Last updated: June 23, 2026
Who We Are and What This Policy Covers
This Privacy Policy applies to information that we collect about you when you use sutra.co or the Sutra mobile application (together, the "Services"). The Services are operated by Sutra Spaces LLC, a Delaware limited liability company with its principal place of business at 27 Joshua Edwards Court, East Hampton, NY 11937 ("Sutra," "we," "us").
When customers — such as organizations, coaches, facilitators, or course creators — use Sutra to host learning spaces and communities, Sutra processes most of the personal data uploaded by those customers and their end users as a processor on the customer's behalf. The customer is the controller of that data and is responsible for determining how and why it is processed. If a customer has uploaded your personal data to our Services, you should consult that customer's privacy notice for information about how that personal data is processed, and direct any requests in respect of that personal data to that customer in the first instance. Sutra's obligations as a processor are set out in our Data Processing Addendum. The remainder of this Privacy Policy describes Sutra's own collection and use of personal data when we act as a controller — for example, when we collect data from prospective customers, from customer administrators in connection with account management, or from anyone using the Services for our own operational, security, and product-improvement purposes.
Information We Collect
We only collect information about you if we have a reason to do so — for example, to provide our Services, to communicate with you, or to make our Services better. We collect this information from three sources: information you provide to us, information we collect automatically when you use the Services, and information from outside sources.
- Basic account information: To set up your account, we require an email address and password, along with your first name, last name, and a username. You may choose to provide more — like a phone number or location — but you don't have to in order to create an account.
- Profile information: If you have an account, we collect the information you add to your profile, such as a profile photo (avatar) and an "about" description. Profile information you make visible in a space is visible to others in that space, so keep that in mind when deciding what to include.
- Payment and contact information: If you buy a Sutra plan, or pay a creator through their Sutra offering, you'll provide payment and contact information. Card payments are processed by our payment processor, Stripe — Sutra does not store full card numbers or security codes. We do keep a record of transactions (such as amounts, dates, plan, and Stripe identifiers) associated with your account. Creators who collect payments connect a Stripe account to receive funds.
- Content you create: When you post, comment, message, respond to surveys, or upload files and media within a space, that content — which may include personal information about you or others — is stored as part of the Services.
- Communications with us: When you contact support, respond to a survey, or sign up for our newsletter, we keep a record of that communication (including call recordings where permitted by law and with notice).
- Job applicant information: If you apply for a job with us, you may provide your name, contact details, resume/CV, and work-authorization information as part of the application process.
- Log information: Like most online services, we collect information that browsers, devices, and servers make available — browser type, IP address, device identifiers, language preference, referring site, date/time of access, operating system, and mobile network information — when you use the Services.
- Usage information: We collect information about how you use the Services — for example, actions taken in a space (who did what and when, such as creating, editing, or deleting a post), pages viewed, features used, and searches run. We use this to provide the Services, understand how they're used, and improve them.
- Location information: We may infer the approximate location of your device from its IP address (for example, to understand where our users are). With your permission through your device's operating system, our mobile apps may also collect more precise location (for example, when you choose to share it for a member-map or location feature).
- Device and stored information (mobile): With your operating-system permissions, our mobile apps may access information such as photos you choose to upload. You control these permissions in your device settings.
- Cookies and similar technologies: We and our service providers use cookies and similar technologies to keep you signed in, remember preferences, secure the Services, understand usage, and — on our public marketing and blog pages — measure and deliver advertising (including pixels from services such as Meta and LinkedIn). See our Cookies Policy for details and your choices.
How We Use AI
AI-assisted features — powered by Sutra's AI, called Cobolt — are part of the Services. Where enabled, they use the content you contribute to a space, and send certain content to third-party AI providers, in order to deliver these features. We want to be clear about how this works.
- What the AI features do. These include AI-assisted answers and search across content in a space, AI-assisted creation of courses, pages, and content ("AI build"), semantic search, and transcription of audio and video you provide. Depending on the feature, the content sent may include the text of your question, posts and content within the relevant space, prompts you write, files or URLs you provide, and audio/video to be transcribed. Cobolt also learns from contributions you make — such as posts, comments, and reflections — to power features like conversational courses, your member profile, and recommendations.
- Which providers we use. We use OpenAI and Anthropic for AI language-model features, Chroma to store the numerical representations (embeddings) that power semantic search, and Deepgram for transcription. The current list, including the categories of data each receives, is on our Subprocessors page.
