Privacy Policy
Effective date: [EFFECTIVE_DATE] · Last updated: [LAST_UPDATED_DATE]
This Privacy Policy describes how [COMPANY_LEGAL_NAME] (“Sovio,” “we,” “us”) collects, uses, and shares information when you use the Sovio application, website, and related services (the “Service”). Where this policy and our Terms of Service conflict, the Terms control for contractual matters and this policy controls for data protection matters.
1. Data We Collect
We collect the following categories of data:
- Account data: email address, display name, and profile photo you upload.
- Location data: approximate or precise location, collected only if you enable location features.
- Calendar metadata: event titles, times, and attendee signals when you connect a calendar integration. We do not request full calendar bodies unless you opt in via [CALENDAR_CONSENT_FLOW].
- Messages: messages you send to other users through the Service and associated read receipts, reactions, and timestamps.
- AI-generated drafts: drafts and suggestions our AI systems produce on your behalf, including the prompts and context used to generate them.
- Billing identifiers: Stripe customer ID, subscription status, and the last four digits or brand of your payment card as returned by Stripe. We do not store full card numbers.
- Device and push data: device type, operating system, app version, and push-notification tokens.
- Usage and diagnostic data: feature interaction events, performance metrics, and crash reports used to operate and improve the Service.
- Support correspondence: messages you send when contacting support and the context needed to respond.
We do not intentionally collect special-category data (such as health, biometric, or political-opinion data). If you post such data in user-generated content, you do so at your own discretion.
2. How We Use Your Data
- To provide, maintain, and improve the Service.
- To personalize suggestions, drafts, and plans tailored to you.
- To operate billing, enforce subscription limits, and detect payment fraud.
- To send transactional communications (account, security, billing, support).
- To send product updates or marketing, where permitted by law and subject to your preferences. You can opt out at any time via [MARKETING_OPT_OUT_PATH].
- To monitor for abuse, enforce our Terms, and comply with legal obligations (e.g., responding to lawful requests).
- To train or fine-tune our own models: [MODEL_TRAINING_POLICY]. We do not share your content with third-party AI providers for their own model training.
3. Legal Basis (If GDPR or UK GDPR Applies to You)
If you are in the European Economic Area, the United Kingdom, or Switzerland, we rely on the following legal bases:
- Contract: to provide the Service you requested.
- Legitimate interests: to secure the Service, prevent fraud, and improve our features, balanced against your rights. See [LEGITIMATE_INTERESTS_ASSESSMENT_REFERENCE].
- Consent: for optional features such as location, push notifications, and marketing email. You may withdraw consent at any time.
- Legal obligation: to comply with applicable laws and lawful requests.
4. Sharing With Third Parties
We do not sell personal data in the ordinary sense of the word. We share data with the following categories of service providers (subprocessors), under contracts that restrict their use of the data:
| Subprocessor | Purpose | Data categories |
|---|---|---|
| Supabase | Primary database, authentication, and file storage. | Account data, messages, AI drafts, calendar metadata, uploaded images. |
| Google (Gemini API) | AI inference for drafts, suggestions, and summaries. | Prompts, AI context snippets, and generated outputs. |
| Stripe | Payment processing and subscription billing. | Email, billing identifiers, payment-method metadata. |
| Sentry | Error monitoring and performance tracing. | Device diagnostics, crash reports, IP address. |
| Expo | Mobile app delivery and push-notification relay. | Push tokens, device identifiers. |
| Apple | iOS app distribution and APNs push delivery. | App Store account identifiers, push tokens. |
| Google (Play + FCM) | Android app distribution and FCM push delivery. | Play account identifiers, push tokens. |
We also disclose data when required by law (for example, in response to a valid subpoena, court order, or government request), to enforce our Terms, or to protect the rights, safety, or property of Sovio, our users, or the public. In the event of a merger, acquisition, or asset sale, data may be transferred to the successor subject to this policy. We will notify affected users before any such transfer takes effect.
5. Retention
We retain data only as long as needed for the purposes described above. Typical retention windows:
- Account data: while your account is active, plus [ACCOUNT_GRACE_DAYS] days after a deletion request, to allow account recovery.
