Features Pricing Blog Log in Start free trial

Privacy Policy

Sofia Creative ("we," "us," or "our") is committed to protecting your privacy and handling your personal data responsibly. This Privacy Policy explains what information we collect, how we use it, who we share it with, how we protect it, and what rights you have regarding your data.

This policy applies to all users of the Sofia Creative platform, website, and related services (collectively, the "Service"). By using the Service, you consent to the data practices described in this policy.

1. Information We Collect

1.1 Information You Provide

When you register for and use the Service, you provide us with information directly:

  • Account Information — Name, email address, password, and profile details you provide during registration.
  • Billing Information — Payment method details (credit card, bank card, or PayPal) processed through our payment providers (Stripe, VNPay, PayPal). We do not directly store your full credit card number or bank credentials — these are handled by the payment providers.
  • Workspace Data — Workspace names, brand settings (brand name, language, tone, glossary terms, forbidden claims), team member invitations and roles.
  • Content — Text content you create or generate, images you upload or generate, campaign briefs, brand documents, and any other materials you input into the Service.
  • Communications — Messages you send us through support channels, feedback forms, or bug reports.

1.2 Information Collected Automatically

When you use the Service, we automatically collect certain information:

  • Usage Data — Features you use, actions you take (content creation, approvals, publishing), timestamps of activity, and frequency of use.
  • Device and Browser Data — IP address, browser type and version, operating system, device type, screen resolution, and language preferences.
  • Log Data — Server logs recording requests, response times, error logs, and referring URLs.
  • Analytics Data — If Google Tag Manager (GTM) is enabled, we collect page views, feature interactions, and user flow data for product improvement and marketing analysis.

1.3 Information from Third Parties

When you connect third-party accounts (Facebook, Instagram, Twitter/X, LinkedIn, WordPress) for publishing, we receive:

  • OAuth access tokens (encrypted and stored securely)
  • Basic profile information from the connected platform (page name, account ID)
  • Publishing status and error responses from the platform's API

We do not receive or store your passwords for third-party platforms.

2. How We Use Your Information

We use your information for the following purposes:

2.1 Providing the Service

  • Operating your account and managing your workspaces
  • Processing your content through AI models (OpenAI, Anthropic, Google Gemini, Stability AI, Fal AI, xAI) to generate text, images, and other outputs you request
  • Executing content approval workflows and publishing to connected channels
  • Storing and retrieving your content, brand documents, and media files
  • Processing payments and managing your subscription

2.2 Improving the Service

  • Analyzing usage patterns to identify bugs, performance issues, and areas for improvement
  • Understanding which features are most valuable to users
  • Developing new features and capabilities based on usage data

2.3 Communication

  • Sending transactional emails: account confirmation, password reset, billing receipts, publishing notifications
  • Sending service-related announcements: maintenance windows, feature updates, Terms or Privacy Policy changes
  • Responding to support requests and bug reports

2.4 Legal and Safety

  • Complying with applicable laws, regulations, and legal processes
  • Detecting, preventing, and addressing fraud, abuse, or security issues
  • Enforcing our Terms of Service and protecting our rights and the rights of other users

3. How We Share Your Information

We do not sell your personal data to third parties. We share your information only in the following circumstances:

3.1 AI Service Providers

When you use AI features, your content prompts and brand context are sent to the AI provider you've selected (or the system default):

  • OpenAI — For GPT-based text generation and DALL-E image generation
  • Anthropic — For Claude-based text generation
  • Google — For Gemini-based text generation
  • Stability AI — For Stable Diffusion image generation, image editing
  • Fal AI — For specialized image generation models
  • xAI — For Grok-based text generation

Each provider processes this data according to their own privacy policies and API terms. We recommend reviewing the privacy policies of the AI providers relevant to your usage. We select providers that commit to not using customer API inputs for model training.

3.2 Payment Processors

Billing information is shared with our payment processors:

  • Stripe — Processes international credit/debit card payments. Subject to Stripe's Privacy Policy.
  • VNPay — Processes Vietnamese bank card and QR code payments. Subject to VNPay's terms.
  • PayPal — Processes PayPal payments. Subject to PayPal's Privacy Policy.

3.3 Publishing Platforms

When you publish content through the Service, the content (text, images, metadata) is transmitted to the connected platforms (WordPress, Facebook, Instagram, Twitter/X, LinkedIn) using the OAuth credentials you provided. Only the content you choose to publish is transmitted.

3.4 Stock Image Providers

When you search for stock images, search queries are sent to Pixabay, Pexels, and/or Unsplash APIs. No personal information is shared beyond the search query itself.