- Training of third-party models. We do not use your content to train third-party (foundation) AI models. We use OpenAI and Anthropic under their commercial/API terms, and under those terms they do not use your inputs or outputs to train their models. Providers may retain content briefly to monitor for abuse and operate their services, as described in their terms. (This is separate from Cobolt's personalization, described in "Your controls" below.)
- Your controls. AI-assisted features are generally enabled by default. You can exclude your own contributions from Cobolt at any time in your account settings under AI & Privacy (sutra.co/settings/account) — turning this on keeps your posts, comments, and reflections out of Cobolt and erases what Cobolt has already learned from you (it does not change what you can see). Space administrators can also disable AI features for a space through its settings, and where Sutra acts as a processor for customer content, the customer (controller) directs whether these features are used.
- Accuracy and human oversight. AI output can be inaccurate, incomplete, or out of date, and is not a substitute for professional judgment. Please review AI-generated content before relying on or publishing it.
How and Why We Use Information
- To provide our Services — for example, to set up and maintain your account, host your spaces and content, back up and restore data, provide AI-assisted features, process payments, and provide customer support.
- To ensure quality, maintain safety, and improve our Services — for example, by shipping updates and new features, and by analyzing how the Services are used so we can make them better.
- To market our Services and measure our marketing — for example, by sending you messages about Sutra and measuring how our campaigns perform. You can opt out of marketing messages at any time.
- To protect our Services, our users, and the public — for example, by detecting and preventing fraud, abuse, spam, and security incidents, and by complying with legal obligations.
- To fix problems — for example, by monitoring, debugging, and repairing issues.
- To communicate with you — for example, to respond to support requests, share product updates, and (if you haven't opted out) send offers we think you'll find relevant. We'll always send account and legal notices.
- To recruit and hire — for example, by evaluating job applicants and communicating with them.
For those in the EU, UK, or Switzerland, our legal grounds for processing your information as a controller are: (1) performance of a contract with you (for example, to provide a paid plan or administer your account); (2) compliance with a legal obligation; (3) protection of vital interests; (4) our legitimate interests (for example, to provide, secure, and improve the Services, to communicate with you, and to understand usage), balanced against your rights; and (5) your consent where required (for example, for certain cookies, as described in our Cookies Policy).
Sharing Information
We share information about you in limited circumstances, with appropriate safeguards:
- Service providers (subprocessors): We share information with vendors that help us run the Services — for example, hosting and storage, email and notification delivery, payment processing, analytics and error monitoring, customer support, security, and the AI providers described above. We require these vendors to protect the information and to use it only to provide services to us. The current list is on our Subprocessors page.
- Advertising and analytics partners: On our public marketing and blog pages, we use cookies and pixels from advertising and analytics services (such as Meta and LinkedIn) to understand the effectiveness of our marketing and to show ads for Sutra on other platforms. See our Cookies Policy and the choices described in "Your Rights" below.
- Legal and safety: We may disclose information in response to a lawful request (such as a subpoena or court order), or when we believe in good faith that it's necessary to protect the rights, property, or safety of Sutra, our users, or the public.
- With your consent or direction: We may share information when you ask us to or otherwise direct us to.
- Business transfers: If Sutra is involved in a merger, acquisition, financing, or sale of assets, your information may be transferred as part of that transaction, subject to this Privacy Policy.
- Aggregated or de-identified information: We may share information that can no longer reasonably be used to identify you — for example, aggregate usage statistics.
We do not sell your personal information for money, and we aren't a data broker. We do use advertising and analytics cookies and pixels (including from services such as Meta and LinkedIn) on our public marketing and blog pages to measure and promote our Services; under some state privacy laws this may be considered "selling" or "sharing" personal information, and your choices are described under "Your Rights" below. We do not use your content to train third-party AI models, and (as described above) our AI providers do not use it to train theirs under the commercial terms we use.
Information you choose to make public is disclosed publicly. Depending on a space's settings, content such as your profile, posts, and comments may be visible to others in the space, and content in public spaces may be visible to anyone and indexed by search engines. Please keep this in mind when deciding what to share and where.
How Long We Keep Information
We keep information about you for as long as it's needed for the purposes described above, and where we're not legally required to keep it. For example, we retain web-server logs for approximately 30 days. When you delete content or a space, it generally remains recoverable for about 30 days before deletion, after which it may persist in routine backups for a limited period (consistent with our hosting provider's point-in-time-recovery window, currently up to about seven days) before being purged.
