Privacy Policy

Effective Date: April 15, 2026 · Last Updated: April 15, 2026

Your privacy is fundamental to us. This Privacy Policy explains how Jasmine Entertainment FZE ("Company," "we," "us," or "our") collects, uses, stores, shares, and protects your personal data when you use the Sahm (سهم) application and related services (the "Service").

Sahm is an AI-powered personal life management tool. By its nature, the Service processes highly personal data to deliver its core functionality. We are committed to transparency about how your data is handled and to giving you meaningful control over your information.

By using the Service, you acknowledge that you have read and understood this Privacy Policy. This Policy should be read together with our Terms of Service.

1. Introduction

1.1. Sahm enables you to capture unstructured thoughts, notes, voice recordings, photographs, documents, emails, and browsing context, and uses artificial intelligence to organize this information into structured life items. The Service analyzes your data to identify patterns, generate insights, make predictions, and surface connections across your life.

1.2. Given the deeply personal nature of the data you entrust to us, we hold ourselves to the highest standards of data protection and privacy. This Policy describes our practices in detail so you can make informed decisions about using the Service.

1.3. This Policy applies to all users of the Service worldwide. Where specific regulations grant additional rights to users in particular jurisdictions, those additional rights are described in dedicated sections of this Policy (Sections 12, 13, and 14).

2. Data Controller

2.1. The data controller responsible for your personal data is:

Jasmine Entertainment FZE

Sharjah Publishing City Free Zone
Sharjah, United Arab Emirates

Email: support@getsahm.com

2.2. For questions specifically relating to data protection, please contact our Data Protection Officer at privacy@getsahm.com.

3. Data We Collect

We collect the following categories of data:

3.1. Account Information

When you create an account, we collect:

  • Name (first and last);
  • Email address;
  • Profile photograph (if provided);
  • Authentication credentials and session tokens for email verification and social sign-in;
  • Account preferences and settings.

3.2. User Content (Brain Dumps and Ambient Capture)

The core of the Service involves processing content you submit. This may include:

  • Text input: Unstructured notes, thoughts, to-do items, and other text you type or paste;
  • Voice recordings: Audio files you record through the Service, which are transcribed and analyzed;
  • Photographs and images: Images you upload, which may be processed using optical character recognition (OCR) and image analysis;
  • Documents: Files you upload (PDFs, text files, etc.) that are parsed and analyzed;
  • Forwarded emails: Emails you forward to the Service, including email headers, body text, and attachments;
  • Browser extension captures: Web page content, URLs, and contextual information captured through the Sahm browser extension, if installed.

3.3. AI-Derived Data

Through AI processing of your User Content, we generate and store:

  • Structured life items: Parsed, categorized entries created from your unstructured input;
  • Vector embeddings: Mathematical representations of your content stored in our database (PostgreSQL with pgvector) used to identify semantic relationships and patterns;
  • Insights and predictions: AI-generated observations about patterns in your data;
  • Relationship maps: Connections identified between people, events, goals, and other elements in your data;
  • Brain Wiring outputs: Results of overnight holistic analysis of your accumulated data.

3.4. Payment Information

When you subscribe to a paid plan, our payment processor Stripe collects:

  • Payment card number, expiration date, and CVC (processed and stored exclusively by Stripe);
  • Billing name and address;
  • Transaction history and subscription status.

We receive from Stripe only: the last four digits of your card number, card type, billing address, transaction amounts, and subscription status. We do not store full payment card details on our servers.

3.5. Usage Data

We automatically collect information about how you interact with the Service:

  • Features used and frequency of use;
  • Session duration and timestamps;
  • Device type, operating system, and browser version;
  • IP address (used for approximate geolocation and security purposes);
  • Error logs and performance data;
  • Referral source (how you found the Service).

3.6. Communication Data

If you contact our support team, we collect:

  • Your email address and name;
  • The content of your correspondence;
  • Any attachments you provide;
  • Support ticket metadata (timestamps, status, category).

