Privacy Policy

Last updated: March 2026

1. Information We Collect

Account data: When you sign in with Google, we receive your name, email, and profile picture from Google OAuth.

Session data: The messages you exchange with Sorca during sessions, including timestamps and depth levels.

Payment data: Subscription payments are processed by Stripe. We do not store your card details. We store your Stripe customer ID and subscription status.

Usage data: Session counts, feature usage, and basic analytics.

2. How We Use Your Data

Session continuity: Your session history powers the Thread feature, allowing Sorca to reference past conversations.

Service improvement: Aggregated, anonymised usage patterns help us improve Sorca.

Billing: To manage your subscription and enforce usage limits.

We do not sell your data. We do not use your conversations to train AI models.

2a. Therapy Edition Data (If Applicable)

If you use Sorca's therapy-support features, we also collect:

  • Therapy profile: Session schedule, therapist name (if provided), and therapy-related preferences.
  • Homework data: Assignments, check-in responses, and completion progress.
  • Session debriefs: Post-therapy reflections and key insights.
  • Coping anchors: Grounding techniques you save.
  • Week summaries: AI-generated weekly reflections.

Therapist sharing: If you grant consent to share data with a therapist, they will be able to view the specific categories you've consented to (week summaries, homework progress, pattern alerts, or mood data). This consent is explicit, revocable at any time, and fully audited per GDPR Article 7.

Safe messaging mode: If distress patterns are detected, Sorca may automatically engage grounding mode. This is for your safety and does not involve human review unless you explicitly contact support.

3. Data Storage

Your data is stored in Google Cloud Firestore (Firebase). Data is encrypted at rest and in transit. Servers are located in the United States and Europe.

Session data is also cached in your browser's localStorage as a fallback.

4. Third-Party Services

Google Gemini: Your messages are sent to Google's Gemini API to generate Sorca's questions. See Google's AI privacy policy for details.

Stripe: Payment processing. See Stripe's privacy policy.

Firebase Authentication: For secure sign-in. See Google's privacy policy.

5. Cookies

We use essential cookies for authentication and session management. We do not use advertising or tracking cookies.

6. Your Rights

Under GDPR and similar regulations, you have the right to:

  • Access all data we hold about you
  • Request correction of inaccurate data
  • Request deletion of your data
  • Export your data in a portable format
  • Object to processing of your data

To exercise these rights, contact us via the project repository.

7. Data Retention

Session data is retained for as long as your account exists. If you delete your account, all associated data will be permanently deleted within 30 days.

8. Children

Sorca is not intended for users under 16 years of age. We do not knowingly collect data from children.

9. Changes to This Policy

We may update this policy periodically. We will notify you of significant changes via the application.