AI Privacy Notice

Effective Date: September 30, 2025

1. Purpose

This Artificial Intelligence Privacy Notice (“Notice”) outlines the latest Artificial Intelligence (“AI”) features integrated into the offerings of Sawtooth Software (“Sawtooth,” “we,” “our,” or “us”), whether developed in-house at Sawtooth or provided by third-party vendors. We are committed to ensuring transparency, accountability, and compliance with applicable data protection laws, including but not limited to the California Consumer Privacy Act (“CCPA”), California Privacy Rights Act (“CPRA”) as amended, the General Data Protection Regulation (“GDPR”), and the EU Artificial Intelligence Act (“EU AI Act”).

This Notice is intended for our customers, survey authors, and users of our AI offerings. Collectively, we refer to these groups as “you” throughout this Notice.

For those individuals who participate in surveys conducted through our platforms, please review our Privacy Notice to Survey Respondents.

2. Transparency of Our Current AI Offerings

a. HubSpot AI Features

This section applies to you only if and when you send/exchange any email to/with support@sawtooth.com (“Support Help Desk”) or sales@sawtooth.com (“Sales Help Desk”), together our “Help Desk”. We would like you to know that, when you email our Help Desk, we serve you through a third-party vendor, HubSpot, and this platform integrates AI features provided by its sub-processors (HubSpot Sub-Processors Page) to enhance our customer support.

Under the EU AI Act, HubSpot’s current AI features would be categorized as “limited risk” AI systems.

Key Roles Under EU AI Act.

  • HubSpot: the provider of its AI features
  • OpenAI: the upstream provider of the foundational GPAI model
  • Sawtooth: the deployer/user of the AI features
  • Sawtooth’s customers or any Help Desk email senders: the data subjects

AI Functionalities (i.e., the purposes of processing) include:

  • Automated summarization of support conversations
  • AI-generated response recommendations for support/sales agents
  • Contextual analysis to improve service quality and resolution speed

User Awareness of AI Interaction and Synthetic Content. If you choose to email our Help Desk, please note that our response to your email may be either completely synthetically generated by AI or partially generated by AI with human input and modification. Please also note that these AI features are not configurable on a per-customer basis and are essential to our ability to efficiently respond to inquiries and provide timely support.

General-Purpose AI (GPAI) Model Disclosure. Our third-party vendor, HubSpot, includes AI-powered summaries and response recommendations designed to assist our support and sales personnel in managing and replying to your inquiries more efficiently. These capabilities are supported by general-purpose AI (GPAI) models developed and maintained by HubSpot and its sub-processors, which may include OpenAI. In alignment with Article 53 of the EU AI Act, we disclose that these GPAI models are trained on broad datasets intended to support a wide range of natural language tasks. However, we affirm that no data entered into HubSpot Help Desk, including help desk tickets, email content, support or sales personnel responses, or customer interactions would be used to train or fine-tune the underlying AI models. All data remains securely within the HubSpot environment and is processed solely to deliver real-time assistance and insights to authorized support and sales personnel. This ensures that your data contributes to your operational outcomes without influencing the development of external AI systems.

Human Oversight. HubSpot’s AI tools are used to assist - not replace - our human support agents. All AI-generated summaries and recommendations are reviewed and actioned by Sawtooth human personnel. Here at Sawtooth, we do not use any HubSpot AI feature for automated decision-making that produces legal effects or impacts the fundamental rights of any individual.

Control. If you do not consent to the use of any support or sales service provided by HubSpot AI, please do not send emails to our Help Desk. Instead, please feel free to directly email any known contact at Sawtooth, or contact privacy@sawtooth.com if you have not worked with anyone at Sawtooth in the past. You have every right to withdraw your consent at any time. Please contact privacy@sawtooth.com if you would like to withdraw your consent or delete any content or information previously processed by this offering.

b. Sawtooth’s Smart Follow-Up in Discover 

This section applies to you if you are an individual who participates in a survey conducted through our Discover platform. The AI Smart Follow-Up in our Discover application refers to an AI feature that dynamically generates personalized follow-up questions based on your previous answers, especially open-ended ones. Currently, this AI will only ask a single follow-up question per response.

Under the EU AI Act, this feature is classified as “limited risk,” and we have implemented transparency and opt-in mechanisms and a rigorous reviewing process accordingly.

Key Roles Under EU AI Act.

