Privacy Policy

Effective 9 February 2025

We know that your privacy is important, and we're committed to protecting it. This Privacy Policy explains, in a clear and simple way, how we collect, use, and protect your personal data when you use our generative AI services ("Services").

Sorena is a Swedish company based in Stockholm ("We", "Us" or "Sorena AI").

All data is encrypted at rest and in transit. None of the cloud providers we partner with have access to the data, as per our enterprise agreements.

Who collects your data?

Sorena AI as data controller

Sorena AI is the data controller. This means that Sorena AI is the entity that decides how and why your personal data is collected and used.

Sorena AI as data processor

If you use our Services to process personal data on behalf of your business, you are the data controller, and Sorena AI is the data processor. This means that you decide how and why the personal data is processed, and we process such data on your behalf and according to your instructions to provide you with the Services. This Privacy Policy only covers the processing activities we carry out as a data controller. It does not apply to the processing activities we carry out as a data processor on your behalf, which are governed by our Data Processing Agreement.

What data do we collect?

Data you provide directly to us

Identity, account and contact data when you create your account on our platform or subscribe to our newsletter. We also collect any Feedback (screenshots and comments) you choose to provide. You must be of legal age (18 years or older in Sweden) to provide us with any personal data.

Personal data generated by your use of our Services

When you use the Services, we automatically collect security logs, technical information through cookies, and Output (content generated by the Services based on your Input). If you include personal data in your Input, then such personal data may be included in the Output.

Personal data that is indirectly provided to us

Data publicly available on the Internet: Our models are trained on data that is publicly available on the Internet, which may contain personal data, even if we use good practices to filter out such personal data.

Why do we use your data?

Service Provision & Improvement

We use your data to provide the Services and generate aggregated and anonymized statistics to enhance functionality and performance.

General Administration

For security management, sending important non-marketing communications about service updates or account information, and managing technically required cookies.

Model Development

We do not use your Input and Output to train our models.

Marketing Operations

For sending newsletters (with consent), lead development, event invitations, and managing our business relationship with you.

Commercial Management

For contract administration, invoicing, and payment processing.

Dispute Resolution

To investigate and resolve disputes, enforce our contract, and protect our legal rights.

Data Subject Requests

To respond to your requests regarding your personal data rights.

How long do we keep your data?

Service & Account Data

Account data is kept while you're registered plus 1 year after termination. Input and Output data is kept for 30 days for abuse monitoring. Fine-tuning data is kept until you delete it or your account. For technical support, we keep data until the request has been processed, plus 5 years for records.

Security & Technical Data

Security logs are kept for 1 rolling year. Cookies are kept as long as you consent to their use.

Commercial & Legal Records

Contracts are kept for contract duration plus 7 years. Invoices are kept for 7 years from year-end. For disputes, data is kept until appeal periods end, with possible archival extension.

Marketing & Business Data

Newsletter contact data is kept until you unsubscribe, leads for 3 years from collection, and B2B customer data for the contract duration plus 3 years. Privacy requests are kept for 6 years after processing.

Who do we share your data with?

Internal Access

Authorized team members who need access to perform their jobs.

Service Providers

Cloudflare, Inc (Security, Cloud Services, AI Services), Amazon.com, Inc (Cloud Services, AI Services), Microsoft Corporation (Cloud Services, AI Services), GitHub, Inc (Security, Code, CI/CD, Cloud Services, AI Services), OpenAI, Inc (AI Services), Anthropic PBC (AI Services), Google LLC (AI Services), Hetzner Online GmbH (Cloud Services), Bahnhof AB (Cloud Services). All providers are audited and bound by data protection agreements and none of the providers have access to your data.

Financial & Legal

Banks and financial organizations, regulatory authorities like the Swedish data protection authority (Integritetsskyddsmyndigheten), courts, mediators, accountants, auditors, lawyers, bailiffs, and debt collection agencies when appropriate.

International Transfers

We prioritize EU providers compliant with GDPR. For non-EU providers, we ensure adequate safeguards under Article 46 of GDPR and include the European Commission's latest Standard Contractual Clauses.

Data Breach Notification

Notification Timeline

In the event of a data breach that may affect your personal data, we will notify you and the relevant supervisory authority within 72 hours of becoming aware of the breach, as required by GDPR Article 33.

Notification Content

Our notification will include the nature of the breach, categories of data affected, potential consequences, measures taken to address the breach, and recommendations for you to mitigate potential adverse effects.

Ongoing Communication

We maintain transparent communication throughout the incident response process and provide regular updates on our dedicated security status page.

Prevention Measures

We continuously monitor our systems, conduct regular security assessments, and maintain incident response plans to prevent and quickly address any security incidents.

Your rights

Access

You have the right to know if we process your personal data. You also have the right to request a copy of such personal data and to obtain further information about the way we process your personal data.

Rectification

You have the right to update or correct your personal data.

Deletion

You have the right to delete and/or ask us to delete your personal data.

Objection

You have the right to object to the processing of your personal data. This right does not apply when we have a legal obligation to process your personal data.

Consent Withdrawal

You have the right to withdraw your consent to the processing of your personal data at any time.

Limitation

You have the right to ask us to freeze the processing of your personal data.

Portability

You have the right to obtain and transfer your personal data to another entity.

Post-mortem Rights

You have the right to tell us how you would like us to process your personal data after your death.

Lodge a Complaint

You have the right to lodge a complaint with the competent data protection authority, including the Swedish data protection authority (Integritetsskyddsmyndigheten).

How to Exercise Your Rights

You can exercise these rights by sending us an email at [email protected] or by making a request using our Support Center available on your account.

Cookies & Tracking

Essential Technical Cookies

These cookies are strictly necessary for the proper functioning of the website and cannot technically be deactivated from the site. However, you can manage these cookies through your browser settings.

Performance & Analytics Cookies

These cookies help us to understand the customer's use of our website. All data collected is anonymous and we do not retain information that will identify you personally. Google Analytics is not included or allowed inside the internal portal.

Cookie Management

Upon your initial visit, a banner will prompt you to accept or decline non-essential cookies. You can manage preferences through our cookie banner or your browser settings. Note that deleting or blocking cookies may affect your user experience and limit access to certain parts of the site.

Contact Us

If you have any questions about our privacy policy or how we handle your data, please don't hesitate to reach out.

[email protected]

Data Protection Officer

For specific inquiries about your data protection rights or to report a privacy concern, contact our DPO directly.

[email protected]