Privacy Policy

• We collect account details (name, email), security credentials (tokens), usage logs, and—if you connect integrations—data retrieved from those integrations (e.g., GA4 reporting data).
• We store, process, and transform integration data on our secure servers to deliver the core functionality of Sofia—enabling natural language queries and generating insights from your connected sources.
• We use your data to provide, secure, and improve Sofia; to support you; to comply with law; and—where permitted—to communicate with you.
• We do not sell personal information. We do not use Google Analytics or other integration data for advertising.
• You can disconnect Google or other integrations at any time, and you can request deletion of your Sofia account and associated data by emailing info@asksofia.ai.
• We follow Google’s User Data Policy (Limited Use) for all Google user data. Human access to Google user data is limited and governed by strict controls.

Scope

This Policy applies to visitors and users of asksofia.ai and related sites, applications, and services that link to it. If you access Sofia on behalf of a company, that company is our "Customer" and we process certain data on its behalf.

Personal data we collect

We collect information in these categories:

1. Account & identity information: Name, email address, password (if you sign up with email/password), profile settings, tenant/workspace name. If you sign in with Google, we receive your email, basic profile and an ID via OpenID Connect (see Google OAuth below).
2. Authentication & security: Authentication tokens (including OAuth refresh/access tokens), session identifiers, IP address, device/browser metadata, and security logs (login time, provider, success/failure).
3. Product usage: App interactions (e.g., queries you run, features used), diagnostic logs, crash/error reports, performance telemetry. We may store transient caches of query results to accelerate responses.
4. Integration data you choose to connect: If you connect third‑party services (e.g., Google Analytics 4 via the Google Analytics Data API, Shopify, Stripe, or HubSpot), we access and save reports, events, and metrics necessary to deliver requested functionality. We then process and transform this data into a unified schema to run natural language queries, generate insights, and display results. This stored and processed data forms the basis of Sofia’s insights functionality. We retain such data securely and in accordance with our retention policy (see below).
5. Payments & billing: If you purchase a paid plan, payments are processed by our payment provider (e.g., Stripe). We receive limited billing metadata (e.g., last4, card brand, expiration month/year) and do not store full card numbers.
6. Support & communications: Content of messages you send us (email or in‑app), survey responses, and marketing preferences.
7. Cookies & similar technologies: We use strictly necessary cookies for authentication and security, and functional cookies to remember preferences. We may use aggregated analytics to improve the product; we do not use third‑party ad tracking pixels on authenticated app pages.

Google OAuth, GA4 data, and Limited Use

When you connect Google Analytics 4, we use Google OAuth and the Google Analytics APIs in accordance with Google’s User Data Policy and Limited Use requirements:

• OAuth scopes requested
  • openid, email, profile (for sign‑in)
  • https://www.googleapis.com/auth/analytics.readonly (read GA data)
• How we use Google data: We use Google user data solely to provide you with Sofia’s features—e.g., listing available GA4 properties, pulling reports, transforming them into a unified schema, and enabling natural language queries. We store and process this data on our servers to provide insights back to you. We do not use Google data for serving ads. We do not transfer Google user data to third parties except as necessary to provide the services (e.g., secure cloud hosting) or comply with law. Human access is limited to cases with your consent, for security/abuse investigations, or to comply with law, and is controlled via least‑privilege access and logging.
• Disconnecting, access, and deletion: You can disconnect Sofia’s access to your Google account at any time at myaccount.google.com/permissions (Google Account → Security → Third‑party access). You can also request deletion of any stored GA4 data by emailing info@asksofia.ai from your account email. Upon account deletion, we revoke tokens and delete associated Google data held by Sofia, subject to any legal retention obligations.

Why we use data (purposes & legal bases)

We use personal data for:

• Providing the service (create/secure your account; connect integrations; pull, transform, and store integration data; process queries; display insights).
  • Legal basis: performance of a contract; legitimate interests.
• Improving and securing Sofia (diagnostics, analytics, troubleshooting, preventing abuse).
  • Legal basis: legitimate interests.
• Communications (service notices, security alerts, support responses; optional product updates).
  • Legal basis: performance of a contract; legitimate interests; consent where required.
• Payments & invoicing (process transactions, prevent fraud).
  • Legal basis: performance of a contract; legitimate interests.
• Legal compliance (respond to lawful requests; enforce our Terms).
  • Legal basis: legal obligation; legitimate interests.

How we share information

We do not sell personal information. We share limited data with:

• Service providers / sub‑processors (cloud hosting and storage, authentication, payments, email delivery, logging/monitoring). These providers process data under contract and only as instructed.
• Third‑party integrations you connect (e.g., GA4 APIs). We only transmit/receive data necessary for the integration you enable.
• Corporate transactions (merger, acquisition, financing, or sale). We will continue to protect your data and notify you of material changes.
• Legal, safety, and security (to comply with law or protect rights and safety).

International transfers

We may process data in Canada, the United States, and other countries where we or our service providers operate. When transferring personal data internationally, we use lawful transfer mechanisms (e.g., SCCs where applicable) and implement appropriate safeguards.

Security

We use industry‑standard safeguards to protect data, including encryption in transit (HTTPS/TLS), access controls, and monitoring. While no method is perfectly secure, we continually improve our technical and organizational measures. Production data access is restricted to authorized personnel on a least‑privilege basis.

Retention

We retain account data for the life of your account and for a reasonable period thereafter to comply with law, resolve disputes, and enforce agreements. Stored integration data and processed insights are generally retained as long as your account remains active and may be deleted within 90 days of account deletion, unless required longer by law. Transient caches of analytics query results are typically retained for up to 30 days to improve performance and may be purged sooner upon request. Logs are generally retained for 90 days unless required longer for security or legal reasons.

Your rights

Your rights depend on your location and applicable law (e.g., PIPEDA in Canada, GDPR/UK GDPR in the EEA/UK, CCPA/CPRA in California). Subject to limits, you may have the right to:

• Access, correct, or delete your personal data;
• Port your data;
• Object to or restrict certain processing;
• Withdraw consent where processing is based on consent; and
• Lodge a complaint with a data protection authority (e.g., the Office of the Privacy Commissioner of Canada, your local EU DPA, or the UK ICO).

To exercise rights, email info@asksofia.ai from the email tied to your account. We may verify your identity before fulfilling a request.

Your choices

• Email preferences: You can unsubscribe from marketing emails using the link in those emails. You will continue to receive essential service emails.
• Cookies: You can control cookies in your browser. Some features require essential cookies.
• Disconnect integrations: You can revoke Google access at any time at myaccount.google.com/permissions.

Children’s privacy

Sofia is intended for business use and is not directed to children. We do not knowingly collect personal information from individuals under 16 (or as defined by local law). If you believe a child has provided us information, contact info@asksofia.ai and we will take appropriate steps.

Changes to this Policy

We may update this Policy to reflect changes to practices or legal requirements. We will post the updated version with a new effective date. If changes are material, we will provide additional notice.

How to contact us

Analytico (Sofia AI)
375 University Avenue, Unit 102
Toronto, Ontario, M5G 2J5, Canada
Email: info@asksofia.ai
Phone: +1 (647) 948-8090