Privacy Policy Terms of Service Security Policy Refund Policy

Privacy Policy

Last updated: January 15, 2025

Overview

At Sotabox, we respect the privacy rights of our users and recognize the importance of protecting your information. We provide an AI-powered content management and knowledge platform, and our products—Smart Library, Smart Workspace, and AI Tools—make it easier for people to organize knowledge, collaborate on projects, and get work done more efficiently.

This Privacy Policy explains how information (including personal data as defined under GDPR and other applicable privacy laws) is collected, retained, used, disclosed, and transferred by Sotabox, and the choices you have regarding your personal information. This Privacy Policy applies to information collected, used, or shared by Sotabox when you use or access our websites, products, mobile applications, or services (collectively, the "Sotabox Services"), including when you attend a Sotabox event or otherwise interact with us.

1. Business Accounts

If you use the Sotabox Services as part of a business, entity, or non-profit (collectively, "Organization") that has an agreement with Sotabox, then the terms of that agreement between the Organization and Sotabox will supersede this Privacy Policy where the terms overlap.

If your Organization has a Data Processing Agreement (DPA) with Sotabox, that agreement governs how we process personal data on behalf of your Organization.

2. Changes to This Policy

We may change this Privacy Policy from time to time. If we make any changes, we will revise the "Last updated" date at the top of this Privacy Policy. If there are material changes to this Privacy Policy, we may notify you or your Organization more directly by email or post a notice on Sotabox's website prior to the changes becoming effective.

We encourage you to periodically review our Privacy Policy to stay informed about our data protection practices and the ways you can help protect your privacy.

3. Information We Collect

Sotabox collects information in the following ways:

3.1 Information You Provide

We collect information you directly provide to Sotabox when you:

  • Create an Account: Name, email address, password, organization name, job title
  • Subscribe to a Plan: Billing information, payment card details (processed by our payment provider), billing address
  • Use Our Services: Content you upload, create, or share (documents, files, notes, projects, tasks)
  • Communicate with Us: Support requests, feedback, survey responses, emails
  • Attend Events: Registration information, dietary preferences, accessibility requirements
  • Apply for Jobs: Resume, cover letter, professional history

3.2 Information We Collect Automatically

When you use the Sotabox Services, we automatically collect certain information, including:

  • Usage Data: Features used, actions taken, time spent, search queries, interaction patterns
  • Device Information: Device type, operating system, browser type, unique device identifiers
  • Log Data: IP address, access times, pages viewed, referring URL, error logs
  • Location Data: General location based on IP address (we do not collect precise GPS location)
  • Cookies and Similar Technologies: Information collected through cookies, pixels, and similar technologies (see Section 10)

3.3 Information from Third Parties

We may collect information from third parties, including:

  • Integrations: When you connect third-party services (e.g., Google Drive, Slack, Microsoft 365), we may receive information from those services as authorized by you
  • Single Sign-On: If you use SSO to access Sotabox, we receive authentication information from your identity provider
  • Business Partners: We may receive contact information from business partners for marketing purposes
  • Public Sources: We may collect publicly available information to improve our services

4. How We Use Your Information

Sotabox uses the information we collect for the following purposes:

4.1 Providing and Improving Services

  • Operating, maintaining, and improving the Sotabox Services
  • Processing transactions and sending related information
  • Providing customer support and responding to inquiries
  • Personalizing your experience and providing content recommendations
  • Developing new features and services

4.2 AI Features

  • Processing your Content through AI features you request (Chat with Files, Insight Search, Deep Research, etc.)
  • Generating AI-powered insights, summaries, and recommendations based on your Content
  • Transcribing meetings and audio files when you use Meeting Transcription

Important: We do NOT use your Content to train our AI models. Your data remains private and is only processed to provide the specific AI features you request.

