Privacy Policy

Information you provide

• Account data: name, email address, job title, organization name
• Content: SOPs, process descriptions, uploaded documents, and other content you create or import
• Communications: support emails and feedback you send to us
• Payment data: billing information processed by Stripe (we do not store card numbers)

Information collected automatically

• Usage data: pages visited, features used, actions taken within the Service
• Log data: IP address, browser type, operating system, referring URLs, timestamps
• Cookies: session cookies for authentication; analytics cookies via Vercel Analytics
• Error data: crash reports and stack traces collected via Sentry

We use the information we collect to:

• Provide, operate, and improve the Service
• Process transactions and send related administrative communications
• Send product updates, security alerts, and support messages
• Respond to your comments and questions
• Monitor and analyze usage patterns to improve user experience
• Detect and prevent fraud, abuse, and security incidents
• Comply with legal obligations

We use Anthropic's Claude API to power AI drafting features. Content you submit for AI generation is sent to Anthropic's API for processing. Please review Anthropic's privacy policy at anthropic.com/privacy.

We do not sell your personal information. We share information only in the following circumstances:

• Service providers: we share data with subprocessors who help us operate the Service, including Supabase (database/auth), Vercel (hosting), Anthropic (AI), Resend (email), Stripe (payments), and AWS (infrastructure). All subprocessors are bound by data processing agreements.
• Within your organization: content you create is visible to other members of your SOP Studio organization per your role configuration.
• Legal requirements: we may disclose information when required by law, subpoena, or to protect the rights and safety of our users or the public.
• Business transfers: in the event of a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you before your data becomes subject to a different privacy policy.

SOP Studio offers a HIPAA Mode for organizations that process Protected Health Information (PHI). When HIPAA Mode is enabled and a Business Associate Agreement (BAA) is in place, we implement additional safeguards including enhanced audit logging, restricted AI processing, and PHI-aware access controls.

PHI stored in the Service is subject to the terms of your executed BAA, which takes precedence over this general Privacy Policy with respect to PHI. If you process PHI without enabling HIPAA Mode and executing a BAA, you do so at your own risk and in violation of our Terms of Service.

We retain your Customer Data for as long as your account is active. Upon account termination, we retain data for 30 days to allow export, after which it is deleted from our systems. Backups may persist for up to 90 days. Audit logs may be retained longer as required by law.

You may request deletion of your data at any time by contacting privacy@sopstudio.io.

We implement industry-standard security measures including encryption in transit (TLS 1.2+), encryption at rest, row-level security in our database, role-based access control, and regular security reviews. We use Sentry to monitor for application errors and security anomalies.

Despite these measures, no system is completely secure. You are responsible for maintaining the security of your account credentials. Please notify us immediately at security@sopstudio.io if you suspect unauthorized access to your account.

We use strictly necessary cookies for authentication (Supabase session cookies) and analytics cookies via Vercel Analytics, which is privacy-friendly and does not use third-party ad tracking. You can disable cookies in your browser settings, though this may affect Service functionality.

Depending on your location, you may have the following rights:

• Access: request a copy of the personal data we hold about you
• Correction: request correction of inaccurate data
• Deletion: request deletion of your personal data
• Portability: request your data in a machine-readable format
• Objection: object to certain processing activities

To exercise these rights, contact us at privacy@sopstudio.io. We will respond within 30 days. We may need to verify your identity before fulfilling requests.

California residents have additional rights under the California Consumer Privacy Act. We do not sell personal information. You have the right to know what personal information we collect and how it is used, and to request deletion. To submit a CCPA request, contact privacy@sopstudio.io.

The Service is not directed to individuals under 18 years of age. We do not knowingly collect personal information from minors. If we learn we have collected information from a minor, we will delete it promptly.

SOP Studio is operated from the United States. If you are located outside the US, your information will be transferred to and processed in the US. By using the Service, you consent to this transfer. We rely on standard contractual clauses where required by applicable data protection law.

We may update this Privacy Policy periodically. We will notify you of material changes via email or a prominent notice in the Service at least 14 days before changes take effect. Your continued use after the effective date constitutes acceptance of the updated policy.

Questions, concerns, or requests related to this Privacy Policy should be directed to:
privacy@sopstudio.io
McBix Consulting LLC