Privacy Policy

1. Introduction

This Privacy Policy explains how Digimeri OÜ ("Soro", "we", "our", "us") collects, uses, shares, and protects your personal data when you use Soro (the "Service") or visit trysoro.com.

We are committed to processing your personal data lawfully, fairly, and transparently in accordance with the EU General Data Protection Regulation (GDPR), the UK GDPR, the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA), and other applicable data protection laws.

We have not appointed a Data Protection Officer because we are not required to under Article 37 GDPR. For any privacy inquiry, write to info@trysoro.com and we will route it to the appropriate person.

2. Personal Data We Collect

2.1 Data You Provide

• Account data: name, email address, password (hashed), company name, country.
• Billing data: billing address, payment instrument details (processed and stored by our payment processor; we receive metadata and a token, not full card numbers), tax identification numbers where applicable.
• Brand and configuration data: website URL, brand voice settings, target audience, content preferences, language settings, integration credentials and access tokens for connected platforms (WordPress, Shopify, Wix, HubSpot, FTP, RSS, Google Search Console, and others).
• Communications: the contents of emails, support tickets, chat messages, and survey responses you send us.

2.2 Data Collected Automatically

• Usage data: features used, content generated, articles scheduled and published, settings changes, dashboard interactions, errors.
• Device and connection data: IP address, browser type and version, operating system, device identifiers, time zone, language settings, referring URLs.
• Cookies and similar technologies: see Section 7.

2.3 Data From Third Parties

• From your connected platforms: when you connect a platform such as Google Search Console, we receive metrics, page URLs, queries, and other data that platform exposes to us based on your authorization.
• From payment processors: transaction status, country, last four digits of payment instrument, fraud signals.
• From authentication providers: if you sign in with a third-party identity provider, we receive the identifiers and profile fields they share with us.

2.4 Special Categories

We do not intentionally collect special categories of personal data (such as health, racial or ethnic origin, religious beliefs, or biometric data). Do not enter such data into the Service.

3. How We Use Personal Data

We process personal data for the following purposes:

3.1 To Provide the Service (legal basis: performance of a contract, Article 6(1)(b) GDPR)

• Create and maintain your account.
• Generate keywords, articles, and images according to your settings.
• Publish content to your connected platforms.
• Display analytics from Google Search Console and similar sources.
• Provide customer support.

3.2 For Billing and Tax (legal basis: contract and legal obligation, Articles 6(1)(b) and 6(1)(c) GDPR)

• Process payments, refunds, and chargebacks.
• Calculate and remit VAT, sales tax, and similar indirect taxes (including under the EU OSS scheme).
• Retain accounting records as required by Estonian and EU law (typically seven years).

3.3 To Secure and Improve the Service (legal basis: legitimate interests, Article 6(1)(f) GDPR)

• Detect, prevent, and investigate fraud, abuse, security incidents, and Terms violations.
• Monitor performance and stability.
• Analyze usage in aggregate to improve features.
• Conduct internal product research and A/B tests.

We balance our legitimate interests against your rights and freedoms. You can object to processing based on legitimate interests at any time (see Section 9).

3.4 To Communicate With You (legal basis: contract and legitimate interests; consent for marketing where required)

• Send service announcements, security notices, billing notices, and product updates relevant to your account.
• Send marketing communications, with your prior consent where required by law. You can opt out at any time using the unsubscribe link in any marketing email or by emailing info@trysoro.com.

3.5 To Comply With Law (legal basis: legal obligation, Article 6(1)(c) GDPR)

• Respond to lawful requests from public authorities.
• Enforce our Terms.
• Comply with anti-money-laundering, sanctions, and other regulatory obligations.

3.6 No Training of Third-Party AI Models

We do not use Customer Content (including the content of articles you generate, your brand configuration, or your website content) to train third-party AI models. The AI providers we use to power the Service operate under contractual terms that prohibit training their models on customer API inputs and outputs.

4. How We Share Personal Data

We do not sell personal data, and we do not share personal data for cross-context behavioral advertising as defined under the CCPA/CPRA, except as described in Section 8.4 below in relation to cookies.

