sotra — Privacy Policy

Last updated: 19 June 2026 Effective date: [TBD — date of publication]


1. Introduction

This Privacy Policy explains how sotra ("sotra", "we", "us", or "our") collects, uses, stores, and protects your personal data when you use our website at sotra.ai and our document-analysis service (the "Service").

sotra is operated by [TBD — legal entity name], a company registered in Estonia under registration number [TBD], with its registered office at [TBD — address] (the "Controller"). We are the data controller responsible for your personal data.

We are committed to protecting your privacy and to handling your data in accordance with the EU General Data Protection Regulation ("GDPR") and applicable Estonian data protection law.

If you have any questions about this Policy or your personal data, contact us at [TBD — e.g. privacy@sotra.ai].


2. Who this Policy applies to

The Service is intended for and operated within the European Economic Area ("EEA"). It is designed for users located in the EEA, and our data protection practices are built around the GDPR. If you access the Service from outside the EEA, your personal data will nonetheless be processed as described in this Policy, and you are responsible for compliance with any local laws applicable to you.

You must be at least 18 years old to use the Service. The Service is not directed at children, and we do not knowingly collect personal data from anyone under 18.


3. What personal data we collect

We collect and process the following categories of personal data:

a) Account data. When you create an account, we collect your email address and — depending on your sign-in method — basic profile information (such as your name) provided by your authentication provider (Google or Apple). If you register with email and password, we collect your email address; your password is handled and stored securely by our authentication provider and is never accessible to us in plain text.

b) Documents you upload. When you upload an insurance policy (PDF), we store the original file, the full text extracted from that file, and the file name and size.

Insurance documents you upload may themselves contain personal data — including your name, the names of other insured persons, vehicle identifiers (registration number, VIN), property addresses, policy numbers, and, depending on the type of insurance, potentially sensitive information (see Section 9).

c) Analysis results. We generate and store a structured analysis of each document. This analysis may include the name of the insured person, a list of insured persons, identifiers of insured vehicles, addresses of insured property, coverage details, and related information derived from your document.

d) Usage and technical data. To operate and monitor the Service, we record technical usage records associated with your account, such as the type of action performed, the AI model used, processing volume and duration, estimated processing cost, and periodic summaries of how much storage your account uses.

e) Cookies. We use a small number of cookies that are strictly necessary to operate the Service and to remember your preferences. See Section 8.

f) Security and administrative logs. Access to restricted administrative areas of the Service is logged, including the IP address, email address, and browser user-agent associated with the access attempt. In normal use of the Service, we do not collect your IP address for tracking purposes.

We do not use third-party analytics, advertising, or behavioural-tracking tools.


4. How and why we use your data, and our legal bases

We process your personal data for the following purposes:

PurposeLegal basis (GDPR Art. 6)
Creating and managing your account and providing access to the ServicePerformance of a contract — Art. 6(1)(b)
Storing your uploaded documents and analysing them so you can understand your coveragePerformance of a contract — Art. 6(1)(b)
Sending you service-related and transactional emails (e.g. policy-expiry reminders)Performance of a contract / legitimate interests — Art. 6(1)(b)/(f)
Maintaining the security and integrity of the Service, preventing abuse, and logging administrative accessLegitimate interests — Art. 6(1)(f)
Monitoring usage to operate, maintain, and improve the ServiceLegitimate interests — Art. 6(1)(f)
Complying with our legal obligationsLegal obligation — Art. 6(1)(c)

Where we rely on legitimate interests, we have balanced those interests against your rights and freedoms.


5. AI processing of your documents

A core feature of the Service is the automated analysis of your insurance documents using a third-party large language model provided by OpenAI.

When you request an analysis, the full text of your document (truncated where it exceeds a technical length limit) and your name are sent to OpenAI's API for the sole purpose of generating your analysis. We do not send your email address, IP address, or account identifier to OpenAI.

This processing is automated. It is used to help you understand and compare your insurance coverage and to highlight potential exclusions. It does not produce decisions that have legal or similarly significant effects on you; the analysis is informational, and you remain responsible for your own decisions. You can ask us how the analysis works and request human review of any output by contacting us.

