SGEN data security and privacy explained
How to understand and manage SGEN data security and privacy
Your site's content, visitor events, and account information live inside the SGEN platform. This page explains exactly where that data is hosted, how it is protected in transit, what SGEN retains and for how long, which third-party services receive data, and what your account roles control. Every fact here comes from the SGEN system map — nothing is invented or inferred from certification claims. Read this before writing your own privacy policy or responding to a customer security questionnaire.
What is this for?
Use this page to answer the practical questions your team or your clients will ask:
- Where is my data physically hosted? Google Cloud, United States. No EU residency option exists today.
- Can one SGEN site read another site's database? No. Each site runs in its own isolated database with unique credentials.
- Is traffic encrypted? Yes. All traffic travels over HTTPS with TLS. The platform enforces HSTS.
- What does SGEN store about me and my visitors? Account details, site content, visitor behavioral events, support tickets, and affiliate payout data if enrolled.
- Which third-party services receive data? The confirmed subprocessor list is in the Subprocessors section below.
- How long is my data kept after I delete something? Deleted sites are held for 30 days then purged. Backups run on a 7-day automatic cycle.
- What roles can I assign my team? Owner, Admin, and Member. An organization can have at most 10 admins.
Good use cases
Answering a client security questionnaire. Most questionnaires ask where data is hosted, how it is encrypted in transit, and who the subprocessors are.
Writing or reviewing a privacy policy for your site. Your privacy policy needs to name your data processors. SGEN is one processor; the subprocessor list below names the others.
Understanding what happens when you delete a site. The 30-day grace window and the backup lifecycle affect how quickly data is fully gone.
Setting up your team access correctly. The Roles section explains what each role can do and the 10-admin cap.
Explaining SGEN to a new team member responsible for compliance. Point them to this page as the starting reference.
Responding to a visitor's data-access request. The data categories section tells you what exists on the platform side.
What NOT to use this for
Confirming security certifications. SGEN does not currently publish ISO 27001, SOC 2, HIPAA, or similar certification documents.
Claiming GDPR or CCPA compliance on SGEN's behalf. The compliance determination is yours to make.
Self-serve account deletion. The Delete Account control does not currently complete a deletion. Contact SGEN support directly.
Confirming encryption at rest. In-transit encryption (HTTPS/TLS) is confirmed. At-rest encryption is not stated in the available documentation and is therefore not claimed here.
Region selection or data-residency configuration. There is no EU or regional data-residency option. All data is stored in the United States on Google Cloud.
Before you start
- Your own data inventory. List what personal data your site collects from visitors.
- A designated team member for data requests. Visitor data-access and deletion requests need someone to own them.
- Access to your organization's account settings. You need Owner or Admin access to review or change roles.
- Your site's current backup status. Open the dashboard and confirm the last backup completed.
Where to go
- Dashboard → Sites → [your site] → Settings → Backups — manage manual backups.
- Dashboard → Account Settings → Organization → Members — review and change team member roles.
- Dashboard → Account Settings → Profile — name, phone, and email details.
- Dashboard → Support — file a support ticket, including account-deletion requests.
Steps
1. Confirm your site is served over HTTPS
Open your public site URL. The lock icon and https:// prefix confirm TLS is active. SGEN provisions and renews TLS certificates automatically. For custom domains, allow up to 24 hours for certificate provisioning.
2. Check your backup archive
Open Dashboard → Sites → [your site] → Settings → Backups. The platform keeps up to 7 manual backups and 7 import archives per site. Automatic backups run daily and are retained for 7 days.
3. Review your team member roles
Open Dashboard → Account Settings → Organization → Members.
- Owner — full control, including billing, role changes, and site deletion. Each organization has exactly one owner.
- Admin — can manage site content, settings, and team members. Maximum 10 admins per organization.
- Member — standard site-editing access; cannot change roles or billing.
4. Understand the site-deletion timeline
When you delete a site, it enters a 30-day grace window. After 30 days an automated job permanently purges the site database and all associated media.
5. Understand what the help widget stores
The SGEN in-app help widget stores your chat history in browser local storage only. No chat content is read back to SGEN servers.
6. Handle a visitor data-deletion request
- Identify the visitor's records by searching form submissions using their email address.