  • Sawtooth: the provider of Smart Follow-Up
  • Microsoft Azure AI Foundry: the provider of its AI features
  • OpenAI (hosted by Microsoft): the upstream provider of the foundational GPAI model
  • Customers of Sawtooth: the deployer/user of Smart Follow-Up
  • Survey Respondents: the data subjects

AI Functionalities (i.e., the purposes of processing) include:

  • Real-Time Response Analysis
    The AI analyzes survey respondent input using natural language processing (NLP) to detect themes, sentiment, and intent.
  • Contextual Question Generation
    Based on that analysis, the AI generates a tailored follow-up question that feels natural and relevant. For example, the question “Can you share more about what made the onboarding process difficult?” may be generated immediately after a question where the respondent references onboarding challenges.
  • Conversational Flow
    Instead of static forms, the survey becomes a dynamic interviewer to interviewee dialogue. This may keep the respondent engaged and encourage richer, more thoughtful responses.
  • Deeper Insight Collection
    By prompting elaboration, Smart Follow-Up helps the business or you uncover the “why” behind the survey respondent’s opinions, behaviors, or pain points, which may be critical for product development, CX, and market research.

User Awareness of AI Interaction and Synthetic Content. We make sure that this AI Privacy Notice is presented to you right next to the toggle where you have complete control over the opt-in and opt-out of AI features in Discover. If AI features are turned on by you (or someone with administrative privileges), and you add a Smart Follow-Up question to your survey, survey respondents will be exposed to Smart Follow-Up when taking the survey. This feature utilizes Microsoft Azure AI technology to assist in contextual question generation. While survey respondents do not have direct interaction with the AI, their responses are submitted to the AI system, and they are given follow-up questions created by it. You should know that it is up to you to decide whether your survey respondents should be put on notice of this AI feature, depending on how your survey is designed and the legal advice given to you by your own counsel, and how and when such notice should be presented to your survey respondents.

General-Purpose AI (GPAI) Model Disclosure. The Discover Smart Follow-Up feature is powered by Microsoft Azure AI Foundry, which utilizes general-purpose AI (GPAI) models. In accordance with Article 53 of the EU AI Act, we disclose that these models are developed and maintained by Microsoft and are trained on large-scale datasets summarized in Microsoft’s public GPAI documentation. Importantly, we affirm that user and survey respondent data collected through Discover, including survey designs, responses, and analytical outputs, are not used to train or fine-tune Microsoft Azure AI Foundry models. Furthermore, Discover does not use user or survey respondent data to train its own AI systems. All data remains securely within the application environment and is processed solely for the purpose of delivering insights to authorized users. These safeguards ensure that your data contributes to your outcomes, not to the evolution of external AI models.

Human Oversight. Sawtooth maintains human oversight by reviewing the programming of this AI feature and making improvements based on your voluntary feedback. If you use this AI feature in your survey, you can provide additional instructions (beyond the default prompt) to influence the outputs generated by this AI feature to your survey respondents. Sawtooth personnel do not monitor the AI Smart Follow-Up feature in real time and cannot intervene in the dialogue, switch this AI feature with a human agent, or access or share the survey data, except as required to process your data in accordance with the applicable agreement and by applicable laws and regulations.

Control. Activation of this AI feature requires explicit opt-in by you (if you have administrative privileges in Discover), or someone with administrative privileges. You can opt-out of this AI feature at any time.

c. Sawtooth’s Open-End Analysis in Discover:

An AI open-end analysis in Sawtooth’s Discover is designed to make sense of the free-text responses survey respondents give to open-ended questions—those “tell us more” moments that don’t fit into multiple-choice boxes. Microsoft Azure AI Foundry is the development framework that enables Sawtooth to build and deploy this tool using Microsoft’s infrastructure - especially Azure OpenAI services. Since our Discover platform leverages Microsoft’s AI capabilities (like GPT models) to analyze open-ended survey responses, Microsoft Azure is a sub-processor of your data.

Under the EU AI Act, this feature is classified as “limited risk,” and we have implemented transparency and opt-in mechanisms and a rigorous reviewing process accordingly.

Key Roles Under EU AI Act.

  • Sawtooth: the provider of Open-End Analysis
  • Microsoft Azure AI Foundry: the provider of its AI features
  • OpenAI (hosted by Microsoft): the upstream provider of the foundational GPAI model
  • Customers of Sawtooth: the deployer/user of Open-End Analysis
  • Survey Respondents: the data subjects

AI Functionalities (i.e., the purposes of processing): 

  • Reads and Understands Text Responses
    AI scans through the open-ended answers.
  • Identifies Key Themes and Topics
    It detects recurring ideas, concerns, or sentiments—like “pricing,” “customer service,” or “ease of use”—and groups them into categories.
  • Performs Sentiment Analysis
    AI can assess whether responses are positive, negative, or neutral, helping you understand emotional tone across feedback.
  • Automated Coding
    Instead of you manually tagging responses, AI assigns “codes” or labels to each one based on detected themes. This is similar to how researchers categorize qualitative data.
  • Generates Summaries
    It generates an overall summary of what respondents are saying in the open-ended answers.

