Privacy Policy — SomaSoft.ai

01 Introduction

SomaSoft ("we," "us," or "our") operates the website somasoft.ai and related API services. This Privacy Policy explains what personal data we collect, how we use it, how long we keep it, and what rights you have.

SomaSoft is operated by Mark Nafe, based in Illinois, United States. We are committed to protecting your privacy through PII minimization by design: we collect only the data strictly necessary to provide our services.

02 What We Collect (and What We Do Not)

Data We Collect

Data	Purpose	Retention
Email address	Account creation, service communications	Until account deletion
API keys (SHA-256 hashed)	Authentication; we store only the hash, never the plaintext key	Until account deletion
Usage logs (endpoint, response time, token count, status code)	Service monitoring, rate limiting, abuse prevention	30 days
IP address	Rate limiting, abuse prevention	30 days
Payment information	Processed entirely by Stripe; we never see or store your card number	Managed by Stripe

Data We Do Not Collect

We do not use advertising trackers or analytics platforms.
We do not sell, rent, or share your personal data with third parties for marketing.
We do not collect behavioral profiles, browsing history, or device fingerprints.
We do not use third-party cookies or tracking pixels.

03 How We Use Your Data

We use the data we collect exclusively to:

Provide and maintain our API services, research papers, and web chat.
Authenticate your API requests.
Monitor service health and performance.
Enforce rate limits and prevent abuse.
Process payments (via Stripe).
Communicate with you about your account or service changes.

We do not use your data for advertising, profiling, or automated decision-making that produces legal effects.

04 Legal Basis for Processing (GDPR)

If you are located in the European Economic Area (EEA), we process your personal data under the following legal bases:

Contract performance (Art. 6(1)(b) GDPR): Processing necessary to provide the services you signed up for (account management, API access, payment processing).
Legitimate interest (Art. 6(1)(f) GDPR): Usage logs and IP addresses for service security, rate limiting, and abuse prevention. Our legitimate interest does not override your rights because we minimize data collected and retain it for only 30 days.
Consent (Art. 6(1)(a) GDPR): Where required, we obtain your explicit consent before processing (e.g., optional communications). You may withdraw consent at any time.

05 Data Retention

Data Category	Retention Period
Usage logs (endpoint, response time, tokens, status code)	30 days, then automatically purged
IP addresses	30 days
Email address	Until you request account deletion
API keys (hashed)	Until you request account deletion
Payment data	Managed by Stripe per their retention policy

When you request account deletion, we remove your email and hashed API keys within 30 days. Anonymized, aggregated usage statistics may be retained indefinitely for service improvement.

06 Third-Party Data Processors

We use a minimal set of third-party processors, each bound by data processing agreements:

Processor	Purpose	Data Shared
Heroku (Salesforce, Inc.)	Application hosting and infrastructure	All data processed by our servers transits Heroku infrastructure
Stripe, Inc.	Payment processing	Payment details (card number, billing address) are sent directly to Stripe and never touch our servers

We do not share your personal data with any other third parties.

07 Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal data:

Under GDPR (EEA Residents)

Access (Art. 15): Request a copy of the personal data we hold about you.
Rectification (Art. 16): Request correction of inaccurate data.
Erasure (Art. 17): Request deletion of your personal data ("right to be forgotten").
Restriction (Art. 18): Request restriction of processing in certain circumstances.
Portability (Art. 20): Receive your data in a structured, machine-readable format.
Objection (Art. 21): Object to processing based on legitimate interest.
Withdraw consent at any time where processing is based on consent.
Lodge a complaint with your local data protection authority.

Under CCPA (California Residents)

Right to know what personal information we collect, use, and disclose.
Right to delete your personal information.
Right to opt out of the sale of personal information. Note: we do not sell your personal information.
Right to non-discrimination for exercising your privacy rights.

How to Exercise Your Rights

To request data access, export, correction, or deletion, contact us at:

Email: privacy@somasoft.ai

We will respond to all verified requests within 30 days. We may ask for identity verification before processing your request.

08 Children's Privacy

Our services are not directed at individuals under the age of 16. We do not knowingly collect personal data from children under 16. If we become aware that we have collected personal data from a child under 16, we will take steps to delete that data promptly. If you believe a child under 16 has provided us with personal data, please contact us at privacy@somasoft.ai.

09 Security Measures

We implement appropriate technical and organizational measures to protect your data:

Encryption in transit: All connections to somasoft.ai use TLS (HTTPS). Unencrypted HTTP requests are redirected.
Hashed credentials: API keys are stored as SHA-256 hashes. We cannot recover your original key; if lost, you must generate a new one.
Credential protection: Internal credentials are protected using Windows DPAPI encryption at rest.
Access control: Server access is restricted to authorized personnel only.
Minimal data collection: By collecting less data, we reduce the surface area for potential breaches.

No system is 100% secure. If you suspect a security incident, please report it to privacy@somasoft.ai immediately.

10 International Data Transfers

Our servers are hosted in the United States via Heroku (Salesforce). If you access our services from outside the United States, your data will be transferred to, stored, and processed in the United States.

For EEA users, we rely on the EU-U.S. Data Privacy Framework and standard contractual clauses (where applicable through our processor agreements with Heroku and Stripe) to ensure adequate protection of your data.

11 Cookie Policy

We use a minimal cookie approach:

Essential session cookies: Required for authentication and maintaining your session. These are strictly necessary and do not require consent under GDPR.

We do not use:

Analytics cookies (no Google Analytics, no Matomo, no equivalent).
Advertising or tracking cookies.
Third-party cookies of any kind.
Browser fingerprinting or similar tracking technologies.

Because we use only essential cookies, no cookie consent banner is required.

12 Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will:

Update the "Effective Date" at the top of this page.
Notify registered users by email for significant changes that affect their rights.
Post a notice on somasoft.ai for at least 30 days.

Continued use of our services after changes take effect constitutes acceptance of the updated policy.

13 Contact Information

Data Controller & Data Protection Contact

Mark Nafe

SomaSoft

Illinois, United States

Privacy inquiries: privacy@somasoft.ai

General contact: auriv@somasoft.com

For GDPR-related requests, Mark Nafe serves as the data protection point of contact. EEA residents also have the right to lodge a complaint with their local supervisory authority.