4.3 Communications

  • Sending service-related notices (security alerts, updates, billing reminders)
  • Responding to your comments, questions, and requests
  • Sending marketing communications (with your consent where required)
  • Providing news about Sotabox products, services, and events

4.4 Safety and Security

  • Detecting, preventing, and addressing fraud, abuse, and security issues
  • Protecting the rights, property, and safety of Sotabox, our users, and the public
  • Complying with legal obligations
  • Enforcing our Terms of Service and other policies

4.5 Analytics and Research

  • Understanding how users interact with our Services
  • Measuring the effectiveness of our marketing campaigns
  • Conducting research and analysis to improve our Services
  • Creating aggregated, anonymized data for statistical purposes

5. How We Share Your Information

We will not share personal information about you or any Content with third parties except as described in this Privacy Policy or with your consent.

5.1 Service Providers

We share information with third-party vendors and service providers who perform services on our behalf, such as:

  • Cloud hosting and infrastructure providers
  • Payment processors
  • Customer support tools
  • Analytics providers
  • Email delivery services
  • AI model providers (for processing your requests only, not for training)

These service providers are bound by contractual obligations to protect your information and may only use it for the purposes we specify.

5.2 Integrations

When you choose to use third-party integrations (e.g., Google Drive, Slack, Microsoft 365), information may be shared with those services as necessary to provide the integration functionality. Your use of these integrations is subject to the third party's privacy policy.

5.3 Organization Administrators

If you use Sotabox through an Organization account, the administrators of that Organization may have access to your account information, usage data, and Content in accordance with the Organization's policies.

5.4 Legal Requirements

We may disclose information if required to do so by law or in response to valid requests by public authorities (e.g., court orders, subpoenas, government agencies). We will notify you of such requests when legally permitted.

5.5 Business Transfers

If Sotabox is involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any change in ownership or uses of your information.

5.6 With Your Consent

We may share information with third parties when you give us explicit consent to do so.

5.7 What We Do NOT Do

  • We do NOT sell your personal information to third parties
  • We do NOT use your Content to train AI models without your explicit consent
  • We do NOT share your Content with other customers or make it publicly accessible (unless you choose to share it)

6. Data Security

Sotabox is committed to protecting your personal information. We implement appropriate technical and organizational measures to help protect your information from unauthorized access, loss, theft, misuse, and alteration.

Security Measures

  • Encryption at Rest: All Content is encrypted using AES-256 encryption when stored in our data centers
  • Encryption in Transit: All data transmitted between you and our Services is protected using TLS 1.3
  • Access Controls: Strict access controls and authentication requirements for our systems
  • Security Monitoring: 24/7 monitoring and logging of our infrastructure
  • Regular Audits: Annual third-party security audits and penetration testing
  • Employee Training: Regular security awareness training for all employees

For more details about our security practices, please visit our Security Policy.

7. Your Privacy Rights and Choices

We believe you should have control over your personal information. Depending on your location, you may have the following rights:

7.1 Access and Portability

You can request a copy of the personal information we hold about you. You can also request that we provide your data in a portable format.

7.2 Correction

You can update or correct inaccurate personal information through your account settings or by contacting us.

7.3 Deletion

You can request that we delete your personal information, subject to certain exceptions (e.g., legal obligations, legitimate business purposes).

7.4 Restriction and Objection

You can request that we restrict or stop processing your personal information in certain circumstances.

7.5 Withdraw Consent

Where we rely on your consent to process your information, you can withdraw that consent at any time.

7.6 Marketing Opt-Out

You can opt out of marketing communications at any time by:

  • Clicking the "unsubscribe" link in any marketing email
  • Updating your preferences in your account settings
  • Emailing us at privacy@sotabox.com

7.7 Exercising Your Rights

To exercise any of these rights, please contact us at privacy@sotabox.com. We will respond to your request within 30 days (or sooner if required by law). We may need to verify your identity before processing your request.

8. Data Retention

We retain your information for as long as necessary to provide the Sotabox Services and fulfill the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by law.

Retention Periods

  • Account Information: Retained while your account is active and for a reasonable period afterward
  • Content: Retained while your account is active. Upon account deletion, Content is deleted within 30 days, with backup copies purged within 90 days
  • Usage Data: Generally retained for 2 years for analytics purposes, then anonymized or deleted
  • Billing Records: Retained for 7 years as required by tax and accounting laws
  • Support Communications: Retained for 3 years to improve our services

Account Deletion

When you delete your account:

  • Your Content will be permanently deleted within 30 days
  • Backup copies will be purged within 90 days
  • Some information may be retained as required by law or for legitimate business purposes
  • Anonymized or aggregated data may be retained indefinitely

9. International Data Transfers

Sotabox operates globally and may transfer your information to countries other than your country of residence. When we transfer personal information across borders, we implement appropriate safeguards to protect your information.

