Sofile

Legal

Privacy Policy

Last updated
Last updated: June 1, 2026
Version
Version: 2.1

1. Introduction

Sofile Tech LLC ("Sofile", "we", "us", or "our") is committed to protecting your personal data. This Privacy Policy explains what personal data we collect, how we use it, who we share it with, and what rights you have in relation to it.

This policy applies to all users of the Sofile platform accessible at www.sofile.io (the "Service"). It covers data collected via the web application, marketing website, and any related communications.

We act as the data controller for personal data processed under this policy. Our contact details are at the end of this document.

2. Data We Collect and Why

2.1 Account Data

When you register for the Service, we collect:

  • Email address — used to identify your account, send transactional notifications, and provide support.
  • Password — stored in hashed form via AWS Cognito. We never store or have access to your plaintext password.

Legal basis: Performance of a contract (Art. 6(1)(b) GDPR).

2.2 Storage Provider Credentials

To connect third-party storage providers, you provide credentials such as:

  • AWS Access Key ID and Secret Access Key
  • Backblaze application key ID and application key
  • IBM COS API credentials
  • Google Cloud Storage service account keys
  • OAuth 2.0 tokens for Google Drive, Dropbox, and Microsoft OneDrive

These credentials are encrypted at rest using industry-standard encryption and in transit via TLS. They are used exclusively to perform storage operations on your behalf within the Service. They are never shared with third parties, used for any purpose other than executing the Service, or accessed by Sofile personnel except in the case of a documented support request with your explicit consent.

Legal basis: Performance of a contract (Art. 6(1)(b) GDPR).

2.3 Usage and Analytics Data

Website analytics (www.sofile.io)

We use Google Analytics 4 (GA4) to collect anonymized usage data on our marketing website, including pages visited, general geographic region (country-level), browser type and operating system, and session duration. GA4 is configured with IP anonymization enabled. Analytics cookies are only placed after explicit consent via our cookie banner for EU users. We do not use this data for advertising, profiling, or behavioral targeting.

Plugin analytics (Sofile Adobe plugin)

We use Mixpanel to collect anonymized product usage events within the Sofile plugin to understand how users interact with the product and where they encounter difficulties. Events include feature interactions and navigation patterns. No file content, storage credentials, or personally identifiable information is included in these events. Mixpanel receives an anonymized user identifier, not your email or name.

Legal basis: Consent (Art. 6(1)(a) GDPR) for EU users; Legitimate interests (Art. 6(1)(f) GDPR) for non-EU users.

2.4 Technical and Log Data

Our hosting infrastructure (AWS) automatically collects standard server log data, including IP addresses, access timestamps, and request metadata. This data is used for security monitoring and operational purposes and is retained for up to 90 days.

Legal basis: Legitimate interests (Art. 6(1)(f) GDPR) — specifically, the interest in maintaining the security and integrity of the Service.

2.5 Payment Data

We do not collect or store payment information. All payment processing is handled by Paddle.com Market Limited, our Merchant of Record. When you make a purchase, you transact directly with Paddle. We receive only a confirmation of payment status (success or failure) — no card numbers, bank details, or billing addresses are transmitted to or stored by us. Paddle's privacy policy applies to all payment data: paddle.com/privacy.

3. Data We Do Not Collect

For clarity, Sofile does not collect or store:

  • Your media files, videos, photos, or documents. All files remain on your connected storage providers.
  • Phone numbers or physical addresses.
  • Sensitive personal data (health, ethnicity, political opinions, etc.).
  • Data from children under 18 years of age.

4. Cookies

4.1 Essential Cookies

We use session cookies set by AWS Cognito to maintain your authenticated session. These are strictly necessary for the Service to function and do not require consent.

4.2 Analytics Cookies

We use Google Analytics 4 cookies (_ga, _ga_*, _gid) to collect the anonymized usage data described in section 2.3. For users in the European Economic Area (EEA) and UK, these cookies are only placed after you explicitly consent via our cookie banner. You may decline or withdraw consent at any time; this will not affect your ability to use the Service.