4. How We Use Your Data

We use your data for the following purposes:

4.1. Providing the Service

  • Processing your Brain Dumps and Ambient Captures into structured life items;
  • Generating AI insights, predictions, and pattern analyses;
  • Powering the Card Feed, Constellation View, and Brain Wiring features;
  • Enabling Share Features when you choose to share content;
  • Authenticating your identity and maintaining your account.

4.2. Processing Payments

  • Processing subscription payments and one-time purchases;
  • Managing billing cycles and sending payment receipts;
  • Handling refund requests.

4.3. Improving the Service

  • Analyzing aggregate, anonymized usage patterns to improve features;
  • Identifying and fixing bugs and performance issues;
  • Developing new features based on aggregated user behavior data.

4.4. Communication

  • Sending transactional emails (account verification, password resets, payment confirmations);
  • Sending service-related notifications (feature updates, policy changes, security alerts);
  • Responding to your support inquiries;
  • Sending optional marketing communications (only with your explicit consent; you can opt out at any time).

4.5. Security and Fraud Prevention

  • Detecting and preventing fraudulent activity, abuse, and unauthorized access;
  • Monitoring for security threats and vulnerabilities;
  • Enforcing our Terms of Service.

4.6. Legal Compliance

  • Complying with applicable laws, regulations, and legal processes;
  • Responding to lawful requests from governmental authorities;
  • Establishing, exercising, or defending legal claims.

5. Legal Bases for Processing (GDPR)

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, we process your personal data on the following legal bases:

  • Performance of Contract (Article 6(1)(b) GDPR): Processing necessary to provide the Service to you as described in our Terms of Service, including AI processing of your User Content to generate life items, insights, and predictions;
  • Consent (Article 6(1)(a) GDPR): Where you have given explicit consent, such as for marketing communications, optional data processing features, or processing of special categories of data;
  • Legitimate Interests (Article 6(1)(f) GDPR): For purposes such as improving the Service, ensuring security, and preventing fraud, where these interests are not overridden by your rights and freedoms;
  • Legal Obligation (Article 6(1)(c) GDPR): Where processing is necessary to comply with a legal obligation to which we are subject.

Where we rely on consent, you have the right to withdraw it at any time. Withdrawal of consent does not affect the lawfulness of processing carried out before withdrawal.

5.1. Special Categories of Data

Given the nature of the Service, your User Content may include data that qualifies as special category data under the GDPR (e.g., health information, religious beliefs, or data concerning your personal relationships). We process such data solely on the basis of your explicit consent, which you provide by choosing to submit this information to the Service. You may withdraw this consent at any time by deleting the relevant content or your account.

6. AI Processing of Your Data

AI processing is central to the Service. This section describes in detail how your data is processed by AI systems.

6.1. How AI Processes Your Data

  • Natural Language Processing: Text inputs are analyzed to extract entities (people, places, dates, tasks), sentiment, and intent;
  • Voice Transcription and Analysis: Audio recordings are transcribed to text and then processed as described above. Original audio files are retained only as long as necessary for transcription and are then deleted, unless you choose to retain them;
  • Image Analysis and OCR: Images are processed to extract text (OCR) and identify relevant content;
  • Document Parsing: Documents are parsed to extract structured data;
  • Email Analysis: Forwarded emails are parsed to extract dates, contacts, action items, and other relevant information;
  • Vector Embedding Generation: Your content is converted into vector embeddings (numerical representations) stored in PostgreSQL with pgvector. These embeddings enable semantic search and pattern identification across your data;
  • Brain Wiring (Overnight Analysis): During scheduled overnight windows (approximately 2:00 AM to 5:00 AM in your local time zone), a comprehensive AI analysis is performed across all your accumulated data to identify holistic patterns, generate cross-cutting insights, and surface predictions. This is a Pro plan feature.

