Privacy Policy
Last updated: 22 April 2026
Intellectual Property & Operator Notice
The Sophion platform and all associated intellectual property are owned by David Stone (and his designated heirs or transferees). Sophion is operated and managed within the United Kingdom by David Stone, trading as Sophion.org (sole trader). David Stone is the UK data controller under UK GDPR.
1. Introduction
David Stone, trading as Sophion.org ("we", "us", "our"), is committed to protecting your privacy. This Privacy Policy explains how we collect, use, store, and protect your personal data when you use the Sophion platform ("Service"). We comply with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
2. Data Controller
David Stone (trading as Sophion.org) is the data controller for personal data processed through the Service within the United Kingdom.
Data-protection contact: [email protected].
3. Data We Collect
3.1 Account Data
When you create an account, we collect your name, email address, and password (stored as a one-way hash).
3.2 Profile & Assessment Data
We collect your responses to learning personality assessments (VARK, Big Five, MBTI, DISC, EQ, Growth Mindset, Sophion Custom). This data is used to build your learning profile and personalise content. Assessment data is versioned and you can view your history at any time.
3.3 Document Data
When you upload documents, we store the file in encrypted cloud storage (AWS S3). Document metadata (filename, format, size, upload date) is stored in our database. Document content is processed by AI to generate personalised learning sections.
3.4 Usage Data
We collect information about how you use the Service, including pages visited, features used, and timestamps. If you consent to cookies, we use Google Analytics (GA4) to collect anonymous usage statistics.
3.5 Payment Data
Credit purchases are processed by Stripe. We do not store your card details. Stripe processes payments as an independent data controller under its own privacy policy.
4. Legal Basis for Processing
We process your data on the following legal bases:
- Contract: Processing necessary to provide the Service (account, documents, personalisation)
- Consent: Analytics cookies, marketing communications
- Legitimate Interest: Security monitoring, fraud prevention, service improvement
- Legal Obligation: Compliance with applicable laws
5. How We Use Your Data
- To provide and personalise the Service
- To generate AI-powered "For You" learning sections based on your profile
- To process credit purchases and maintain transaction records
- To send service notifications (processing updates, credit alerts)
- To moderate content and ensure platform safety
- To improve the Service through anonymised analytics
- To respond to support requests
6. Data Sharing & Sub-Processors
We share data with the following categories of recipients:
- AI Processing (Abacus.AI): Document content and profile data are sent to AI language models hosted by Abacus.AI for personalisation. This data is processed transiently for the purpose of generating personalised learning content. Abacus.AI infrastructure is located in the United States (AWS us-west-2, Oregon).
- Cloud Storage (AWS S3): Documents are stored on Amazon Web Services S3 with encryption at rest. Storage is currently in the United States (us-west-2).
- Application Hosting (Abacus.AI): The Sophion platform is hosted on Abacus.AI infrastructure in the United States.
- Database (PostgreSQL): Your account data, assessment results, and learning profiles are stored in a PostgreSQL database hosted by Abacus.AI in the United States.
- Payment Processing (Stripe): Stripe processes payments as an independent data controller. We do not store your card details.
- Analytics (Google Analytics): Anonymous usage statistics collected only with your explicit cookie consent.
- Email Delivery (Brevo S.A.S.): Transactional and marketing emails (e.g. waitlist confirmations, welcome emails, admin alerts) are sent via Brevo. Data shared includes your email address, first name, opt-in timestamps, and country code. Brevo infrastructure is located in the European Union (France/Germany).
We do not sell your personal data to third parties.
6.1 Sub-Processor Register
| Provider | Purpose | Data Location | Safeguards |
|---|---|---|---|
| Abacus.AI | Hosting, database, AI processing | United States (AWS us-west-2) | Data Processing Agreement; encryption at rest and in transit |
| Amazon Web Services | File storage (S3) | United States (us-west-2) | Standard Contractual Clauses; ISO 27001; SOC 2 Type II |
| Stripe Inc. | Payment processing | United States / Ireland | Independent controller; PCI DSS Level 1; EU-US DPF certified |
| Google LLC | Analytics (GA4) | United States | Cookie consent required; EU-US DPF certified |
| Brevo S.A.S. (formerly Sendinblue) | Transactional & marketing email delivery, waitlist contact management | European Union (France / Germany) | Data Processing Agreement (implied on account creation); ISO 27001; GDPR-compliant EU hosting |
7. Data Retention
- Account data: Retained while your account is active, deleted within 30 days of account deletion
- Documents: Retained while your account is active. You can delete individual documents at any time.
