Privacy Policy
Last updated: 2026-05-13
Sofya ("we," "us," or "our") is operated as a sole proprietorship by Yusuf Gurdogan, based in Turkey. This Privacy Policy describes what information we collect when you visit Sofya or use our API, how we use it, who we share it with, and the choices and rights you have. By using Sofya you agree to this Privacy Policy.
If you do not agree with any part of this policy, please do not use the Service.
1. Information We Collect
We collect the minimum information needed to run the Service.
a. Account information
When you sign in via our identity provider (GitHub OAuth), we receive your email address, your account identifier and username on that provider, and your profile information as permitted by you. If you create an account through other means, we store the email you provide and a hashed (not plain text) version of your password.
b. API key and billing metadata
We generate a unique API key for your account and store your remaining credits, your free-tier reset timestamp, your purchase history (amounts and timestamps only), and your last login method.
c. Operational logs
We log the count of API requests by endpoint, the credit cost charged, response latency, and HTTP status. We do not log the body of your requests or responses as a matter of course (see Section 2). Logs may include your IP address, browser or client type, and timestamps.
d. Payment information
If you top up credits, we do not see or store your card number, CVV, or full billing address. Our payment processor handles those fields and sends us only the amount paid, a transaction identifier, and the status of the charge.
e. Communications
If you contact us by email or other channel, we keep your message and our reply so we can follow up.
2. What We Do Not Collect or Store
Sofya is built to be lean about data. By default and as a matter of design:
- We do not store the queries you send to /v1/search, /v1/fetch, /v1/extract, /v1/research, or to our MCP server beyond what is necessary to complete the in-flight request.
- We do not store the response bodies returned to you (search results, fetched pages, extracted answers, or research reports).
- We do not use your queries or responses to train, fine-tune, evaluate, or benchmark any artificial intelligence model, ours or anyone else's. See Section 4 of our Terms of Service for the contractual version of this commitment.
- We do not sell your personal information.
Note on error monitoring: our infrastructure may transiently capture small fragments of failing requests (an error message, a partial URL, a status code) to help us diagnose and fix issues. These fragments are deleted on a short rolling window and are never used for training or analytics.
3. How We Use Information
We use the information we collect to:
- Provide, maintain, secure, and improve the Service;
- Authenticate you, generate and rotate your API key, and enforce rate limits;
- Meter usage, charge credits, and apply your free-tier allowance;
- Communicate with you about your account, billing, security incidents, or material changes to the Service;
- Detect, prevent, and address abuse, fraud, security risks, or violations of our Terms;
- Comply with legal obligations and respond to lawful requests.
4. How We Share Information
We share personal information only when needed and only with categories of third parties acting on our behalf. We do not sell your information.
- Identity provider for authentication (e.g. when you sign in with a third-party identity provider).
- Payment processor for charging top-ups and recording transactions.
- AI providers for executing the AI portion of /v1/extract, /v1/research, and similar features. The minimum query text needed to produce your result is sent to these providers and is governed by their own terms.
- Hosting and content-delivery providers that operate the servers and network on which the Service runs.
- Error monitoring providers for the limited diagnostic purpose described in Section 2.
- Operator alerting for low-volume internal notifications (e.g. status alerts) that do not include user-identifiable content.
We may also share information when required by law, to protect our rights or the rights of our users, to enforce our Terms, or in connection with a corporate transaction (such as a merger, acquisition, or asset sale), in which case the acquirer will be bound by terms at least as protective as this Policy.
5. Data Retention
We keep account-level data (email, identity-provider identifier, API key, credit balance, billing history) for as long as your account is active. When you delete your account, or ask us to delete it, we remove the personal information from our active systems within thirty (30) days, except where we are required to retain it for legal, tax, accounting, or fraud-prevention reasons, in which case we keep only what is required and only for as long as required.
Operational logs are retained on a short rolling window, after which they are deleted or aggregated into non-identifying statistics.
6. International Transfers
Sofya is operated from Turkey. Some of the third parties listed in Section 4 (in particular AI providers and payment processors) operate in the European Economic Area, the United Kingdom, the United States, and other jurisdictions. By using the Service you understand that your information may be processed in countries whose data protection laws differ from those of your country of residence. Where required, we rely on Standard Contractual Clauses or equivalent safeguards offered by those providers.
7. Your Rights
Depending on where you live, you may have one or more of the following rights:
a. GDPR (European Economic Area, United Kingdom)
- Right to access the personal information we hold about you;
- Right to rectification of inaccurate or incomplete information;
- Right to erasure ("right to be forgotten");
- Right to restrict processing;
- Right to object to processing based on legitimate interests;
- Right to data portability;
- Right to lodge a complaint with your supervisory authority.
b. California (CCPA / CPRA) and other US state privacy laws
- Right to know what personal information we collect and how we use it;
- Right to access a copy of your information;
- Right to deletion;
- Right to correct inaccurate information;
- Right to opt out of sale or sharing (we do not sell, and we do not "share" for cross-context behavioural advertising);
- Right to non-discrimination for exercising your rights.
c. Turkey (KVKK)
- Right to learn whether your personal data is being processed;
- Right to request information about how it is being processed;
- Right to demand correction, deletion, or destruction of your personal data;
- Right to object to results that arise solely from automated analysis;
- Right to claim compensation for damages from unlawful processing.
To exercise any of these rights, email us at privacy@sofya.co. We will respond within the timeframes required by the law that applies to you (typically thirty (30) days). We may need to verify your identity before acting on your request.
8. Cookies
Sofya uses only the cookies strictly necessary to keep you signed in and to protect against cross-site request forgery. We do not use cookies for advertising, analytics, behavioural tracking, or profiling. We do not deploy third-party analytics or tag managers on our site.
9. Children's Privacy
Sofya is not directed at children. We do not knowingly collect personal information from anyone under the age of eighteen (18). If you believe a child has provided us with personal information, please contact us and we will delete it.
10. Security
We use reasonable administrative, technical, and physical safeguards designed to protect personal information from loss, misuse, unauthorised access, disclosure, and alteration. API keys are sensitive credentials and are shown to you only once at creation; you can rotate yours at any time from your dashboard. No method of transmission or storage is one hundred percent (100%) secure, and we cannot guarantee absolute security.
11. Changes to This Policy
We may update this Privacy Policy from time to time. If we make material changes, we will update the "Last updated" date at the top of this page and, where appropriate, notify you by email or in-product notice. Your continued use of the Service after a change becomes effective constitutes acceptance of the updated Policy.
12. Contact
Questions, requests, or complaints about this Privacy Policy can be sent to:
privacy@sofya.co
Yusuf Gurdogan, sole proprietor
Sofya
Turkey