6.2. AI Providers

We use the following AI service providers to process your data:

  • Google (Gemini): Used for content parsing, entity extraction, and insight generation. Data sent to Google Gemini is processed under our enterprise agreement, which prohibits Google from using your data to train its general AI models;
  • Anthropic (Claude): Used for advanced reasoning, overnight Brain Wiring analysis, and complex pattern identification. Data sent to Anthropic is processed under our enterprise agreement, which prohibits Anthropic from using your data to train its general AI models.

Data transmitted to AI providers is encrypted in transit (TLS 1.2 or higher). We send only the minimum data necessary for each processing task. AI providers process your data as sub-processors under our data processing agreements.

6.3. No General Model Training

We do not use your User Content to train general-purpose AI models. Your data is used exclusively to provide personalized features within your own account. Our agreements with AI providers contractually prohibit them from using your data for model training purposes.

6.4. Automated Decision-Making

The Service uses automated processing to organize, categorize, and prioritize your data. However, the Service does not make decisions that produce legal effects or similarly significant effects on you based solely on automated processing. AI Outputs are informational only; you retain full control over any actions you take based on them.

7. Data Sharing and Third-Party Processors

7.1. We do not sell your personal data. We do not share your User Content with third parties for their own purposes. We share data only in the limited circumstances described below.

7.2. Sub-Processors

We use the following categories of sub-processors to deliver the Service:

| Provider | Purpose | Data Processed | Location |
| --- | --- | --- | --- |
| Google and Apple | Optional social sign-in | Name, email, profile identifiers, identity tokens | United States |
| Stripe | Payment processing | Payment card details, billing address, transaction data | United States |
| Google (Gemini) | AI content processing | User Content submitted for AI analysis | United States |
| Anthropic (Claude) | AI content processing, Brain Wiring | User Content submitted for AI analysis | United States |
| Cloudflare | CDN, R2 object storage, Workers (share pages) | Uploaded images, shared page content, traffic data | Global (edge network) |
| Railway | Backend infrastructure hosting | All backend data (database, application logic) | United States |
| Resend | Transactional email delivery | Email address, email content | United States |

7.3. User-Initiated Sharing

When you use Share Features (Live Views, Availability Beacon, Digest Stream, Collections), the selected content is made accessible through publicly or semi-publicly accessible pages hosted on Cloudflare Workers. You control what data is shared and can revoke access at any time.

7.4. Legal Requirements

We may disclose your data if required to do so by law, regulation, legal process, or governmental request, or if we believe in good faith that disclosure is necessary to:

  • Comply with a legal obligation;
  • Protect and defend our rights or property;
  • Prevent fraud or other illegal activity;
  • Protect the safety of users or the public;
  • Protect against legal liability.

We will notify you of any legal demand for your data unless prohibited from doing so by law or court order.

7.5. Business Transfers

In the event of a merger, acquisition, reorganization, bankruptcy, or sale of all or a portion of our assets, your personal data may be transferred as part of the transaction. We will notify you of any such transfer and any changes to the applicable privacy policy.

8. Cross-Border Data Transfers

8.1. Jasmine Entertainment FZE is based in the United Arab Emirates. However, the Service relies on infrastructure and service providers located in multiple jurisdictions, primarily the United States.

8.2. Your data may be transferred to, stored in, and processed in countries other than your country of residence, including the United States. These countries may have data protection laws that differ from those in your jurisdiction.

8.3. For EEA/UK Users: When we transfer personal data outside the EEA or UK, we ensure adequate safeguards are in place, including:

  • Standard Contractual Clauses (SCCs) approved by the European Commission;
  • Transfers to countries that have received an adequacy decision from the European Commission;
  • Other lawful transfer mechanisms as appropriate.

You may request a copy of the applicable transfer safeguards by contacting us at privacy@getsahm.com.

8.4. For UAE Users: Cross-border transfers of personal data are conducted in compliance with UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data and its implementing regulations, including any requirements for adequate levels of protection or appropriate safeguards.

9. Data Retention

9.1. Active Accounts: We retain your data for as long as your account is active and as necessary to provide the Service to you.

