Privacy Policy

1. Introduction

Welcome to Sosco ("Company," "we," "us," or "our"). We are committed to protecting your personal information and your right to privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website https://www.sosco.io and use our services (collectively, the "Services").

We are a company registered in Portugal at Rua Brito Capelo, 560, Matosinhos, Porto 4450-667. As such, we comply with the General Data Protection Regulation (GDPR) and applicable Portuguese data protection laws.

Please read this Privacy Policy carefully. If you do not agree with the terms of this Privacy Policy, please do not access the Services. By using our Services, you consent to the collection, use, and disclosure of your information as described in this Privacy Policy.

2. Information We Collect

Personal Information You Provide

We collect personal information that you voluntarily provide to us when you:

• Register for an account
• Subscribe to our services
• Fill out forms or surveys
• Contact us for support
• Participate in promotions or events

The personal information we collect may include:

• Identity Data: Name, username, job title, company name
• Contact Data: Email address, telephone number, billing address
• Account Data: Username, password, account preferences
• Financial Data: Payment card details, billing information (processed securely through our payment provider Stripe)
• Profile Data: Your interests, preferences, feedback, and survey responses

Information Automatically Collected

When you access our Services, we automatically collect certain information, including:

• Device Information: Device type, operating system, unique device identifiers, browser type and version
• Log Data: IP address, access times, pages viewed, referring URL, and actions taken on our Services
• Usage Data: Information about how you use our Services, including features used and time spent
• Location Data: General location based on your IP address (country/region level)

Information from Third Parties

We may receive information about you from third parties, including:

• Authentication providers (when you sign in with Google, Microsoft, or other SSO providers)
• Analytics providers
• Payment processors

3. How We Use Your Information

We use the information we collect for various purposes, including to:

• Provide our Services: Create and manage your account, process transactions, and deliver the services you request
• Improve our Services: Understand how users interact with our Services, identify trends, and develop new features
• Communicate with you: Send service-related notices, respond to inquiries, and provide customer support
• Marketing: Send promotional communications (with your consent) about products, services, and events
• Security: Detect, prevent, and address fraud, abuse, security risks, and technical issues
• Legal compliance: Comply with applicable laws, regulations, and legal processes
• Analytics: Monitor and analyze usage patterns and trends to improve user experience

4. Legal Basis for Processing (GDPR)

Under the GDPR, we process your personal data based on the following legal grounds:

• Contract Performance: Processing necessary to fulfill our contract with you (e.g., providing the Services you subscribed to)
• Legitimate Interests: Processing necessary for our legitimate business interests, provided these do not override your rights (e.g., improving our Services, fraud prevention)
• Consent: Where you have given explicit consent to process your data for specific purposes (e.g., marketing communications)
• Legal Obligation: Processing necessary to comply with legal requirements

5. Data Sharing and Disclosure

We may share your information in the following circumstances:

Service Providers

We share data with third-party vendors who perform services on our behalf, such as:

• Cloud hosting (Vercel, AWS)
• Payment processing (Stripe)
• Email services
• Analytics (PostHog)
• Customer support tools

These providers are contractually bound to protect your data and use it only for the purposes we specify.

Legal Requirements

We may disclose your information if required by law or in response to valid legal requests by public authorities.

Business Transfers

In connection with a merger, acquisition, or sale of assets, your information may be transferred to the acquiring entity.

With Your Consent

We may share your information for other purposes with your explicit consent.

We do not sell your personal information to third parties.

6. Data Retention

We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected, including:

• Account data: Retained while your account is active and for a reasonable period afterward for legal and business purposes
• Transaction data: Retained for 7 years to comply with tax and accounting obligations
• Marketing preferences: Retained until you withdraw consent or update your preferences
• Support communications: Retained for up to 3 years after resolution

When data is no longer needed, we securely delete or anonymize it in accordance with our data retention policies.

7. Your Rights (GDPR)

Under the GDPR and applicable data protection laws, you have the following rights regarding your personal data:

• Right of Access: Request a copy of the personal data we hold about you
• Right to Rectification: Request correction of inaccurate or incomplete data
• Right to Erasure ("Right to be Forgotten"): Request deletion of your personal data under certain circumstances
• Right to Restrict Processing: Request that we limit how we use your data
• Right to Data Portability: Receive your data in a structured, machine-readable format
• Right to Object: Object to processing based on legitimate interests or for direct marketing
• Right to Withdraw Consent: Withdraw consent at any time where processing is based on consent
• Right to Lodge a Complaint: File a complaint with your local data protection authority

To exercise any of these rights, please contact us at legal@sosco.io. We will respond to your request within 30 days.

For EU residents, you may also contact the Portuguese Data Protection Authority (CNPD) at www.cnpd.pt.

8. Cookies and Tracking Technologies

We use cookies and similar tracking technologies to collect and store information about your interactions with our Services.

Types of Cookies We Use

• Essential Cookies: Required for the Services to function properly (e.g., authentication, security)
• Functional Cookies: Remember your preferences and settings
• Analytics Cookies: Help us understand how visitors use our Services
• Marketing Cookies: Used to deliver relevant advertisements (only with your consent)

Managing Cookies

You can control cookies through your browser settings. Most browsers allow you to:

• View what cookies are stored and delete them individually
• Block third-party cookies
• Block all cookies
• Clear all cookies when you close the browser

Note that blocking certain cookies may affect the functionality of our Services.

9. Data Security

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These measures include:

• Encryption of data in transit (TLS/SSL) and at rest
• Secure authentication mechanisms
• Regular security assessments and audits
• Access controls limiting who can access personal data
• Employee training on data protection
• Incident response procedures

While we strive to protect your personal information, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security but are committed to promptly addressing any security incidents.

10. International Data Transfers

Your information may be transferred to and processed in countries other than your country of residence, including the United States, where our servers and service providers are located.

When we transfer personal data outside the European Economic Area (EEA), we ensure appropriate safeguards are in place, including:

• Standard Contractual Clauses (SCCs) approved by the European Commission
• Adequacy decisions recognizing equivalent data protection in the destination country
• Other legally approved transfer mechanisms

By using our Services, you consent to the transfer of your information to countries outside the EEA that may have different data protection rules.

11. Children's Privacy

Our Services are not intended for individuals under the age of 16. We do not knowingly collect personal information from children under 16. If we become aware that we have collected personal data from a child under 16 without parental consent, we will take steps to delete that information promptly.

If you are a parent or guardian and believe your child has provided us with personal information, please contact us at legal@sosco.io.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make material changes, we will:

• Update the "Last updated" date at the top of this page
• Notify you via email or through a prominent notice on our Services
• Where required by law, obtain your consent to the changes

We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information.

13. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at:

For any privacy-related concerns, you may also file a complaint with the Portuguese Data Protection Authority (Comissão Nacional de Proteção de Dados - CNPD) at www.cnpd.pt.