User Awareness of AI Interaction and Synthetic Content. We make sure that this AI Privacy Notice is presented to you right next to the toggle where you have complete control over the opt-in and opt-out of AI features in Discover. If AI features are turned on by you (or someone with administrative privileges), you (survey authors/users of our Discover application) will be directly interacting with Open-End Analysis when reviewing the analysis generated by AI. This application utilizes Microsoft Azure AI technology to assist in analytical outputs. While survey respondents do not interact directly with the AI, their open-ended responses are analyzed by the system. You should know that it is up to you to decide whether your survey respondents should be put on notice of this AI feature depending on how your survey is designed and the legal advice given to you by your own counsel and how and when such notice should be presented to your survey respondents.

General-Purpose AI (GPAI) Model Disclosure. The Discover Open-End Analysis feature is powered by Microsoft Azure AI Foundry, which utilizes general-purpose AI (GPAI) models. In accordance with Article 53 of the EU AI Act, we disclose that these models are developed and maintained by Microsoft and are trained on large-scale datasets summarized in Microsoft’s public GPAI documentation. Importantly, we affirm that user and survey respondent data collected through Discover, including survey designs, responses, and analytical outputs, are not used to train or fine-tune Microsoft Azure AI Foundry models. Furthermore, Discover does not use user or survey respondent data to train its own AI systems. All data remains securely within the application environment and is processed solely for the purpose of delivering insights to authorized users. These safeguards ensure that your data contributes to your outcomes, not to the evolution of external AI models.

Human Oversight. Sawtooth maintains human oversight by using AI Foundry’s evaluation tools to test model performance against expected outputs and reviewing the AI Open-End Analysis feature to ensure thematic accuracy, appropriateness, and relevance. However, if this AI feature is on, it is up to you to oversee the types of information analyzed by this AI feature. Sawtooth personnel do not monitor this Open-End Analysis feature in real time and cannot intervene in the analysis process, substitute AI-generated insights with human interpretation, or access or share the survey data, except as required to process data in accordance with the applicable agreement and by applicable laws and regulations.

Control. Activation of this AI feature requires explicit opt-in by you (if you have administrative privileges in Discover), or someone with administrative privileges. You can opt-out of this AI feature at any time.

3. Categories of Personal Data Processed

a. HubSpot AI Features may process the following types of personal and business-related data:

  1. Contact details (e.g., name, email, company affiliation)
  2. Communication content (e.g., support tickets, emails, chat transcripts)
  3. Metadata (e.g., timestamps, ticket status, agent notes)
  4. Behavioral data (e.g., interaction history, sentiment indicators)

b. Sawtooth’s Smart Follow-Up in Discover may process the following types of personal and business-related data:

  1. Survey Response Data
    • Free text answers to open-ended questions

c. Sawtooth’s Open-End Analysis in Discover may process the following types of personal and business-related data:

  1. Survey Response Data
    • Free text answers to open-ended questions
  2. Inferred Data (Generated by AI)
    • Sentiment classification (positive, negative, neutral)
    • Topic or theme categorization (e.g., “pricing concerns,” “customer service”)

4. Legal Basis for Processing

a. HubSpot AI Features

  • Article 6(1)(b) of the General Data Protection Regulation (GDPR) states that processing personal data is lawful if it is necessary for the performance of a contract with the data subject or to take steps at their request before entering into a contract. This means we can process your data if we need to do so to fulfill an agreement that you are a party to, such as delivering a service or product (“Contract Performance”); or
  • Legitimate interests pursuant to Article 6 (1) (f) General Data Protection Regulation (“Legitimate Interest”) is what we generally rely on when you use the HubSpot Help Desk for the efficient performance and the continual management of your data processed by HubSpot’s AI features. We are of the opinion that our legitimate interest is not overridden by your interests and rights or freedoms, given (i) the regular reviews and related documentation of the processing activities described herein, (ii) the protection of your personal data by our data privacy processes, (iii) the transparency we provide on the processing activity, and (iv) the rights you have in relation to the processing activity. If you wish to obtain further information on this balancing test approach, please contact us at: privacy@sawtooth.com.

