Privacy Policy
Last updated: 22/11/2025
Sophea.AI is a digital platform that constitutes an artificial intelligence product developed and managed by the company KIEFER Societe Anonyme (headquarters at 44 Kifisias Avenue, P.O. 15125 Marousi Attiki, Greece) (hereinafter "the Company" or "we").
Sophea.AI is an advanced digital assistant that provides automated responses and information in various knowledge domains, using proprietary machine learning and natural language architecture, specifically trained for the Greek and English languages (the "Platform"). To provide the Services through the Platform, we take into account the information, personal data and User Content provided by the User and we create targeted responses based on that.
At Sophea.AI we are committed to the strict protection of users’ privacy and personal data.
This Privacy Policy (the "Policy") is addressed to visitors of the website https://www.sophea.ai and users that have registered with the Platform (the "Users") to receive the Services, as described in the Terms of Use. The Policy describes what data is collected, how it is used, how it is protected, and what rights users have under Regulation (EU) 2016/679 (GDPR).
In our effort to continuously improve the protection of the personal data we process, to provide you with clear and transparent information about their processing, and to comply with European and national law, but also in order to respond to new technical requirements or in the event of a review of our procedures and practices, we make changes and updates to this Policy. Significant changes are communicated via email or notification within the application.
1. Data Controller
The Company is the data controller of your data with the details mentioned above. For any matters relating to the processing of your personal data by the Company through the Platform you may contact us at: support@sophea.ai. Should you require any clarification or further information, please do not hesitate to contact us before taking any action. Any clarification provided to you does not constitute a modification or replacement of this Policy and is provided solely for your convenience.
2. Categories of Data Collected, Purposes and Legal Basis for processing
2.1. During the use of the Sophea.AI Platform, various categories of personal data may be collected and processed, depending on the Services and Features and the way you interact with the Platform. Your data is always processed exclusively for specific, lawful purposes, as indicated below.
2.2. Minors: Access and use of the Sophea.AI service is permitted exclusively to persons over 16 years of age, in accordance with applicable Greek and European legislation on the protection of minors on the internet. The Platform is not addressed to nor intended for use by children or adolescents under 16 years of age and does not knowingly collect personal data from persons who do not meet this age limit. Creating an account, using the service, or sending any content by a minor without the consent of the person with parental responsibility is not permitted. In case we determine or are reliably notified that data has been collected from a minor user without the required consent, Sophea.AI will immediately take all necessary measures to verify the user’s age, deactivate the account, and delete the related data from its systems without delay.
2.3. In principle we collect personal data directly from you, but in some cases also through third parties and by automated means as indicated below.
2.4. In particular, we process your personal data as follows:
- 1. Platform Registration — To create and manage your Account in the Platform. Data: full name, email address, phone number, username. Legal basis: Contract performance (to provide our Services to you and communicate with you); Consent (optional fields provided voluntarily).
- 2. Billing and payment — To invoice you and handle your payments. Data: product type, payment method, transaction date/time, billing code (collected via authorized payment provider, e.g., Stripe, Viva Wallet). Legal basis: Contract performance; Legal obligation (e.g., tax).
- 3. Provision of Services and Features — When you use the Platform Services and Features, we collect your data and store it temporarily or permanently for purposes of service provision, personalization, model training (where applicable), or performance analysis. Data: User Content (your prompts, queries, responses, messages, files; Outputs generated by the Platform). Legal basis: Contract performance; Legitimate interest (performance analysis); Legitimate interest (model training, depending on your Tier); Legal obligation.
- 4. Special categories of personal data (sensitive personal data) — May include information of legal, medical, financial, or other sensitive nature that you voluntarily enter. Legal basis: Explicit consent (the Platform does not actively collect such data, but treats your voluntary provision as explicit consent for processing to provide a response).
- 5. Maintaining system security and improving Platform’s functionality — We process technical data of your browsing sessions (e.g., IP address, OS/browser type and version, language, time zone, resolution, device). Legal basis: Legitimate interest (debugging, UX optimization, statistics); Legal obligation (system security and abuse prevention).
