Soulink Privacy Policy
Last updated: October 5, 2025
This Privacy Policy explains how Soulink ("we", "us", or "our") collects, uses, discloses, and protects personal data when you use our website soulinkapp.com (the "Website") and our mobile/desktop applications (the "App"), together with the content and features offered through them (collectively, the "Services"). We serve users worldwide and apply the EU General Data Protection Regulation (GDPR) as our baseline standard, with regional supplements for the UK, United States, Brazil, Canada, Australia, and other jurisdictions.
Soulink offers AI-guided self-reflection sessions. We are not a medical or therapeutic service and do not provide healthcare, diagnosis, or treatment. We handle sensitive journal content with elevated safeguards and process such content only with your explicit consent.
1) Who We Are (Controller)
- Controller: PROMISOR GRUP DOOEL export–import Sopište, Street 2, No. 2, Gorno Sonje, Sopishte, EMBS 6731481; Tax Number 4080011523801, Republic of North Macedonia.
- Email: support@soulinkapp.com (support), contact@soulinkapp.com (privacy).
- Privacy Contact: Soulink Privacy Team. Contact: contact@soulinkapp.com.
- EU Representative (GDPR Art. 27): Dr. Ivana Goda, Konstanz, Germany. Designated in writing for EU data subject and supervisory authority communications. Contact: contact@soulinkapp.com.
- Supervisory Authority (MK): Agency for Personal Data Protection (АЗЛП), Boulevard Goce Delcev 18, 1000 Skopje; Phone: +389 2 3239 035; Email: info@privacy.mk.
We process data as a controller under the Law on Personal Data Protection (LPDP, Macedonia) and apply GDPR globally for consistency.
2) Scope & Eligibility
This Policy applies when you visit or use the Services. Where we process data that is irreversibly anonymized (for example, high-level usage trends that can no longer be linked to an individual), it is no longer personal data under GDPR and comparable laws. Do not use the Services if you are under 18. We do not knowingly process children's data and comply with applicable age rules (e.g., COPPA in the US and similar frameworks). We use age self-attestation during signup and may request additional verification if we suspect an account is underage. If we learn a user is underage, we delete the account and associated data.
3) Categories of Data We Process
A) Account & Identity: Name, email, username, password hash, country/region, language.
B) Content You Provide (Sensitive): Journal entries, dreams, chat messages, voice content (audio files/transcriptions), attachments ("Content"). Treated as special category data (e.g., revealing mental life or beliefs).
C) Subscription & Payments: Plan, status, billing country, payment tokens and receipts via processors.
D) Device & Usage: IP address, device identifiers, browser/app version, events, crash logs, aggregated analytics.
E) Support & Communications: Tickets, emails, survey responses, feedback.
F) Inferences: AI-derived insights (e.g., progress summaries) from your Content, used only for service provision.
We minimize identifiers in Content before sending prompts to AI processors (for example, by replacing names with labels or IDs where feasible) to reduce risks. Users should avoid including unnecessary personal identifiers in journal entries and uploads.
4) Purposes & Legal Bases (GDPR)
- Provide and operate the Services (account, sessions, continuity) — Contract (Art. 6(1)(b)).
- Process your Content to generate AI responses — Explicit consent for sensitive data (Art. 9(2)(a)) and Contract (Art. 6(1)(b)). We do not use Content for AI model training; vendors are contractually prohibited.
- Payments, fraud prevention — Contract; Legitimate interests (Art. 6(1)(f)).
- Improve, secure, and debug — Legitimate interests (quality and security).
- Legal compliance and enforcement — Legal obligation (Art. 6(1)(c)) / Legitimate interests.
Where we reasonably believe there is an imminent risk of serious harm, we may disclose limited information to competent authorities or emergency services under Art. 6(1)(d) GDPR (vital interests) and applicable law.
You may withdraw consent to Content processing at any time via app settings (without affecting prior processing); this deletes Content but may limit service.
5) Special Category Data & DPIA
Your journal Content may reveal mental life or beliefs and is treated as special category data under GDPR. We process such data only with your explicit consent, apply data minimization and pseudonymization, and conduct a Data Protection Impact Assessment (DPIA) due to the nature and scale of processing. The DPIA was completed pre-launch and identified risks such as data breaches; mitigations include encryption and access logs. It is reviewed annually.
6) Where We Store Data (Data Residency)
- Primary hosting: AWS eu-central-1 (Frankfurt, Germany).
- Backups/DR: AWS eu-central-1.
Account data, Content, and logs at rest are stored within the EU.
7) Sharing, Processors & International Transfers
We use processors to provide the Services and share only what is necessary, under contracts with confidentiality, security, and data protection clauses. We do not sell personal data.
Examples of processors:
| Vendor | Role | Location | Data Types | Transfer Mechanism |
|---|---|---|---|---|
| Amazon Web Services (AWS) | Cloud infrastructure & database hosting | Germany (EU) | All | EEA storage |
| OpenAI | LLM API (chat responses) | USA | Pseudonymized prompts and responses | SCC Module 2 + Transfer Impact Assessment (TIA); where applicable, additional adequacy mechanisms may apply (e.g., EU–US Data Privacy Framework). No training or model improvement using user data. |
| Deepgram | Speech-to-text processing and text-to-speech | USA | Pseudonymized audio and transcripts | SCC Module 2 + TIA |
| ElevenLabs | Text-to-speech generation | USA | Pseudonymized text | SCC Module 2 + TIA |
| Plausible Analytics | Self-hosted analytics (no cookies) | EEA | Aggregated usage data | N/A |
International transfers outside the EEA/UK are safeguarded by Standard Contractual Clauses (SCCs, with UK IDTA/Addendum where relevant), Transfer Impact Assessments (TIAs), encryption, and data minimization. No transfers to high-risk countries without safeguards.
