Privacy Policy
Last Updated: January 16, 2026
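TABLE OF CONTENTS
1. Definitions and Key Terms
2. Introduction and Scope
3. Personal Data Collection
4. Data Processing and Usage
5. Data Storage and Security
6. Analytics, Advertising, and Third-Party Services
7. Your Rights and Choices
8. Data Retention and Deletion
9. International Data Transfers and Legal Jurisdiction
10. Children's Privacy
11. Changes to This Policy
12. Legal Information and Contact Details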
1. DEFINITIONS AND KEY TERMS
1.1 Company and Service Terms
- Sagabox Inc ("we," "us," or "our"): A Delaware Corporation.
- Service: All features, functionalities, programs, and content available through Sagabox
- Platform: Our website (sagabox.com) and related services accessible via any device
- User: Any individual accessing or using our services ("you" or "your")
1.2 Data and Privacy Terms
- Personal Data: Any information relating to an identified or identifiable natural person
- Processing: Any operation performed on personal data
- Data Controller: Sagabox Inc, determining the purposes and means of processing personal data
- Data Processor: Third parties that process personal data on our behalf
- Cookie: Small text file stored on your device containing data about your platform usage
1.3 Security Terms
- Authentication: Process of verifying user identity
- Encryption: Process of encoding information to prevent unauthorized access
- Token: Unique identifier used for secure authentication
- SSL/TLS: Security protocols for encrypted data transmission
2. INTRODUCTION AND SCOPE
2.1 Policy Overview
This privacy policy explains how Sagabox Inc collects, uses, and protects your personal data. It provides detailed information about your privacy rights and how you can exercise them.
2.2 Policy Application
This policy applies to all users of Sagabox globally, all data collection methods, all service features and functionalities, and all platform versions and updates.
2.3 Policy Updates
We reserve the right to update this policy. Material changes will be notified via email. Continued use after changes constitutes acceptance.
3. PERSONAL DATA COLLECTION
3.1 Account Information
Essential Data:
We collect the following information necessary to provide our service. Your email address is required for authentication and account management. Your name is collected during payment processing. We record your last sign-in timestamp for security purposes. Unique account identifiers are generated to manage your account. IP addresses are collected for security and fraud prevention.
Optional Data:
You may choose to provide additional information. Phone numbers may be collected through payment processors if you provide them. User preferences and settings help us customize your experience. Communication preferences allow you to control how we contact you.
3.2 Service Usage Data
Reading Activity:
We collect information about how you use our platform. This includes which serialized novels you read, your reading progress and bookmarks, chapters accessed and completion status, time spent reading, and your reading preferences and habits.
Interaction Data:
We track how you interact with our platform, including features accessed, time spent on platform, navigation patterns, and device information.
3.3 Payment Information and Processing
We only receive and store limited payment information. This includes tokenized payment method identifiers, the last four digits of payment cards, the first six digits of payment cards, and card expiration dates. We never store complete card numbers or security codes. All payment processing is handled by PCI DSS compliant payment processors.
3.4 Technical and Device Data
Device Information:
We collect information about the devices you use to access our service. This includes operating system and version, browser type and version, screen resolution, device type and model, and language preferences.
Connection Data:
We collect information about your internet connection, including IP address, network information, connection type, geographic location (derived from IP), and time zone settings.
Performance Data:
To improve our service, we monitor load times, error messages, system performance metrics, network latency, and application response times.
4. DATA PROCESSING AND USAGE
4.1 Primary Processing Purposes
Service Provision:
We process your data to provide and maintain our service. This includes account creation and management, authentication and security, feature access and customization, customer support, and service optimization.
Payment Processing:
Your payment data is processed for subscription management, payment authorization, fraud prevention, transaction records, and billing support.
Communication:
We use your contact information to send service updates and notifications, security alerts, product information, support responses, and legal notices.
4.2 Secondary Processing Purposes
Service Improvement:
We analyze usage data to improve our service through usage pattern analysis, feature optimization, performance monitoring, user experience enhancement, and bug identification and resolution.
Analytics and Research:
We use aggregated data for aggregate usage statistics, trend analysis, platform optimization, feature development, and performance benchmarking.
4.3 Legal Bases for Processing
Contractual Necessity:
We process certain data because it is necessary to provide our service. This includes account management, service provision, payment processing, feature access, and support services.
Legal Obligations:
We process data to comply with tax compliance requirements, financial records maintenance, legal requirements, regulatory compliance, and safety and security obligations.
Legitimate Interests:
We have legitimate business interests in service improvement, fraud prevention, security maintenance, technical optimization, and business development.
Consent-Based Processing:
For certain activities, we rely on your consent, including marketing communications, optional features, third-party integrations, analytics participation, and feature testing.
5. DATA STORAGE AND SECURITY
5.1 Storage Location and Data Transfers
All personal data is stored in secure data centers with enterprise-grade security. Data is transmitted globally using encrypted channels. We employ appropriate safeguards for international data transfers. Continuous compliance monitoring and security measures are in place.
5.2 Security Measures
Authentication and Access:
We protect your account with multi-factor authentication capability, passwordless authentication via email, single-use verification codes, session management with automatic termination, role-based access control, principle of least privilege, access logging and monitoring, regular access reviews, and automated access termination.
Data Protection:
We implement industry-standard security measures including AES-256 encryption for data at rest, TLS encryption for data in transit, security protocols for all data transmission, and regular security audits.
System Security:
Our infrastructure is protected by DDoS protection via Cloudflare, intrusion detection systems, regular security patching, and infrastructure monitoring.
Payment Security:
All payment processing is PCI DSS compliant. We use tokenized payment information storage. We have no access to complete card numbers. Encrypted payment data transmission protects your financial information. Immediate security incident response procedures are in place. Regular compliance monitoring ensures ongoing security.
Backup and Recovery:
We maintain regular automated backups with encrypted backup storage. Disaster recovery planning and business continuity measures ensure service continuity. Data restoration procedures and geographic redundancy measures protect against data loss.
Organizational Security:
We maintain incident response procedures and protocols, access control policies and enforcement, security incident reporting framework, and change management procedures.
Monitoring and Maintenance:
Our security team provides real-time system monitoring and security event logging, performance tracking and analysis, regular security reviews and assessments, continuous compliance monitoring, regular system updates, vulnerability assessments, and security patch management.
5.3 Data Breach Notification Procedures
Definition and Scope:
A data breach is defined as unauthorized access to personal data, accidental loss or destruction of personal data, unauthorized disclosure of personal data, or any incident compromising data confidentiality, integrity, or availability.
Internal Response:
Upon discovering a potential breach, we will immediately initiate our incident response plan, assess the nature and scope of the breach, take immediate steps to contain the breach, document all aspects of the incident, and evaluate the risks to affected individuals.
User Notification:
We will notify affected users within 72 hours of breach confirmation through email notification.
Notification Content:
Our breach notifications will include a description of the incident, types of data affected, potential impact on users, steps we've taken to address the breach, recommended user actions, contact information for questions, and resources for additional support.
Regulatory Compliance:
Where required by law, we will notify relevant supervisory authorities, comply with jurisdiction-specific requirements, provide mandatory documentation, cooperate with investigations, and implement required remedial measures.
Post-Breach Measures:
Following any breach, we will conduct a thorough investigation, implement additional security measures, update procedures as necessary, provide ongoing updates to affected users, and review and enhance security protocols.
6. ANALYTICS, ADVERTISING, AND THIRD-PARTY SERVICES
6.1 Analytics and Infrastructure Partners
Analytics Services:
We utilize various services to monitor and improve our platform. Google Tag Manager helps us manage analytics and marketing tags. Google Analytics provides user behavior analysis and service optimization. MixPanel enables user interaction tracking and feature usage analysis. Google BigQuery supports large-scale data analysis and reporting. Sentry provides error monitoring, performance tracking, and session recording. Cloudflare offers performance analytics and security monitoring.
Session Recording Details:
Through Sentry, we implement session recording with the following safeguards. All user inputs are automatically masked. No personally identifiable information is collected. All data entry fields are excluded. All user interactions are anonymized. Usage is limited to bug investigation and performance optimization.
Data Collection Scope:
These services may collect usage patterns, feature interaction data, performance metrics, error information, anonymized user flows, and aggregate statistics.
6.2 Advertising Partners and Data Sharing
Advertising Partners:
We may work with advertising partners including Facebook, Google, SnapChat, TikTok, Taboola, Outbrain, AppLovin, and Pinterest.
Data Sharing Practices:
These partners may receive anonymous identifiers, email addresses (for advertising purposes), usage data, device information, and interaction metrics.
Partner Data Usage:
Our advertising partners may track user interactions, measure ad performance, optimize ad targeting, create lookalike audiences, and provide analytics reports.
Your Control:
You can opt out of targeted advertising through platform-specific settings, browser privacy controls, industry opt-out tools, and your account privacy settings.
6.3 Third-Party Service Providers
We work with trusted service providers for payment processing (Stripe, PayPal), email services (SendGrid, Mailchimp), cloud hosting (AWS, Google Cloud), content delivery (Cloudflare), and customer support tools.
Data Sharing:
We only share the minimum data necessary for these providers to perform their services. All providers are bound by confidentiality agreements. We conduct due diligence on all third-party providers. Regular audits ensure compliance with our privacy standards.
7. YOUR RIGHTS AND CHOICES
7.1 Universal Rights
All users have the following basic rights. You can access your personal data at any time. You have the right to correct inaccurate data. You can request data deletion (see Section 8.2 for procedures). You may object to certain types of processing. Data portability allows you to receive your data in a machine-readable format. You can withdraw consent for consent-based processing at any time.
7.2 Regional Privacy Rights
European Union and UK Residents (GDPR):
Under GDPR, you have the right to be informed about data collection and use. You have the right to access your personal data. You can request rectification of inaccurate data. The right to erasure allows you to request deletion of your data. You can restrict processing in certain circumstances. Data portability enables you to receive and transfer your data. You have the right to object to certain processing activities. You have rights regarding automated decision-making and profiling.
California Residents (CCPA/CPRA):
California residents have additional rights including knowledge of personal information collection, knowledge of information sharing practices, deletion rights for personal information, correction rights for inaccurate data, opt-out rights for data sales, non-discrimination rights when exercising privacy rights, and portability rights to receive data in a usable format.
Australian Residents:
Under the Privacy Act, Australian residents have rights to collection notification, access to personal information, correction of inaccurate data, purpose specification for data use, use limitation protections, and disclosure transparency.
Canadian Residents:
Under PIPEDA, Canadian residents have access rights to personal information, accuracy rights to correct data, consent withdrawal options, use transparency regarding data processing, and protection expectations for personal data.
7.3 How to Exercise Your Rights
Submission Methods:
All privacy rights requests can be submitted through any of our official contact channels listed in Section 12.2.
Verification Process:
To protect your privacy, we require initial verification including email verification, account authentication (if applicable), and identity documentation (if needed for sensitive requests). For sensitive requests or authorized agents, we may require additional verification including government-issued ID, proof of authority (for agents), and additional security checks as needed.
Response Timelines:
We follow these standard response times for all requests. Initial acknowledgment is provided within 72 hours. Standard response time is 30 days. Maximum extension period is 45 days (with notification). Appeal decisions are provided within 30 days. Note that California residents receive acknowledgment within 10 days per CCPA requirements.
Data Delivery:
All personal data will be provided in machine-readable format (CSV or JSON), with complete data inventory, via encrypted transmission.
Appeal Process:
If you're unsatisfied with our response, you may submit an appeal within 30 days. Include the reason for your appeal and provide any additional information. You will receive a decision within 30 days.
8. DATA RETENTION AND DELETION
8.1 Retention Periods
Active Accounts:
We retain your data while your account is active and for a reasonable period thereafter to comply with legal obligations, resolve disputes, and enforce our agreements.
Inactive Accounts:
Accounts inactive for 365 days are automatically deleted. You will receive notice before deletion. You can prevent deletion by logging in.
Specific Data Types:
Account information is retained for the duration of your account plus 90 days. Payment records are kept for 7 years for tax and legal compliance. Usage data is retained for 2 years for analytics purposes. Support communications are kept for 3 years. Marketing data is retained until you opt out or for 2 years of inactivity.
8.2 Data Deletion
How to Request Deletion:
You can request account and data deletion through account settings, email to privacy@sagabox.com, or our help center. Include your account email, reason for deletion (optional), and confirmation of your identity.
Deletion Process:
We will verify your identity, process your request within 30 days, send confirmation of deletion, and retain only data required by law.
Exceptions:
We may retain certain data to comply with legal obligations, resolve disputes, prevent fraud and abuse, complete transactions, or maintain backups (deleted within 90 days).
9. INTERNATIONAL DATA TRANSFERS AND LEGAL JURISDICTION
9.1 Data Transfers
Your data may be transferred to and processed in countries other than your own. We ensure appropriate safeguards are in place for all international transfers through standard contractual clauses, adequacy decisions, binding corporate rules, and your explicit consent where required.
9.2 Legal Jurisdiction
SagaBox Inc operates under the laws of the State of Delaware, United States. We comply with applicable data protection laws in all jurisdictions where we operate. Where conflicts arise, we apply the most protective standard.
9.3 Cross-Border Data Flows
We implement appropriate technical and organizational measures to protect data during international transfers. Regular audits ensure compliance with international data protection standards. We work only with processors that provide adequate data protection.
10. CHILDREN'S PRIVACY
10.1 Age Restrictions
Our service is not intended for children under 18 years of age. We do not knowingly collect personal data from children under 18. If you are under 18, do not use our service or provide any personal information.
10.2 Parental Notice
If we learn that we have collected personal data from a child under 18, we will delete that information as quickly as possible. If you believe we have collected information from a child under 18, please contact us immediately at privacy@sagabox.com.
11. CHANGES TO THIS POLICY
11.1 Policy Updates
We may update this privacy policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.
11.2 Notification of Changes
We will notify you of material changes by email to your registered email address, prominent notice on our website, and in-app notifications (where applicable). The "Last Updated" date at the top of this policy will always reflect the most recent version.
11.3 Your Acceptance
Your continued use of our service after we post changes constitutes your acceptance of the updated policy. If you do not agree to the changes, you should discontinue use of our service and contact us to delete your account.
12. LEGAL INFORMATION AND CONTACT DETAILS
12.1 Data Controller
SagaBox Inc is the data controller responsible for your personal data.
12.2 Contact Information
For Privacy Inquiries:
Email: privacy@sagabox.com
For General Support:
Email: support@sagabox.com
For Data Subject Requests:
Email: privacy@sagabox.com
Subject Line: "Data Subject Request"
Mailing Address:
SagaBox Inc
8 The Green, STE R
Dover, DE 19901, USA
12.3 Supervisory Authority
If you are located in the European Economic Area, you have the right to lodge a complaint with your local data protection authority if you believe we have not complied with applicable data protection laws.
EU Users:
You can find your data protection authority at: https://edpb.europa.eu/about-edpb/board/members_en
UK Users:
Information Commissioner's Office (ICO)
Website: https://ico.org.uk