soy.chat

Privacy Policy of SoyChat

In order to receive information about your Personal Data, the purposes and the parties the Data is shared with, contact the Owner.

Last Updated: 11/10/2025 (October 11, 2025)

Owner and Data Controller

Marcelo Vicente Guimarães Cardoso LTDA
Avenida Tancredo Neves, 2539, Sala 2609 - CEO Salvador Shopping Torre Londres
Caminho das Árvores, Salvador - BA, 41820-021, Brazil
CNPJ: 48.374.051/0001-00

Owner contact email: marcelo@soy.chat
Privacy matters: privacy@soy.chat
EU Representative: Marcelo Vicente Guimarães Cardoso

What the User should know at a glance

  • SoyChat processes personal data including uploaded documents, chat messages, and user account information
  • We use third-party AI providers to generate responses based on your uploaded documents
  • Our servers are located in Germany (EU), ensuring strong data protection standards
  • We do NOT sell your personal data to anyone
  • We do NOT use third-party tracking scripts or advertising networks
  • You have full rights to access, delete, and export your data
  • Users who upload documents act as data controllers and must comply with GDPR, LGPD, and other applicable data protection laws

Types of Data collected

Data We Collect from Users (Account Owners)

Account Information:

  • Name
  • Email address
  • Password (encrypted with industry-standard hashing)

Content and Documents:

  • Files and documents you upload for RAG processing
  • Text content provided for chat interfaces
  • Custom prompts and configurations
  • Chat interface settings and customizations

Usage Data:

  • Click events and feature usage (collected without cookies)
  • Session duration and timestamps
  • Pages accessed within soy.chat
  • Browser type and device information (anonymized)
  • General location (country/city level, derived from hashed IP address)

Payment Information:

  • Processed by Stripe (we do not store full payment card details)
  • Transaction IDs and payment status
  • Billing history
  • Subscription tier and status

Data We Collect from Visitors (Chat Users)

When end users ("Visitors") interact with chat interfaces created by Users:

  • Chat Messages: Questions and messages sent to the AI
  • AI Responses: Generated responses based on User's documents
  • Session Data: Timestamps, session IDs, chat interface ID
  • Technical Data: Hashed IP address, browser type, device type (anonymized)
  • Interaction Analytics: Click events within chat interface (anonymized)

Important: Visitors' chat data is primarily controlled by the User who created the chat interface. We process this data on behalf of Users as a data processor.

Data We Do NOT Collect

  • We do NOT use cookies or browser storage
  • We do NOT use third-party tracking pixels
  • We do NOT collect precise geolocation
  • We do NOT collect sensitive personal data (health, biometric, political views, etc.) unless Users explicitly upload such content

Mode and place of processing the Data

Methods of processing

The Owner takes appropriate security measures to prevent unauthorized access, disclosure, modification, or unauthorized destruction of the Data.

The Data processing is carried out using computers and/or IT enabled tools, following organizational procedures and modes strictly related to the purposes indicated. In addition to the Owner, in some cases, the Data may be accessible to certain types of persons in charge, involved with the operation of SoyChat (administration, technical support, legal, system administration) or external parties (such as third-party technical service providers, AI providers, hosting providers, IT companies) appointed, if necessary, as Data Processors by the Owner.

The updated list of these parties may be requested from the Owner at any time.

Security Measures

We implement industry-standard security practices:

  • Encryption in transit: TLS 1.3 for all data transmission
  • Encryption at rest: AES-256 encryption for all stored data
  • Access controls: Role-based access with principle of least privilege
  • Authentication: Secure password hashing (bcrypt)
  • Monitoring: Continuous security monitoring and logging
  • Regular audits: Security assessments and updates
  • Data isolation: Each User's data is logically separated
  • Backup security: Encrypted backups with limited retention

Place

The Data is processed at the Owner's operational locations and in the following places:

Primary Data Storage: Germany (European Union)
Company Registration: Brazil
Operational Oversight: Spain (European Union)

Depending on the User's location, data transfers may involve transferring the User's Data to a country other than their own. To find out more about the place of processing of such transferred Data, Users can check the section titled "International Data Transfers" below.