We share personal data with:

4.1 Subprocessors

We rely on trusted third-party service providers to operate the Service. Categories include:

• Cloud infrastructure and hosting (data centers in the EU and the United States).
• Database, storage, and content delivery providers.
• Payment processing.
• Email and customer support platforms.
• Analytics, error monitoring, and product telemetry.
• Third-party AI model providers that generate content on our behalf.
• Identity and authentication providers.

All subprocessors are bound by data processing agreements requiring confidentiality, security, and GDPR compliance. The current list of subprocessors we rely on is available on request by emailing info@trysoro.com. We will notify you of material changes to our use of subprocessors through updates to this Privacy Policy and, where applicable, through any separate agreements you have with us.

4.2 Integration Partners You Connect

When you connect a third-party platform (WordPress, Shopify, Wix, HubSpot, Google Search Console, FTP server, and others), we exchange data with that platform as needed to perform the Service you have requested. Those platforms are independent controllers operating under their own privacy policies.

4.3 Legal and Safety

We may disclose personal data when we believe in good faith that disclosure is required to: (a) comply with a legal obligation, court order, or lawful government request; (b) protect the rights, property, or safety of Soro, our users, or others; (c) investigate or prevent fraud, security incidents, or violations of our Terms; (d) enforce or apply our agreements.

4.4 Corporate Transactions

If we are involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of assets, personal data may be transferred to the relevant counterparty subject to standard confidentiality protections. We will notify affected users where required by law.

5. International Transfers

Soro is based in Estonia (European Union). Some of our subprocessors are located outside the EU/EEA, including in the United States and the United Kingdom.

Where we transfer personal data outside the EU/EEA to a country that has not been recognized by the European Commission as providing an adequate level of protection, we rely on appropriate safeguards, including:

• The European Commission's Standard Contractual Clauses;
• The UK International Data Transfer Addendum and the Swiss Data Protection Authority's clauses, where applicable;
• The EU-US Data Privacy Framework, where the recipient is certified;
• Additional supplementary measures as recommended by the European Data Protection Board.

You can request a copy of the safeguards in place for a specific transfer by writing to info@trysoro.com.

6. Data Retention

We retain personal data only as long as necessary for the purposes for which it was collected.

• Account and configuration data: for the duration of your account, plus up to 90 days after closure to allow recovery and dispute resolution.
• Billing, tax, and accounting records: seven years from the relevant transaction, as required by Estonian law.
• Support and communication records: up to three years after the last interaction.
• Security logs and audit trails: up to two years.
• Marketing consent records: for as long as the consent is valid, plus a reasonable period to demonstrate compliance.

After applicable retention periods, we delete or irreversibly anonymize personal data.

7. Cookies and Similar Technologies

We use cookies, pixels, local storage, and similar technologies on trysoro.com and within the Service. The categories we use are:

7.1 Strictly Necessary

Required for the Service or website to function - authentication, session management, security (including CSRF protection), load balancing, fraud prevention, and remembering your cookie preferences. These cannot be switched off in our systems. Without them, the Service will not work correctly.

7.2 Functional

Remember your preferences, language, and similar settings so we can give you a more personalized experience.

7.3 Analytics

Help us understand how our website and Service are used so that we can improve them. Analytics technologies collect aggregated information such as page views, session duration, referral sources, and feature usage.

7.4 Marketing and Advertising

Used to measure the performance of our advertising (including on platforms such as Meta and Google), to attribute conversions to the campaigns that produced them, and to show you relevant advertising on third-party platforms. These technologies may share limited information (such as your IP address, browser identifier, and the pages you visit on trysoro.com) with our advertising partners.

7.5 Your Choices

Where required by applicable law (including the EU ePrivacy Directive, the UK Privacy and Electronic Communications Regulations, and equivalent laws in California and other jurisdictions), we obtain your prior consent before loading analytics and marketing technologies. You can accept, reject, or customize non-essential cookies through our cookie consent interface, and you can change your preferences at any time. Rejecting non-essential cookies will not affect your ability to use the Service.

