SOPHIA

Privacy Policy

Allotment Technology Ltd · Version 2026-03-10 · Effective 10 March 2026


1. Who We Are

SOPHIA is operated by Allotment Technology Ltd (England and Wales). We act as the controller for personal data described in this policy. ICO registration: ZC092549.

Contact: admin@usesophia.app

2. Data We Process

Account and Authentication

We receive your name, email address, and account identifiers from Neon Auth when you sign in (including when you use Google as the identity provider).

Billing and Payments (Paddle as Merchant of Record)

Paddle processes subscription payments as Merchant of Record. We do not store your full card details. We store billing profile metadata such as tier, subscription status, currency, provider customer/subscription IDs, and legal acceptance version records.

BYOK and Usage Metering

BYOK usage does not require prepaid wallet balances or top-up purchases. We store only the minimum billing and subscription records needed for audit, entitlement checks, and dispute handling.

Queries, Sources, and Ingestion Preferences

We store query history, selected runtime links, and ingestion preferences. If you mark a source as public_shared, it may be incorporated into SOPHIA's shared knowledge base. If you mark a source as private_user_only, retrieval and management are restricted to your account.

Operational and Security Data

We process request metadata (for example IP address, user agent, timestamps, and service logs) for reliability, fraud prevention, abuse control, and incident response.

3. Why We Process Data (Legal Bases)

  • Contract: provide the app, subscriptions, and account features.
  • Legitimate interests: service security, abuse prevention, diagnostics, and product improvement.
  • Legal obligation: tax/accounting records, law enforcement requests, and consumer law compliance.
  • Consent: explicit confirmations for public source sharing and legal-acceptance flows.

For UK and EU users, rights are provided under UK GDPR/EU GDPR. For US users, we apply a baseline consumer disclosure approach and honor applicable state rights requests where required.

4. Sharing and Sub-processors

We do not sell personal data. We share data with vendors only to provide SOPHIA:

  • Google: Sign-in via Google OAuth, Cloud infrastructure, and model/runtime services where configured.
  • Neon: hosted Postgres, authentication service, and related infrastructure for accounts and app data.
  • Paddle: billing checkout, subscriptions, customer portal, payment administration.
  • Model providers: BYOK and platform model calls according to your selected run configuration.

We may disclose data where required by law, regulation, or valid legal process.

5. International Transfers

Some processors may handle data outside the UK/EEA, including in the US. Where required, we rely on appropriate transfer mechanisms (for example contractual safeguards and equivalent protections made available by our providers).

6. Retention Schedule

  • Query history/cache events: typically up to 30 days unless longer retention is required for active debugging or legal compliance.
  • Billing profile and subscription records: retained while account is active and as required for finance/tax obligations.
  • Billing ledger events (wallet, top-ups, BYOK fees): up to 7 years for accounting, fraud, and audit purposes.
  • Private sources: retained until user deletion or account deletion, subject to backup and legal retention windows.
  • Public contribution records: retained as part of the shared service knowledge base and associated audit trail.
  • Infrastructure/security logs: typically up to 30 days unless needed for incident response.

7. Your Rights

Depending on your location and applicable law, you may request access, correction, deletion, portability, restriction, or objection. You may also request account deletion, private-source deletion, and billing-data access.

Send requests to admin@usesophia.app. We may verify identity before acting.

UK users can complain to the ICO.

8. Children

SOPHIA is intended for users 18+ and is not directed to children.

9. Security

We use technical and organizational controls, including encryption in transit, role-based access controls, and production access restrictions.

10. Changes

We may update this policy. Material updates will be reflected by a new legal version, effective date, and changelog entry.

11. Contact

Allotment Technology Ltd
admin@usesophia.app