Retention time

Unless specified otherwise in this document, Personal Data shall be processed and stored for as long as required by the purpose they have been collected for and may be retained for longer due to applicable legal obligation or based on the Users' consent.

Specific retention periods:

  • User Account Data: Until account deletion or 30 days after account closure
  • Uploaded Documents: Until deletion by User or account closure
  • Vector Embeddings: Deleted when source documents are deleted
  • Visitor Chat Messages: Configurable by chat owners based on their specific needs and legal requirements. Default retention period provided, but chat owners can customize retention settings to comply with their applicable laws and business needs
  • Analytics Data (anonymized): Up to 24 months
  • Payment Records: Retained for tax/legal compliance (typically 7 years as required by law)
  • Backup Data: Up to 30 days, then permanently deleted
  • Security Logs: Up to 12 months for security monitoring

Detailed information on the processing of Personal Data

Personal Data is collected for the following purposes and using the following services:

1. Account Management and Authentication

Purpose: To create and manage user accounts, authenticate users, and provide access to the Service.

Data processed: Email address, password (hashed), name, account settings

Legal basis:

  • GDPR: Contract performance (Art. 6(1)(b))
  • LGPD: Contract performance (Art. 7, V)

Retention: Until account deletion

2. AI-Powered Chat Service (RAG)

Purpose: To process uploaded documents, create vector embeddings, and generate AI responses to Visitor queries.

Data processed:

  • Uploaded documents and files
  • Vector embeddings created from documents
  • Chat messages from Visitors
  • AI-generated responses

Third-party services: We utilize multiple AI providers through our service infrastructure. We may integrate additional AI providers as needed for service optimization and performance.

Data Processing Agreements: We maintain appropriate data processing agreements with all AI providers to ensure compliance with applicable privacy laws

How it works:

  1. You upload documents → stored encrypted in Germany
  2. Documents are processed to create vector embeddings
  3. When Visitors send messages, relevant document sections are retrieved
  4. Messages + relevant content are sent to AI provider to generate responses
  5. AI provider does NOT store or train on your data (per our DPA)

Legal basis:

  • GDPR: Contract performance (Art. 6(1)(b))
  • LGPD: Contract performance (Art. 7, V)

Retention: Until you delete the documents or close your account

Important for Users: When you create chat interfaces, you act as a data controller for Visitor data. You must:

  • Have a lawful basis to process Visitor personal data
  • Provide privacy notices to Visitors
  • Obtain necessary consents
  • Comply with GDPR, LGPD, and other applicable laws

We act as your data processor for Visitor chat data.

3. Payment Processing

Purpose: To process subscription payments and manage billing.

Service provider: Stripe, Inc.

Data processed:

  • Payment card information (processed and stored by Stripe only)
  • Billing address
  • Transaction history
  • Subscription status

Stripe's Privacy Policy: https://stripe.com/privacy

Legal basis:

  • GDPR: Contract performance (Art. 6(1)(b))
  • LGPD: Contract performance (Art. 7, V)

Retention: Transaction records retained for tax/legal compliance as required by law

Important: We do NOT store your full payment card details. Stripe securely stores payment information and provides us only with transaction IDs and payment status.

4. Analytics and Service Improvement

Purpose: To understand how users interact with SoyChat and improve the Service.

Data processed:

  • Click events (which features are used)
  • Page views and navigation patterns
  • Session duration
  • Feature usage statistics
  • Error logs (with personal data redacted)

Method: First-party analytics (no third-party services)

No cookies: We do NOT use cookies or browser storage for tracking

IP addresses: Hashed immediately upon receipt; not stored in plaintext

Legal basis:

  • GDPR: Legitimate interest (Art. 6(1)(f)) - improving our Service
  • LGPD: Legitimate interest (Art. 7, IX)

Retention: Anonymized analytics data retained for up to 24 months

Opt-out: Contact us to opt out of analytics tracking

5. Customer Support

Purpose: To provide technical support and respond to inquiries.

Data processed:

  • Email communications
  • Support ticket content
  • Account information necessary to assist you

Legal basis:

  • GDPR: Contract performance (Art. 6(1)(b)) and legitimate interest (Art. 6(1)(f))
  • LGPD: Contract performance (Art. 7, V)

Retention: Support communications retained for up to 3 years

6. Security and Fraud Prevention

Purpose: To protect the Service, detect fraud, and prevent abuse.

Data processed:

  • Login attempts and access logs
  • Security events and alerts
  • IP addresses (hashed for security monitoring)

Legal basis:

  • GDPR: Legitimate interest (Art. 6(1)(f)) - security of our systems
  • LGPD: Legitimate interest (Art. 7, IX)

Retention: Security logs retained for up to 12 months

7. Legal Compliance

Purpose: To comply with legal obligations and respond to lawful requests.

Data processed: Any data necessary to comply with legal obligations

Legal basis:

  • GDPR: Legal obligation (Art. 6(1)(c))
  • LGPD: Legal obligation (Art. 7, II)

Retention: As required by applicable law

How We Share Your Information

We do NOT sell, rent, or trade your personal data to third parties for their marketing purposes.

We share data only in the following limited circumstances:

Third-Party Service Providers

We share data with carefully selected service providers who help us operate the Service:

1. AI Provider: SoyChat utilizes multiple third-party AI providers through our service infrastructure. We may integrate additional AI providers as needed for service optimization and performance.

  • Purpose: To generate AI responses based on your documents
  • Data shared: Chat messages
  • Location: Global (including EU data centers)
  • Data Processing Agreement: Yes, in place
  • Their retention: Zero data retention - not used for training

2. Cloud Infrastructure: Our servers are located in Germany (EU).

  • Purpose: Hosting and data storage
  • Data shared: All service data (encrypted)
  • Location: Germany (EU)
  • Data Processing Agreement: Yes, in place

3. Payment Processor: Stripe

  • Purpose: Process subscription payments
  • Data shared: Billing information, payment card details
  • Location: Global (including EU data centers)
  • Their privacy policy: https://stripe.com/privacy

Legal Requirements

We may disclose your information if required by law, court order, or government regulation, or to:

  • Comply with legal processes
  • Enforce our Terms of Service
  • Protect our rights, property, or safety
  • Protect the rights, property, or safety of others
  • Prevent fraud or security threats

Business Transfers

If we are involved in a merger, acquisition, or sale of assets, your data may be transferred. We will notify you before your data becomes subject to a different privacy policy and provide you options (including deletion).

With Your Consent

We may share your information for other purposes with your explicit consent.

International Data Transfers

Our company is registered in Brazil, but our servers are located in Germany (European Union), and we maintain operational presence in Spain (EU).

For EU Users

Your data remains within the EU (Germany servers), providing strong data protection under GDPR. No international data transfer outside the EU occurs for data storage.

However, our AI provider may process data outside the EU. We ensure appropriate safeguards:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Data Processing Agreements with GDPR-compliant terms
  • Adherence to GDPR Chapter V transfer requirements

For Brazilian Users

Your data is transferred to and stored in the EU (Germany). The European Union provides adequate data protection as recognized by Brazilian law.

We comply with LGPD Article 33 requirements for international data transfers:

  • The EU provides adequate level of data protection
  • Standard Contractual Clauses where additional protection needed
  • Full compliance with both LGPD and GDPR standards

For Other Users

If you access SoyChat from outside the EU or Brazil, your data will be transferred to and stored in the EU (Germany), which provides strong data protection standards under GDPR.

Further Information for Users in the European Union

This section applies to all Users in the European Union, according to the General Data Protection Regulation (the "GDPR"), and, for such Users, supersedes any other possibly divergent or conflicting information contained in the privacy policy.

Legal basis of processing

The Owner may process Personal Data relating to Users if one of the following applies:

  • Consent: Users have given their consent for one or more specific purposes (Art. 6(1)(a) GDPR)
  • Contract: Provision of Data is necessary for the performance of an agreement with the User and/or for any pre-contractual obligations thereof (Art. 6(1)(b) GDPR)
  • Legal obligation: Processing is necessary for compliance with a legal obligation to which the Owner is subject (Art. 6(1)(c) GDPR)
  • Vital interests: Processing is necessary to protect the vital interests of the User or another natural person (Art. 6(1)(d) GDPR)
  • Public interest: Processing is related to a task that is carried out in the public interest or in the exercise of official authority vested in the Owner (Art. 6(1)(e) GDPR)
  • Legitimate interests: Processing is necessary for the purposes of the legitimate interests pursued by the Owner or by a third party (Art. 6(1)(f) GDPR)

In any case, the Owner will gladly help to clarify the specific legal basis that applies to the processing, and in particular whether the provision of Personal Data is a statutory or contractual requirement, or a requirement necessary to enter into a contract.

The rights of Users based on the General Data Protection Regulation (GDPR)

Users may exercise certain rights regarding their Data processed by the Owner.

In particular, Users have the right to do the following, to the extent permitted by law:

1. Withdraw consent at any time. Users have the right to withdraw consent where they have previously given their consent to the processing of their Personal Data.

2. Object to processing of their Data. Users have the right to object to the processing of their Data if the processing is carried out on a legal basis other than consent. Further details about the right to object are provided below.

3. Access their Data. Users have the right to learn if Data is being processed by the Owner, obtain disclosure regarding certain aspects of the processing and obtain a copy of the Data undergoing processing.

4. Verify and seek rectification. Users have the right to verify the accuracy of their Data and ask for it to be updated or corrected.

5. Restrict the processing of their Data. Users have the right to restrict the processing of their Data. In this case, the Owner will not process their Data for any purpose other than storing it.

6. Have their Personal Data deleted or otherwise removed. Users have the right to obtain the erasure of their Data from the Owner ("Right to be Forgotten").

7. Receive their Data and have it transferred to another controller. Users have the right to receive their Data in a structured, commonly used and machine readable format and, if technically feasible, to have it transmitted to another controller without any hindrance ("Data Portability").

8. Lodge a complaint. Users have the right to bring a claim before their competent data protection authority.

Users are also entitled to learn about the legal basis for Data transfers abroad including to any international organization governed by public international law or set up by two or more countries, such as the UN, and about the security measures taken by the Owner to safeguard their Data.

Details about the right to object to processing

Where Personal Data is processed for a public interest, in the exercise of an official authority vested in the Owner or for the purposes of the legitimate interests pursued by the Owner, Users may object to such processing by providing a ground related to their particular situation to justify the objection.

Users must know that, however, should their Personal Data be processed for direct marketing purposes, they can object to that processing at any time, free of charge and without providing any justification. Where the User objects to processing for direct marketing purposes, the Personal Data will no longer be processed for such purposes. To learn whether the Owner is processing Personal Data for direct marketing purposes, Users may refer to the relevant sections of this document.

How to exercise these rights

Any requests to exercise User rights can be directed to the Owner through the contact details provided in this document. Such requests are free of charge and will be answered by the Owner as early as possible and always within one month, providing Users with the information required by law.

Any rectification or erasure of Personal Data or restriction of processing will be communicated by the Owner to each recipient, if any, to whom the Personal Data has been disclosed unless this proves impossible or involves disproportionate effort. At the Users' request, the Owner will inform them about those recipients.

EU Representative

As we maintain operational presence in Spain (EU), our EU representative is:

Name: Marcelo Vicente Guimarães Cardoso
Email: marcelo@soy.chat

Supervisory Authority

Users have the right to lodge a complaint with their local data protection authority. Relevant authorities include:

EU Online Dispute Resolution Platform: https://ec.europa.eu/consumers/odr

Further information for Users in Brazil

This section of the document integrates with and supplements the information contained in the rest of the privacy policy and is provided by the entity running SoyChat and, if the case may be, its parent, subsidiaries and affiliates (for the purposes of this section referred to collectively as "we", "us", "our").