In some cases, we have an agreement with you that requires us to obtain your consent prior to the use of an AI to process your data. In such cases, the legal basis for us processing that data about you is consent pursuant to Article 6 (1) (a) General Data Protection Regulation (“Consent”).

b. Discover’s Smart Follow-Up and Open-End Analysis (Admin-Level Opt-In):

Activation of these two AI features requires explicit opt-in by you (if you have administrative privileges), or someone with administrative privileges, before data will be processed by these AI features inside our Discover application. Hence, Consent (Article 6 (1) (a) General Data Protection Regulation) is the legal basis for processing customer data here.

You must enable this AI feature either through the Discover platform settings or during onboarding to cause this AI feature to interact with you and your survey respondents. You cannot turn on one feature without turning the other feature on at the same time.

We are unable to obtain consent directly from the survey respondents, and we have no control over their consent to this feature. Nonetheless, we do conspicuously disclose the use of AI to you (i.e., our customers and survey authors) where AI is used. If you do not consent to the processing of your or survey respondents’ data via this AI feature, please do not turn on this AI feature. If you have given your consent but wish to withdraw your consent later, please delete any data that may have already been processed by AI and turn off the AI feature.

5. Data Retention

a. HubSpot’s AI Features:

AI-generated summaries and recommendations are retained in accordance with our data retention policy and HubSpot’s platform settings. We erase your personal data if the retention of that personal data is no longer necessary for the purposes for which they were collected or otherwise processed, or to comply with legal obligations (such as retention obligations under tax or commercial laws).

b. AI Smart Follow-Up and Open-End Analysis Data Retention in Discover:

All AI-generated outputs and survey respondents’ inputs are retained in accordance with our data retention policy and our backup policy (i.e., our backup system retains data for an additional 90 days after data deletion), your control over your data, and Microsoft Azure’s data retention policy and its backup policy. We erase your data if the retention of that data is no longer necessary for the purposes for which they were collected or otherwise processed, or to comply with legal obligations (such as retention obligations under tax or commercial laws).

6. Data Sharing and International Transfers

We do not sell your data under any circumstances, including through our sub-processors. We also do not share or use your data unless required by applicable law or regulation, or as necessary to fulfill the purposes of a valid contractual agreement.

We do not use your data to train AI models.

a. HubSpot’s AI Features:

Sawtooth is the data controller/exporter, and HubSpot is the data processor/importer of inbound emails to support@sawtooth.com and sales@sawtooth.com. These features are powered by sub-processors engaged by HubSpot that can be found on this page: HubSpot Sub-Processors Page.

If you reside outside of the United States, and you email support@sawtooth.com or sales@sawtooth.com, your data will be transferred to a third country (i.e., the United States) for processing. However, HubSpot’s AI features are designed to comply with applicable data protection regulations, including GDPR and CCPA. Data processed through these features is subject to HubSpot’s standard contractual safeguards, including Data Processing Addendum (DPA) and Standard Contractual Clauses (SCCs) for international transfers where applicable.

b. Smart Follow-Up and Open-End Analysis in Discover:

You are the data controller/exporter, Sawtooth is the data processor/importer, and Microsoft Azure is the sub-processor/importer of data submitted to these AI features in the Discover application.

In any case, Sawtooth personnel do not monitor the Smart Follow-Up feature in real time and cannot intervene in the dialogue, switch this AI feature with a human agent, or access or share your survey questions, design, or data, except as required to process your data in accordance with the applicable agreement and by applicable laws and regulations.

We may engage sub-processors to support the operation, optimization, and security of our AI features, platforms, and offering. These entities are contractually bound to process personal data only on our behalf and in accordance with strict confidentiality and data protection obligations.

Specifically, Microsoft Azure may engage sub-processors (Microsoft Online Services Sub-processor List) to provide cloud infrastructure, AI model orchestration, and system monitoring.

Your data may be transferred to and processed in jurisdictions outside of your country of residence, including the United States and other countries where Microsoft or its sub-processors operate.

Where such transfers occur, we implement appropriate safeguards to ensure an adequate level of data protection, including:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • UK and Swiss International Data Transfer Addendum
  • Data Processing Agreements (DPAs) with security and privacy terms

7. Data Subject Rights

a. California Residents

The California Consumer Privacy Act of 2018 (CCPA) gives consumers more control over the personal information that businesses collect about them and the CCPA regulations provide guidance on how to implement the law. This landmark law secures new privacy rights for California consumers, including:

  • The right to know about the personal information a business collects about them and how it is used and shared;
  • The right to delete personal information collected from them (with some exceptions);
  • The right to opt-out of the sale or sharing of their personal information; and
  • The right to non-discrimination for exercising their CCPA rights.