Transfer Mechanisms

  • Standard Contractual Clauses: We use EU-approved Standard Contractual Clauses for transfers from the EEA, UK, and Switzerland
  • Data Privacy Framework: We comply with applicable data privacy frameworks for transatlantic data transfers
  • Adequacy Decisions: We may transfer data to countries with adequate data protection laws

Data Residency

Enterprise customers may have options to specify data residency requirements. Please contact us for more information about data residency options.

10. Cookies and Tracking Technologies

We use cookies and similar tracking technologies to collect information about your use of the Sotabox Services.

Types of Cookies We Use

  • Essential Cookies: Required for the Services to function properly (authentication, security, preferences)
  • Analytics Cookies: Help us understand how users interact with our Services
  • Marketing Cookies: Used to deliver relevant advertisements (only with your consent)
  • Functionality Cookies: Remember your preferences and settings

Your Cookie Choices

You can manage your cookie preferences through:

  • Our cookie consent banner when you first visit our website
  • Your browser settings to block or delete cookies
  • Your account privacy settings

Note that blocking certain cookies may affect the functionality of the Sotabox Services.

11. AI and Machine Learning

Our Services include AI-powered features. Here's how we handle your data in relation to AI:

11.1 How AI Processes Your Data

  • AI features process your Content only when you explicitly use those features
  • Processing occurs in real-time to provide the requested functionality
  • AI outputs are generated based solely on your Content and queries

11.2 What We Do NOT Do

  • We do NOT train AI models on your Content
  • We do NOT share your Content with AI model providers for training purposes
  • We do NOT retain your Content longer than necessary to provide the requested AI feature

11.3 AI Model Providers

We work with third-party AI model providers to power certain features. These providers:

  • Process your requests in real-time only
  • Are contractually prohibited from using your Content for training
  • Are bound by strict data protection agreements

12. Children's Privacy

The Sotabox Services are not directed to individuals under the age of 18, and we do not knowingly collect personal information from anyone under 18. If you become aware that a child has provided us with personal information, please contact us at privacy@sotabox.com.

If we become aware that a child under 18 has provided us with personal information, we will take steps to delete such information as soon as possible.

13. Regional Privacy Information

13.1 European Economic Area (EEA), UK, and Switzerland

If you are located in the EEA, UK, or Switzerland, you have additional rights under GDPR and similar laws:

  • Legal Basis: We process your data based on consent, contract performance, legitimate interests, or legal obligations
  • Data Protection Authority: You have the right to lodge a complaint with your local data protection authority
  • Data Protection Officer: You can contact our DPO at dpo@sotabox.com

13.2 California (CCPA/CPRA)

If you are a California resident, you have specific rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

  • Right to know what personal information we collect and how we use it
  • Right to delete your personal information
  • Right to opt-out of the sale of personal information (note: we do not sell personal information)
  • Right to non-discrimination for exercising your privacy rights
  • Right to correct inaccurate personal information
  • Right to limit use of sensitive personal information

13.3 Other U.S. States

Residents of other U.S. states with privacy laws (Virginia, Colorado, Connecticut, Utah, etc.) may have similar rights. Please contact us to exercise your rights.

13.4 Brazil (LGPD)

If you are located in Brazil, you have rights under the Lei Geral de Protecao de Dados (LGPD), including the right to access, correct, delete, and port your data.

14. Third-Party Links and Services

The Sotabox Services may contain links to third-party websites or services. This Privacy Policy does not apply to those third-party services, and we are not responsible for their privacy practices. We encourage you to review the privacy policies of any third-party services you access.

15. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

We will respond to your inquiry within 30 days.

Complaints

If you have a complaint about our handling of your personal information:

  1. Contact us first at privacy@sotabox.com
  2. If you are not satisfied with our response, you may have the right to lodge a complaint with your local data protection authority