Privacy Policy

Effective date: March 2026. Compliant with GDPR (Regulation (EU) 2016/679) and Spanish data protection law (LOPDGDD).

1. Identity of the Data Controller

Pursuant to Article 13 of the General Data Protection Regulation (GDPR), we inform you that the data controller for the personal data collected through this website and our services is:

  • Legal name: Socaity S.L.
  • CIF/NIF: B-21931068
  • Registered address: Carrer de Venecuela, 2, 1e, 07014 Palma de Mallorca, Illes Balears, Spain
  • Contact email: info@socaity.ai
  • Privacy contact: privacy@socaity.ai

2. Data Protection Contact

You can contact us regarding any data protection matter at privacy@socaity.ai.

Note: Socaity S.L. does not currently have a formally appointed Data Protection Officer (DPO). As a company with fewer than 250 employees whose core activity does not consist of large-scale systematic monitoring of individuals or large-scale processing of special category data, a DPO is not mandatory under Article 37 GDPR. All data protection enquiries are handled by our privacy contact above.

3. Data We Collect

3.1 Personal Data

Information you provide directly to us when creating an account or using our services:

  • Full name and email address
  • Billing address (if provided for invoicing)
  • Any other information you voluntarily submit via forms or support requests

3.2 Usage Data

Technical information automatically collected when you interact with our services:

  • IP address, device type, browser type, and operating system
  • Pages visited, features used, and timestamps of interactions
  • API call metadata (endpoint, response time, error codes)

3.3 Payment Data

Payment card details are processed directly by Stripe Inc. on our behalf. We do not store or process raw card numbers. We retain only the transaction reference and billing record required by law.

3.4 Authentication Data

Authentication tokens and session data are managed via Supabase. If you use OAuth login (Google or GitHub), we receive only the profile information permitted by your chosen provider (typically name, email, and avatar).

3.5 AI Service Data

When you use our AI APIs, we may process inputs you submit (such as text prompts, images, or files) and the outputs generated by AI models. By default, this data is private to your account. You may opt in to sharing outputs publicly, and you may withdraw this consent at any time from your account settings.

4. Purposes of Processing and Legal Basis

We process your personal data for the following purposes, each resting on a specific legal basis under Article 6 GDPR:

Account creation and service delivery

Processing your name, email, and account credentials to register your account and provide the contracted services.
Legal basis: Performance of a contract (Art. 6(1)(b) GDPR)

Payment processing

Transmitting billing information to our payment processor (Stripe) to complete transactions and issue invoices.
Legal basis: Performance of a contract (Art. 6(1)(b) GDPR)

Customer support

Using your contact and account information to respond to enquiries, diagnose issues, and resolve complaints.
Legal basis: Legitimate interests (Art. 6(1)(f) GDPR) — to maintain service quality and user satisfaction

Service improvement and analytics

Analysing aggregated usage patterns to improve reliability, performance, and the product roadmap.
Legal basis: Legitimate interests (Art. 6(1)(f) GDPR) — to develop and improve our services

Legal compliance

Retaining billing records and responding to lawful requests from public authorities.
Legal basis: Legal obligation (Art. 6(1)(c) GDPR)

Marketing communications

Sending newsletters, product updates, or promotional offers to users who have explicitly opted in.
Legal basis: Consent (Art. 6(1)(a) GDPR) — you may withdraw consent at any time by unsubscribing

5. Third-Party Processors

We engage the following sub-processors to deliver our services. Each is bound by a Data Processing Agreement (DPA) consistent with GDPR requirements:

Supabase Inc.

Role: Authentication and database hosting (user accounts, API keys)
Location: United States (AWS)
Transfer mechanism: Standard Contractual Clauses (SCCs)

Stripe Inc.

Role: Payment processing and billing
Location: United States
Transfer mechanism: SCCs + Stripe's GDPR Data Processing Addendum

Scaleway SAS

Role: Cloud infrastructure and object storage
Location: France (EU — no international transfer)
Transfer mechanism: EU-based — GDPR directly applicable

RunPod Inc.

