Privacy Policy
1. Who we are
Sopmodo is a software service that helps organisations turn voice-narrated walk-throughs into written standard operating procedures (SOPs). This Privacy Policy explains how we handle personal data when you use the Sopmodo web app or the Sopmodo Android application (together, the “Service”).
Sopmodo is established in the European Union and is the controller of the data described in this notice.
This Policy is provided in accordance with Articles 12, 13 and 14 of the General Data Protection Regulation (Regulation (EU) 2016/679, “GDPR”).
2. Our role, and the role of your employer
Sopmodo is a B2B service. We work with two distinct populations of data subjects and we wear two different hats depending on whose data we are processing.
2.1 When you sign in as an account holder, we are the controller (Art. 4(7))
If you create or sign in to a Sopmodo account, we directly collect and decide how to use your account information (your work email, display name, role, authentication identifiers). For that information we are the controller.
2.2 When you record SOPs on behalf of your organisation, your employer is the controller and we are the processor (Art. 4(8); Art. 28)
When you use the Service to record, generate, or store SOP content for your organisation (the audio you speak into the phone, the photos you take, the steps the AI drafts from those inputs, and the values you fill in custom template fields), your employer (the customer organisation that holds the Sopmodo subscription) is the controller of that personal data. We process it on their documented instructions, under a separate Data Processing Agreement.
If you have questions about how your employer uses SOP content recorded on Sopmodo, contact your employer’s IT, HR or DPO function first.
3. What personal data we process
3.1 Account data (we are the controller)
| Category | Examples | Source |
|---|---|---|
| Identity | Display name, email address | You / your administrator |
| Authentication | AWS Cognito user ID (sub), hashed password (held by AWS Cognito, not by us) | You / AWS Cognito |
| Account state | Role (admin / member), organisation membership, account-creation timestamp, deactivation timestamp | The Service |
| Session | Encrypted session and refresh tokens stored in httpOnly, Secure, SameSite=Lax cookies | The Service |
3.2 SOP content (your employer is the controller; we are the processor)
| Category | Examples |
|---|---|
| Voice recordings | Short-form spoken narration captured by the Android app during recording sessions. Audio is processed on-device by the phone, transmitted directly to OpenAI Whisper for transcription, and is not persisted on Sopmodo servers (see §5.3). |
| Transcripts and step text | The textual output produced by the AI pipeline; reviewed and edited by your colleagues. |
| Photos | JPEG images captured during recording, uploaded to AWS S3, and embedded in the resulting SOP. |
| Custom template values | Values your administrator has asked operators to fill in per SOP (e.g. Client, Batch Number). |
| SOP metadata | Title, tags, author, status, timestamps. |
Voice recordings, transcripts, and photos may incidentally include personal data about colleagues, customers, or members of the public visible or audible during recording. Your employer is responsible for ensuring that they have a lawful basis under Art. 6 (and where applicable Art. 9) for that processing.
3.3 Service telemetry (we are the controller)
| Category | Examples |
|---|---|
| AI usage telemetry | Per-pipeline run: chat tokens consumed, audio duration, model used, total credit cost, timestamp, the originating user and organisation. We do not store the prompt or completion content here. |
| Application logs | Standard request/error logs from the web app and API. Aggregated and retained for limited debugging windows. |
| Webapp essential cookies | sm_access, sm_refresh, sm_username (all strictly necessary for authentication). |
We do not run third-party analytics, advertising trackers, or marketing pixels. We do not set any non-essential cookies.
4. Why we process your data: purposes and lawful bases (Art. 6)
| Purpose | Personal data used | Lawful basis |
|---|---|---|
| Authenticating you and granting access to the Service | Identity, authentication, account state | Contract (Art. 6(1)(b)) |
| Operating the Service (storing SOPs, photos, custom fields) | SOP content | Contract (Art. 6(1)(b)) for account holders. For SOP content about other people, your employer's lawful basis applies. |
| Securing the Service and detecting abuse | Application logs, session data | Legitimate interests (Art. 6(1)(f)) |
| Measuring and billing AI consumption | Usage telemetry | Contract (Art. 6(1)(b)) |
| Communicating service-essential changes | Email address, display name | Legitimate interests (Art. 6(1)(f)) |
| Complying with legal obligations | Whatever is necessary | Legal obligation (Art. 6(1)(c)) |
We do not rely on consent for any of the activities above, because all processing is necessary for the Service to function. We do not engage in direct marketing.
5. Who else processes your data
5.1 Sub-processors
We use the following sub-processors to deliver the Service. All are bound by data-processing terms reflecting Art. 28 GDPR.
| Sub-processor | Role | Where it runs |
|---|---|---|
| Amazon Web Services EMEA SARL, Amazon Cognito | User authentication (passwords, sessions, password resets) | EU (Ireland, eu-west-1) |
| Amazon Web Services EMEA SARL, Amazon S3 | Photo storage | EU (Ireland, eu-west-1) |
| Amazon Web Services EMEA SARL, Amazon RDS for PostgreSQL | Application database (account data, SOP text, telemetry) | EU (Ireland, eu-west-1) |
| OpenAI, L.L.C., Whisper API | Audio transcription (audio is sent directly from the Android device, see §5.3) | United States |
| OpenAI, L.L.C., Chat Completions API (including vision) | Drafting of SOP steps from transcripts and photos | United States |
We do not sell personal data and we do not share personal data with third parties for marketing.