Security
We work hard to protect information about you against unauthorized access, use, alteration, and destruction, and we take reasonable technical and organizational measures to do so, though no online service is 100% secure. A description of the measures we apply to customer data is set out in Annex 2 of our Data Processing Addendum.
Your Choices
- Limit what you provide: You can choose not to provide optional account, profile, or billing information, though some features may not work without it.
- Mobile permissions: You can use your device settings to limit our apps' access to location, photos, and other stored information.
- Opt out of marketing: Follow the unsubscribe instructions in our messages or contact us. We'll still send account and legal notices.
- Cookies and advertising: You can manage cookies through your browser, and you can opt out of interest-based advertising using industry tools such as youronlinechoices.eu (EU) or optout.aboutads.info (US), or by contacting us. See our Cookies Policy.
- AI: You can exclude your contributions from Sutra's AI (Cobolt) in your account settings under AI & Privacy (sutra.co/settings/account).
- Access, export, and delete: You can update much of your information in your account settings, and you can delete your account from within the Services. You can request an export of your personal information by emailing support@sutra.co. We may retain certain information after deletion as described in "How Long We Keep Information."
Your Rights
Depending on where you live — including California, and countries covered by the EU/UK GDPR and the Swiss FADP — you may have rights over your personal information.
EU, UK, and Switzerland (GDPR / UK GDPR / FADP)
Subject to legal exemptions, you have the rights to: request access to your personal data; request correction or deletion; object to or restrict our processing; and request portability. You also have the right to lodge a complaint with your supervisory authority. Where Sutra processes your data on a customer's behalf (as a processor), please direct your request to that customer; we will assist them as described in our Data Processing Addendum.
California (CCPA, as amended by the CPRA)
In the preceding 12 months, we may have collected the following categories of personal information, depending on the Services used: identifiers (such as name, contact information, and online/device identifiers); commercial information (such as billing information and purchase history); internet or other network activity (such as usage of the Services); geolocation data (such as approximate location from your IP address); audio, electronic, or visual information (such as a profile photo, or call recordings); professional or employment-related information (such as a job application); and inferences (such as likelihood of retention). "Sensitive personal information" we may process includes account log-in credentials and, only where you choose to provide it, precise geolocation; we do not use sensitive personal information to infer characteristics, and we use it only for permitted business purposes.
We collect this information from the sources described in "Information We Collect," for the purposes described in "How and Why We Use Information," and we share it with the categories of recipients described in "Sharing Information."
Subject to legal exemptions, California residents have the right to: know and access the personal information we collect; correct inaccurate personal information; delete personal information; opt out of the "sale" or "sharing" of personal information; limit the use of sensitive personal information; and not receive discriminatory treatment for exercising these rights. We do not sell your personal information for money. However, because we use advertising cookies and pixels (such as Meta and LinkedIn) on our public marketing and blog pages, our practices may be considered a "sale" or "share" of personal information under the CPRA and similar state laws. You can opt out by managing cookies in your browser, using the industry opt-out tools listed in our Cookies Policy, or by emailing support@sutra.co with the subject "Do Not Sell or Share."
Automated decision-making: We do not use your personal information to make decisions that produce legal or similarly significant effects about you without human involvement. AI-assisted features generate content and suggestions for you and your space; they do not make consequential decisions about you on our behalf.
Exercising Your Rights
You can access, correct, or delete much of your information directly in your account settings. For other requests, contact us as described in "How to Reach Us." We'll verify your identity before acting on a request — for example, by confirming you can access the email associated with your account — and you may use an authorized agent with written authorization.
How to Reach Us
If you have a question about this Privacy Policy or want to exercise any of the rights above, contact us at support@sutra.co.
Because the Services are offered worldwide, information about you may be processed in, stored in, or accessed from countries outside your own, including the United States. Where we transfer personal data out of the EEA, UK, or Switzerland, we use appropriate safeguards (such as the European Commission's Standard Contractual Clauses), as further described in our Data Processing Addendum.
Children
The Services are designed for adults. You must be at least 13 years old to use them, and customers must not knowingly collect personal information from children under 13 through the Services without verifiable parental consent as required by law (see the prohibited-data provisions of our Data Processing Addendum). If you believe a child under 13 has provided us personal information, contact us at support@sutra.co and we'll take appropriate steps.
Changes to This Policy
We may update this Privacy Policy from time to time. The "Last updated" date above shows when it was last revised. If we make material changes, we'll provide additional notice (for example, through the Services or by email). Your continued use of the Services after an update takes effect is subject to the updated policy.