- Messages and AI drafts: until you delete them, close your account, or the retention schedule at [RETENTION_POLICY_REFERENCE] elapses.
- Billing records: as required by tax and accounting law (typically [BILLING_RETENTION_YEARS] years).
- Sentry diagnostics and logs: retained according to vendor defaults, typically 30–90 days.
6. Your Rights
Depending on where you live, you may have the following rights regarding your personal data:
- Access and portability: request a copy of the personal data we hold about you in a machine-readable format.
- Rectification: correct inaccurate or incomplete data.
- Deletion: request deletion of your account and associated data, subject to legal retention obligations.
- Restriction and objection: restrict or object to certain processing, including marketing and profiling.
- Withdraw consent: where we process on consent, withdraw it at any time without affecting past processing.
- Complaint: lodge a complaint with your local supervisory authority; in the EU, you can find yours via [EU_SUPERVISORY_AUTHORITY_LINK].
To exercise these rights, submit a request through our DSAR form at /dsar or email [PRIVACY_CONTACT_EMAIL]. We will respond within [DSAR_RESPONSE_DAYS] days. If you are a California resident, the California Consumer Privacy Act (CCPA) may apply and grant additional rights, including the right to know what categories of personal information we sell or share (we do not sell personal information in the traditional sense; see [CCPA_DO_NOT_SELL_DISCLOSURE] for our disclosure).
7. International Data Transfers
Our primary infrastructure is hosted in Supabase’s US-East region. If you access the Service from outside the United States, your data will be transferred to and processed in the United States. For transfers from the EEA, UK, or Switzerland, we rely on appropriate safeguards such as Standard Contractual Clauses. See [TRANSFER_MECHANISM_DETAILS] for specifics.
8. Security
We use industry-standard safeguards including encryption in transit (TLS), encryption at rest for supported storage, least-privilege access controls, and row-level security in our primary database. No system is perfectly secure. If we become aware of a breach affecting your personal data, we will notify you in accordance with applicable law. Contact [SECURITY_CONTACT_EMAIL] to report a suspected vulnerability.
9. Children’s Privacy
The Service is not directed to children under [CHILDREN_AGE_THRESHOLD_13_OR_16] years old, and we do not knowingly collect personal data from children under that age. If you believe we have inadvertently collected such data, contact us and we will delete it promptly. Parents or guardians with concerns may email [PRIVACY_CONTACT_EMAIL].
10. Cookies and Similar Technologies
We use cookies and similar technologies to operate the web application, remember your session, and improve the Service. For details, see our Cookie Notice.
11. Automated Decision-Making and AI Profiling
We use automated systems (including large language models) to generate suggestions and drafts. These do not produce legal or similarly significant effects. If we ever introduce automated decision-making that meaningfully affects your rights, we will update this section and provide the safeguards required by [AUTOMATED_DECISION_LEGAL_FRAMEWORK].
12. Jurisdiction-Specific Disclosures
California residents (CCPA / CPRA): [CCPA_CATEGORIES_COLLECTED], [CCPA_SOURCES], [CCPA_PURPOSES], [CCPA_SHARING_DISCLOSURE]. You have the right to know, delete, correct, and limit the use of sensitive personal information. We do not knowingly sell personal information. We do not use or disclose sensitive personal information for purposes that require a right to limit.
EEA / UK residents (GDPR / UK GDPR): legal bases are set out in Section 3. Our Data Protection Officer, if one is appointed, can be reached at [DPO_CONTACT_EMAIL]. EU representative: [EU_REPRESENTATIVE_DETAILS]. UK representative: [UK_REPRESENTATIVE_DETAILS].
Other jurisdictions: [OTHER_JURISDICTION_ADDENDA].
13. Changes to This Policy
We may update this policy. If we make material changes, we will notify you via [PRIVACY_NOTICE_METHOD] at least [PRIVACY_NOTICE_PERIOD_DAYS] days before the change takes effect, unless a shorter period is required by law.
14. Contact
Privacy questions or requests: [PRIVACY_CONTACT_EMAIL]. Mailing address: [COMPANY_LEGAL_NAME], [COMPANY_MAILING_ADDRESS].