
Privacy Policy

Revision: 1.0

At Sophosic Inc., your privacy is a priority. This Privacy Policy describes how we collect, use, disclose, and protect your information when you use our software-as-a-service (SaaS) platform and related services (collectively, the "Services"). By using our Services, you agree to the terms of this Privacy Policy.

1. Who We Are

Sophosic Inc. ("Sophosic," "we," "our," or "us") is a provider of AI-powered SaaS tools designed to support businesses in their operational, technical, and customer-facing workflows. We are committed to protecting your privacy and ensuring your data is handled securely and transparently.

2. Information We Collect

To deliver, support, and continuously improve the Sophosic Platform and services, we collect various types of information from and about our users. This data helps us ensure secure access, personalize your experience, troubleshoot issues, and develop new features.

The types of information we collect include:

a. Account and Contact Information

When you create an account with Sophosic or interact with us as part of a business relationship, we collect personal and business-related details necessary to establish and maintain your account. This includes:

  • Full name and email address – used for authentication, notifications, and customer support
  • Phone number – used for optional identity verification, support outreach, or account recovery
  • Company name, team name, and user role – used to tailor the platform experience to your organization and manage team-level access
  • Billing information – including billing address and limited payment details (e.g., last four digits of a credit card), managed securely by trusted third-party payment processors. Sophosic does not store full credit card information directly.

b. User-Generated Content

Our platform enables you to input and generate content in many forms. Depending on how you use the Services, we may collect:

  • Text inputs such as prompts, questions, or configuration instructions entered into chat interfaces
  • Uploaded files or documents used for analysis, AI-driven processing, or collaborative workspaces
  • Saved project settings, configuration data, or workflows used to personalize and streamline your team's experience
  • Messages and interactions with the system, including those involving AI assistants, feedback inputs, or shared knowledge bases

This content is stored securely and only used to provide or improve services as outlined in this policy.

c. Usage Data

To ensure the platform works reliably and efficiently, and to understand how users interact with our features, we automatically collect certain technical and behavioral data, including:

  • Log data, such as IP address, browser type, operating system, device identifiers, and access times
  • Session activity, including pages viewed, buttons clicked, error logs, and feature usage frequency
  • Interaction patterns, which help us identify bottlenecks, detect misuse, and guide future development priorities

This information is anonymized or aggregated where appropriate and is essential for platform performance, monitoring, and analytics.

d. Cookies and Tracking Technologies

Like most SaaS providers, we use cookies, pixels, and similar technologies to enhance your experience and understand user behavior. These tools help us:

  • Remember your login sessions and preferences between visits
  • Measure and optimize performance across different browsers and devices
  • Identify and diagnose bugs or crashes
  • Provide analytics through services such as Google Analytics or in-house systems

You can control cookie settings through your browser preferences, and we honor "Do Not Track" signals where supported.

3. How We Use Your Information

The data we collect serves a critical role in delivering a secure, seamless, and valuable experience on the Sophosic Platform. We use your information for a range of operational, functional, and legal purposes to ensure the platform meets your expectations and complies with relevant standards. Specifically, we use your information to:

a. Provide, Maintain, and Improve the Services

We use your data to operate the Sophosic Platform and ensure all core features function properly. This includes:

  • Delivering AI-driven assistance and automation based on your inputs
  • Managing access to your organization's custom tools, datasets, and settings
  • Personalizing user interfaces, workflows, and content recommendations
  • Performing routine maintenance and applying system updates

b. Authenticate Users and Authorize Access

To protect your data and ensure that only authorized users can access sensitive information, we use account and device information to:

  • Verify login credentials
  • Enforce multi-factor authentication (where applicable)
  • Track session activity and detect anomalies that might indicate fraud or unauthorized access

c. Communicate With Users

We use your contact information to send critical communications, such as:

  • Notifications about account activity, billing updates, or policy changes
  • Service-related announcements, including new features or scheduled maintenance
  • Support-related interactions, including help requests, troubleshooting, and status updates

We may also contact you with optional service updates or user feedback requests, but you can opt out of non-essential communications at any time.

d. Process Payments and Manage Billing

For paid users, we use your billing details to:

  • Process transactions via our secure, PCI-compliant third-party payment processors
  • Generate invoices and receipts
  • Manage plan changes, subscription renewals, and cancellations

Sophosic does not store full payment card information directly; all payment processing is handled by trusted providers under strict compliance standards.

e. Analyze Usage for Performance Optimization and Product Development

We use aggregate and anonymized usage data to understand how users interact with the platform, enabling us to:

