Legal

Privacy Policy

Last updated: May 23, 2025 · Effective: May 23, 2025

Summary: Sofi CRM collects only the data necessary to provide the Service. We never sell your data. Payments are processed by Stripe — we never store card details. You can request deletion of your data at any time. Questions: support@soficrm.com

1. Who We Are

Sofi CRM ("we", "us", "our") operates the Sofi CRM platform — a fan relationship management SaaS product for Telegram content creators. This Privacy Policy describes how we collect, use, and protect your personal data when you use our website and Service.

Data controller contact: support@soficrm.com

2. Data We Collect

2.1 Account Data

When you register, we collect:

Full name
Email address
Hashed password (we never store your password in plain text)
Account creation date and tier

2.2 Telegram Credentials

To connect your Telegram account, we store:

Telegram API ID and API Hash (provided by you from my.telegram.org)
Phone number (for session authorization only)
Encrypted Telegram session file (stored locally on our server, per your tenant directory)

These credentials are used exclusively to operate the Sofi bot on your behalf. We do not use them for any other purpose.

2.3 Fan/Customer Data

The Service processes data about your Telegram fans on your behalf, including:

Telegram user IDs and display names
Message history (stored in your isolated per-tenant database)
Notes, tags, and engagement scores you create
Conversation stage data

You are the data controller for this fan data. We process it as your data processor. You are responsible for ensuring you have a lawful basis to collect and process this data.

2.4 Usage and Technical Data

IP address and browser type (landing page visits)
Pages visited and time spent
Server logs for security and debugging

2.5 Payment Data

We use Stripe, Inc. to process payments. When you subscribe:

Your card number, CVV, and expiry date are entered directly into Stripe's secure form — we never see or store your card details
We receive from Stripe: a token, last 4 digits of card, card type, billing country, and subscription status
We share with Stripe: your name, email address, and billing information to process your payment

Stripe may collect additional device and behavioral data for fraud prevention. See Stripe's Privacy Policy for details. Stripe is PCI DSS Level 1 certified — the highest level of payment security certification.

3. How We Use Your Data

Purpose	Legal Basis	Data Used
Provide and operate the Service	Contract performance	Account data, Telegram credentials, fan data
Process subscription payments	Contract performance	Name, email, billing info (via Stripe)
Send transactional emails (receipts, renewal notices, alerts)	Contract performance / Legitimate interest	Email address
Improve the Service and fix bugs	Legitimate interest	Usage data, server logs
Comply with legal obligations	Legal obligation	As required by law
Prevent fraud and abuse	Legitimate interest	IP address, usage patterns

We do not sell, rent, or trade your personal data to third parties for marketing purposes.

4. Third-Party Services

We share data with the following third parties only as necessary to operate the Service:

Stripe, Inc. — Payment processing. stripe.com/privacy
xAI / Grok API — AI language model for generating conversation responses. Fan messages are sent to Grok's API for processing. See xAI Privacy Policy.
Groq API — Voice transcription (Whisper model). Voice messages are sent to Groq for transcription. See Groq Privacy Policy.
DeepL — Optional translation service. See DeepL Privacy Policy.
ElevenLabs — Optional text-to-speech. See ElevenLabs Privacy Policy.
Telegram Messenger Inc. — The platform through which the Service operates. See Telegram Privacy Policy.

5. Data Storage and Security

Your data is stored on our servers in isolated per-tenant databases. Each account's data is strictly separated from other accounts.

We implement the following security measures:

Passwords are hashed using SHA-256 with salt — never stored in plain text
HTTPS/TLS encryption for all data in transit
Per-tenant database isolation
Stripe handles all payment card data (PCI DSS Level 1 compliant)
Telegram session files are stored server-side with restricted access

No system is 100% secure. In the event of a data breach affecting your personal data, we will notify you as required by applicable law.

6. Data Retention

Account data: Retained while your account is active, plus 30 days after deletion request
Fan/conversation data: Retained while your account is active; deleted upon account termination
Payment records: Retained for 7 years for tax and legal compliance
Server logs: Retained for 90 days

7. Your Rights

Depending on your location, you may have the following rights regarding your personal data:

Access: Request a copy of the personal data we hold about you
Rectification: Request correction of inaccurate data
Erasure: Request deletion of your data ("right to be forgotten")
Portability: Request your data in a machine-readable format
Restriction: Request we limit processing of your data
Objection: Object to processing based on legitimate interest
Withdraw Consent: Where processing is based on consent, withdraw it at any time

To exercise any of these rights, contact us at support@soficrm.com. We will respond within 30 days.

8. Cookies

We use essential cookies only:

Session cookie: Keeps you logged in during your browser session (expires when you close your browser or log out)
Stripe cookies: Used by Stripe for fraud detection on the payment page

We do not use tracking, analytics, or advertising cookies.

9. Children's Privacy

The Service is not directed at persons under 18 years of age. We do not knowingly collect personal data from minors. If you believe a minor has provided us with personal data, contact us immediately and we will delete it.

9a. California Residents — CCPA Rights

If you are a California resident, the California Consumer Privacy Act (CCPA) grants you additional rights:

Right to Know: Request disclosure of the categories and specific pieces of personal information we have collected about you
Right to Delete: Request deletion of your personal information, subject to certain exceptions
Right to Opt-Out of Sale: We do not sell personal information. No opt-out is required.
Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights

To submit a CCPA request, contact us at support@soficrm.com. We will respond within 45 days.

10. International Data Transfers

Your data may be processed by our third-party service providers (Stripe, xAI, Groq) in countries outside your jurisdiction. Where required, we rely on appropriate transfer mechanisms (such as standard contractual clauses) to ensure your data is adequately protected.

11. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email at least 14 days before they take effect. Continued use of the Service constitutes acceptance of the updated policy.

12. Contact, DPO and Complaints

For privacy-related questions or requests:

Email: support@soficrm.com
Privacy requests: privacy@soficrm.com
Website: soficrm.com

We aim to respond to all privacy requests within 30 days.

If you are located in the European Economic Area (EEA) and believe we have not addressed your privacy concern adequately, you have the right to lodge a complaint with your local supervisory authority. A list of EU data protection authorities is available at edpb.europa.eu.

If you are located in the United Kingdom, you may contact the Information Commissioner's Office (ICO) at ico.org.uk.