Privacy Policy

Effective Date: May 15, 2026

Last Updated: May 15, 2026

Version: 1.1

1. Overview

Soria Labs AS (hereinafter "Company", "we", "us") is a company registered in Norway, committed to protecting the personal data of users of Soria (hereinafter "Service").

This Privacy Policy has been prepared in accordance with the EU General Data Protection Regulation (GDPR, Regulation (EU) 2016/679), the Norwegian Personal Data Act (Personopplysningsloven), and related EEA data protection legislation.

Company Information

Company Name: Soria Labs AS

Location: Norway

Data Protection Inquiries: contact@sorialabs.no

2. Personal Data We Collect

2.1 Account Information

Data	When Collected	Required
Email address	At registration	Required
Password (hashed)	At registration	Required
Display name	At profile setup	Optional
Social login information (Google, Apple)	At social login	Required if applicable

2.2 Voice and Content Data

Data	Description
Voice recording files	Audio files directly recorded or uploaded by the user
Transcription text	Text converted from voice
AI summaries and refined text	Summaries, tone conversions, and insights generated by AI
Folder structure and note metadata	Folder names, note titles, tags, creation/modification timestamps created by the user
Speaker tagging information	Speaker names assigned by the user during multi-speaker separation

2.3 Automatically Collected Information

Data	Purpose
Device information (OS, device model, app version)	Service stability and error tracking
IP address	Security and fraud prevention
App usage logs (feature usage frequency, error logs)	Service improvement
Subscription and payment status	Plan management

2.4 Information We Do Not Collect

We do not collect users' contact lists, photo libraries, or location data.

Payment card and bank account information is never stored on our servers. All payment instruments are tokenized and processed exclusively by our payment processors — Paddle (web subscriptions), RevenueCat together with Apple In-App Purchase or Google Play Billing (mobile subscriptions). We receive only non-sensitive transaction metadata (e.g., subscription status, last four digits of the card, billing country) necessary to operate the Service.

3. Purposes and Legal Bases for Processing

The purposes and legal bases for processing pursuant to Article 6 of the GDPR are as follows:

Purpose	Legal Basis (GDPR Art. 6)	Description
Service provision and account management	Performance of contract (Art. 6(1)(b))	Registration, login, core service features
Voice transcription and AI processing	Performance of contract (Art. 6(1)(b))	Voice-to-text conversion, AI summaries, tone conversion, and other core features
Subscription and payment management	Performance of contract (Art. 6(1)(b))	Free/Pro/Team/Enterprise plan management, usage tracking
Error tracking and service stability	Legitimate interest (Art. 6(1)(f))	App error monitoring via Sentry
Service improvement and analytics	Legitimate interest (Art. 6(1)(f))	Service quality improvement through feature usage pattern analysis
Legal obligation compliance	Legal obligation (Art. 6(1)(c))	Tax, accounting, and other legal obligations
Marketing communications	Consent (Art. 6(1)(a))	Newsletters, promotions (only with prior consent)

4. Third-Party Data Processing and International Transfers

We share data with the following third-party service providers to deliver the Service.

4.1 Data Processors

Provider	Purpose	Data Processed	Server Location	Transfer Basis
Supabase (US)	Authentication, data storage, cloud sync	Account data, note data, metadata	AWS (US/EU)	Standard Contractual Clauses (SCC)
Vercel (US)	Web application hosting and edge delivery	Request metadata, IP address, device information	US/EU	Standard Contractual Clauses (SCC)
OpenAI (US)	Voice transcription (Whisper), text refinement (GPT-4o-mini)	Audio files, transcription text	US	Standard Contractual Clauses (SCC)
Deepgram (US)	High-quality voice transcription	Audio files	US	Standard Contractual Clauses (SCC)
Sentry (US)	Error tracking and monitoring	Device information, error logs	US	Standard Contractual Clauses (SCC)
Paddle.com Market Limited (UK)	Web subscription billing as Merchant of Record (collects payment, remits VAT/sales tax on our behalf)	Billing name, address, country, payment method tokens, transaction history	UK / US (subprocessors)	UK GDPR adequacy + Standard Contractual Clauses (SCC) for non-UK subprocessors
RevenueCat (US)	Mobile subscription management and entitlement reconciliation	Subscription status, store transaction events, device identifiers	US	Standard Contractual Clauses (SCC)
Apple / Google	Mobile in-app purchases (App Store / Google Play Billing), social login	Payment information processed by the platform, authentication tokens	US	Standard Contractual Clauses (SCC)

4.2 International Transfers Outside the EEA

Some of the above providers are located outside the European Economic Area (EEA). In such cases, we ensure an adequate level of protection by entering into EU Standard Contractual Clauses (SCC) in accordance with Article 46 of the GDPR.

