Legal · GDPR · last updated 2026-05-27

Privacy Policy

What we collect, what we never collect, and who else touches your data. We deliberately keep the surface small — passwords, phone numbers, and analytics aren't on this list because we don't collect them.

On this page
  1. Who we are
  2. What we collect
  3. What we never collect
  4. Sub-processors
  5. Cookies
  6. Your rights (GDPR)
  7. Retention periods
  8. International transfers
  9. Security
  10. Children
  11. Contact

1. Who we are

SoKKoS AI — eenmanszaak (sole proprietorship in the Netherlands), KvK 42029374, BTW-id NL005441743B74, Beuningen, Gelderland, NL. Contact: hello@sokkosai.com. We're the data controller for everything described below.

2. What we collect

The smallest amount that lets us run an agent for you and send you a receipt.

  • Email address — required for authentication (magic-link or Google OAuth) and billing notifications. Stored in Azure Table Storage (West Europe).
  • Google profile basics (name, picture) — only if you choose “Sign in with Google”. Used to greet you in the dashboard. Disconnect any time and we delete the cached copy.
  • IP address — logged for rate-limiting and fraud prevention. Kept for up to 30 days in raw form, then hashed (one-way) for aggregate stats.
  • Payment metadata — transaction IDs, amount, currency, method (SEPA / iDEAL / card / PayPal). Processed by Mollie B.V. in Amsterdam. We never see your card number or bank credentials — only the receipt.
  • Server logs — request paths, response codes, timing. No request bodies. Retained 30 days for debugging, then rotated.

3. What we never collect

  • Passwords. Sign-in is magic-link (email) or Google OAuth only. We have nothing to leak.
  • The content of your AI API keys. Your Google Gemini / OpenAI / Anthropic keys are encrypted at rest inside your VPS container; the decryption key never leaves the container.
  • Voice recordings beyond live processing. If you use the voice agent, audio is streamed to the model provider in real time and discarded immediately after the response. We do not persist recordings.
  • Tracking / analytics cookies. No Google Analytics, no Meta Pixel, no Hotjar — nothing of that family. See §5.
  • Phone numbers. Support is asynchronous; we have no phone field.

4. Sub-processors

To run the service we rely on a small set of named processors. Each has its own privacy policy you can read.

  • Google LLC — Sign in with Google (OAuth) & Gemini API. policies.google.com/privacy
  • Mollie B.V. (Amsterdam, NL) — payment processing. mollie.com/privacy
  • Resend — transactional email (magic-link, billing receipts). resend.com/legal/privacy-policy
  • Microsoft Azure — hosting for the public site and customer database (region: West Europe / Sweden Central).
  • Cloudflare, Inc. — DNS, edge proxy, DDoS mitigation.
  • Hetzner Online GmbH — per-customer VPS hosting (region: Germany or Finland, your choice or auto-selected by proximity).

If we add or change a sub-processor that materially affects what data is processed, we'll update this page and notify active customers by email at least 30 days before the change takes effect (see Terms §10).

5. Cookies

We set one cookie — the session cookie that keeps you signed in.

  • Name: __Host-session (HttpOnly, Secure, SameSite=None)
  • Lifetime: 90 days, sliding window
  • Domain: .sokkosai.com
  • Purpose: maintaining your authenticated session across requests

No analytics cookies. No advertising cookies. No third-party tracking pixels. You don't need a cookie banner because the session cookie is strictly necessary (Art. 5(3) ePrivacy exemption) and that's all there is.

6. Your rights (GDPR Articles 15–22)

If you're in the EU/EEA, you have the right to:

  • Access — ask what data we hold about you.
  • Rectify — correct anything that's wrong.
  • Erase (“right to be forgotten”) — delete your account and associated data.
  • Restrict — pause processing while a question is unresolved.
  • Port — receive a machine-readable copy of your data.
  • Object — object to processing based on legitimate interest.

Most of these are self-service in your dashboard. For anything that isn't, email hello@sokkosai.com and we'll respond within 30 days. See the GDPR rights page for the exact request format and how each right maps to a self-service action.

7. Retention periods

  • Account record — until you delete your account.
  • Session cookie — 90 days, sliding (resets on each visit).
  • Magic-link tokens — 15 minutes, then unconditionally purged.
  • Payment records — 7 years (mandatory under Dutch tax law, Art. 52 AWR).
  • Server logs — 30 days raw, then aggregated.
  • IP addresses — 30 days raw, then hashed.
  • VPS container after cancellation — 7 days grace, then destroyed (see Terms §7).

8. International transfers

Your core data stays inside the EU/EEA — Azure (West Europe / Sweden Central), Hetzner (Germany / Finland), Mollie (Amsterdam).

Two named processors may transfer data outside the EU under Standard Contractual Clauses (SCCs) approved by the European Commission:

  • Google (OAuth login + Gemini API) — some processing may occur in the US.
  • Cloudflare — edge proxy with global PoPs; traffic may transit US infrastructure even though your origin is in the EU.

Both processors have signed SCCs and publish their cross-border safeguards. You can opt out of Google by using magic-link sign-in and bringing an EU-region API key from another provider.

9. Security

  • TLS 1.3 for everything in transit (Cloudflare-terminated, modern cipher suites).
  • HttpOnly + Secure + SameSite=None cookies; not readable by JavaScript.
  • Encryption at rest on Azure Storage (AES-256) and on Hetzner volumes (LUKS).
  • No plaintext passwords stored anywhere — we don't accept them in the first place.
  • Secrets in a KV store, not in code repositories.
  • Least-privilege access — the one admin account uses hardware-key 2FA.

If you find a security issue, please email hello@sokkosai.com with “security” in the subject. We acknowledge within 48h.

10. Children

The service is not directed at people under 16. We don't knowingly collect data from minors. If you believe a minor has signed up, email us and we'll delete the account.

11. Contact & complaints

Data-protection questions — hello@sokkosai.com. We respond within 30 days.

You can also lodge a complaint with the Dutch supervisory authority: Autoriteit Persoonsgegevens.

SoKKoS AI
KvK 42029374 · BTW NL005441743B74
Beuningen, Gelderland, NL
Last updated 2026-05-27