OpenAI acts as our sub-processor and processes the text you submit solely to generate your analysis. International data transfers, including transfers to OpenAI, are addressed in Section 7.


6. Sub-processors and third parties

We share your personal data only with the service providers necessary to operate the Service:

Sub-processorRoleLocation of data
SupabaseAuthentication, database, and file storageFrankfurt, Germany (EU)
OpenAIAI analysis of document textUnited States
ResendSending transactional emailsUnited States

PDF text extraction is performed within our own infrastructure and does not involve a third party.

We do not sell your personal data, and we do not share it with advertisers.


7. International data transfers

Your documents and account data are stored within the EU (Frankfurt). However, some of our sub-processors (OpenAI, Resend) are located in the United States, which means certain personal data is transferred outside the EEA.

Where personal data is transferred outside the EEA, such transfers are made on the basis of appropriate safeguards recognised under the GDPR, such as the European Commission's Standard Contractual Clauses ("SCCs"). You can request more information about these safeguards by contacting us.


8. Cookies

We use only the following cookies:

  • Authentication cookies — set by our authentication provider to keep you signed in and to secure your session. These are strictly necessary for the Service to function.
  • Language preference cookie (sotra-lang) — remembers your chosen interface language. It contains only a language code and is stored for up to one year.

We do not use analytics, advertising, or tracking cookies. A separate Cookie Policy provides further detail.


9. Special-category (sensitive) data

Insurance documents you upload may contain special categories of personal data within the meaning of GDPR Article 9 — for example, health-related information in a health-insurance policy.

We do not seek out such data, but where your documents contain it, we process it solely to provide you with the analysis you have requested. By uploading such documents, you give your explicit consent to our processing of any special-category data they contain for that purpose. You can withdraw this consent at any time by deleting the relevant document or your account.


10. How long we keep your data

We keep your account data and uploaded documents, together with their extracted text and analyses, for as long as your account remains active, so that the Service continues to function for you.

When you delete your account, we delete your uploaded files, your stored document text, your analyses, and your account itself.

Temporary files created for the policy-comparison feature are automatically deleted within 7 days.

You can delete your account at any time from within the Service.


11. Your rights

Under the GDPR, you have the right to:

  • Access the personal data we hold about you;
  • Rectify inaccurate or incomplete data;
  • Erase your data (the "right to be forgotten");
  • Restrict processing in certain circumstances;
  • Data portability — receive your data in a structured, commonly used, machine-readable format;
  • Object to processing based on our legitimate interests;
  • Withdraw consent at any time, where processing is based on consent;
  • Lodge a complaint with a supervisory authority.

To exercise your right of access or data portability, contact us using the details in Section 12, and we will provide a copy of your personal data in a commonly used electronic format.


12. How to exercise your rights

You can:

  • delete your account and associated data directly within the Service;
  • for any other request (access, rectification, portability, restriction, objection, or withdrawal of consent), contact us at [TBD — e.g. privacy@sotra.ai].

We will respond to your request within one month, as required by the GDPR.


13. Security

We take reasonable technical and organisational measures to protect your personal data, including:

  • storing uploaded files in a private storage bucket that is not publicly accessible;
  • isolating each user's data so that you can only access your own records;
  • transmitting data over encrypted connections (HTTPS);
  • restricting administrative access and logging access attempts.

No method of transmission or storage is completely secure, and we cannot guarantee absolute security.


14. Changes to this Policy

We may update this Policy from time to time. We will post the updated version here and update the "Last updated" date. Where changes are material, we will take reasonable steps to notify you.


15. Contact and supervisory authority

For any questions or requests regarding this Policy or your personal data, contact us at:

[TBD — e.g. privacy@sotra.ai] [TBD — legal entity name and registered address]

If you believe we have not handled your personal data properly, you have the right to lodge a complaint with the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon), Tatari 39, 10134 Tallinn, Estonia — www.aki.ee — or with the supervisory authority in your country of residence.