Privacy Policy

1. Introduction

Sori ("we", "our", or "us") is committed to protecting your privacy. This Privacy Policy explains what information we collect, how we use it, and your rights when you use the Sori Chrome extension and website (sori-translator.com).

2. Information We Collect

2.1 Account Information (registered users only)

When you create an account, we collect:

• Your email address

You can sign up with email/password or via Google OAuth. If you sign in with Google, we receive your email address and basic profile information (name and profile picture) from Google. Your password (if applicable) is handled entirely by Supabase Auth, it is hashed before storage and we never have access to it. You can revoke Sori's access to your Google account at any time by visiting your Google Account permissions.

2.2 Usage Data

To enforce daily translation quotas, we track:

• A randomly generated anonymous identifier (for users without an account)
• The number of words translated per day
• The number of dictionary lookups per day
• The timestamp of your last translation or lookup request

We also collect aggregated translation statistics (e.g., language pairs used, request counts) to improve the service. These statistics are not linked to individual users or translation content.

We do not store the text you translate. Translation requests are sent to OpenAI in real-time and are not saved on our servers.

2.3 Error Logs

To diagnose and fix issues, we may log errors that occur during your use of the extension. Error logs may include the error type, error message, and contextual information about where the error occurred. They do not include the text you translate.

2.4 Bug Reports & Feedback

If you submit a bug report or feedback (e.g., on uninstall), we collect:

• The description or feedback text you write
• The reason(s) you selected (for feedback forms)
• The timestamp of submission

These submissions are voluntary and contain only what you choose to write.

2.5 Payment Information

Payments are processed by Stripe. We do not store your card number or billing details on our servers. We only receive your subscription tier from Stripe.

2.6 Data Stored Locally on Your Device

The extension stores the following in Chrome's local storage, this data stays on your device and is not sent to us:

• Your authentication session token
• Your language and translation mode preferences

3. How We Use Your Information

• To provide the translation and dictionary service
• To enforce daily usage quotas based on your subscription tier
• To process payments and manage your subscription
• To respond to bug reports and improve the service
• To send account-related emails (e.g., password reset, welcome email)

We do not use your data for advertising or sell it to third parties.

4. Third-Party Services

We use the following third-party services, each with their own privacy policies:

• Supabase: authentication and database (stores your email, hashed password, and usage data)
• Google: OAuth sign-in provider (shares your email and basic profile information with us when you sign in with Google)
• OpenAI: processes your translation requests in real-time (text is not stored by us)
• Stripe: payment processing (handles your card details securely)
• Vercel: hosts the Sori website (sori-translator.com)
• Render: hosts the Sori backend API (may log IP addresses and request metadata for operational purposes)
• Resend: sends transactional emails (e.g., welcome, password reset, security notifications)

5. Data Retention

• Account data: Retained until you delete your account. When you delete your account, your authentication data is removed, but anonymized usage statistics (word count, lookup count) may be retained
• Anonymous usage data: Retained indefinitely for quota enforcement purposes
• Bug reports & feedback: Retained indefinitely to help improve the service, but contain no personally identifiable information unless you choose to include it
• Error logs: Retained for diagnostic purposes and periodically cleaned up
• Translation text: Never stored, processed in real-time only
• Payment records: Retained by Stripe as required by law

6. Data Security

We take reasonable measures to protect your data, including encrypted connections (HTTPS), secure authentication, input sanitization, rate limiting, and access controls. However, no system is 100% secure and we cannot guarantee absolute security.

7. Your Rights

You have the right to:

• Access the personal data we hold about you
• Delete your account and associated data (via Account Settings → Delete Account)
• Correct inaccurate information
• Request a copy of your data

To exercise any of these rights, contact us at our help page.

8. Children's Privacy

Sori is not intended for users under 13 years of age (or under 16 in the EU/UK). We do not knowingly collect personal information from children. If you believe a child has provided us with personal data, please contact us and we will delete it.

9. Changes to This Policy

We may update this Privacy Policy from time to time. We will update the "Last updated" date at the top of this page when we do. Continued use of the extension after changes constitutes acceptance of the updated policy.

10. Contact

If you have any questions about this Privacy Policy, please reach out via our help page.

