Overview
SophonixAI Technologies (“SophonixAI”, “we”, “us”, or “our”) operates the website at sophonixai.com and provides enterprise AI solutions, automation systems, and related consulting services (collectively, the “Services”).
This Privacy Policy applies to all personal data processed in connection with our website, inquiry forms, newsletter, and client engagements. By using our Services, you acknowledge the practices described in this policy.
We act as the data controller for personal data collected through our website and marketing activities. For data processed as part of delivering services to enterprise clients, we act as a data processor under the terms of a Data Processing Agreement (DPA).
Data We Collect
We collect only the data necessary to provide our Services and communicate with you effectively.
Information You Provide Directly
- Contact & inquiry forms — Full name, work email address, company name, phone number (optional), job role, area of interest, and any message content you submit.
- Newsletter subscription — Email address only.
- Client onboarding — Additional business information provided during the engagement process (e.g., company size, technical environment, compliance requirements).
Information Collected Automatically
- Usage data — Pages visited, time on site, referring URL, browser type, operating system, and device type.
- IP address — Used for security monitoring and approximate geographic location (country/region level).
- Cookies and similar technologies — See our Cookie Policy for full details.
Information We Do Not Collect
We do not collect payment card details directly (handled by PCI-compliant processors), government identification numbers, biometric data, or sensitive personal data as defined under GDPR Article 9 unless explicitly required and consented to.
How We Use Your Information
We use the data we collect for the following purposes:
- Responding to inquiries — Processing and replying to project requests, questions, and consultation requests submitted via our forms.
- Service delivery — Fulfilling contracted AI solutions, automation builds, and consulting engagements.
- Communications — Sending system updates, product announcements, and relevant content to newsletter subscribers.
- Website improvement — Analysing aggregated usage patterns to improve the performance and usability of our website.
- Security & fraud prevention — Monitoring for malicious activity and protecting the integrity of our systems.
- Legal compliance — Meeting our obligations under applicable laws and regulations.
We do not use your data for automated decision-making or profiling that produces legal or similarly significant effects on you.
Legal Basis for Processing (GDPR)
For individuals in the European Economic Area (EEA) and United Kingdom, we rely on the following legal bases under GDPR Article 6:
- Consent (Art. 6(1)(a)) — Newsletter subscriptions and any optional marketing communications. You may withdraw consent at any time.
- Contract performance (Art. 6(1)(b)) — Processing necessary to respond to your inquiry and deliver contracted services.
- Legitimate interests (Art. 6(1)(f)) — Website analytics, security monitoring, and improving our Services. We have conducted a Legitimate Interests Assessment (LIA) confirming these interests are not overridden by your rights.
- Legal obligation (Art. 6(1)(c)) — Processing required to comply with applicable law, tax obligations, or regulatory requirements.
Where we rely on legitimate interests, you have the right to object to such processing. See “Your Rights” below.
Data Sharing & Processors
We do not sell, rent, or trade your personal data to third parties. We share data only with trusted service providers (“sub-processors”) necessary to operate our Services:
- Resend (email delivery) — Transmits form submission notifications and newsletter emails. Data centre: United States. Safeguard: Standard Contractual Clauses.
- Vercel (website hosting & analytics) — Hosts the SophonixAI platform. Data centre: Global edge network. Safeguard: Standard Contractual Clauses.
- CRM / project management tools — May hold contact records for active client engagements. Specific tools disclosed upon request or within client DPAs.
All sub-processors are contractually bound to process data only as directed by us, maintain appropriate security standards, and not use data for their own commercial purposes.
We may also disclose data where required by law, court order, or governmental authority, or to protect the rights, property, or safety of SophonixAI, our clients, or the public.
AI & Model Training Policy
This section is particularly important for enterprise clients.
We do not use client data to train, fine-tune, or improve any general-purpose or shared AI models. Client data processed as part of delivering our Services remains exclusively the property of the client and is never used for any purpose beyond the scope of the agreed engagement.
Specifically:
- Client proprietary data, documents, and outputs are never incorporated into foundational or shared model weights.
- AI models built for a specific client using that client’s data are owned by the client, subject to the terms of the relevant Statement of Work.
- Any anonymised, aggregated, or synthetic data used for internal research is derived in ways that make re-identification of individuals or clients technically infeasible.
- Clients may request a Data Processing Agreement (DPA) that formally governs these obligations for regulated industries.
Data Retention
We retain personal data only for as long as necessary to fulfil the purpose for which it was collected or as required by law:
- Inquiry / form submissions — 24 months from date of submission, unless an active engagement begins (in which case, retained for the duration of the engagement plus 5 years for legal and audit purposes).
- Newsletter subscribers — Until you unsubscribe. We conduct annual list hygiene to remove inactive subscribers.
- Website usage logs — 90 days, then automatically purged.
- Client engagement data — Per the terms of the client contract, typically 5–7 years for financial/audit records, with shorter periods for operational data.
When data is no longer required, we securely delete or anonymise it using industry-standard methods.
International Data Transfers
SophonixAI operates globally and may transfer personal data outside your country of residence. Where personal data originating from the EEA or UK is transferred to a country not recognised as providing adequate protection, we rely on:
- Standard Contractual Clauses (SCCs) — The European Commission-approved module for controller-to-processor transfers, incorporated into our sub-processor agreements.
- Adequacy decisions — Where the destination country has been granted adequacy status by the European Commission.
You may request a copy of the applicable transfer safeguards by contacting us at privacy@sophonixai.com.
Your Rights
Subject to applicable law, you have the following rights regarding your personal data:
- Right of access (Art. 15) — Request a copy of the personal data we hold about you.
- Right to rectification (Art. 16) — Request correction of inaccurate or incomplete data.
- Right to erasure (Art. 17) — Request deletion of your data where there is no overriding legitimate reason to continue processing.
- Right to restriction (Art. 18) — Request that we restrict processing of your data in certain circumstances.
- Right to data portability (Art. 20) — Receive your data in a structured, machine-readable format.
- Right to object (Art. 21) — Object to processing based on legitimate interests or for direct marketing purposes.
- Right to withdraw consent — Where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing.
To exercise any of these rights, contact us at privacy@sophonixai.com. We will respond within 30 days. You also have the right to lodge a complaint with your local supervisory authority (e.g., the ICO in the UK, or the relevant EU data protection authority).
Security Measures
We implement appropriate technical and organisational measures to protect personal data against unauthorised access, loss, destruction, or alteration:
- All data transmitted to and from our platform is encrypted in transit using TLS 1.2+.
- Data at rest is encrypted using AES-256.
- Access to personal data is restricted to authorised personnel on a need-to-know basis, enforced via role-based access controls.
- We conduct periodic security assessments and penetration testing.
- We maintain an incident response plan and will notify affected individuals and regulators of data breaches within 72 hours where required by law.
For security vulnerability reports, see our Security Disclosure Policy.
Policy Changes
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons. When we make material changes, we will update the “Last Updated” date at the top of this document.
For significant changes that affect how we process data you have already provided, we will notify you directly by email (where we hold your contact details) at least 14 days before the change takes effect.
Continued use of our Services after the effective date of any update constitutes acceptance of the revised policy.
Contact
For all privacy-related enquiries, requests to exercise your rights, or questions about this policy:
- Email: privacy@sophonixai.com
- General: hello@sophonixai.com
- Website: sophonixai.com
We aim to respond to all privacy requests within 5 business days and resolve them within 30 days as required by GDPR.