- 6. Provision of platform functionalities and marketing (collected through cookies) — We process your cookie preferences and browsing activity to log your storing preferences, provide notifications and other features. Data: browsing data and data collected through cookies and related identifiers. Legal basis: Consent (see Cookies Policy).
- 7. Marketing — We process your contact details to communicate with you in the context of our contractual relationship and inform you of new services/features. We may also send direct marketing communications when you explicitly provide such data to us. Legal basis: Legitimate interest (for contractual relationship communications, with opt‑out); Consent (for direct marketing you sign up for).
2.5. Where data is processed based on your consent, you may withdraw it at any time for the future. Withdrawal does not affect processing performed prior to your request. Consent withdrawal is registered within five (5) days of receipt.
2.6. Where processing is based on our legitimate interest, it is reasonably balanced against your rights and freedoms. For marketing based on legitimate interest, you may opt out via the unsubscribe link or by emailing support@sophea.ai.
2.7. In cases where your data is processed in accordance with our legal obligations, you cannot object, as we must process such data to comply with the law.
3. Disclosure and Transfer of Data to Third Parties
3.1. The processing of personal data is carried out only by persons or units to whom specific powers have been assigned, who are under our control, and only on our instructions.
3.2. Your personal data is not sold, rented, or exchanged with any third party. Their disclosure is made exclusively to collaborating entities that provide technical, legal, or support services and only to the extent absolutely necessary for the proper operation and provision of the Sophea.AI service.
3.3. All third-party recipients are subject to contractual confidentiality, secrecy and integrity commitments and are required to implement appropriate technical and organizational protection measures.
3.4. Indicatively, your data may be disclosed to the following types of partners:
• Infrastructure and hosting service providers (cloud providers), for secure storage and operation of the platform, provided that servers are located within the European Union or, in case of outside EU, appropriate safeguards are implemented.
• Customer support platforms, such as ticketing systems and live chat systems, exclusively for user service and monitoring support requests.
• Payment service providers, for processing subscriptions and purchases through secure and certified channels (e.g., PCI-DSS compliant).
• Accounting and tax offices, for issuing invoices and maintaining related tax obligations, in accordance with Greek and European legislation.
3.5. In any case, please note that the security of your personal data depends also on factors or technical problems of the network, which are not controlled by the Company, or on events of force majeure, for which we do not provide any guarantee.
4. Data Security
4.1. Sophea.AI implements multilateral technical and organizational security measures aimed at protecting personal data from loss, unauthorized access, alteration, disclosure, or any other form of unlawful processing.
4.2. The measures taken are continuously evaluated and adapted, taking into account the latest technological developments, the nature and scope of data, as well as the estimated risk to the rights and freedoms of subjects.
4.3. Specific measures implemented include, indicatively:
• Data encryption both at rest and in transit, using strong algorithms (e.g., AES-256, TLS 1.3).
• Multi-level access control (role-based access control), with user identity verification, use of strong passwords, and, where possible, multi-factor authentication (2FA).
• Event logging and monitoring, with the ability to detect unauthorized actions, breach attempts, and monitoring unusual activity.
• Periodic risk assessment and execution of security tests (penetration tests and vulnerability assessments), by external certified entities.
• Recovery procedures (disaster recovery & business continuity planning) to minimize consequences in case of an incident.
• Staff training on cybersecurity, data protection, and social engineering prevention.
4.4. Compliance with Sophea.AI security policies is checked internally on a regular basis and may also be subject to external audits where provided.
5. Data Retention
5.1. Sophea.AI retains your personal data only for as long as absolutely necessary to fulfill the purposes for which they were collected, such as service provision, compliance with legal obligations, and protection of potential legal claims, in accordance with the principles of minimization and limited temporal retention of GDPR.
5.2. To determine the retention period for your personal data, we take into account the nature of the data, the purpose of processing, security, and legal compliance obligations. We retain personal data for a period that is related to the specific purpose of processing, until the purpose is fulfilled or for a longer period if required by law or in accordance with the legitimate interests of our company until such interests are no longer active.