9.2. Account Deletion: When you delete your account, we will delete your User Content, AI-derived data (including vector embeddings), and associated personal data within ninety (90) days. Certain data may persist in encrypted backups for up to an additional ninety (90) days before being purged.

9.3. Specific Retention Periods:

  • User Content and Life Items: Retained for the duration of your account, deleted within 90 days of account deletion;
  • Vector Embeddings: Retained for the duration of your account, deleted alongside User Content;
  • Voice Recordings (original audio): Deleted after transcription is complete (typically within 24 hours), unless you opt to retain originals;
  • Payment Records: Retained for seven (7) years after the transaction as required by financial regulations and tax law;
  • Usage Data: Retained in aggregate, anonymized form indefinitely for analytics; identifiable usage data is deleted within 90 days of account deletion;
  • Support Communications: Retained for three (3) years from the date of last communication for quality and training purposes;
  • Server Logs: Retained for ninety (90) days for security and debugging purposes.

9.4. Inactive Accounts: Accounts that have been inactive for more than twelve (12) consecutive months may be scheduled for deletion. We will send at least two (2) notices to your registered email address at least thirty (30) days before deletion, giving you the opportunity to reactivate your account or export your data.

10. Data Security

10.1. We implement technical and organizational security measures designed to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These measures include:

Technical Measures

  • Encryption in Transit: All data transmitted between your device and our servers is encrypted using TLS 1.2 or higher;
  • Encryption at Rest: Data stored in our databases and object storage (Cloudflare R2) is encrypted at rest using AES-256 encryption;
  • Access Controls: Role-based access controls (RBAC) limit access to personal data to authorized personnel only;
  • Authentication Security: Passwordless email verification and signed session tokens protect user accounts;
  • API Security: API endpoints are protected with authentication tokens, rate limiting, and input validation;
  • Dependency Management: Regular automated scanning of software dependencies for known vulnerabilities.

Organizational Measures

  • Access to personal data is limited to team members who require it for their role;
  • All team members are bound by confidentiality obligations;
  • Regular security reviews and risk assessments;
  • Incident response procedures for data breaches.

10.2. Despite our efforts, no method of electronic transmission or storage is completely secure. While we strive to use commercially acceptable means to protect your data, we cannot guarantee its absolute security. You are responsible for maintaining the security of your account credentials.

11. Your Rights

Regardless of your location, we provide the following rights to all users:

  • Access: You may request a copy of the personal data we hold about you;
  • Correction: You may request that we correct any inaccurate or incomplete personal data;
  • Deletion: You may request that we delete your personal data, subject to any legal retention obligations;
  • Data Portability: You may request a copy of your data in a structured, machine-readable format;
  • Objection: You may object to certain types of processing, such as processing based on legitimate interests;
  • Restriction: You may request that we restrict the processing of your data in certain circumstances;
  • Withdrawal of Consent: Where we process your data based on consent, you may withdraw that consent at any time.

To exercise any of these rights, please contact us at privacy@getsahm.com. We will respond to your request within thirty (30) days (or within the timeframe required by applicable law). We may need to verify your identity before processing your request.

Where your request is manifestly unfounded, excessive, or repetitive, we may charge a reasonable fee or refuse to act on it, in accordance with applicable law.

12. GDPR Compliance (European Economic Area Users)

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, the following additional provisions apply:

12.1. Data Protection Rights

In addition to the rights described in Section 11, you have the right to:

  • Lodge a Complaint: You have the right to lodge a complaint with your local Data Protection Authority (DPA) if you believe our processing of your personal data violates the GDPR;
  • Object to Automated Decision-Making: You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. The Service does not make such decisions;
  • Right to Explanation: You may request a meaningful explanation of the logic involved in any automated processing of your data.

12.2. Data Processing Agreements

We maintain Data Processing Agreements (DPAs) with all sub-processors listed in Section 7.2, ensuring they meet GDPR requirements for data protection.

