Soma

Privacy policy

Last updated: 20 May 2026

1. Who is responsible

The controller within the meaning of the EU General Data Protection Regulation (GDPR) is:

Rosa Garcia-Verdugo
Langgewann 18
69121 Heidelberg
Germany
Email: rosa@somaintegral.io
Phone: +49 176 70548212

2. Scope of this policy

This policy explains how personal data is processed when you visit somaintegral.io, submit the design-partner application form, or contact us by email. Soma is currently a pre-launch marketing website. The product itself (knowledge base, AI agents, document workflows) is not yet available through this site; the described data processing only covers the marketing website and the limited token-gated areas referenced in section 3(e).

3. Data we process

a) Server log files

Each request to this site is logged by our hosting provider (Vercel Inc., 440 N Barranca Avenue #4133, Covina, CA 91723, USA). Log entries include the IP address, timestamp, user-agent, referrer, and the URL requested. These logs are used exclusively to operate, secure, and debug the service.

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in a stable, secure web service). Vercel acts as a processor under a Data Processing Agreement; data may be processed in the United States under the EU–US Data Privacy Framework (Vercel is certified). Retention: typically 30 days.

b) Design-partner application form

When you submit the form on this site, we process: your name, role, company name, company size, work email, therapeutic area, and the free-text description of the problem you want Soma to solve. The data is sent by email to the controller and used solely to evaluate your fit for the design-partner cohort and to respond to you.

Legal basis: Art. 6(1)(b) GDPR (steps prior to entering into a contract) and Art. 6(1)(f) GDPR (legitimate interest in evaluating partnership fit). Retention: applications are kept for up to 24 months after the last contact, then deleted. Earlier deletion is possible on request.

c) Email contact

If you contact us by email, the contents of your message, your email address, and any voluntarily provided information are processed for the purpose of handling your enquiry. Legal basis: Art. 6(1)(b) and (f) GDPR.

d) Cookieless reach measurement

If you opt in to analytics (see section 4), we run a small, self-hosted reach-measurement system. No third-party analytics provider (Google, Plausible, Vercel Analytics) is used. Per page-view we store: the path you visited, the referrer domain (host only, no path), an anonymous session ID generated locally in your browser’s sessionStorage (which expires when you close the tab and is never shared cross-site), a coarse device class (mobile / desktop / tablet / bot), the country code derived from your IP at the network edge, the time you stayed on the page, and how far you scrolled. We do not store your IP address, your user-agent string, or any persistent cookie.

Legal basis: § 25(1) TDDDG (storage in your sessionStorage) and Art. 6(1)(a) GDPR (consent). Retention: 90 days. The data is stored in our database (see section 5 — Database processor).

e) Token-gated areas (/launch, /pitch)

Two areas of the site are personally invited and only reachable with a one-time link: /launch (a founder-onboarding wizard) and /pitch (the investor pitch deck). If you receive such a link and use it:

  • /launch — the wizard collects the information you enter (text answers plus any files you choose to attach; typical files are brand assets, screenshots, or short notes). On submit, all answers and attachments are emailed via Brevo (see section 6) to the controller; a copy of the answers is also stored in our database (see section 5). Attachment size limit: 25 MB total per submission. We do not run automated processing on attachments. Legal basis: Art. 6(1)(b) GDPR (contract preparation) and Art. 6(1)(f) GDPR (operating the onboarding workflow). Retention: up to 24 months after the last contact.
  • /pitch — pure presentation page, no input. We do not record visits or scroll behaviour on this route (it is explicitly excluded from the analytics in section 3(d)).

If you have received such a link without expecting it, please email us at rosa@somaintegral.io and we will invalidate it.

4. Cookies and consent

Soma uses a granular consent system with three categories. Your decision is stored in your browser’s localStorage under the key soma-consent-v1. You can change or revoke your decision at any time via the “Cookie settings” link in the footer.

  • Necessary — always active. Required for the consent decision itself, basic security, and accessibility. No legal basis required beyond § 25(2) no. 2 TDDDG.
  • Analytics — optional. Enables our self-hosted cookieless reach measurement described in section 3(d). No third-party analytics provider is used. No browser cookie is set; an anonymous session ID is stored in sessionStorage for the duration of the tab. Legal basis: § 25(1) TDDDG and Art. 6(1)(a) GDPR.
  • Marketing — optional. Reserved for external embeds (e.g. video, social media). Currently no marketing cookies are loaded. Legal basis if and when activated: § 25(1) TDDDG and Art. 6(1)(a) GDPR.

5. Hosting and database

a) Hosting (Vercel)

This website is hosted by Vercel Inc. Static assets are served from Vercel’s global edge network; dynamic requests are processed in the Frankfurt (Germany) region by default. A Data Processing Agreement under Art. 28 GDPR is in place. Vercel may transfer data to the United States; such transfers are covered by the EU–US Data Privacy Framework and, where applicable, Standard Contractual Clauses.

More information: vercel.com/legal/privacy-policy.

b) Database processor (Neon)

Where the data described in sections 3(b), 3(d), and 3(e) is persisted to a database, we use Neon (Neon Inc., 209 Park Road, Burlingame, CA 94010, USA) as a managed Postgres provider. Neon is provisioned through the Vercel Marketplace and configured to run in the EU (Frankfurt) region. A Data Processing Agreement under Art. 28 GDPR is in place. Any data transfers to the United States are covered by the EU–US Data Privacy Framework (Neon is certified) and, where applicable, Standard Contractual Clauses.

More information: neon.com/privacy-policy.

6. Form submission backend (Brevo)

Form submissions are delivered by email through Brevo (Sendinblue SAS, 7 rue de Madrid, 75008 Paris, France). Brevo processes the email content (your form inputs and your email address) strictly to deliver the message. A Data Processing Agreement under Art. 28 GDPR is in place. Brevo is an EU-based provider and processes the data within the European Union. More information: brevo.com/legal/privacypolicy.

7. External links

The site links to LinkedIn (a service of LinkedIn Ireland Unlimited Company). No content from LinkedIn is loaded until you actively click such a link. Once you do, LinkedIn’s own privacy policy applies.

8. Your rights under the GDPR

With respect to your personal data, you have the right of access (Art. 15), to rectification (Art. 16), to erasure (Art. 17), to restriction of processing (Art. 18), to data portability (Art. 20), and to object to processing (Art. 21). Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of past processing.

To exercise any of these rights, contact us at rosa@somaintegral.io. You also have the right to lodge a complaint with a supervisory authority — the competent authority for the controller is the Landesbeauftragte für den Datenschutz und die Informationsfreiheit Baden-Württemberg (Stuttgart, Germany).

9. Security

The site is served over TLS. Form data is transmitted over an encrypted connection. Access to applications is limited to the controller and necessary processors.

10. Changes to this policy

We may update this policy as the product, the cookie scope, or the legal landscape evolves. The date at the top of the page reflects the latest version.