You can also control cookies through your browser settings, including blocking or deleting them. Disabling strictly necessary cookies may prevent the Service from functioning.

Where we rely on third-party technologies (for example, from Meta or Google for advertising and analytics), those providers process data under their own privacy policies as independent or joint controllers, and we encourage you to review their terms.

8. Your Rights

8.1 Rights Under GDPR and UK GDPR

Subject to applicable conditions and exceptions, you have the right to:

• Access the personal data we hold about you and receive a copy.
• Rectification of inaccurate or incomplete data.
• Erasure of personal data ("right to be forgotten").
• Restriction of processing in certain circumstances.
• Data portability - receive your data in a structured, commonly used, machine-readable format and transmit it to another controller.
• Object to processing based on legitimate interests, including profiling, and to direct marketing at any time.
• Withdraw consent at any time where processing is based on consent (without affecting the lawfulness of processing before withdrawal).
• Lodge a complaint with a supervisory authority. Our lead supervisory authority is the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon, aki.ee). You may also complain to the authority in your country of residence.

To exercise these rights, email info@trysoro.com. We respond within 30 days, which may be extended by up to two further months for complex requests. We may need to verify your identity before responding.

8.2 Rights of California Residents (CCPA/CPRA)

If you are a California resident, you have the right to:

• Know what personal information we collect, the sources, the purposes, and the categories of third parties with which we share it.
• Access the specific pieces of personal information we hold about you.
• Delete your personal information, subject to certain exceptions.
• Correct inaccurate personal information.
• Opt out of the sale or sharing of personal information. We do not sell personal information for monetary consideration. We may "share" limited identifiers with analytics and advertising partners for cross-context behavioral advertising; you can opt out by emailing info@trysoro.com or using the cookie banner.
• Limit the use of sensitive personal information.
• Non-discrimination for exercising your rights.

To exercise these rights, email info@trysoro.com with the subject line "California Privacy Request." We may verify your identity through email confirmation and account information. Authorized agents must provide signed permission from the consumer.

8.3 Other Jurisdictions

Residents of other jurisdictions (including Brazil, Canada, Australia, and various US states with comprehensive privacy laws) may have similar rights. Email info@trysoro.com to exercise them.

9. Security

We implement appropriate technical and organizational measures designed to protect personal data, including:

• Encryption in transit (HTTPS/TLS) and at rest;
• Secure authentication, including hashed passwords and access tokens;
• Role-based access controls and the principle of least privilege;
• Network security controls and monitoring;
• Regular security updates and vulnerability management;
• Incident detection and response procedures.

No method of transmission or storage is 100% secure. We will notify supervisory authorities and affected users of personal data breaches in accordance with applicable law, including within 72 hours where required by Article 33 GDPR.

10. Children

The Service is not directed to children under 16, and we do not knowingly collect personal data from children. If you believe a child has provided personal data to us, contact info@trysoro.com and we will take appropriate steps to delete it. In jurisdictions where a lower age of consent applies, the higher protective standard prevails to the extent permitted by law.

11. AI Processing

The Service uses artificial intelligence to research keywords, generate articles, generate images, and assist with related tasks. You should be aware that:

• AI output is generated probabilistically and may be inaccurate, incomplete, or similar to outputs generated for other users.
• We do not use Customer Content to train third-party AI models, and our AI providers operate under contractual terms that prohibit such training on API data.
• Inputs and outputs are processed by third-party AI providers under data processing terms and confidentiality obligations. See our subprocessor list for current providers and locations.
• Automated decision-making within the meaning of Article 22 GDPR (decisions producing legal or similarly significant effects without human involvement) is not used in the Service.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. If a change is material, we will notify you by email and/or in-product notice before it takes effect. Non-material changes (clarifications, corrections, contact details) take effect when posted. The "Last updated" date at the top reflects the most recent revision.

13. Contact

For privacy questions, complaints, or to exercise your rights: