Legal

Privacy Policy

Last updated: 2026-05-21

1) What we collect and why

  • Account data (email, Clerk user ID, auth/session metadata) to provide access control and security.
  • Billing data (plan/tier status, Stripe checkout/subscription identifiers) to process subscriptions and entitlement access.
  • Portrait data (anchors, dimensions, context, preferences) to personalize Sjo recommendations.
  • Conversation inputs/outputs for service operation, safety, and quality controls.
  • Operational telemetry (rate limits, usage events, budget events) for abuse prevention and reliability.

2) How the portrait is built and stored

Sjo extracts preference signals from your conversations and stores them in secure profile records associated with your account (for example style anchors, category emphasis, lifestyle context). Values may update when new preferences clearly replace older ones.

3) AI training use (explicit opt-in)

Use of conversation data for training Sjo models requires a separate explicit opt-in choice. This is requested independently from Terms/Privacy acknowledgment and can be changed later.

4) Anonymized retailer insights

Sjo may provide aggregated, anonymized trend insights to retailers. Reports contain no individual-level rows. Before any retailer disclosure we enforce minimum pool sizes:

  • Aggregated trend data (statistics with no identifier-level fields): disclosed only when the underlying pool includes at least 2,500 distinct member accounts.
  • Identifier-level or segment-level data (any cut that could support re-identification or thin cohorts): disclosed only when the pool includes at least 10,000 distinct member accounts.

Below those thresholds we withhold the disclosure rather than release thinner cuts. This use is disclosed here and governed by applicable law.

5) Retention

  • Account/legal records: retained while the account is active and as required for legal/compliance obligations.
  • Portrait and conversation-derived profile data: retained until user deletion request or account closure.
  • Billing records: retained per accounting and tax requirements.
  • Operational logs: retained for security/reliability windows and then deleted or aggregated.

Billing and purchase records are retained as required by law. All other profile and portrait data is permanently deleted on request.

6) GDPR and user rights

Sjo (operated from Sweden) is the data controller for personal data described in this policy. Processing legal bases (contract, legitimate interests, consent, legal obligation) are summarized in our Terms of Service, section 5.

You can request access, correction, deletion, restriction, objection, and data portability where applicable. Portability exports are provided in a commonly used, machine-readable format via Profile data-rights controls or by contacting us. You can also request erasure of portrait data points directly in-product for supported fields.

You may lodge a complaint with the Swedish Authority for Privacy Protection (IMY) at imy.se or with your local EEA supervisory authority.

7) Processors and storage locations

  • Clerk for authentication/session management.
  • Stripe for billing and subscriptions.
  • Anthropic (“Claude”) sees only what we send per reply request — your prompt, bounded thread context, and the taste-portrait excerpts we attach for that turn — and does not receive wholesale exports of your full portrait record, authentication records maintained by Clerk, or payment payloads processed by Stripe.
  • MongoDB for profile and app data storage.
  • Vercel for application hosting and runtime logs.

8) Cookies and third parties

Strictly necessary cookies are always enabled. Analytics and third-party non-essential cookies require consent. See our Cookie Policy for details.