Role: GPU compute infrastructure for AI model inference
Location: United States
Transfer mechanism: Standard Contractual Clauses (SCCs)

Microsoft Azure

Role: Cloud infrastructure services
Location: Ireland (EU region — no international transfer)
Transfer mechanism: EU-based — GDPR directly applicable

Google LLC

Role: OAuth authentication (if you choose to sign in with Google)
Location: United States
Transfer mechanism: Standard Contractual Clauses (SCCs)

GitHub Inc. (Microsoft)

Role: OAuth authentication (if you choose to sign in with GitHub)
Location: United States
Transfer mechanism: Standard Contractual Clauses (SCCs)

6. International Data Transfers

Some of our sub-processors are located outside the European Economic Area (EEA), principally in the United States. For these transfers, we rely on the Standard Contractual Clauses (SCCs) adopted by the European Commission pursuant to Article 46(2)(c) GDPR, supplemented where applicable by the processor's own GDPR-compliant Data Processing Addendum.

We prefer EU-based infrastructure where operationally feasible (Scaleway SAS — France; Microsoft Azure — Ireland region). AI inference workloads that require GPU compute may be routed through US-based providers under the SCC safeguard described above.

7. Data Retention

  • Account data: Retained for the duration of your account, plus 30 days after deletion to allow recovery before permanent erasure.
  • Billing records: Retained for 6 years from the date of the transaction, as required by Spanish tax law (Ley 58/2003, General Tributaria).
  • Usage and access logs: Retained for 12 months for security and service improvement purposes.
  • AI service inputs/outputs: Retained according to your account settings. You may configure permanent storage or request deletion at any time.

8. Your Rights Under GDPR

Subject to applicable law, you have the following rights regarding your personal data:

  • Right of access (Art. 15): Obtain confirmation of whether we process your data and receive a copy of it.
  • Right to rectification (Art. 16): Request correction of inaccurate or incomplete data.
  • Right to erasure (Art. 17): Request deletion of your data ("right to be forgotten"), subject to legal retention obligations.
  • Right to restriction of processing (Art. 18): Request that we limit how we use your data in certain circumstances.
  • Right to data portability (Art. 20): Receive your data in a structured, machine-readable format and transmit it to another controller.
  • Right to object (Art. 21): Object to processing based on legitimate interests, including profiling.
  • Right to withdraw consent (Art. 7(3)): Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
  • Right to lodge a complaint: You have the right to lodge a complaint with the Spanish data protection authority, the Agencia Española de Protección de Datos (AEPD), at www.aepd.es.

9. How to Exercise Your Rights

To exercise any of the rights listed above, please contact us at privacy@socaity.ai. Please include your full name and the email address associated with your account so we can verify your identity. We will respond within 30 days of receipt of your request, as required by Article 12 GDPR. If your request is complex or you have submitted a number of requests, we may extend this period by a further 60 days, notifying you of the extension within the initial 30-day period.

10. Children's Privacy

Our services are not directed at children under the age of 16. We do not knowingly collect personal data from children under 16. If you are a parent or guardian and believe your child has provided us with personal data without your consent, please contact us at privacy@socaity.ai and we will delete such data promptly.

In Spain, the minimum age for consent to information society services is 14 years pursuant to Article 7 of the LOPDGDD (Ley Orgánica 3/2018). However, our services are designed for business and developer users and are not intended for minors of any age.

11. Security Measures

We implement appropriate technical and organizational measures to protect your personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access, as required by Article 32 GDPR. Our measures include:

  • Encryption of data in transit using TLS 1.2 or higher
  • Encryption of data at rest for sensitive personal data
  • Role-based access controls limiting employee access to personal data
  • Regular security reviews and vulnerability assessments
  • Incident response procedures for data breach notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours and, where required, affected individuals without undue delay.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of material changes via email to the address associated with your account and/or via a prominent notice within the platform at least 14 days before the change takes effect. We encourage you to review this policy periodically.

Continued use of our services after the effective date of any change constitutes your acceptance of the updated policy.