Privacy Policy & DPA
Last updated December 11, 2025
GDPR/UK GDPR COMPLIANT
1. Introduction
This Privacy Policy explains how Sophya Inc. (“SoWork,” “we,” “our,” or “us”) collects, uses, discloses, and protects your information when you access or use SoWork services (sowork.com, app.sowork.com, and related applications).
SoWork is committed to privacy and complies with:
EU GDPR
UK GDPR
BC privacy law
CCPA/CPRA (California)
Australian Privacy Act
We design our systems to minimize data, encrypt data in transit and at rest, and honor all deletion, access, and export rights. If you have questions, you may contact us at:
aloha@sowork.com
2. What Data We Collect and Why
We collect only the data required to provide and improve SoWork. Below is a summary:
Account Information
Name, email, password (hashed), team/organization information
Purpose: Create and manage your account
Lawful basis: Contract
Usage Data
IP address, browser, device type
Interaction events in the app (clicks, features used, session durations) via Google Analytics and Amplitude
Purpose: Improve performance, product quality
Lawful basis: Legitimate interest (EU/UK); analytics consent where required
Workspace Content
Messages, reactions, status text, uploaded images, meeting metadata
Purpose: Provide the SoWork environment and its collaboration features
Lawful basis: Contract
Payment Information
Provided directly to Stripe; SoWork does not store full card details
Purpose: Process payments
Lawful basis: Contract
Support Interactions
Emails, chat messages, bug reports
Purpose: Provide support
Lawful basis: Legitimate interest
We do not sell personal information.
3. Lawful Bases for Processing (GDPR/UK GDPR)

4. How We Share Information
We only share information with vendors necessary to operate SoWork:
Subprocessors
AWS (USA) – infrastructure
Google Cloud (USA) – infrastructure + backups
Stream/StreamChat (USA) – messaging infrastructure
Stripe (USA) – payments
Google Analytics – analytics
Amplitude – analytics
Each subprocessor is bound by a Data Processing Agreement (DPA) and Standard Contractual Clauses. We do not share information with advertisers and do not sell data.
5. International Transfers (EU/UK → USA)
Because SoWork and its infrastructure are located in the United States, your data will be transferred outside the EU and UK. To protect these transfers, we use:
Standard Contractual Clauses (SCCs) approved by the European Commission
UK Addendum to the SCCs
Technical measures including encryption, access controls, and strict role-based permissions
6. Data Retention
We retain data only as long as necessary:

After deletion requests, data is removed from live systems and from backups within 30 days.
7. Your Rights (GDPR & UK GDPR)
If you are located in the EU, UK, or EEA, you have the right to:
Access your personal data
Request deletion of your data
Request correction or updates
Restrict processing
Object to processing
Receive your data in portable form
Withdraw consent at any time
File a complaint with your data protection authority
You may exercise these rights at aloha@sowork.com.
EU/UK Representative (Article 27)
Based on our assessment, SoWork qualifies for the exemption from appointing an EU/UK representative because:
our processing of EU/UK personal data is occasional,
does not involve large-scale special-category data,
and presents low risk to individuals.
We continue to monitor this status.
8. Cookies and Tracking Technologies
We use cookies for functionality and analytics. Types of cookies:
Essential cookies – required for login and workspace operation
Analytics cookies – Google Analytics, Amplitude
Preference cookies – remember your settings
Where required, we obtain consent for non-essential cookies.
9. Security
We use industry-standard security measures, including:
TLS encryption in transit
Encryption at rest
Role-based access controls
Regular security reviews
Audit logging
10. Children’s Privacy
SoWork is not intended for children under 13, and we do not knowingly collect data from them.
11. How to Contact Us
COOKIE POLICY (GDPR/UK COMPLIANT)
1. What Are Cookies?
Cookies are small text files stored on your device to make SoWork function properly and improve your experience.
2. How We Use Cookies
Essential Cookies
Required for login, session management, and workspace functionality.
Analytics Cookies
Used for understanding usage patterns via:
Google Analytics
Amplitude
These cookies are loaded only after user consent where required.
3. Cookie Choices
You may:
Accept all cookies
Reject non-essential cookies
Withdraw consent at any time
Browser settings may also block cookies.
SoWork — DATA PROCESSING ADDENDUM
This Data Processing Addendum (“DPA”) is incorporated into the SoWork Terms of Service (“Agreement”) and applies where SoWork processes Personal Data on behalf of a Customer subject to GDPR, UK GDPR, or similar laws. By using the Services, Customer agrees to this DPA.
1. Roles and Responsibilities
Customer is the Controller of Personal Data.
SoWork is the Processor, processing Personal Data only to provide the Services.
Each party will comply with applicable Data Protection Laws.
2. Customer Instructions
SoWork will process Personal Data only:
(a) to provide the Services,
(b) according to Customer’s documented instructions,
(c) as required by law.
SoWork will notify Customer if an instruction appears unlawful.
3. Confidentiality
SoWork ensures personnel with access to Personal Data are bound by confidentiality obligations.
4. Subprocessors
Customer authorizes SoWork to use subprocessors necessary to provide the Services, including:
AWS (USA)
Google Cloud (USA)
StreamChat (USA)
Stripe (USA)
Google Analytics
Amplitude
SoWork will impose data-protection obligations on all subprocessors and remains responsible for their compliance.
5. Security Measures
SoWork will implement technical and organizational measures appropriate to the risk, including encryption, access controls, network security, monitoring, and regular reviews.
6. Data Subject Requests
SoWork will assist Customer in responding to data subject rights requests (access, deletion, correction, portability, objection) relevant to data processed through the Services.
7. Personal Data Breaches
SoWork will notify Customer without undue delay upon becoming aware of a Personal Data Breach affecting Personal Data.
8. International Transfers
Where Personal Data is transferred to the United States:
The EU Standard Contractual Clauses (SCCs, Module 2) are incorporated into this DPA.
The UK Addendum applies for UK GDPR.
SoWork will implement supplementary measures including encryption, access controls, and logging.
Execution of this DPA constitutes execution of the SCCs.
9. Deletion of Data
Upon termination of the Services or upon request, SoWork will delete Personal Data from active systems without undue delay and from backups within 90 days, unless retention is required by law.
10. Audit Rights
Customer may:
(a) request summaries of SoWork’s security measures, or
(b) conduct a reasonable remote audit once per year upon written notice.
On-site audits are permitted only if required by law. If such documentation is insufficient for Customer to meet its legal obligations under GDPR or UK GDPR, Customer may conduct a remote audit of SoWork’s relevant systems no more than once per 12-month period, with at least 30 days’ prior written notice.
All audits shall be conducted at Customer’s sole cost and expense. This includes, without limitation:
Customer’s internal costs,
fees of any third-party auditor,
SoWork’s reasonable costs for time, personnel, engineering assistance, and administrative overhead associated with facilitating the audit.
SoWork will require Customer to sign a confidentiality agreement and to agree in writing to reimburse all audit-related costs before the audit begins.
11. Liability and Governing Law
Liability under this DPA is subject to the limitations in the Agreement.
For EU transfers, Irish law governs the SCCs.
For UK transfers, the UK Addendum applies.
This DPA is effective automatically and does not require a signature.
Use of SoWork after the effective date constitutes acceptance.

