Privacy Policy

1. Who We Are

Sodasoft LLC is the data controller for personal data processed through the LegalBanner platform.

2. Information We Collect

3. How We Use Your Information

We use your information to provide, maintain, and improve the Service; process payments and send billing information; send important service notifications; respond to support requests; monitor for security threats and prevent abuse; and comply with legal obligations.

4. Legal Basis for Processing (GDPR)

For users in the European Economic Area (EEA) and the United Kingdom, we process your data under the following legal bases per Article 6 of the GDPR:

• Contract performance (Art. 6(1)(b)): Processing necessary to provide the Service under our Terms of Use
• Legitimate interests (Art. 6(1)(f)): Analytics, security, fraud prevention, and product improvement
• Consent (Art. 6(1)(a)): Optional analytics and marketing communications (you may withdraw at any time)
• Legal obligation (Art. 6(1)(c)): Compliance with applicable laws and regulations

5. Third-Party Data Processors

We share your data with trusted service providers who process it on our behalf:

• Supabase — Database and authentication (hosted in AWS eu-west-2)
• Stripe, Inc. — Payment processing (United States)
• Vercel, Inc. — Application hosting and edge delivery (Global CDN)
• Resend, Inc. — Transactional email (United States)

6. Data Retention

Account data is retained for the duration of your account plus 30 days after deletion. Consent event logs are retained for 7 days (Free plan), 1 year (Starter), or 5 years (Pro). Payment records are retained for 7 years as required by law. Audit logs are retained for 2 years.

7. Your Rights (GDPR — EEA and UK Users)

Under the GDPR, you have the right to access your personal data (Art. 15), correct inaccurate data (Art. 16), request deletion of your data (Art. 17), receive your data in a portable format (Art. 20), restrict how we use your data (Art. 18), object to processing based on legitimate interests (Art. 21), and lodge a complaint with your local supervisory authority (such as the ICO for UK residents).

To exercise any of these rights, email support@legalbanner.com with the subject "Data Rights Request."

8. Your Rights (CCPA — California Residents)

California residents have the right to know what personal information we collect, use, and share; delete personal information we have collected; opt out of the sale of personal information (note: we do not sell personal data); and non-discrimination for exercising CCPA rights.

To submit a CCPA request, email support@legalbanner.com with the subject "CCPA Request."

9. International Data Transfers

Sodasoft is based in the United States. If you access the Service from the EEA or UK, your data may be transferred to and processed in the United States. We rely on Standard Contractual Clauses (SCCs) approved by the European Commission as the transfer mechanism for these transfers.

10. Security

We implement industry-standard security measures including encryption of data in transit (TLS 1.2+), encryption of data at rest (AES-256), Row-Level Security (RLS) on all database tables, and regular security reviews. No internet transmission is 100% secure. We cannot guarantee absolute security.

11. Children's Privacy

The Service is not directed to children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.

12. Changes to This Policy

We may update this Privacy Policy periodically. We will notify you of material changes by email or via a notice in the Service at least 14 days before they take effect.

13. Contact Us

For privacy inquiries and data requests: