SOFI

Privacy Policy

What we collect, why we collect it, and what we do with it.

Last updated: May 10, 2026. This policy describes the privacy practices of SOFI.

1. Information we collect

We collect only the information needed to provide the SOFI platform:

  • Account: name, email, organization, role.
  • Payment: billing data processed via Stripe (we do not store card numbers).
  • Usage: provisioning, masking, refresh, and audit metrics needed to operate the service.
  • Support: ticket records and communications with our team.

2. Your database data

SOFI processes database metadata (schemas, column names, types, policy mappings) to detect PII and apply masking. In private deployments, production data, snapshots, and VDBs remain inside the customer environment unless a written agreement says otherwise.

DataSource passwords are encrypted with AES-256-GCM before they touch our storage. Customer-managed secrets can also be kept in your own vault or secret manager when configured for private deployment.

3. How we use your information

  • Operate and improve the SOFI platform.
  • Bill for active subscription usage.
  • Notify you of critical updates, security, and contractual changes.
  • Respond to support and investigate reported bugs.

We do not sell your data. We do not use your data to train third-party models.

4. Sharing with third parties

We share data only with essential subprocessors:

  • Infrastructure providers — only where SOFI hosts account or support systems.
  • Payment processors — billing and invoicing where applicable.
  • Observability providers — error and performance telemetry, configured to avoid production data.
  • Support systems — tickets and implementation communications.

5. Your rights (LGPD/GDPR)

Under LGPD and GDPR, you have the right to access, correct, export, and delete your personal data. To exercise any right, write to dpo@sofi.io.

6. Data retention

We keep your data while your account is active. After cancellation, we delete backups and data within 90 days, except where required by law to retain longer (tax, contractual).

7. Cookies

We use essential cookies for authentication (httpOnly, secure) and anonymized analytics. We do not use ad cookies or cross-site tracking.

8. Changes

Material changes to this policy will be notified to administrators by email or contractual notice at least 30 days before they take effect.

9. Contact

DPO: dpo@sofi.io
General privacy: privacy@sofi.io