This section applies to all Users in Brazil (Users are referred to below, simply as "you", "your", "yours"), according to the "Lei Geral de Proteção de Dados" (the "LGPD"), and for such Users, it supersedes any other possibly divergent or conflicting information contained in the privacy policy.

This part of the document uses the term "personal information" as it is defined in the LGPD.

The grounds on which we process your personal information

We can process your personal information solely if we have a legal basis for such processing. Legal bases are as follows:

  • Your consent to the relevant processing activities (Art. 7, I);
  • Compliance with a legal or regulatory obligation that lies with us (Art. 7, II);
  • The carrying out of public policies provided in laws or regulations or based on contracts, agreements and similar legal instruments (Art. 7, III);
  • Studies conducted by research entities, preferably carried out on anonymized personal information (Art. 7, IV);
  • The carrying out of a contract and its preliminary procedures, in cases where you are a party to said contract (Art. 7, V);
  • The exercising of our rights in judicial, administrative or arbitration procedures (Art. 7, VI);
  • Protection or physical safety of yourself or a third party (Art. 7, VII);
  • The protection of health – in procedures carried out by health entities or professionals (Art. 7, VIII);
  • Our legitimate interests, provided that your fundamental rights and liberties do not prevail over such interests (Art. 7, IX); and
  • Credit protection (Art. 7, X).

To find out more about the legal bases, you can contact us at any time using the contact details provided in this document.

Categories of personal information processed

To find out what categories of your personal information are processed, you can read the section titled "Detailed information on the processing of Personal Data" within this document.

Summary of categories:

  • Identification data (name, email)
  • Account credentials (encrypted passwords)
  • Payment data (processed by Stripe)
  • Content data (uploaded documents, chat messages)
  • Usage data (anonymized analytics)
  • Technical data (hashed IP, browser type)

Why we process your personal information

To find out why we process your personal information, you can read the sections titled "Detailed information on the processing of Personal Data" within this document.

Primary purposes:

  • Provide AI-powered chat services (RAG)
  • Manage your account and authentication
  • Process payments and billing
  • Improve the Service through analytics
  • Provide customer support
  • Ensure security and prevent fraud
  • Comply with legal obligations

Your Brazilian privacy rights, how to file a request and our response to your requests

Your Brazilian privacy rights

You have the right to:

  1. Obtain confirmation of the existence of processing activities on your personal information;
  2. Access to your personal information;
  3. Have incomplete, inaccurate or outdated personal information rectified;
  4. Obtain the anonymization, blocking or elimination of your unnecessary or excessive personal information, or of information that is not being processed in compliance with the LGPD;
  5. Obtain information on the possibility to provide or deny your consent and the consequences thereof;
  6. Obtain information about the third parties with whom we share your personal information;
  7. Obtain, upon your express request, the portability of your personal information (except for anonymized information) to another service or product provider, provided that our commercial and industrial secrets are safeguarded;
  8. Obtain the deletion of your personal information being processed if the processing was based upon your consent, unless one or more exceptions provided for in art. 16 of the LGPD apply;
  9. Revoke your consent at any time;
  10. Lodge a complaint related to your personal information with the ANPD (the National Data Protection Authority) or with consumer protection bodies;
  11. Oppose a processing activity in cases where the processing is not carried out in compliance with the provisions of the law;
  12. Request clear and adequate information regarding the criteria and procedures used for an automated decision; and
  13. Request the review of decisions made solely on the basis of the automated processing of your personal information, which affect your interests.

You will never be discriminated against, or otherwise suffer any sort of detriment, if you exercise your rights.

How to file your request

You can file your express request to exercise your rights free from any charge, at any time, by:

  • Email: marcelo@soy.chat
  • Through your account: Use the "Privacy & Data" section in account settings
  • Via your legal representative: If you choose to be represented

How and when we will respond to your request

We will strive to promptly respond to your requests.

In any case, should it be impossible for us to do so, we'll make sure to communicate to you the factual or legal reasons that prevent us from immediately, or otherwise ever, complying with your requests. In cases where we are not processing your personal information, we will indicate to you the physical or legal person to whom you should address your requests, if we are in the position to do so.

