories of third parties:
Employees and Affiliates. We may disclose Personal Data to our employees and affiliates who have a need to know the information for our business purposes.
Service Providers. We may disclose Personal Data to service providers that provide services for us as set forth below.
Government Officials / Law Enforcement. We will cooperate with law enforcement and other governmental agencies, and may disclose Personal Data: (i) if we believe in good faith we are legally required to disclose that Personal Data, (ii) if we are advised to disclose Personal Data by our legal counsel, or (iii) when necessary to identify, contact or bring a legal action against someone who may cause or be causing harm to, or interfering with the legal rights of, Sanity or any other party.
Professional Advisors. We may disclose Personal Data to our professional advisors, such as our attorneys, accountants, financial advisors and business advisors, in their capacity as advisors to Sanity.
Change in Ownership. In the event (a) Sanity is subject to a change of control, (b) our services change ownership, in whole or in part, or (c) of a bankruptcy, receivership or a similar transaction, we may provide Personal Data to the subsequent owner(s), including as part of any due diligence process.
Other. We may disclose Personal Data to third parties and/or service providers when explicitly requested by or consented to by you, or for the purposes for which you disclosed the Personal Data to us as indicated at the time and point of the disclosure (or as was obvious at the time and point of disclosure).
2.3 Deletion of your data
Your data will be deleted from our systems and third-party processors once it is no longer required for the aforementioned purposes. We delete or anonymize logs within 90 days of collection. If you delete your user account, your Personal Data will be removed from our systems without unreasonable delay, and at the latest within 90 days, unless applicable legislation or legal process prevents us from doing so. To the extent that Sanity is legally obliged to archive data, such data will be blocked and will not be available for productive use.
Customer-controlled data may be deleted via our API. We retain a complete history of all changes to a dataset, including deleted documents, with a maximum retention period given by the project's plan. Custom retention periods can be configured for the entire dataset or by document type for customers with our custom history retention feature. Customers can also permanently delete a document and all history via a purge mutation through our API. Note that user-specified document IDs will be retained in our systems indefinitely (until the entire dataset is deleted), for technical reasons - we strongly recommend that document IDs never contain personal or sensitive data. Deleted assets may remain available in public CDN caches until the configured expiry time.
Data may in certain cases remain in the systems of our subprocessor Google Cloud Platform for as long as 180 days, as outlined in their terms of service, although it will generally be removed much sooner. This data is not available to us.
2.4 Location of your data
Please note that data may be transferred from your country of residence to other countries. Where permitted by applicable law, we may transfer the Personal Data we collect about you to the United States and other jurisdictions that may not be deemed to provide the same level of data protection as your home country, as necessary for the purposes set out in this Privacy Policy.
2.5 California Residents
This Section applies to our collection and use of “Personal Information” if you are a resident of California, as required by the California Consumer Privacy Act of 2018 and its implementing regulations, as amended by the California Privacy Rights Act (“CCPA”).
Sanity makes the following disclosures regarding Personal Information collected and/or sold by us within the preceding 12-month period preceding the effective date of this Privacy Policy.
Sources of Personal Information
We collect Personal Information from the categories of sources detailed in the “Personal Data We collect” section above.
Use of Personal Information
We collect Personal Information for the business and commercial purposes detailed in the “Purposes for which we collect Personal Data” section above.
Disclosure of Personal Information
The categories of third parties to whom we disclose Personal Information for a business or commercial purpose or to whom we sell or Share (that is, disclose to a third party for targeted or cross-context behavioral advertising) Personal Information include our affiliates, service providers, business partners, third parties for legal, security, and safety purposes, third parties in connection with a corporate transaction, and other entities to which you have consented to the disclosure.
| Categories of Personal Information We Collect | Categories of Third Parties to Whom We Sell or Share Personal Information |
|---|---|
| Identifiers | Analytics and remarketing companies |
| Personal information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e)) | We do not sell or Share this category of Personal Information |
| Protected classification characteristics under California or federal law | We do not sell or Share this category of Personal Information |
| Commercial information | We do not sell or Share this category of Personal Information |
| Geolocation data | We do not sell or Share this category of Personal Information |
| Internet or other similar network activity | Analytics and remarketing companies |
| Inferences drawn from other personal information | We do not sell or Share this category of Personal Information |
| Professional or employment-related information | We do not sell or Share this category of Personal Information |
We will retain each category of your Personal Information only for as long as necessary to fulfill the purposes described in Section 2.1 above, unless otherwise required by applicable laws. We consider the following criteria to determine how long we will retain your Personal Information including whether: we need your Personal Information to provide you with the services you requested; we continue to have a business relationship with you; you have requested information or services from us; we have a legal right or obligation to continue to retain your Personal Information; we have an obligation to a third party that involves your Personal Information; our retention or recordkeeping policies and obligations dictate that we retain your Personal Information; we have an interest in providing you with information about our services; and we have another business purpose for retaining your Personal Information.
2.6 Individuals located in the EU, EEA and UK
Legal Bases for Processing Personal Data
If you are an individual located in the European Union (EU), European Economic Area (EEA) or United Kingdom (UK), where Sanity acts as a data controller, we collect and process Personal Data about you where we have a legal basis for doing so under the General Data Protection Regulation (GDPR) and UK GDPR, where “Personal Data” has the definition set forth in the GDPR and UK GDPR. This means we collect and process your Personal Data only when:
Where we rely on your consent to process your Personal Data, you have the right to withdraw or decline consent at any time.