- Delete the specific records from your site's admin panel.
- Note that automatic backup retention runs 7 days. Manual backups you hold will need to be individually deleted or will fall off at expiry.
- Document the request and your response for your own compliance records.
7. Request account deletion
Contact support at support@sgen.com. The Delete Account button in the dashboard does not currently complete a deletion. Support will confirm your identity and process the request manually.
What success looks like
- Your public site shows a valid HTTPS padlock in every browser.
- Your backup archive shows automatic backups within the last 24 hours.
- Every team member has the correct role — no ex-employees with admin access.
- You know the 30-day deletion timeline and have it documented.
- You have a named person responsible for handling visitor data requests.
- Your privacy policy names SGEN and the subprocessors as data processors.
Hosting and per-site isolation
SGEN runs on Google Cloud in the United States. There is no EU residency option or regional data-residency configuration available today. All customer sites are served from US infrastructure.
Each customer site has its own isolated database. The database runs under a unique user account that has access only to that site's data. No query from one site can touch another site's rows. Sessions are also scoped per site; a session token from one site cannot authenticate against another.
This is a structural database-level boundary enforced by the platform for every site — not a flag or a setting.
Data retention reference
Every confirmed retention window in the SGEN platform, from the SGEN system map:
| Data type | Retention |
|---|---|
| Deleted site (grace window) | 30 days before automated purge |
| Automatic site backups | 7 days (production sites only) |
| Manual site backups | Up to 7 per site; no automatic expiry |
| Import archives | Up to 7 per site; no automatic expiry |
| Session cookies (admin) | 14 days of inactivity |
| Session cookies (regular user) | 6 hours |
| Help widget chat (browser) | Until browser local storage is cleared |
The 30-day site purge is automated. If you delete a site and change your mind, you have 30 days to restore it. After 30 days, restoration is not possible.
Manual backups do not expire automatically. They stay in your archive until you delete them or hit the 7-backup limit.
Automatic backups run on production sites only. Sandbox sites do not receive automatic daily backups.
Subprocessors
These external services receive data as part of the SGEN platform. Your privacy policy should name these alongside SGEN as data processors.
| Service | Category | Purpose |
|---|---|---|
| Google Cloud | Infrastructure | Hosting, storage, databases, CDN — United States |
| Stripe | Payments | Subscription billing and card processing |
| Wise | Payments | Affiliate payout processing (if enrolled) |
| Xendit | Payments | Affiliate payout via GCash (if enrolled, Philippines) |
| Razorpay | Payments | Affiliate payout (if enrolled, India) |
| SendGrid | Communications | Transactional email (OTP, notifications) |
| Twilio | Communications | SMS and OTP verification |
| ClickUp | Support | Support ticket tracking |
| GoHighLevel | CRM | CRM contact created on checkout |
| Google Analytics | Analytics | Site analytics (Google integration) |
| Google Tag Manager | Analytics | Tag management (Google integration) |
| Google Search Console | Analytics | Search data (Google integration) |
| Anthropic | AI | In-app help and assistant features |
| OpenAI / Gemini | AI | AI fallback for help features |
Google Analytics, Tag Manager, and Search Console apply only if you have connected a Google account to your site. Payout processors (Wise, Xendit, Razorpay) apply only if enrolled in the affiliate program. AI subprocessors (Anthropic, OpenAI, Gemini) handle help widget interactions.
Cookies and local storage
| Name | Type | Details |
|---|---|---|
| Session cookie | Required | Keeps you signed in to the SGEN admin. Expires after 14 days of inactivity (admin) or 6 hours (regular users). |
| sgen_ref | Affiliate attribution | Set when a visitor arrives via a referral link. Not set for non-referral visitors. |
| Help widget chat history | Local storage only | Stored on your device. Not transmitted to SGEN servers. Cleared when you clear browser storage. |
These are the cookies SGEN itself sets. Third-party integrations set their own cookies. Your site's cookie consent banner should cover those.
Related reading
- How SGEN handles platform updates — security patches reach your site through the same update process.
- SGEN reliability and uptime explained — availability commitments and backup restore.
- SGEN site performance explained — how caching affects when privacy-related content changes go live.
- Team access the right way — detailed walkthrough of setting up roles within the 10-admin cap.