4.3 Transparency Regarding AI Data Processing

Voice data: Transmitted to OpenAI Whisper API or Deepgram API for conversion to text. Data is immediately deleted from the provider's servers after conversion.

Text data: Transmitted to OpenAI GPT-4o-mini API for summaries, tone conversion, and insight generation.

No AI training: We apply OpenAI's zero data retention policy (or training exclusion under the API Terms), ensuring that user data is not used for AI model training.

Prompt injection protection: Security measures are in place to prevent user inputs from being used to exploit the AI system.

5. Data Security

We implement the following technical and organizational measures to protect personal data:

Encryption in transit: All data transmissions are encrypted using TLS 1.2 or higher.

Encryption at rest: Databases and file storage are encrypted using AES-256.

Password protection: Passwords are stored using one-way bcrypt hash encryption.

Access control: Role-based access control (Row Level Security) ensures users can only access their own data.

Authentication security: JWT token-based authentication with session expiration policies.

Regular audits: Regular security vulnerability assessments and software updates.

6. Data Retention and Deletion

Data Type	Retention Period	Deletion Method
Account information	Duration of account	Deleted within 30 days of account deletion request
Voice recording files	Until deleted by user	User can delete directly within the app
Transcription text and AI outputs	Until deleted by user	User can delete directly within the app
Error logs (Sentry)	Maximum 90 days	Automatically deleted
Payment records	Legal obligation period (5 years under Norwegian Accounting Act)	Deleted after expiration of legal period
Marketing consent records	Until consent is withdrawn	Processed immediately upon withdrawal request

Account deletion: When a user requests account deletion, all personal data is permanently deleted within 30 days, except for data subject to legal retention obligations. A 30-day grace period allows for account recovery before deletion.

7. Your Rights (GDPR Articles 15–22)

EEA residents may exercise the following rights under the GDPR:

Right	Description
Right of access (Art. 15)	You may request a copy of your personal data held by us.
Right to rectification (Art. 16)	You may request correction of inaccurate or incomplete personal data.
Right to erasure (right to be forgotten) (Art. 17)	You may request deletion of your personal data under certain conditions.
Right to restriction of processing (Art. 18)	You may request restriction of processing in certain circumstances.
Right to data portability (Art. 20)	You may receive your personal data in a structured format or have it transferred to another service.
Right to object (Art. 21)	You may object to processing based on legitimate interests.
Rights related to automated decision-making (Art. 22)	You have the right not to be subject to decisions based solely on automated processing.
Right to withdraw consent	You may withdraw consent at any time for consent-based processing.

How to Exercise Your Rights

Email: contact@sorialabs.no

In-app settings: Settings > Account > Data Management

We will respond within **30 days** of receiving your request. If the request is complex or numerous, an additional 60 days may be required, in which case we will notify you in advance.

We may request additional information for identity verification.

Filing a Complaint with a Supervisory Authority

If you have concerns about our processing of personal data, you may file a complaint with the Norwegian Data Protection Authority (Datatilsynet).

Datatilsynet (Norwegian Data Protection Authority)

Website: https://www.datatilsynet.no

Email: postkasse@datatilsynet.no

You may also file a complaint with the EU/EEA supervisory authority in your country of residence or workplace.

8. Cookies and Similar Technologies

8.1 Web Service (sorialabs.no)

Our website uses the following cookies:

Cookie Type	Purpose	Legal Basis
Essential cookies	Login session maintenance, security	Legitimate interest
Analytics cookies	Service usage pattern analysis	Consent

8.2 Mobile App

The mobile app does not use browser cookies. Authentication tokens are securely stored in the device's secure storage (iOS Keychain / Android Keystore).

9. Children's Personal Data

This Service is not intended for children under the age of 16 (in accordance with Norwegian and EEA standards). If we become aware that personal data of a child under 16 has been collected, we will immediately delete such data. If you believe that a child's personal data has been collected, please contact us at contact@sorialabs.no.

10. Changes to This Privacy Policy

This policy may be amended due to changes in law, changes to the Service, or business necessity.

Material changes affecting data subject rights: We will provide reasonable advance notice (at least 30 days where required by applicable law) via email and in-app notification.

Minor changes: We will update this page and revise the "Last Updated" date at the top.

Continued use of the Service after the effective date of any change constitutes acceptance of the revised policy. If you do not agree with the changes, you may discontinue use and request deletion of your account before the effective date.

11. Data Protection Officer (DPO) and Contact

For questions, concerns, or requests to exercise your rights regarding personal data processing, please contact us:

Email: contact@sorialabs.no

Mail: Soria Labs AS, [Address], Norway

We commit to responding to all inquiries within 30 days.

This Privacy Policy is available in English, Korean, and Norwegian. In case of any discrepancy, the English version shall prevail.