Privacy Policy

Last updated: 25 March 2026 · Effective: 25 March 2026 · Version 1.0

    This Privacy Policy explains how THC Projects SRL ("Soemel", "we", "us", "our") collects, uses, and protects your personal data when you use our services. We are committed to full compliance with the General Data Protection Regulation (GDPR) (EU) 2016/679 and Romanian data-protection law.
  

1. Data Controller

The data controller responsible for your personal data is:

Company: THC Projects SRL
Address: Craiova, Dolj County, Romania
Email: support@soemel.com
DPO / Privacy Contact: support@soemel.com

If you have any questions or concerns about how we handle your personal data, please contact us at the address above. We will respond within 30 days.

2. What Data We Collect

2.1 Account Information

When you register, we collect:

Name and/or display name
Email address
Phone number (for WhatsApp/Telegram integration)
Subscription plan and billing history
Account preferences and settings

2.2 Conversation Metadata

We log metadata about your sessions for operational purposes, including:

Timestamps of conversations
Message counts per session
Session identifiers and channel type (WhatsApp, Telegram, web)
Feature usage statistics (e.g. which tools were invoked)

    We do NOT store the content of your conversations. Your prompts and the AI's responses are processed in real time to generate a reply and are then discarded. We do not use conversation content for training AI models, and we do not retain message text on our servers after a session ends.
  

2.3 Payment Information

Payments are handled by Stripe, Inc. We receive from Stripe only tokenised references to your payment method (e.g. last 4 digits, card type, expiry). We never see or store your full card number or CVV.

2.4 Technical Data

IP address and approximate geolocation (country/city level)
Browser type and operating system (web interface only)
Error logs and crash reports (anonymised where possible)

2.5 Cookies & Tracking

We use minimal, strictly necessary cookies for session authentication. We do not use third-party advertising cookies or tracking pixels. See Section 7 for details.

3. How We Use Your Data

Purpose	Legal Basis (GDPR)
Providing the Soemel service (account management, AI responses)	Article 6(1)(b) — performance of contract
Processing payments and managing subscriptions	Article 6(1)(b) — performance of contract
Sending transactional emails (receipts, security alerts)	Article 6(1)(b) — performance of contract
Improving platform reliability and fixing bugs	Article 6(1)(f) — legitimate interests
Complying with legal obligations (tax records, GDPR requests)	Article 6(1)(c) — legal obligation
Sending product updates and marketing emails (optional)	Article 6(1)(a) — consent (opt-in)

We do not sell your personal data to third parties. We do not use your data for automated decision-making that produces legal or similarly significant effects without human review.

4. Data Retention

Account data: Retained for the duration of your account plus 90 days after deletion (to allow recovery from accidental deletion), then permanently erased.
Conversation metadata: Retained for up to 12 months for operational analytics, then deleted.
Conversation content: Not retained — discarded after processing.
Billing records: Retained for 5 years as required by Romanian and EU tax law.
Technical logs: Retained for up to 90 days, then automatically deleted.

5. Your Rights Under GDPR

As a data subject under the GDPR, you have the following rights:

Right of Access: Request a copy of the personal data we hold about you.
Right to Rectification: Ask us to correct inaccurate or incomplete data.
Right to Erasure ("Right to be Forgotten"): Request deletion of your personal data. We will action erasure requests within 30 days. Note: billing records may be retained as required by law.
Right to Data Portability: Receive your data in a machine-readable format (JSON or CSV) for transfer to another service.
Right to Restriction of Processing: Ask us to limit how we process your data in certain circumstances.
Right to Object: Object to processing based on legitimate interests, including profiling.
Right to Withdraw Consent: Where processing is based on consent (e.g. marketing emails), you may withdraw consent at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, email support@soemel.com with subject line "GDPR Request – [right]". We will verify your identity and respond within 30 days.

You also have the right to lodge a complaint with the Romanian supervisory authority: Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal (ANSPDCP) — www.dataprotection.ro.

6. International Transfers

We are an EU-based company (Romania) and process data primarily within the EU/EEA. However, some of our third-party service providers (Anthropic, Google, Stripe) may process data outside the EU. In such cases, we ensure adequate safeguards are in place, such as:

EU Standard Contractual Clauses (SCCs) where applicable
Adequacy decisions by the European Commission
Privacy Shield successor frameworks where applicable

7. Cookies

We use the following cookies:

Cookie	Type	Purpose	Duration
session_token	Strictly Necessary	Authenticates your logged-in session	Session / 30 days
csrf_token	Strictly Necessary	Prevents cross-site request forgery	Session

We do not use advertising, analytics, or social-media tracking cookies. No third-party cookies are set on soemel.com.

8. Third-Party Service Providers

We share limited personal data with the following trusted sub-processors to operate the service:

Provider	Role	Data Shared	Location
Anthropic, Inc.	AI model (Claude)	Conversation content (real-time, not stored)	USA (SCCs apply)
Google LLC	AI model (Gemini)	Conversation content (real-time, not stored)	USA/EU (SCCs apply)
Stripe, Inc.	Payment processing	Email, billing info	USA/EU (SCCs apply)
Hetzner Online GmbH	Server hosting	All data (hosting provider)	Germany (EU)

We do not sell, rent, or share your personal data with advertisers or data brokers.

9. Data Security

We implement industry-standard technical and organisational measures to protect your personal data, including:

TLS/HTTPS encryption for all data in transit
Encrypted storage for sensitive account fields
Access controls limiting data access to authorised personnel only
Regular security reviews and dependency updates

In the event of a personal data breach that poses a risk to your rights, we will notify you and the relevant supervisory authority within 72 hours as required by GDPR Article 33.

10. Children's Privacy

Soemel is not directed at children under 16. We do not knowingly collect personal data from children under 16. If you become aware that a child has provided us with personal data, please contact us at support@soemel.com and we will delete it promptly.

11. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will update the "Last updated" date at the top and notify you by email or in-app notification at least 14 days before the changes take effect. Continued use of Soemel after that date constitutes acceptance of the updated policy.

12. Contact & DPO

For any privacy-related questions, data subject requests, or to contact our Data Protection Officer:

Email: support@soemel.com
Subject line: "GDPR Request" or "Privacy Inquiry"
Company: THC Projects SRL, Craiova, Romania