[ LEGAL ]

Privacy Policy

Last updated: January 1, 2025

Contents

  1. 1. Overview
  2. 2. Data We Collect
  3. 3. How We Use Your Data
  4. 4. Data Sharing & Third Parties
  5. 5. Data Security
  6. 6. Data Retention
  7. 7. Your Rights
  8. 8. Children's Privacy
  9. 9. Changes to This Policy
  10. 10. Contact

01.Overview

SovereignML ("we", "us", or "our") operates the SovereignML AI operations platform at sovereignml.com. This Privacy Policy explains what data we collect, why we collect it, how we use it, and your rights regarding your personal information. By creating an account or using our services, you agree to the collection and use of information as described in this policy. If you do not agree, please discontinue use of the platform.

02.Data We Collect

Account Information

When you register, we collect your name, email address, and password (stored as a bcryptjs hash — never in plaintext). If you sign in via Google OAuth, we receive your name, email, and profile picture from Google.

Agent & Deployment Data

We store the configuration of every agent you deploy: project name, region, compute tier, billing interval, and extra storage. We also generate and store a mock IP address for each agent. Root passwords, if provided, are encrypted at rest using AES-256-GCM with a per-instance initialization vector.

Billing Information

Billing is processed by Stripe. We do not store credit card numbers or payment details on our servers. We store Stripe subscription IDs, plan identifiers, billing intervals, status, and renewal dates. Your payment method is stored and managed exclusively by Stripe.

SSH Keys

If you add SSH keys via the dashboard, we store the public key material and fingerprint. Private keys are never transmitted to or stored by us.

Social & Contact Data

Optionally, you may add a Telegram ID, Twitter/X handle, or Discord ID to your account profile. This information is stored only if you provide it and can be removed at any time from Account Settings.

Usage & Log Data

We collect server-side logs for debugging and operational purposes. Logs may include request timestamps, endpoint paths, HTTP status codes, and error messages. Logs do not contain request bodies or sensitive user data.

Cookies & Sessions

We use JWT-based session cookies (via NextAuth v5) to keep you authenticated. These are httpOnly, secure cookies that do not contain your password or payment information — only a signed token encoding your user ID and role.

03.How We Use Your Data

  • To create and maintain your account
  • To provision, manage, and monitor your AI agents
  • To process payments and manage subscriptions via Stripe
  • To send transactional emails (password resets, deployment confirmations) via Resend
  • To enforce platform security, detect abuse, and apply rate limits
  • To provide customer support when you contact us
  • To improve the platform based on aggregate, anonymized usage patterns

04.Data Sharing & Third Parties

Stripe

Payment processing. Stripe's Privacy Policy applies to payment data. We share only what Stripe requires to process transactions — your email and subscription details.

Resend

Transactional email delivery. We share your email address with Resend solely to deliver platform emails (password resets, notifications). Resend does not use your data for marketing.

Google

If you use Google OAuth, Google shares your name, email, and profile picture with us per Google's OAuth scope. We do not share data back to Google.

No Advertising

We do not sell, rent, or share your personal data with advertisers, data brokers, or any third parties for marketing purposes.

Legal Requirements

We may disclose your data if required by law, court order, or to protect the rights and safety of SovereignML, our users, or the public.

05.Data Security

We implement industry-standard security measures: • Passwords are hashed with bcryptjs (10 salt rounds) — never stored or logged in plaintext • Root passwords are encrypted at rest using AES-256-GCM with per-instance IVs • Password reset tokens are stored as SHA-256 hashes — the plaintext token only ever exists in the reset email link • All data queries are scoped to your user ID — cross-user data access requires admin role • Session cookies are JWT-signed with a secret key, httpOnly, and secure • HTTPS is enforced on all production endpoints No system is completely secure. We encourage you to use a strong, unique password and enable two-factor authentication on any email account associated with SovereignML.

06.Data Retention

We retain your data for as long as your account is active. If you delete your account: • Your profile, agents, subscriptions, and SSH keys are permanently deleted from our database • Active Stripe subscriptions are cancelled • Server logs may retain anonymized request metadata for up to 30 days for operational purposes • Backup snapshots may retain data for up to 14 days before permanent deletion You can request account deletion by contacting us at the address below.

07.Your Rights

Depending on your jurisdiction, you may have the following rights: • Access: Request a copy of the personal data we hold about you • Correction: Update inaccurate or incomplete data via Account Settings • Deletion: Request permanent deletion of your account and associated data • Portability: Request your data in a structured, machine-readable format • Restriction: Request that we limit processing of your data in certain circumstances • Objection: Object to processing based on legitimate interests To exercise any of these rights, contact us at the address below. We will respond within 30 days.

08.Children's Privacy

SovereignML is not directed at children under 16. We do not knowingly collect personal information from anyone under 16. If we become aware that we have collected personal information from a child, we will delete it promptly.

09.Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will update the "Last Updated" date at the top of this page. For material changes, we will notify you by email or via a notice on the platform before the change takes effect. Continued use of SovereignML after changes take effect constitutes acceptance of the updated policy.

10.Contact

For privacy-related questions, data requests, or to report a concern, contact us at: SovereignML Email: privacy@sovereignml.com Website: sovereignml.com

© 2026 SovereignML. All rights reserved.

Terms of ServiceSLA