8) Cookies & Consent
We use strictly necessary cookies for login, security, and load balancing. For analytics, we use cookie-less, privacy-focused analytics (e.g., self-hosted Plausible) configured to avoid cross-site tracking. In the EEA/UK, we obtain consent via a cookie banner and honor your preferences. We honor Global Privacy Control (GPC) signals where technically feasible. “Do Not Track” (DNT) signals are not uniformly supported across browsers, but we avoid behavioral advertising and cross-site tracking regardless. See our Cookie Policy for details.
9) Security
- Encryption in transit (TLS 1.3+) and at rest (AES-256 via AWS KMS).
- Network isolation, WAF, least-privilege access, 2FA for admins, audit logging.
- Regular backups, vulnerability management, annual audits, and incident response procedures.
If a personal data breach occurs, we notify the relevant supervisory authority within 72 hours (GDPR Art. 33) and affected users without undue delay if high risk. No method is 100% secure; we continuously improve safeguards.
10) Retention
| Data Type | Retention Period |
|---|---|
| Account & Billing | Active account + 6 years (for tax law) |
| Content (Chat / Voice / Journal) | Up to 90 days for service continuity; deleted within 30 days of withdrawal or account deletion |
| Logs and Analytics | 30 days on a rolling basis |
| Support and Consent Records | 24 months after last interaction |
After retention expires, data is securely deleted or irreversibly anonymized. Deletion requests remove Content from active systems promptly; residual copies may persist in encrypted backups until they cycle out (up to 90 days), unless we are legally required to retain specific records longer (e.g., tax/accounting).
We retain a minimal server-side record of your consent decisions for up to 24 months for compliance auditing.
11) Your Rights & Choices
GDPR/EEA/UK & MK: Access, rectification, erasure, restriction, portability, objection, and withdrawal of consent for Content processing at any time (without affecting prior processing). Submit requests via in-app settings (Export/Delete) or email: contact@soulinkapp.com. We verify identity and respond within 1 month (extendable by 2 months for complex cases). If denied, appeal within 30 days by replying to our decision email. Complaints: Contact your local authority or the Macedonian AZLP. We encourage contacting us first.
12) Automated Decision-Making
Soulink generates AI outputs in response to your inputs, but we do not engage in solely automated decision-making that produces legal or similarly significant effects under GDPR Art. 22. You always control whether to act on AI suggestions.
13) Not Healthcare; Sensitive Topics
Soulink provides reflective, creative, and educational AI-guided dialogue experiences. It is not a psychiatric, psychological, or medical service and does not diagnose, treat, or prevent mental health conditions. Users are responsible for their own well-being and should contact local emergency services or a qualified healthcare professional if experiencing suicidal thoughts, psychosis, or emotional crisis. Soulink and PROMISOR GRUP DOOEL explicitly disclaim any liability for personal, emotional, or psychological outcomes arising from the use of the Service.
14) Regional Supplements
A) United States (CPRA/CCPA, VCDPA, CPA, etc.):
We do not sell or share personal information for cross-context behavioral advertising. We use personal information only to provide and secure the Services and for limited business purposes. Rights include access, deletion, correction, portability, and opt-out of sale/share/targeted advertising and certain profiling. Exercise via contact@soulinkapp.com; we honor Global Privacy Control (GPC) signals. Sensitive personal information (e.g., mental life data in Content) is used only for requested Services and security/compliance; not for inferring characteristics for marketing. Appeals available by replying to denial emails.
B) Brazil (LGPD):
Controller: PROMISOR GRUP DOOEL. Rights include confirmation, access, correction, anonymization, portability, deletion, and sharing info. Legal bases: Consent, contract, legitimate interests. Contact: contact@soulinkapp.com. ANPD oversight applies.
C) Canada (PIPEDA):
We follow PIPEDA principles (accountability, consent, safeguards, etc.). Transfers to foreign providers are made under comparable safeguards.
D) United Kingdom (UK GDPR):
References to GDPR include UK GDPR and Data Protection Act 2018. Transfers rely on UK IDTA or UK Addendum to SCCs. Complain to ICO (ico.org.uk).
E) Australia (Privacy Act 1988/APPs) & Others:
We align with the Australian Privacy Principles; no overseas disclosure without consent (APP 8). Comparable frameworks in other jurisdictions receive GDPR-level controls.
15) Subprocessors & Updates
We maintain an up-to-date subprocessors list (above). Changes are notified via email (30 days prior for material additions).
16) Changes to This Policy
We may update this Policy. Material changes are notified by email or in-app and take effect no earlier than 30 days after notice (unless required sooner by law).
17) Contact
- Email: contact@soulinkapp.com
- Postal: PROMISOR GRUP DOOEL export–import Sopište, Attn: Privacy, Street 2, No. 2, Gorno Sonje, Sopishte, Republic of North Macedonia.
- EU Rep: As above.
Legal Entity & Jurisdiction
Controller and Operator: PROMISOR GRUP DOOEL export–import Sopište, Street 2, No. 2, Gorno Sonje, Sopishte, Republic of North Macedonia. EMBS: 6731481; Tax Number: 4080011523801. Email: contact@soulinkapp.com. Soulink™ is a brand owned and operated by PROMISOR GRUP DOOEL.
This Privacy Policy and any dispute shall be governed by the laws of the Republic of North Macedonia. Disputes shall be resolved exclusively before the competent courts of Skopje.
Signed on behalf of the Soulink Team
Date: October 2025
Version History: v1.0 (October 5, 2025) – Initial global policy with GDPR baseline.