Where we rely on our legitimate interests to process your Personal Data, you may have the right to object. More information on exercising this right can be found in Section 2.8 below (“How to Exercise your Privacy Rights”).
Special Category Data
Sanity does not intend to collect any Special Category Data, which is any data that reveals your racial or ethnic origin, political opinions, religious, moral or philosophical beliefs, trade union membership, political views, the processing of genetic data, biometric data for the purpose of identifying a person, and data concerning health or a person’s sex life and/or sexual orientation. Please refrain from providing us with any Special Category Data.
Transfers, Storage, and Processing
Personal Data that we collect or receive may be transferred to and/or processed by third parties that are located outside of the EU, EEA, or UK, some of which EU, EEA and UK authorities may not consider to have an adequate level of protection for Personal Data. Sanity will only transfer Personal Data to third parties located outside of the EU, EEA, and UK when it has ensured appropriate safeguards for such Personal Data through use of the standard contractual clauses or other approved methods by the EU, EEA, and UK.
Unresolved Complaints
If your inquiry with us has not been satisfactorily addressed, or if you believe we are processing your Personal Data not in accordance with the law or this Notice, you may file a complaint with the supervisory authority in your country of residence.
2.7 Your Privacy Rights
Subject to certain limitations such as exceptions permitted by applicable law and verification of your identity, you may exercise the following privacy rights:
| Privacy Right | Description |
|---|---|
| Notice | The right to be notified of what categories of Personal Data will be collected at or before the point of collection and the purposes for which they will be used and disclosed. |
| Access | The right to request the categories of Personal Data that we collected in the previous twelve (12) months, the categories of sources from which the Personal Data was collected, the specific pieces of Personal Information or Personal Data we have collected about you, and the business purposes for which such Personal Data is collected and disclosed. |
| Erasure | The right to have your Personal Data deleted, subject to applicable exceptions. |
| Data Portability | The right to receive copies of your Personal Data that we have collected in a commonly used and machine-readable format. |
| Restriction of Processing / Right to Object | The right to restrict us from or object to our processing your Personal Data in specified circumstances. |
| Correction / Rectification | The right to request that we correct any incorrect Personal Data that we collect or retain about you, subject to certain exceptions. Once we receive and confirm your verifiable consumer request (see below), we will correct (and direct any of our service providers that hold your data on our behalf to correct) your Personal Data from our records, unless an exception applies. |
| Automated Decision Making | The right to request information about the logic involved in automated decision-making and a description of the likely outcome of processes, and the right to opt out. Sanity does not currently engage in any automated decision-making practices. |
| Opt Out of Sale and/or Targeted Advertising | The right to opt out of the sale of Personal Data or the disclosure of Personal Data to a third party for targeted or cross-context behavioral advertising |
Shine the Light. Pursuant to California Civil Code Section 1798.83, if you are a California resident, you have the right to obtain: (a) a list of all third parties to whom we may have disclosed your personal information the past year for direct marketing purposes, and (b) a description of the categories of personal information disclosed, by contacting us at privacy@sanity.io.
2.8 How to Exercise Your Privacy Rights
To exercise your rights under applicable data protection law, please submit a request to us by contacting us at privacy@sanity.io, or by phone at +1 (415) 429-7511.
Only you or an authorized agent may make a verifiable consumer request. You may only make a verifiable consumer request for access twice within a 12-month period. The request must:
We must verify your identity before fulfilling your requests. If we cannot initially verify your identity, we may request additional information to complete the verification process. We will only use Personal Information/Personal Data provided in a request to verify the requestor’s identity. If you are an authorized agent making a request on someone else’s behalf, we will also need to verify your identity, which may require proof of your written authorization or evidence of a power of attorney.
We endeavor to respond to requests within the time period required by applicable law. If we require more time, we will inform you of the reason and extension period in writing.
Any disclosures we provide will only cover the 12-month period prior to the date we receive the verifiable consumer request. We do not charge a fee to process or respond to your requests unless they are excessive or repetitive. If we determine that a request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request. We may deny certain requests, or only fulfill some in part, as permitted or required by law. If you are not satisfied with the resolution of your request and you are afforded a right to appeal such decision, you will be notified of our appeal process in our response to your request.
We will not discriminate against you in the event you choose to exercise any of your privacy rights.
This Privacy Policy is available to consumers with disabilities. To access this Notice in an alternative downloadable format, top-right of the page.
2.9 Children’s Privacy
We do not knowingly collect or solicit any Personal Data from children, as defined under applicable law, without verified written parental consent, and we have no actual knowledge of selling such Personal Data of minors under 16 years of age. If we learn that we have collected Personal Data from a child, we will promptly take steps to delete that information. If you believe we might have any information from or about a child, please contact us at legal@sanity.io.
2.10 How We Protect Personal Data
We have implemented commercially reasonable measures designed to secure your Personal Data from accidental loss and from unauthorized access, use, alteration, and disclosure. Unfortunately, the transmission of information via the internet is not completely secure. Despite these efforts to store Personal Data in a secure environment, we cannot guarantee the security of Personal Data during its transmission or its storage on our systems.
3. Contact Information
For any questions or concerns, please contact us at legal@sanity.io or dpo@sanity.io.