5.3. More specifically, the following retention timeframes apply:
• Platform Registration & Billing and payment & Provision of Services and Features — We maintain your data for as long as we have a contractual relationship with you, and for up to 12 months after final deactivation or deletion of the account, unless their deletion is requested beforehand. However, if you indicate otherwise upon closing your Account, we will not maintain such data. If some data are necessary for compliance with a legal obligation that we may be under, the data will be kept for as long as necessary for us to comply. Data provided on a voluntary basis is kept until you withdraw your consent to such processing.
• Maintaining system security and improving Platform’s functionality & Provision of platform functionalities — For automated processing of data taking place when you browse the Platform and make use of the Services, we generally keep your data as such, if required, for purposes related to the proper functioning of the Platform and the security of access thereto (e.g. for a few months such as 6–12 months). Technical log files related to system security, session management, and abuse prevention are retained for up to six (6) months, unless otherwise required in the context of security investigations or incidents. After that, we anonymize it for research or statistical purposes.
• Marketing (and marketing cookies) — When based on your consent (e.g., newsletter), we retain the data until consent is withdrawn and, in any case, no longer than 2 years since your last interaction. When marketing is based on our legitimate interest, we process your data until you explicitly opt-out and, in any case, no longer than 2 years since your last interaction. See the Cookies Policy for more information.
• Contact Form — For as long as we need to respond to your request submitted via the contact form, and for a minimum of 2 years following our last exchange of communications in connection to it.
5.4. Your data may be retained longer for legitimate interest purposes, such as to protect our legal rights in the event of a dispute arising from your interaction with us, for the period during which liability could arise from the processing, and which allows for processing pending requests and managing any legal claims or complaints.
5.5. After the expiration of the above periods, data is either securely deleted or irreversibly anonymized, so that identification of the subject is no longer possible.
6. Your Rights
6.1. You can submit a written request to the email support@sophea.ai in order to exercise the following rights, as provided for by data protection legislation:
• Right of access: You can request confirmation of whether Sophea.AI processes your personal data and receive a copy of it, as well as information regarding the purpose, category of data, recipients, and retention duration.
• Right to rectification: You have the right to request correction of inaccurate or completion of incomplete personal data concerning you.
• Right to erasure (right to be forgotten): You can request deletion of your personal data, provided there is no legal or contractual obligation for Sophea.AI to retain it.
• Right to restriction of processing: You can request restriction of processing of your data in specific cases, such as during verification of data accuracy or lawfulness.
• Right to object: You can object to the processing of your data, particularly when it is based on legitimate interest or concerns direct marketing. Sophea.AI will stop processing, unless it demonstrates compelling and overriding legitimate grounds.
• Right to portability: You have the right to receive the data you have provided to us in a structured, commonly used, and machine-readable format (e.g., CSV, JSON), as well as to request their transmission to another data controller.
• Right to withdraw consent: If processing is based on your consent, you have the right to withdraw it at any time without retroactive effect and without any consequence on service use (where consent is not required).
6.2. Sophea.AI is committed to examining and responding to your requests within 30 calendar days from the date of receipt. In exceptional cases, this time may be extended for another 60 days, upon notification.
6.3. In order for us to respond to and/or accurately fulfill your request, you must always provide specific, accurate, and truthful data and/or facts. Otherwise, the Company shall not be liable for any errors beyond its control. Furthermore, we reserve the right to reject requests that are unfounded, excessive, abusive, submitted in bad faith, or illegal under the law. We may also ask for clarification to understand your concerns and expectations so that we can address your request more effectively.
6.4. We have the right to ask you for proof of your identity in order to fulfil your rights.
6.5. You do not have to pay a fee to exercise your rights in relation to personal data, unless otherwise provided by law or in cases where the request is unfounded or excessive. In this case, you may be charged a reasonable fee. We will inform you of any potential charge before we carry out your request.