In November of 2020, California voters approved Proposition 24, the CPRA, which amended the CCPA and added new additional privacy protections that began on January 1, 2023. As of January 1, 2023, consumers have new rights in addition to those above, such as:

  • The right to correct inaccurate personal information that a business has about them; and
  • The right to limit the use and disclosure of sensitive personal information collected about them.

Please note that we do not “sell” or “share” your personal information, as those terms are defined under the CCPA as amended or other applicable state law. Additionally, we do not use your “sensitive personal information” for any purposes that would permit you to limit our use of such information.

b. EEA/UK Residents

  • Your Right of Access:
    • The right to obtain confirmation that Sawtooth processes your personal information; and
    • Access to the personal information Sawtooth has about you.
  • Your Right to Rectification:
    • You have the right to have factually inaccurate personal information rectified, to the extent Sawtooth has such inaccurate personal information.
  • Your Right to Erasure:
    • You have the right to have your personal information erased if:
      • Your personal information is no longer necessary for the purpose for which Sawtooth originally collected or processed it;
      • You decide to withdraw your consent;
      • You object to Sawtooth’s processing of your personal information, and Sawtooth has no overriding legitimate interest or other valid basis to continue the processing of your personal information;
      • Sawtooth has processed your personal information unlawfully; or
      • Sawtooth must erase your personal information to comply with a legal obligation.
  • Your Right to Restrict Processing:
    • You have the right to limit the way Sawtooth uses your personal information in certain circumstances:
      • You contested, in good faith, the accuracy of your personal information in Sawtooth’s possession and Sawtooth is verifying the accuracy of such information;
      • Sawtooth has unlawfully processed your personal information and you oppose erasure and request restriction instead;
      • Your personal information is subject to destruction under Sawtooth’s data retention policy, but you need Sawtooth to keep it in order to establish, exercise, or defend a legal claim; or
      • You have objected, in good faith, to Sawtooth processing your personal information, and Sawtooth is considering whether it has legitimate grounds to continue processing your personal information.
  • Your Right to Object to Processing:
    • You have the right to object to certain types of processing of your personal information, which include:
      • Processing for direct marketing purposes (including profiling); and
      • Processing for purposes of scientific/historical research and statistics.
  • Your Right to Data Portability:
    • Under limited circumstances, you have the right to obtain from Sawtooth and reuse your personal information for your own purposes. This right allows you to move, copy, or transfer your personal information easily, without hindrance to usability. If you request it, Sawtooth may transmit your personal information directly to another organization if this is technically feasible.

Prior to executing your individual rights request, we will first verify your identity by asking you to provide information about yourself and comparing that information with what we have on file about you. The information we may ask you to provide to verify your identity may include your name, or some other personal identifier. You may also authorize an agent to submit a request on your behalf by submitting a written permission that authorizes the agent to act on your behalf and includes your signature. If you use an authorized agent, we will still take steps to verify your identity. Please contact privacy@sawtooth.com, and we will respond to your request consistent with applicable law.

If your inquiry relates to your company’s service account of Sawtooth products or services, please note the Sawtooth Privacy team cannot delete, correct, or access service account data or terminate your contracted Sawtooth product or service account. Please email sales@sawtooth.com or your assigned account representative to administer service account data.

If your inquiry relates to any technical issue when taking the survey or designing the survey, please email support@sawtooth.com or the business that requested your participation in the survey.

You always have the right to approach the competent data protection authority with your request or complaint. A list and contact details of local data protection authorities is available here.

8. Contact and Questions

a. Our EU Representative can be contacted at:

Rickert Rechtsanwaltsgesellschaft mbH
Colmantstraße 15 53115 Bonn Germany
art-27-rep-SawtoothSoftware@rickert.law

b. Our UK Representative can be contacted at:

Sawtooth Software UK Limited
C/O Monetta LLP, 232 Stamford Street Central,
Ashton-Under-Lyne,
United Kingdom, OL6 7NQ,
dean@sawtooth.com
+44 161 768 5267

c. Our Data Protection Officer (DPO) can be contacted at:

Sawtooth Software, Inc.
3210 N. Canyon Rd., Suite 202, Provo, Utah, 84604, USA
dpo@sawtooth.com
+1 801 477 4700