Privacy Policy
Last updated: 15 March 2026
Effective date: 15 March 2026
1. Introduction
This Privacy Policy explains how Soragai (sorag.ai) collects, uses, stores, and protects your personal data when you use our Service.
We are established in Romania and process personal data in accordance with the EU General Data Protection Regulation (GDPR) (Regulation 2016/679) and applicable Romanian data protection law.
Data Controller: Soragai
Email: hello@sorag.ai
Full legal details available on request.
2. Data We Collect
2.1 Account Data
When you register, we collect your email address and a hashed password. We do not store your password in plain text.
2.2 Usage Data
We collect records of your generations including prompts, model selections, parameters, generation status, and output file paths. This data is necessary to deliver the Service.
2.3 Billing Data
Payment processing is handled by Stripe. We do not store payment card details. We retain billing records including subscription status, transaction amounts, and Stripe customer identifiers.
2.4 Communication Data
If you contact us by email, we retain the content of that correspondence.
2.5 Technical Data
We collect server-side logs for security and error monitoring. Logs include IP addresses, request timestamps, and HTTP status codes. Logs are retained for 30 days and then deleted.
2.6 Analytics Data
We use Plausible Analytics, a privacy-respecting analytics tool. Plausible does not use cookies, does not track users across websites, and does not collect personal data as defined under GDPR. It collects only aggregated, anonymised site usage statistics. No consent is required for Plausible under GDPR.
3. How We Use Your Data
| Purpose | Legal Basis |
|---|---|
| Providing and operating the Service | Performance of contract (Art. 6(1)(b)) |
| Processing payments | Performance of contract (Art. 6(1)(b)) |
| Sending transactional emails (verification, password reset, billing, low credits warning) | Performance of contract (Art. 6(1)(b)) |
| Security monitoring and fraud prevention | Legitimate interests (Art. 6(1)(f)) |
| Improving the Service | Legitimate interests (Art. 6(1)(f)) |
| Using Generated Content for model training and promotional purposes | Consent, as described in the Terms of Service (Art. 6(1)(a)) |
| Complying with legal obligations | Legal obligation (Art. 6(1)(c)) |
4. Data Sharing and Third Parties
We share personal data with the following categories of third parties:
| Recipient | Purpose | Location |
|---|---|---|
| Stripe Inc. | Payment processing | USA (Standard Contractual Clauses) |
| Brevo (Sendinblue) | Transactional email | EU |
| PiAPI | AI generation pipeline | See below |
| Hetzner Online GmbH | Server infrastructure | Germany, EU |
| Plausible Analytics | Cookieless analytics | EU |
PiAPI and Upstream Model Providers
When you submit a generation request, your prompt and any reference images are transmitted to PiAPI, which routes them to the relevant AI model provider (Kuaishou, ByteDance, OpenAI, or Google). Each provider processes this data in accordance with their own privacy policies. Data may be transferred outside the EU to the USA and to China (Kuaishou, ByteDance) under applicable transfer mechanisms or as necessary for the performance of the contract.
We do not sell your personal data to third parties.
5. Data Transfers Outside the EU
Some of our service providers are located outside the EU/EEA. Where we transfer personal data to third countries, we rely on:
- Standard Contractual Clauses (SCCs) approved by the European Commission (Stripe, Google)
- Adequacy decisions where applicable
- Necessity for contract performance for transfers to AI model providers (Kuaishou, ByteDance, OpenAI) where no other transfer mechanism applies
You acknowledge that use of models operated by Kuaishou (China) and ByteDance (China) involves transfer of your Input data to servers that may be located in China, a country that does not have an adequacy decision from the European Commission.
6. Data Retention
| Data Type | Retention Period |
|---|---|
| Account data | Duration of account, plus 30 days after deletion request |
| Generation records | Duration of account |
| Generated Content files | Duration of account or until manually deleted |
| Billing records | 10 years (Romanian accounting law requirement) |
| Server logs | 30 days |
| Email correspondence | 2 years |
7. Your Rights Under GDPR
As a data subject in the EU/EEA, you have the following rights:
- Right of access — request a copy of your personal data
- Right to rectification — request correction of inaccurate data
- Right to erasure — request deletion of your data (“right to be forgotten”)
- Right to restriction — request we limit processing of your data
- Right to data portability — receive your data in a structured, machine-readable format
- Right to object — object to processing based on legitimate interests
- Right to withdraw consent — where processing is based on consent, withdraw it at any time without affecting prior processing
To exercise any of these rights, contact us at hello@sorag.ai. We will respond within 30 days. We may ask you to verify your identity before processing your request.
You also have the right to lodge a complaint with the Romanian supervisory authority:
Autoritatea Nationala de Supraveghere a Prelucrarii Datelor cu Caracter Personal (ANSPDCP)
B-dul G-ral. Gheorghe Magheru 28-30, Sector 1, Bucuresti
anspdcp.eu
8. Security
We implement appropriate technical and organisational measures to protect your personal data, including:
- Passwords hashed with bcrypt
- All data transmitted over HTTPS/TLS
- Access tokens with short expiry (30 minutes)
- Database accessible only via Tailscale private network
- API keys stored in HashiCorp Vault, never in source code
No system is completely secure. If you believe your account has been compromised, contact us immediately at hello@sorag.ai.
9. Children
The Service is not intended for persons under 18 years of age. We do not knowingly collect personal data from minors. If we become aware that we have collected data from a person under 18, we will delete it promptly.
10. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email or prominent notice on the Service at least 14 days before they take effect. The “Last updated” date at the top of this page reflects the most recent revision.
11. Contact
For any privacy-related queries or to exercise your rights:
Soragai
Email: hello@sorag.ai