Privacy Policy
1. Introduction and Scope
This Privacy Policy describes how Sofibia ("we", "us", "our") collects, uses, stores, and protects personal information in connection with the Sofibia platform (the "Service") available at https://sofibia.com.
This Policy applies to:
- Registered users of the Service ("Customers" or "Users")
- End-users who submit feedback through forms created by our Customers ("Respondents")
- Visitors to our website
This Policy does not apply to:
- Data that Customers collect independently of our Service. Customers are independent data controllers for personal data they input beyond what is described here. See our Data Processing Agreement for details.
By using the Service, you acknowledge that you have read and understood this Privacy Policy.
2. Who We Are
[COMPANY_NAME]
[COMPANY_LEGAL_ADDRESS]
Email: support@sofibia.com
Website: https://sofibia.com
For GDPR purposes:
- Customer account data: we act as a data controller.
- Respondent feedback data: we act as a data processor on behalf of Customers.
For EEA/UK/Swiss residents: you can reach us about data protection at privacy@sofibia.com.
3. Key Definitions
- Customer — a company or individual with a registered account on the Service.
- User — an employee or team member with access to a Customer's account.
- Respondent — a person who submits feedback through a form created by a Customer.
- Feedback — text submitted by a Respondent.
- Personal Data — any information that identifies or can reasonably identify a natural person.
4. Data We Collect and Why
4.1 Account Data
When registering or being invited, we collect: name, email address, password (stored only in hashed form), Google account identifiers (if using Google sign-in), company information (name, email, phone), user role, and timestamps.
4.2 Authentication Data
We use token-based authentication. Session tokens are stored in your browser's local storage. We track failed login attempts to prevent brute-force attacks. We do not use HTTP cookies for session management. For the aggregate usage cookies set by Google Analytics, see Sections 4.7 and 6.4.
4.3 Feedback Data
When a Respondent submits feedback, we collect: feedback content, submission timestamp, browser information (for anti-fraud), and optionally name and email (only if the Respondent chooses to share their identity). Voice recordings, if submitted, are transcribed and not permanently stored after transcription.
Respondents: feedback is collected on behalf of Customers, who are the data controllers. To exercise your data rights, contact the company whose form you used. If you cannot reach them, contact us at support@sofibia.com.
4.4 AI Analysis
Feedback is analyzed by AI to generate summaries, sentiment analysis, emotional traits, intent signals, and semantic search capabilities. This involves sending feedback content to third-party AI providers (see Section 6).
4.5 Usage Data
We track AI feature usage for billing and plan management.
4.6 Audit Logs
We maintain logs of security-relevant actions (logins, logouts, administrative actions) including user identifiers, event type, IP address, and timestamp. Audit logs are automatically deleted after a short retention period.
4.7 Browser Storage
We use browser localStorage and sessionStorage for session tokens and user preferences (language, theme, layout). This data is not shared with third parties. You can clear it at any time by logging out or clearing your browser storage.
We also use Google Analytics 4 to measure aggregate usage of the marketing website and the application dashboard. This sets two first-party cookies (_ga, _ga_CC8G95CMWB) and is not loaded on the public feedback form. See our Browser Storage Policy for full details.
We do not use tracking pixels, behavioral advertising, or retargeting.
5. Legal Bases for Processing (GDPR)
If you are in the EEA, UK, or Switzerland, we process your data under the following bases:
- Performance of contract (Art. 6(1)(b)) — account management, authentication, billing, AI analysis
- Legitimate interests (Art. 6(1)(f)) — feedback processing, security, audit logs
- Consent (Art. 6(1)(a)) — identity sharing by Respondents, voice recording
6. Third-Party Services
6.1 AI Providers
- OpenAI (USA) — text analysis, summarization, voice transcription
- Anthropic (USA) — text analysis, summarization
6.2 Infrastructure
- Google Cloud Platform (USA) — cloud hosting, database, cache
6.3 Authentication
- Google OAuth 2.0 — Sign-in with Google
6.4 Analytics
- Google Analytics 4 (Google Ireland Limited / Google LLC) — aggregate usage measurement for the marketing website and the application dashboard. IP addresses are anonymized; Google Signals and advertising features are disabled. Not loaded on the public feedback form.
A current list of sub-processors is maintained in our Data Processing Agreement.
7. International Data Transfers
Our infrastructure is hosted in the United States. If you are in the EEA, UK, or Switzerland, your data will be transferred to and processed in the US.
We rely on Standard Contractual Clauses (SCCs), Data Processing Agreements with all sub-processors, and the EU-U.S. Data Privacy Framework where applicable.
You may request a copy of the relevant transfer mechanisms at support@sofibia.com.
8. Data Retention
- Account data — lifetime of the account; deleted immediately on account deletion
- Feedback and AI analysis — lifetime of the Customer's account
- Session tokens — short-lived, automatically expired
- Audit logs — up to 7 days (up to 365 days for data-export audit trail)
- Voice recordings — deleted immediately after transcription
- Billing and tax records — up to 7 years as required by law
8.1 Account Deletion
On-demand: Customers may delete their account at any time from account settings. Deletion is immediate, irreversible, and removes all associated data.
Inactive accounts: we automatically delete inactive accounts — after 6 months without sign-in (accounts that never had a paid subscription) or 12 months (accounts that previously had a paid subscription). Accounts with an active paid subscription are never auto-deleted. A warning email is sent 30 days before auto-deletion. Signing in cancels the deletion.
8.2 Imported Feedback
Feedback imported from third-party platforms follows the same retention rules, unless the source platform's terms require shorter retention.
9. Your Rights
EEA / UK / Swiss Residents
You have the following rights: access, rectification, erasure, restriction of processing, data portability, objection to processing, withdrawal of consent, and objection to automated decision-making.
Email support@sofibia.com with subject "Data Subject Request". We respond within 30 days.
Respondents: contact the Customer (data controller) directly.
You may lodge a complaint with your local supervisory authority.
All Users
- Update your data in account settings
- Delete your account at any time from account settings
- Opt out of identity sharing when submitting feedback
10. Children's Privacy
The Service is not directed to individuals under 16 (or 13 in the US). We do not knowingly collect data from children.
11. Security
We implement appropriate technical and organizational measures to protect your data, including encryption in transit, hashed password storage, short-lived authentication tokens, brute-force protection, strict data isolation between customers, role-based access control, and monitored support access.
No method of electronic transmission or storage is 100% secure. In the event of a data breach, we will notify affected individuals and authorities as required by law.
12. California Residents — CCPA/CPRA
If you are a California resident, you have the right to know what personal information is collected, delete your information, correct inaccuracies, and opt out of sale or sharing.
We do not sell personal information. We do not share it for cross-context behavioral advertising.
Email support@sofibia.com with subject "CCPA Request". We respond within 45 days.
13. Changes to This Policy
We may update this Policy. Material changes will be communicated via an updated date, email notification where required, and an in-app notice. Continued use after the effective date constitutes acceptance.
14. Contact Us
[COMPANY_NAME]
Email: support@sofibia.com
Address: [COMPANY_ADDRESS]
Website: https://sofibia.com
EEA/UK residents: privacy@sofibia.com
We aim to respond within 5 business days.