12.3. Data Protection Impact Assessments

We conduct Data Protection Impact Assessments (DPIAs) for processing activities that are likely to result in a high risk to individuals' rights and freedoms, including our AI processing operations.

12.4. Representative

If required under Article 27 of the GDPR, we will appoint a representative in the EU. Details of our EU representative, once appointed, will be published at this location. In the interim, you may contact us directly at privacy@getsahm.com.

13. CCPA Compliance (California Residents)

If you are a resident of the State of California, United States, the following additional provisions apply pursuant to the California Consumer Privacy Act of 2018 and the California Privacy Rights Act of 2020 (collectively, "CCPA"):

13.1. Categories of Personal Information Collected

In the preceding twelve (12) months, we have collected the following categories of personal information as defined by the CCPA:

  • Identifiers: Name, email address, IP address, account ID;
  • Commercial Information: Subscription plan, payment history, transaction records;
  • Internet or Network Activity: Usage data, browser type, device information;
  • Geolocation Data: Approximate location derived from IP address;
  • Audio, Electronic, Visual Information: Voice recordings, photographs, documents you upload;
  • Inferences: AI-generated insights, predictions, and pattern analyses derived from your data;
  • Sensitive Personal Information: Potentially, depending on the content you choose to submit (e.g., health-related information, personal beliefs, relationship details).

13.2. Sale and Sharing of Personal Information

We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising purposes. We have not sold or shared personal information in the preceding twelve (12) months.

13.3. Your California Privacy Rights

As a California resident, you have the right to:

  • Know: Request disclosure of the categories and specific pieces of personal information we have collected about you;
  • Delete: Request deletion of your personal information, subject to certain exceptions;
  • Correct: Request correction of inaccurate personal information;
  • Opt-Out of Sale/Sharing: Although we do not sell or share your data, you may exercise this right at any time;
  • Limit Use of Sensitive Personal Information: Request that we limit the use and disclosure of your sensitive personal information to what is necessary to provide the Service;
  • Non-Discrimination: We will not discriminate against you for exercising any of your privacy rights.

13.4. Exercising Your Rights

To exercise your CCPA rights, please contact us at privacy@getsahm.com or submit a request through the Service's settings. We will verify your identity before processing your request. You may designate an authorized agent to make requests on your behalf, subject to identity verification.

13.5. Financial Incentives

Our Free Tier offering is not a financial incentive program. It is a standard tier of service available to all users regardless of their data sharing decisions.

14. UAE Personal Data Protection Law Compliance

As a company registered in the United Arab Emirates, we comply with UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data ("UAE PDPL") and its implementing regulations.

14.1. Lawful Basis for Processing

We process personal data under the UAE PDPL on the following bases:

  • Your consent, which you provide by creating an account and using the Service;
  • Performance of a contract to which you are a party (our Terms of Service);
  • Compliance with legal obligations applicable to us in the UAE;
  • Our legitimate interests, provided they do not override your fundamental rights and freedoms.

14.2. Rights Under UAE PDPL

Under the UAE PDPL, you have the right to:

  • Access your personal data held by us;
  • Request correction of inaccurate data;
  • Request deletion or destruction of data that is no longer necessary;
  • Withdraw consent at any time;
  • Object to processing in certain circumstances;
  • Request data portability;
  • Lodge a complaint with the UAE Data Office.

14.3. Cross-Border Transfers

Where we transfer personal data outside the UAE, we do so in accordance with the requirements of the UAE PDPL, ensuring that the receiving country provides an adequate level of data protection or that appropriate safeguards are in place.

15. Children's Privacy

15.1. The Service is not intended for use by individuals under the age of sixteen (16). We do not knowingly collect personal data from children under 16.

15.2. If we become aware that we have collected personal data from a child under 16 without parental consent, we will take steps to delete that data as promptly as possible.

15.3. If you are a parent or guardian and believe your child under 16 has provided personal data to us, please contact us at privacy@getsahm.com so we can take appropriate action.