4.3 Managing Cookies

You can manage cookie preferences at any time via the cookie settings link in the footer of our website, or by adjusting your browser settings. Note that disabling essential cookies may prevent the Service from functioning correctly.

5. How We Share Your Data

We share personal data only with the following categories of recipients, and only to the extent necessary:

5.1 AWS (Amazon Web Services)

AWS provides our cloud infrastructure, including Cognito for user authentication and database services for storing encrypted credentials. AWS acts as a data processor under our instruction. AWS maintains EU-US Data Privacy Framework certification and provides Standard Contractual Clauses for international data transfers. AWS Privacy: aws.amazon.com/privacy.

5.2 Paddle

Paddle acts as our Merchant of Record and processes payments independently. They are an independent data controller for billing data. Paddle Privacy: paddle.com/privacy.

5.3 Google (Analytics)

Google LLC processes anonymized analytics data on our behalf via GA4. Data is processed in accordance with Google's data processing terms. Google Privacy: policies.google.com/privacy.

5.4 Mixpanel

Mixpanel Inc. processes anonymized product analytics events from the Sofile plugin on our behalf. Mixpanel Privacy: mixpanel.com/legal/privacy-policy.

5.5 No Sale of Data

We do not sell, rent, or trade your personal data to any third party for commercial purposes.

6. International Data Transfers

Sofile Tech LLC is based in Armenia. Your data is stored and processed on AWS infrastructure in the EU (Amazon Web Services Europe S.a.r.l., Luxembourg) and potentially US regions. AWS provides appropriate safeguards for international transfers including Standard Contractual Clauses (SCCs) approved by the European Commission.

Google Analytics data may be processed in the United States. Google LLC is certified under the EU-US Data Privacy Framework.

7. Data Retention

We retain your personal data for the following periods:

  • Account data (email): Retained for the duration of your account. Deleted within 30 days of account deletion request.
  • Encrypted storage credentials: Deleted immediately upon disconnection of the relevant storage provider, or within 30 days of account deletion.
  • Server logs: Retained for up to 90 days.
  • Analytics data: Retained in GA4 for 14 months (Google's minimum configurable retention period) in anonymized/aggregated form.

Transaction records held by Paddle are subject to Paddle's retention policy for tax and legal compliance purposes.

8. Your Rights

Depending on your location, you may have the following rights regarding your personal data:

  • Right of access (Art. 15 GDPR): Request a copy of the personal data we hold about you.
  • Right to rectification (Art. 16 GDPR): Request correction of inaccurate or incomplete data.
  • Right to erasure (Art. 17 GDPR): Request deletion of your personal data. You may also delete your account directly via the account settings panel.
  • Right to restriction (Art. 18 GDPR): Request that we limit the processing of your data in certain circumstances.
  • Right to data portability (Art. 20 GDPR): Request your account data in a structured, machine-readable format.
  • Right to object (Art. 21 GDPR): Object to processing based on legitimate interests.
  • Right to withdraw consent: Where processing is based on consent (e.g., analytics cookies), you may withdraw consent at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, contact us at info@sofile.io. We will respond within 30 days. We may need to verify your identity before processing your request.

If you are an EU resident and believe we have not handled your data in accordance with applicable law, you have the right to lodge a complaint with your national data protection supervisory authority.

9. Security

We implement appropriate technical and organizational measures to protect your personal data, including:

  • Encryption of all storage credentials at rest using industry-standard encryption.
  • TLS encryption for all data in transit.
  • Access controls limiting data access to authorized personnel only.
  • Regular review of security practices.

No method of transmission over the internet or electronic storage is 100% secure. While we strive to protect your data, we cannot guarantee absolute security.

10. Children

The Service is not directed at or intended for use by individuals under 18 years of age. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, please contact us at info@sofile.io and we will delete it promptly.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or via a notice in the Service at least 14 days before the changes take effect. The current version is always available at www.sofile.io.

12. Contact and Data Controller

If you have any questions about this Privacy Policy or wish to exercise your rights, please contact:

Sofile Tech LLC
59 Komitas, ap. 205, Yerevan, Armenia, 0014
Email: info@sofile.io
Website: https://www.sofile.io