  • Identify common usage patterns and feature adoption trends
  • Detect and fix performance issues or bugs
  • Develop new capabilities and improve existing features
  • Make data-driven decisions to enhance usability and value

f. Comply With Legal Obligations and Enforce Our Terms

In some cases, we may need to process or disclose your data to:

  • Comply with applicable laws, regulations, and legal requests
  • Respond to lawful subpoenas, court orders, or government inquiries
  • Investigate and prevent fraud, security incidents, or abuse
  • Enforce our Terms of Service and other contractual commitments

4. Sharing of Information

At Sophosic Inc., we take your privacy seriously. We do not sell, rent, or trade your personal information to third parties for marketing or advertising purposes. However, to deliver our services effectively and comply with applicable laws, we may share your information under specific, limited circumstances as described below.

a. Trusted Third-Party Service Providers

We work with carefully vetted third-party partners to help us operate our platform efficiently and securely. These service providers are contractually bound to process your data only as instructed by Sophosic and to maintain strict confidentiality and security standards. We may share your data with:

  • Cloud infrastructure and hosting providers (e.g., AWS, Google Cloud) to store and run the platform securely and reliably
  • Analytics services (e.g., Mixpanel, Google Analytics) to understand feature usage, troubleshoot issues, and improve the platform's performance and usability
  • Customer support platforms (e.g., Zendesk, Intercom) to help us manage inquiries, support tickets, and real-time assistance
  • Payment processors (e.g., Stripe) to securely handle billing transactions, subscriptions, and invoicing. Sophosic does not store your full payment details; payment data is encrypted and stored by these PCI-compliant third parties

These third parties are granted only the minimum necessary access to perform their services, and data sharing is governed by robust data processing agreements.

b. Other Clients (With Your Consent)

Sophosic fosters a collaborative business environment. In specific scenarios where collaboration between clients can add value, we may—with your prior, explicit consent—share limited information such as:

  • Contact details (e.g., name, role, or company name) for introductions or partnership facilitation
  • Usage insights or anonymized benchmarks to help peer organizations assess performance or identify best practices within the Sophosic Network

This sharing is entirely opt-in, and you will always have full control over what is shared, with whom, and when.

c. Legal and Regulatory Compliance

We may disclose your information if required to do so by law or in good faith belief that such action is necessary to:

  • Comply with a legal obligation or valid governmental request (e.g., subpoena, court order, or investigation)
  • Enforce our Terms of Service or other contractual agreements
  • Protect the rights, safety, and property of Sophosic, our users, or the public at large
  • Detect, prevent, or address fraud, security breaches, or other harmful activity

In any such case, we will strive to limit the scope of disclosure to what is legally necessary and, where possible, notify you of the request unless prohibited by law.

5. Data Retention

We retain your information only for as long as it is necessary to fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required or permitted by law. The duration for which we store your data depends on the type of data, how it is used, and our legal and operational obligations.

Specifically, we retain data to:

  • Provide and support our Services: We keep your account information, configurations, user-generated content, and usage logs so that you can access and benefit from the Sophosic Platform consistently across sessions and over time. This ensures the continuity of your service experience, including saved workflows, historical interactions, audit logs, and collaboration tools.
  • Maintain active accounts: Data is retained for as long as your organization or team maintains an active subscription or free-tier account. In cases of inactivity or termination, your data may be retained for a limited grace period (e.g., 30–90 days) to allow for recovery or reactivation before permanent deletion.
  • Comply with legal and regulatory obligations: We are required to retain certain data for a defined period to comply with financial regulations, tax reporting, anti-fraud laws, or court directives. For example, billing records and account activity logs may be kept for up to seven years in accordance with applicable laws.
  • Resolve disputes and enforce agreements: If there is an ongoing legal claim, suspected fraud, policy violation, or contractual matter, we may preserve relevant data until the issue is fully resolved and the applicable limitation period has passed.

Data Deletion Requests

You may request the deletion of your personal data at any time by contacting us (see Section 7). Upon verification of your identity and confirmation of your request, we will delete or anonymize your data from our systems, unless retention is required by law or for legitimate business reasons such as security, dispute resolution, or data integrity auditing.

Data associated with an enterprise account may require administrator authorization for deletion, and shared content may continue to be accessible to other users unless fully purged from collaborative spaces.

6. Data Security

At Sophosic Inc., protecting your data is a core responsibility and an essential part of our commitment to trust and transparency. We employ a multilayered security approach designed to safeguard your personal and organizational information against unauthorized access, loss, misuse, alteration, or destruction.

Our security framework combines technical, administrative, and organizational measures that meet or exceed industry best practices. Key components of our security posture include:

a. Encryption in Transit and at Rest

All data exchanged between your devices and the Sophosic Platform is encrypted using Transport Layer Security (TLS) to prevent interception or tampering during transmission. Additionally, we encrypt stored data using AES-256 or comparable standards, ensuring that sensitive information—such as account data, uploaded content, and configuration settings—remains protected even if storage systems are compromised.

b. Role-Based Access Controls (RBAC)

We enforce strict access controls across our infrastructure and applications. User permissions are granted based on defined roles and scopes, limiting access to only the information and functionality necessary for a given user or system component. Internally, only authorized personnel with a legitimate business need are granted access to production systems or customer data—and all access is logged, monitored, and regularly reviewed.

c. Regular Audits and Penetration Testing

We conduct routine security audits, vulnerability assessments, and third-party penetration tests to proactively identify and remediate risks. These evaluations include network security, application integrity, and infrastructure resilience. Any findings are addressed in accordance with our risk management protocols, and we maintain a rapid incident response process to contain and resolve potential threats.

d. Secure Software Development Lifecycle (SDLC)

Security is embedded into every phase of our software development process. From planning to deployment, we follow secure coding practices, perform static and dynamic code analysis, and conduct mandatory code reviews to detect and mitigate potential vulnerabilities. We also use automated scanning tools and threat modeling techniques to identify security concerns early and ensure rapid patching and updates.

e. Monitoring, Logging, and Incident Response

We maintain real-time monitoring across our systems to detect unusual activity, performance degradation, or potential intrusions. All access and administrative actions are logged and subject to automated alerting. In the event of a security incident, our dedicated response team follows a documented incident response plan to contain, investigate, and notify affected users as required by law or regulation.

7. Your Rights and Choices

Depending on your location, you may have the following rights:

  • Access: Request a copy of the data we hold about you
  • Correction: Request corrections to inaccurate data
  • Deletion: Request deletion of your personal data
  • Objection: Object to certain data processing activities
  • Portability: Request your data in a portable format

To exercise these rights, contact us at support@sophosic.ai.

8. International Data Transfers

If you access our Services outside the United States, your information may be transferred to, stored, and processed in the U.S. or other countries. We use appropriate safeguards (e.g., Standard Contractual Clauses) for cross-border data transfers.

9. Children's Privacy

Sophosic Inc. is a business-to-business (B2B) software-as-a-service (SaaS) provider, and our Services are designed exclusively for use by professionals and organizations. As such, our platform is not intended for use by individuals under the age of 16, nor do we market, promote, or design any of our tools or features for children.

We do not knowingly collect, solicit, or store personal information from children under the age of 16. If we become aware that a child has inadvertently provided us with personal data through registration, content uploads, or any form of interaction with our Services, we will take immediate steps to delete that information from our systems.

Parents or legal guardians who believe that their child may have submitted personal data to Sophosic without their consent are encouraged to contact us at support@sophosic.ai so we can investigate and take appropriate action.

We strongly recommend that administrators and users of the Sophosic Platform ensure that all individuals using their account or environment meet the minimum age requirement and are authorized to engage in business-related activities in accordance with our Terms of Service.

10. Changes to This Privacy Policy

As Sophosic Inc. evolves—whether through the introduction of new features, changes in our legal obligations, or advancements in technology—we may need to update this Privacy Policy to reflect those changes accurately and transparently. We reserve the right to modify or amend this Policy at any time, in accordance with applicable privacy laws and industry best practices.

When we update the Privacy Policy:

  • Minor or routine updates (such as clarifications or formatting improvements) will be reflected by updating the "Last Updated" date at the top of the policy.
  • Material changes—such as updates to how we collect, use, or share your information—will be communicated to you in a timely and clear manner. We may notify you via:
    • Email (sent to the address associated with your account)
    • In-platform notifications or banners
    • A notice on our website or dashboard

We encourage all users to review this Privacy Policy periodically to stay informed about how we are protecting and using your information.

Your continued use of the Sophosic Platform and services after the effective date of any updated Privacy Policy constitutes your acceptance of those changes. If you do not agree to the revised terms, you should stop using our services and may request deletion of your account and associated data (see Section 7).

11. Contact Us

For any questions or concerns about this Privacy Policy, contact:

Sophosic Inc.

Email: support@sophosic.ai