3.5 Legal Requirements

We may disclose your information if required by law, subpoena, court order, or governmental regulation, or if we believe disclosure is necessary to protect our rights, your safety, or the safety of others.

3.6 Business Transfers

In the event of a merger, acquisition, or sale of assets, your information may be transferred to the acquiring entity. We will notify you of any such transfer and any changes to this Privacy Policy.

4. Cookies and Tracking Technologies

4.1 Cookies We Use

We use the following types of cookies:

  • Essential Cookies — Required for authentication, session management, and CSRF protection. These cannot be disabled without breaking the Service.
  • Preference Cookies — Store your settings such as language preference, dark mode, and sidebar state.
  • Analytics Cookies — If GTM is enabled, we use analytics cookies to understand feature usage and user flow. These help us improve the Service.

4.2 Managing Cookies

You can control cookies through your browser settings. Note that disabling essential cookies will prevent the Service from functioning properly. Analytics cookies can be blocked without affecting core functionality.

4.3 Do Not Track

We respect browser "Do Not Track" signals. When detected, analytics cookies are not set.

5. Data Storage and Security

5.1 Data Storage

Your data is stored on secure servers. Media files (images, documents) are stored on the configured storage provider (local server storage or Amazon S3, as configured by the system administrator).

5.2 Security Measures

We implement industry-standard security measures to protect your data:

  • Encryption in Transit — All data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher (HTTPS).
  • Encryption at Rest — Sensitive data (API keys, OAuth tokens) is encrypted at rest in our database.
  • Access Controls — Role-based access controls ensure team members only access data within their permitted scope.
  • Password Security — Passwords are hashed using bcrypt with appropriate salt rounds. We never store passwords in plain text.
  • API Key Security — AI provider API keys and payment credentials are encrypted and masked in the admin interface.

5.3 Security Limitations

No method of electronic storage or transmission is 100% secure. While we strive to protect your data, we cannot guarantee absolute security. We encourage you to use strong, unique passwords and enable any additional security features available in your account settings.

6. Data Retention

6.1 Active Account

We retain your data for as long as your account is active and as needed to provide the Service. This includes your account information, workspace data, content, and usage history.

6.2 After Account Deletion

When you delete your account or request data deletion:

  • Your account and personal profile are deleted within 30 days
  • Your content and workspace data are deleted within 90 days
  • Backup copies may persist for up to 180 days for disaster recovery purposes
  • Anonymized, aggregated usage data may be retained indefinitely for analytics purposes
  • Data required by law (billing records, tax documentation) is retained for the legally required period

6.3 Inactive Accounts

Free accounts that have been inactive for more than 12 consecutive months may be deleted after a 30-day notification period. Paid accounts are never deleted due to inactivity as long as the subscription is active.

7. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal data:

7.1 Access and Portability

You have the right to access the personal data we hold about you. You can view most of this information directly through your account settings, workspace settings, and content dashboard. You may request a copy of your data in a machine-readable format.

7.2 Correction

You have the right to correct inaccurate or incomplete personal data. You can update your account information, profile details, and workspace settings directly through the Service.

7.3 Deletion

You have the right to request deletion of your personal data. You can delete individual pieces of content, close workspaces, or delete your entire account through the Service. For bulk deletion requests, contact us directly.

7.4 Restriction and Objection

In certain circumstances, you may have the right to restrict or object to our processing of your personal data. Contact us to exercise these rights.

7.5 Exercising Your Rights

To exercise any of these rights, use the relevant features in your account settings or contact us using the information provided in the Contact section below. We will respond to requests within 30 days. We may ask you to verify your identity before processing certain requests.

8. International Data Transfers

Your data may be transferred to and processed in countries outside of your country of residence, including countries where AI providers operate their services. When we transfer data internationally, we ensure appropriate safeguards are in place to protect your data in accordance with applicable law.

9. Children's Privacy

The Service is not directed to individuals under 16 years of age (or the applicable age of digital consent in your jurisdiction). We do not knowingly collect personal data from children. If we become aware that we have collected personal data from a child without appropriate parental consent, we will take steps to delete that information promptly.

10. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make changes:

  • We will update the "Last updated" date at the bottom of this page
  • For material changes that affect how we use your personal data, we will notify you via email or an in-app notification at least 15 days before the changes take effect
  • Your continued use of the Service after the effective date constitutes acceptance of the updated policy

11. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, you may contact us through:

  • The contact information provided in the footer of our website
  • Your account settings (for data access, correction, or deletion requests)
  • The bug report feature within the application

We aim to respond to all privacy-related inquiries within 30 days.

Last updated: March 2026.