- Assessment data: Retained with version history while your account is active
- Transaction records: Retained for 7 years as required by financial regulations
- Security logs: Retained for 12 months
8. Your Rights
Under UK GDPR, you have the right to:
- Access: Request a copy of your personal data
- Rectification: Correct inaccurate data
- Erasure: Request deletion of your data ("right to be forgotten")
- Portability: Receive your data in a portable format
- Restriction: Request restriction of processing
- Objection: Object to processing based on legitimate interest
- Withdraw Consent: Withdraw consent at any time (e.g., cookie preferences)
To exercise these rights, contact us at [email protected]. We will respond within 30 days.
9. Cookies
We use essential cookies for authentication and session management. Analytics cookies (Google Analytics) are only set with your explicit consent via our cookie banner. You can change your cookie preferences at any time via the cookie settings in the app footer.
Email tracking: Marketing emails sent via Brevo may contain a small tracking pixel to measure open rates. Transactional emails (e.g. account verification, waitlist confirmation) do not include tracking pixels. No cookies are set on the Sophion website by Brevo.
10. International Data Transfers
Your personal data is currently stored and processed in the United States (account information, learning profile, assessment results, uploaded documents, and AI-generated personalised content). Email delivery is processed in the European Union (Brevo S.A.S., France/Germany). The United States does not have a blanket adequacy decision under UK GDPR; the EU does.
10.1 Legal Basis for Transfer
We rely on the following mechanisms to lawfully transfer your data to the United States:
- Standard Contractual Clauses (SCCs): Our infrastructure providers (AWS, Abacus.AI) operate under Standard Contractual Clauses approved by the ICO/European Commission, supplemented by technical measures including encryption at rest and in transit.
- EU-US Data Privacy Framework: Where applicable, our sub-processors (Stripe, Google) are certified under the EU-US Data Privacy Framework.
- Your Explicit Consent: When you create an account, you provide explicit consent to the international transfer of your data to the United States for processing, as described in this policy.
10.2 Supplementary Measures
In addition to contractual safeguards, we implement the following technical measures:
- All data is encrypted in transit (TLS 1.2+) and at rest (AES-256)
- Database access is restricted by network security groups and requires authentication
- Document content is encrypted with platform-managed keys before storage
- AI processing is transient — document content is not retained by the AI provider after processing
- Access to personal data is limited to authorised personnel on a need-to-know basis
10.3 Transfer Impact Assessment
We have conducted a Transfer Impact Assessment (TIA) evaluating the legal framework in the United States, including the US CLOUD Act and FISA Section 702. Based on this assessment, we have determined that the supplementary technical measures described above, combined with the contractual safeguards in place, provide an adequate level of protection for your data. A copy of the TIA summary is available on request from [email protected].
10.4 Your Right to Object
You have the right to object to the international transfer of your data. If you object, we may not be able to provide you with the Service, as the platform infrastructure is currently hosted in the United States. To exercise this right, contact [email protected].
10.5 Future Data Residency
We are actively exploring options for UK and EU data residency, including regional database hosting, to provide users with the option of having their data stored within their own jurisdiction. Updates will be communicated via this policy and in-app notifications.
11. Data Security
We implement appropriate technical and organisational measures to protect your data, including: encrypted storage, secure authentication (bcrypt password hashing, JWT sessions), rate limiting, content moderation, and audit logging.
12. Children's Privacy
The Service is not intended for children under 13. Users aged 13–17 may use the Service with parental consent. We implement age verification and parental consent mechanisms as required.
13. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes via email or in-app notification. The "Last updated" date at the top indicates the latest revision.
14. Contact & Complaints
For privacy enquiries: [email protected]
You have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk if you believe your data protection rights have been violated.