For access or confirmation requests:

  • Immediate (simplified) response: We can provide a simplified answer immediately
  • Complete disclosure: Within 15 days from your request, we will provide:
    • Origin of your personal information
    • Confirmation on whether or not records exist
    • Criteria used for processing
    • Purposes of processing
    • (While safeguarding our commercial and industrial secrets)

For rectification, deletion, anonymization or blocking requests: We will immediately communicate your request to third parties with whom we have shared your personal information (including our AI provider) to enable them to also comply with your request — except where such communication is proven impossible or involves disproportionate effort.

ANPD Contact

Autoridade Nacional de Proteção de Dados (ANPD)
Website: https://www.gov.br/anpd
You have the right to lodge a complaint with ANPD regarding our processing of your personal information.

Transfer of personal information outside of Brazil permitted by the law

We transfer your personal information to the European Union (Germany) for data storage and processing. This transfer is permitted under LGPD Art. 33 because:

  • The EU provides adequate level of personal data protection (recognized adequacy)
  • We have implemented Standard Contractual Clauses with our service providers
  • The transfer is necessary for the execution of a contract (providing the Service)
  • We comply with all LGPD requirements for international data transfers

Further information for California consumers

This section of the document integrates with and supplements the information contained in the rest of the privacy policy and is provided by the business running SoyChat and, if the case may be, its parent, subsidiaries and affiliates (for the purposes of this section referred to collectively as "we", "us", "our").

This section applies to all Users (Users are referred to below, simply as "you", "your", "yours"), who are consumers residing in the state of California, United States of America, according to the "California Consumer Privacy Act of 2018" (the "CCPA"), as updated by the "California Privacy Rights Act" (the "CPRA") and subsequent regulations. For such consumers, this section supersedes any other possibly divergent or conflicting information contained in the privacy policy.

This part of the document uses the term "personal information" as defined in the California Consumer Privacy Act (CCPA/CPRA).

Notice at collection

Categories of personal information collected, used, sold, or shared

In this section we summarize the categories of personal information that we've collected, used, sold, or shared and the purposes thereof. You can read about these activities in detail in the section titled "Detailed information on the processing of Personal Data" within this document.

Information we collect: the categories of personal information we collect

We have collected the following categories of personal information about you:

  • Identifiers: Name, email address, account ID, IP address (hashed)
  • Commercial information: Subscription tier, payment history, transaction records
  • Internet or network activity: Browsing behavior on SoyChat, click events, feature usage
  • Professional or employment-related information: Company name (if provided)
  • Inferences: Preferences and characteristics derived from usage patterns

We do not collect sensitive personal information (as defined by CPRA) unless you explicitly upload such content to the Service.

We will not collect additional categories of personal information without notifying you.

What are the purposes for which we use your personal information?

We may use your personal information to allow the operational functioning of SoyChat and features thereof ("business purposes"). In such cases, your personal information will be processed in a fashion necessary and proportionate to the business purpose for which it was collected, and strictly within the limits of compatible operational purposes.

Business purposes include:

  • Providing and maintaining the Service
  • Processing AI chat requests
  • Managing your account and authentication
  • Processing payments
  • Customer support
  • Security and fraud prevention
  • Analytics and service improvement
  • Legal compliance

We may also use your personal information for other reasons such as for commercial purposes (as indicated within the section "Detailed information on the processing of Personal Data" within this document), as well as for complying with the law and defending our rights before the competent authorities where our rights and interests are threatened or we suffer an actual damage.

We won't process your information for unexpected purposes, or for purposes incompatible with the purposes originally disclosed, without your consent.

How long do we keep your personal information?

Unless stated otherwise inside the "Detailed information on the processing of Personal Data" section, we will not retain your personal information for longer than is reasonably necessary for the purpose(s) they have been collected for.

See the "Retention time" section above for specific retention periods.

How we collect information: what are the sources of the personal information we collect?

We collect the above-mentioned categories of personal information, either directly or indirectly, from you when you use SoyChat.

For example:

  • You directly provide your personal information when you create an account, upload documents, or contact support
  • You indirectly provide personal information when you navigate SoyChat, as information about you is automatically observed and collected (usage analytics)

How we use the information we collect: disclosing of your personal information with third parties for a business purpose

We disclose your personal information to the following categories of third parties for business purposes:

  1. AI service providers (to generate chat responses)
  2. Cloud infrastructure providers (to store data)
  3. Payment processors (to process subscriptions)

For our purposes, the word "third party" means "a person who is not any of the following: a service provider or a contractor, as defined by the CCPA."

We have Data Processing Agreements with all service providers to ensure they handle your data appropriately and do not use it for their own purposes.

No sale or sharing of your personal information

We do not sell or share your personal information as defined by the CCPA/CPRA.

We do not:

  • Sell your data for monetary consideration
  • Share your data for cross-context behavioral advertising
  • Share your data with data brokers

In case we should decide to sell or share personal information in the future, we will inform you beforehand and will grant your right to opt out of such sale or sharing.

Your privacy rights under the California Consumer Privacy Act and how to exercise them

The right to access personal information: the right to know and to portability

You have the right to request that we disclose to you:

  • The categories of personal information that we collect about you;
  • The sources from which the personal information is collected;
  • The business or commercial purposes for which we use your information;
  • The categories of third parties to whom we disclose such information;
  • The specific pieces of personal information we have collected about you.

You also have the right to know what personal information is sold or shared and to whom (though we do not sell or share your information).

The disclosure described above will be limited to the personal information collected or used over the past 12 months.

If we deliver our response electronically, the information enclosed will be "portable", i.e. delivered in an easily usable format (JSON/CSV) to enable you to transmit the information to another entity without hindrance — provided that this is technically feasible.

The right to request the deletion of your personal information

You have the right to request that we delete any of your personal information, subject to exceptions set forth by the law (such as, including but not limited to, where the information is used to identify and repair errors on SoyChat, to detect security incidents and protect against fraudulent or illegal activities, to exercise certain rights, etc.).

If no legal exception applies, as a result of exercising your right, we will delete your personal information and notify our service providers and all third parties to whom we have disclosed the personal information to do so — provided that this is technically feasible and doesn't involve disproportionate effort.

The right to correct inaccurate personal information

You have the right to request that we correct any inaccurate personal information we maintain about you, taking into account the nature of the personal information and the purposes of the processing of the personal information.

The right to opt out of sale or sharing of personal information

You have the right to opt out of the sale or sharing of your personal information.

However, we do not sell or share your personal information, so this right does not currently apply.

The right to limit the use of your sensitive personal information

We do not collect or process sensitive personal information (as defined by CPRA) in the regular operation of our Service, unless you explicitly upload such content.

If you upload sensitive personal information, you can request its deletion at any time.

The right of no retaliation following opt-out or exercise of other rights (the right to non-discrimination)

We will not discriminate against you for exercising your rights under the CCPA/CPRA. This means that we will not discriminate against you, including, but not limited to, by denying goods or services, charging you a different price, or providing a different level or quality of goods or services just because you exercised your consumer privacy rights.

However, if you refuse to provide your personal information to us or ask us to delete your personal information, and that personal information is necessary for us to provide you with the Service, we may not be able to complete that transaction.

To the extent permitted by the law, we may offer you promotions, discounts, and other deals in exchange for collecting, keeping, or processing your personal information, provided that the financial incentive offered is reasonably related to the value of your personal information.

How to exercise your rights

To exercise the rights described above, you need to submit your verifiable request to us by:

  • Email: privacy@soy.chat
  • Account settings: Use the "Privacy & Data" section
  • Contact form: Available on our website

For us to respond to your request, it's necessary that we know who you are. Therefore, you can only exercise the above rights by making a verifiable request which must:

  • Provide sufficient information that allows us to reasonably verify you are the person about whom we collected personal information or an authorized representative;
  • Describe your request with sufficient detail that allows us to properly understand, evaluate, and respond to it.

We will respond to your request within 45 days.