15.4. In jurisdictions where the minimum age for data processing is higher than 16, we will comply with the applicable local requirement.

16. Cookies and Tracking Technologies

16.1. The Service uses the following types of cookies and similar technologies:

Strictly Necessary Cookies

These cookies are essential for the Service to function and cannot be disabled. They include:

  • Authentication session storage for signed-in users;
  • Security cookies (CSRF protection);
  • User preference cookies (theme, language settings).

Analytics Cookies

With your consent, we may use analytics cookies to understand how users interact with the Service. These help us measure feature usage and identify areas for improvement. You can opt out of analytics cookies through your browser settings or our cookie preferences interface.

16.2. No Advertising Cookies

We do not use advertising or tracking cookies. We do not serve ads and do not share cookie data with advertising networks.

16.3. Local Storage

The Service uses browser local storage to store your theme preferences, UI state, and temporary data for offline functionality. This data remains on your device and is not transmitted to our servers except as necessary for the Service's operation.

16.4. Managing Cookies

You can manage or delete cookies through your browser settings. Disabling strictly necessary cookies may prevent the Service from functioning properly. For more information about cookies and how to manage them, visit www.allaboutcookies.org.

17. Sharing Features and Public Data

17.1. When you use Share Features, you are making a deliberate choice to make selected data accessible outside your private account. This section clarifies how shared data is handled.

17.2. What is Shared: Only the specific content you select for sharing is made accessible. Your entire account data is never shared.

17.3. How it is Hosted: Shared content is served through Cloudflare Workers as publicly or semi-publicly accessible web pages. These pages may be accessible to anyone with the URL.

17.4. Search Engine Indexing: Shared pages may be indexed by search engines. You can configure sharing settings to include a noindex directive to discourage search engine indexing, though we cannot guarantee compliance by all search engines.

17.5. Third-Party Access: Once content is shared, recipients may copy, screenshot, or otherwise capture the shared content. We cannot control how recipients use information they access through shared pages.

17.6. Revoking Shares: You may revoke access to any shared content at any time. Once revoked, the shared page will return a 404 error. However, previously accessed or cached content cannot be recalled.

17.7. Third-Party Personal Data: You must not share content containing personal data of third parties through Share Features unless you have obtained their consent or have another lawful basis for doing so.

18. Data Breach Notification

18.1. In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:

  • Notify the relevant supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach (as required by GDPR, UAE PDPL, or other applicable law);
  • Notify affected users without undue delay where the breach is likely to result in a high risk to their rights and freedoms;
  • Document the breach, its effects, and the remedial actions taken.

18.2. Breach notifications will include:

  • A description of the nature of the breach;
  • The categories and approximate number of individuals affected;
  • The likely consequences of the breach;
  • The measures taken or proposed to address the breach;
  • Contact details for obtaining further information.

19. Changes to This Policy

19.1. We may update this Privacy Policy from time to time to reflect changes in our practices, the Service, or applicable law.

19.2. For material changes, we will:

  • Post a prominent notice within the Service at least thirty (30) days before the changes take effect;
  • Send an email notification to your registered email address;
  • Update the "Last Updated" date at the top of this Policy.

19.3. For non-material changes (e.g., formatting, clarifications that do not alter the substance), we will update the Policy and note the change in the revision history.

19.4. Your continued use of the Service after the effective date of any changes constitutes your acceptance of the updated Policy. If you do not agree with the changes, you should discontinue use of the Service and may request deletion of your account and data.

20. Contact Information and Data Protection Officer

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

General Inquiries

Jasmine Entertainment FZE

Sharjah Publishing City Free Zone
Sharjah, United Arab Emirates

Email: support@getsahm.com

Website: getsahm.com

Data Protection Officer

Email: privacy@getsahm.com

Supervisory Authorities

If you are unsatisfied with our response to a privacy concern, you may contact the relevant data protection authority:

This Privacy Policy was last updated on April 15, 2026.