Privacy Policy

Last updated: April 8, 2026

The short version

Your data is yours. We store what you give us so the product works. We don't sell it, we don't share it with advertisers, and we don't use it to train AI models. You can export or delete everything at any time.

What we collect

Information you provide

  • Account information: Your email address and password (hashed with Argon2id).
  • Profile data: Your name, bio, communication preferences, topic interests, and privacy rules.
  • Payment information: If you subscribe to a paid plan, Stripe processes your payment. We never see or store your card number.

Information collected automatically

  • Usage data: Page views and feature usage with first-party analytics (no third-party trackers).
  • Session data: IP address and user agent for active sessions. Deleted when the session expires.

Information we never collect

  • Your AI conversations (the extension processes data locally)
  • Browsing history outside of AI platforms
  • Contacts, files, or other personal data

How we use your data

  • Provide the service: Compile your profile, enforce privacy rules, sync via the browser extension.
  • Improve the product: Aggregated, anonymous usage patterns.
  • Communicate with you: Transactional emails and occasional product updates. Opt out of non-essential emails anytime.

How we protect your data

  • Encryption at rest: AES-256-GCM.
  • Encryption in transit: TLS 1.3.
  • Password hashing: Argon2id (65536 KB, 3 iterations).
  • Secure sessions: JWT in HttpOnly, Secure, SameSite=Strict cookies.
  • CSRF protection: Double-submit cookie pattern on all state-changing requests.
  • Infrastructure: AWS with encryption, access controls, and monitoring.

Data retention

  • Active accounts: Data retained while your account is active.
  • Deleted accounts: Permanently removed within 30 days.
  • Session data: Purged when sessions expire (30 days max).

Your rights

From your account settings, you can:

  • Export: Download all your data as JSON.
  • Delete: Permanently delete your account and all data.
  • Correct: Edit any information in your profile.
  • Restrict: Disable specific features or rules.

EU/EEA users have additional rights under GDPR — see European residents below, or visit our GDPR rights page. California residents have CCPA rights — see California residents.

Sub-processors

The following third parties process personal data on our behalf to deliver the service. All are bound by data processing agreements.

Sub-processorPurposeData sharedLocation
Amazon Web ServicesHosting, storage, computeAccount data, SSD, audit logsUS-East
StripePayment processingEmail, payment methodUS / EU
Amazon SESTransactional emailEmail address, message bodyUS
Google OAuthSocial sign-in (opt-in)Email, Google account IDUS
Google Gemini / Anthropic / OpenAILLM-powered Adaptation (Pro+ opt-in)Transcript excerpts (never retained by us)US
SentryError monitoringAnonymous error reportsUS / EU

We publish new sub-processors before adding them. Subscribe at privacy@soullayer.ai for notifications.

European residents (GDPR)

If you are in the European Economic Area, UK, or Switzerland, you have rights under the GDPR:

  • Access & portability (Article 15, 20): Export your full data bundle from Settings → "Export all data". See our GDPR rights page.
  • Rectification (Article 16): Edit any profile information at any time.
  • Erasure (Article 17): Delete your account from Settings. 30-day grace period; permanent after.
  • Restriction & objection (Articles 18, 21): Disable specific features, opt out of adaptation, rules, or analytics.
  • Automated decision-making (Article 22): Our LLM-powered adaptation requires explicit opt-in, and every proposed change is reviewable by you before it takes effect.
  • Complaint: Lodge a complaint with your local supervisory authority.

Our legal bases are: (a) contract performance for core service operation, (b) your consent for adaptation & analytics, and (c) legitimate interest for security and fraud prevention.

California residents (CCPA / CPRA)

If you are a California resident, the CCPA / CPRA gives you the following rights:

  • Right to know: Request a list of the categories and specific pieces of personal information we have collected.
  • Right to delete: Request deletion of your personal information.
  • Right to correct: Request correction of inaccurate information.
  • Right to opt out of sale / sharing: We do not sell or share personal information for cross-contextual behavioral advertising. You are already opted out.
  • Right to limit use of sensitive personal information: We do not use sensitive personal information for purposes outside what you authorize.
  • Non-discrimination: We will not deny service, charge different prices, or reduce quality for exercising your rights.

Exercise these rights at privacy@soullayer.ai or from Settings. We verify requests by re-authenticating your account.

Cookies

  • sl_access: Auth token (HttpOnly, 1 hour).
  • sl_refresh: Refresh token (HttpOnly, 30 days).
  • sl_csrf: CSRF token (24 hours).

No tracking or advertising cookies.

Children's privacy

Not intended for users under 16.

Changes

Material changes communicated via email at least 30 days in advance.

Contact

privacy@soullayer.ai