Privacy Policy

This policy explains what data Sopu collects, why, where it lives, and the control you have over it. It is written to be read, not skimmed past.

Who we are

Sopu is operated by Sopu Software (business ID: 3520778-1), the data controller for the information described here. For any privacy request — access, correction, deletion, or a question — email support@sopu.app.

What we collect

We collect only what the product needs to work.

• Your email address. Sopu uses magic-link sign-in, so your email is your identity. We do not collect or store passwords.
• Your workspace contents. The contacts, interactions, notes, next actions, and invoices you create. This is the data you came to Sopu to keep.
• Interaction logs. The record of communication you log against a contact — the institutional memory Sopu exists to protect.
• Technical data for authentication. Your IP address and basic session metadata, used to issue and validate sign-in sessions and to protect your account from abuse.

We do not run third-party behavioural tracking or advertising. There is no Google Analytics, no Mixpanel, no Hotjar, no third-party tracker.

Why we collect it

• To provide the CRM: store, display, and search your workspace.
• To authenticate you: send magic links, maintain your session.
• To send transactional email: sign-in links and account-related notices. We do not send marketing email.
• To keep the service secure: detect and prevent abuse of accounts.

We process this data on the basis of performing our contract with you (running the service you signed up for) and our legitimate interest in keeping that service secure.

Where your data lives

• Hosting. Sopu runs on servers operated by Hetzner, within the EU.
• Transactional email. Sign-in links and account notices are delivered through Resend.
• Inbound contact email. Postmark provides the per-contact email addresses Sopu uses to capture replies from your contacts and log them into your workspace.
• Payments. When subscription billing launches, payments will be processed by Stripe. Sopu will not store your full card details — Stripe handles that. This policy will be updated when billing goes live.
• AI features. Sopu offers AI-assisted features in two modes. In the default mode, Sopu sends the minimum necessary content to a large-language-model provider (such as Groq, OpenAI, or Anthropic) to produce a result. In the bring-your-own-key mode, the request goes to the provider you connect, under your own agreement with them — Sopu is only the transport.

Each of these is a processor acting on our instructions, or — in the bring-your-own-key case — a provider you have your own relationship with.

How long we keep it

• While your workspace is active: for as long as you keep your account.
• After deletion: when you delete your account, your data enters a 30-day grace period during which deletion can still be reversed, then it is permanently removed. Backups roll off shortly after on their normal cycle.

Your rights

Under the GDPR you have the right to:

• Access — export a copy of your workspace data at any time from Settings.
• Portability — that same export is provided in a structured, machine-readable format.
• Rectification — correct any data directly, by editing it in the product.
• Erasure — delete your account and its data from Settings; see the retention section above for timing.
• Object or restrict — contact us and we will address it.

To exercise any right not covered by an in-product control, email support@sopu.app. You also have the right to lodge a complaint with your local data protection authority.

Cookies

Sopu uses only strictly necessary cookies — for your sign-in session. No tracking cookies. See the Cookie Policy for detail.

Changes to this policy

If this policy changes materially, we will note it here and update the date at the top. Continued use of Sopu after a change means you accept the revised policy.

Contact

support@sopu.app — privacy questions and requests.