Privacy Policy & DPA


GDPR/UK GDPR COMPLIANT


1. Introduction


This Privacy Policy explains how Sophya Inc. (“SoWork,” “we,” “our,” or “us”) collects, uses, discloses, and protects your information when you access or use SoWork services (sowork.com, app.sowork.com, and related applications).

SoWork is committed to privacy and complies with:

  • EU GDPR

  • UK GDPR

  • BC privacy law

  • CCPA/CPRA (California)

  • Australian Privacy Act

We design our systems to minimize data, encrypt data in transit and at rest, and honor all deletion, access, and export rights.

If you have questions, you may contact us at:
aloha@sowork.com

2. What Data We Collect and Why

We collect only the data required to provide and improve SoWork. Below is a summary:

Account Information

  • Name, email, password (hashed), team/organization information

  • Purpose: Create and manage your account

  • Lawful basis: Contract

Usage Data

  • IP address, browser, device type

  • Interaction events in the app (clicks, features used, session durations) via Google Analytics and Amplitude

  • Purpose: Improve performance, product quality

  • Lawful basis: Legitimate interest (EU/UK); analytics consent where required

Workspace Content

  • Messages, reactions, status text, uploaded images, meeting metadata

  • Purpose: Provide the SoWork environment and its collaboration features

  • Lawful basis: Contract

Payment Information

  • Provided directly to Stripe; SoWork does not store full card details

  • Purpose: Process payments

  • Lawful basis: Contract

Support Interactions

  • Emails, chat messages, bug reports

  • Purpose: Provide support

  • Lawful basis: Legitimate interest

We do not sell personal information.

3. Lawful Bases for Processing (GDPR/UK GDPR)



4. How We Share Information

We only share information with vendors necessary to operate SoWork:

Subprocessors

  • AWS (USA) – infrastructure

  • Google Cloud (USA) – infrastructure + backups

  • Stream/StreamChat (USA) – messaging infrastructure

  • Stripe (USA) – payments

  • Google Analytics – analytics

  • Amplitude – analytics

Each subprocessor is bound by a Data Processing Agreement (DPA) and Standard Contractual Clauses. We do not share information with advertisers and do not sell data.

5. International Transfers (EU/UK → USA)

Because SoWork and its infrastructure are located in the United States, your data will be transferred outside the EU and UK. To protect these transfers, we use:


  • Standard Contractual Clauses (SCCs) approved by the European Commission

  • UK Addendum to the SCCs

  • Technical measures including encryption, access controls, and strict role-based permissions

6. Data Retention

We retain data only as long as necessary:


After deletion requests, data is removed from live systems and from backups within 30 days.

7. Your Rights (GDPR & UK GDPR)

If you are located in the EU, UK, or EEA, you have the right to:

  • Access your personal data

  • Request deletion of your data

  • Request correction or updates

  • Restrict processing

  • Object to processing

  • Receive your data in portable form

  • Withdraw consent at any time

  • File a complaint with your data protection authority

You may exercise these rights at aloha@sowork.com.

EU/UK Representative (Article 27)

Based on our assessment, SoWork qualifies for the exemption from appointing an EU/UK representative because:


  • our processing of EU/UK personal data is occasional,

  • does not involve large-scale special-category data,

  • and presents low risk to individuals.

We continue to monitor this status.

8. Cookies and Tracking Technologies

We use cookies for functionality and analytics. Types of cookies:

  • Essential cookies – required for login and workspace operation

  • Analytics cookies – Google Analytics, Amplitude

  • Preference cookies – remember your settings

Where required, we obtain consent for non-essential cookies.

9. Security

We use industry-standard security measures, including:

  • TLS encryption in transit

  • Encryption at rest

  • Role-based access controls

  • Regular security reviews

  • Audit logging


10. Children’s Privacy

SoWork is not intended for children under 13, and we do not knowingly collect data from them.

11. How to Contact Us

aloha@sowork.com

COOKIE POLICY (GDPR/UK COMPLIANT)

1. What Are Cookies?

Cookies are small text files stored on your device to make SoWork function properly and improve your experience.

2. How We Use Cookies

Essential Cookies

Required for login, session management, and workspace functionality.

Analytics Cookies

Used for understanding usage patterns via:

  • Google Analytics

  • Amplitude


These cookies are loaded only after user consent where required.

3. Cookie Choices

You may:

  • Accept all cookies

  • Reject non-essential cookies

  • Withdraw consent at any time

Browser settings may also block cookies.

SoWork — DATA PROCESSING ADDENDUM

This Data Processing Addendum (“DPA”) is incorporated into the SoWork Terms of Service (“Agreement”) and applies where SoWork processes Personal Data on behalf of a Customer subject to GDPR, UK GDPR, or similar laws. By using the Services, Customer agrees to this DPA.

1. Roles and Responsibilities

  • Customer is the Controller of Personal Data.

  • SoWork is the Processor, processing Personal Data only to provide the Services.

  • Each party will comply with applicable Data Protection Laws.

2. Customer Instructions

SoWork will process Personal Data only:


(a) to provide the Services,
(b) according to Customer’s documented instructions,
(c) as required by law.

SoWork will notify Customer if an instruction appears unlawful.

3. Confidentiality

SoWork ensures personnel with access to Personal Data are bound by confidentiality obligations.

4. Subprocessors

Customer authorizes SoWork to use subprocessors necessary to provide the Services, including:


  • AWS (USA)

  • Google Cloud (USA)

  • StreamChat (USA)

  • Stripe (USA)

  • Google Analytics

  • Amplitude

SoWork will impose data-protection obligations on all subprocessors and remains responsible for their compliance.

5. Security Measures

SoWork will implement technical and organizational measures appropriate to the risk, including encryption, access controls, network security, monitoring, and regular reviews.

6. Data Subject Requests

SoWork will assist Customer in responding to data subject rights requests (access, deletion, correction, portability, objection) relevant to data processed through the Services.

7. Personal Data Breaches

SoWork will notify Customer without undue delay upon becoming aware of a Personal Data Breach affecting Personal Data.

8. International Transfers

Where Personal Data is transferred to the United States:


  • The EU Standard Contractual Clauses (SCCs, Module 2) are incorporated into this DPA.

  • The UK Addendum applies for UK GDPR.

  • SoWork will implement supplementary measures including encryption, access controls, and logging.

Execution of this DPA constitutes execution of the SCCs.

9. Deletion of Data

Upon termination of the Services or upon request, SoWork will delete Personal Data from active systems without undue delay and from backups within 90 days, unless retention is required by law.

10. Audit Rights

Customer may:

(a) request summaries of SoWork’s security measures, or
(b) conduct a reasonable remote audit once per year upon written notice.

On-site audits are permitted only if required by law. If such documentation is insufficient for Customer to meet its legal obligations under GDPR or UK GDPR, Customer may conduct a remote audit of SoWork’s relevant systems no more than once per 12-month period, with at least 30 days’ prior written notice.

All audits shall be conducted at Customer’s sole cost and expense. This includes, without limitation:


  1. Customer’s internal costs,

  2. fees of any third-party auditor,

  3. SoWork’s reasonable costs for time, personnel, engineering assistance, and administrative overhead associated with facilitating the audit.

SoWork will require Customer to sign a confidentiality agreement and to agree in writing to reimburse all audit-related costs before the audit begins.

11. Liability and Governing Law

Liability under this DPA is subject to the limitations in the Agreement.

For EU transfers, Irish law governs the SCCs.

For UK transfers, the UK Addendum applies.

This DPA is effective automatically and does not require a signature.

Use of SoWork after the effective date constitutes acceptance.