5.2 International transfers (Art. 44 to 49)
OpenAI processing involves transferring personal data to the United States. We rely on the following safeguards for that transfer:
- The EU-U.S. Data Privacy Framework, where OpenAI is certified;
- Where the DPF is not applicable, the European Commission’s 2021 Standard Contractual Clauses (Module 2, Controller to Processor) between Sopmodo and OpenAI;
- A transfer impact assessment (TIA) that we have completed and review periodically.
A copy of the SCCs or our current TIA summary is available on request to Sopmodo through your organisation’s administrator.
AWS sub-processing of personal data takes place inside the European Economic Area (Ireland) and does not require third-country transfer safeguards under Art. 44.
5.3 What goes to OpenAI, and what does not
This is important enough to repeat in plain terms.
When you record on the Android app, the app:
- Captures audio on the device.
- Sends short audio segments directly from your phone to OpenAI’s Whisper API for transcription. The audio bytes do not pass through Sopmodo servers.
- Sends the resulting transcript and (optionally) downsampled photos directly to OpenAI’s Chat Completions API to draft step-by-step instructions. Again, the call is made from your device, not from our backend.
- Discards the raw audio file from device storage after the pipeline completes successfully.
- Uploads only the final SOP (titles, step text, full-resolution photos) to Sopmodo’s servers.
What we do not send to OpenAI:
- Your account email or display name.
- Other users’ account data.
- Your organisation’s other SOPs.
- Any data unrelated to the recording you just made.
OpenAI’s API terms (as of this draft’s version) state that data submitted via API is not used to train OpenAI’s models. We will update this Policy if that changes.
6. How long we keep your data: retention (Art. 5(1)(e))
| Data | Retention |
|---|---|
| Account data | For as long as the account is active. Deleted or anonymised within 30 days of account deletion. |
| SOP content (controlled by your employer) | For as long as your employer's subscription is active, or until your employer instructs us to delete it. On termination, deleted or returned per the DPA within 30 days. |
| Voice recordings (transient) | Not persisted server-side. Held on the recording device for the duration of the AI pipeline and then deleted automatically. |
| AI usage telemetry | Up to 24 months for billing reconciliation and trend analysis. |
| Application / security logs | 30 to 90 days |
| Backups | Database backups retain previously-deleted records for up to 35 days before being overwritten. |
You can request earlier deletion (see §7).
7. Your rights (Art. 15 to 22)
When we are the controller of your data, you have the following rights:
- Right of access (Art. 15): request a copy of the personal data we hold about you.
- Right to rectification (Art. 16): ask us to correct inaccurate data.
- Right to erasure (Art. 17): ask us to delete your data where Art. 17(1) applies.
- Right to restrict processing (Art. 18): ask us to pause processing while a dispute is resolved.
- Right to data portability (Art. 20): receive your account data in a structured, machine-readable format.
- Right to object (Art. 21): object to processing based on legitimate interests.
- Automated decision-making (Art. 22): the Service does not subject you to a decision based solely on automated processing that produces legal or similarly significant effects. The AI pipeline drafts text that humans then review and edit.
When we are the processor, address rights requests to your employer first. We will assist your employer in fulfilling them as required by Art. 28(3)(e).
To exercise any of these rights, ask your organisation’s administrator to contact Sopmodo on your behalf. We respond within one month (Art. 12(3)), extendable by up to two further months for complex requests.
8. Right to lodge a complaint (Art. 77)
You have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work, or place of the alleged infringement.
9. Security (Art. 32)
- TLS 1.2+ for data in transit;
- AES-256 encryption at rest for AWS S3, RDS, and EBS volumes;
- Authentication via AWS Cognito (passwords never seen by Sopmodo staff);
- Strict role-based access control with the principle of least privilege;
- Centralised logging and alerting for security-relevant events;
- Backups with restricted access;
- A breach response procedure aligned with Art. 33 to 34.
If we discover a personal data breach affecting your data, we will notify the relevant supervisory authority within 72 hours (Art. 33) and notify you directly where the breach is likely to result in a high risk to your rights and freedoms (Art. 34).
10. Children
The Service is a workplace tool. We do not knowingly collect personal data from anyone under the age of 16.
11. Cookies and similar technologies
We set only the cookies strictly necessary to operate the Service:
| Cookie | Purpose | Lifetime |
|---|---|---|
| sm_access | Holds the short-lived authentication token. | Until expiry of the access token (typically minutes). |
| sm_refresh | Allows silent re-authentication so you do not need to sign in repeatedly. | 30 days |
| sm_username | Used by the refresh flow to identify the account against AWS Cognito. | 30 days |
All three cookies are httpOnly, Secure, and SameSite=Lax. We do not use cookies for analytics, advertising, or any non-essential purpose. Because the cookies are strictly necessary under Art. 5(3) of the ePrivacy Directive, no consent banner is required.
12. Changes to this Policy
We will update this Policy when the Service changes materially, when our sub-processors change, or when applicable law requires. Changes are notified by email to the administrator on your organisation’s account and by an updated “Last reviewed” date at the top of this page.
13. Contact
For sub-processor SCC copies, DPA requests, or rights requests, contact Sopmodo through your organisation’s administrator.