Regional Annexes

The following annexes provide additional information required by the data protection laws of specific regions. If you are located in one of these regions, the relevant annex applies to you in addition to the main policy above.

Annex A: European Economic Area, Switzerland & United Kingdom

This annex applies if you are located in the EU, EEA, Switzerland, or the United Kingdom, where the General Data Protection Regulation (GDPR) or UK GDPR governs the processing of your personal data.

A.1 Legal Bases for Processing

We process your personal data under the following lawful bases:

• Contract performance: To provide the translation service, manage your account, and process your subscription.
• Legal obligation: To comply with applicable tax, fraud prevention, and regulatory requirements.
• Consent: Where you have given explicit consent, for example when submitting a bug report or feedback form. You may withdraw consent at any time.
• Legitimate interests: To maintain and improve the service, enforce usage quotas, and ensure security, provided these interests do not override your fundamental rights and freedoms.

A.2 Additional Rights

In addition to the rights listed in Section 7, you also have the right to:

• Data portability: Receive your personal data in a structured, commonly used, and machine-readable format.
• Object to processing: Object to processing carried out on the basis of our legitimate interests.
• Restrict processing: Request that we limit how your data is used while a complaint or objection is being resolved.
• Lodge a complaint: File a complaint with your local data protection supervisory authority.

To exercise these rights, please contact us via our help page.

A.3 Automated Decision-Making

We do not carry out any solely automated decision-making that produces legal effects or similarly significant effects on you, as described in Article 22 of the GDPR.

A.4 International Data Transfers

Your data may be transferred to and processed in countries outside the EU/EEA or UK (for example, by our hosting and API providers). Where this occurs, we rely on adequacy decisions, Standard Contractual Clauses, or other appropriate safeguards to ensure your data receives an equivalent level of protection.

Annex B: California, United States

This annex applies if you are a California resident, as defined under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA).

B.1 Your California Privacy Rights

As a California resident, you have the right to:

• Know the categories and specific pieces of personal information we have collected about you.
• Access the personal information we hold about you.
• Delete personal information we have collected, to the extent permitted by law.
• Opt out of the sale or sharing of your personal information for cross-context behavioral advertising.

To exercise these rights, please contact us via our help page.

B.2 No Sale or Sharing

We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising purposes.

B.3 Non-Discrimination

We will not discriminate against you for exercising any of your CCPA/CPRA rights. You will not receive different pricing, a different quality of service, or be denied access for exercising your privacy rights.

Annex C: Japan

This annex applies if you are located in Japan, where the Act on the Protection of Personal Information (APPI) governs the handling of your personal data.

C.1 Purpose of Use

We clearly disclose the purposes for which your personal information is used (as described in Section 3 of this policy) and process your data only within those stated purposes.

C.2 Your Rights Under APPI

You have the right to:

• Request disclosure of the personal information we hold about you.
• Request correction, addition, or deletion of inaccurate personal information.
• Request suspension of use or provision to third parties where processing exceeds the stated purpose or was obtained improperly.

To exercise these rights, please contact us via our help page.

C.3 Overseas Third-Party Providers

Where your personal data is provided to third-party services located outside Japan (as listed in Section 4), those recipients are required to maintain security measures consistent with the APPI.

Annex D: Republic of Korea

This annex applies if you are located in the Republic of Korea, where the Personal Information Protection Act (PIPA) governs the processing of your personal data.

D.1 Purpose and Lawfulness

Your personal data is collected and processed for specific, explicit, and lawful purposes as described in this policy. We obtain consent or rely on other lawful bases before processing.

D.2 Third-Party Disclosure and Outsourcing

Where we entrust data processing to third parties (as listed in Section 4), we maintain written agreements specifying the purpose, scope, and required technical and organizational security measures. We supervise these parties on an ongoing basis.

D.3 International Data Transfers

When your data is transferred outside Korea, we inform you of the purpose, recipient, items transferred, and retention period. Where required, we obtain separate consent. Overseas recipients are required to maintain security measures compliant with PIPA.

D.4 Your Rights Under PIPA

You have the right to:

• Request access to your personal information.
• Request correction or deletion of inaccurate or unnecessary personal information.
• Request suspension of processing.
• Withdraw your consent at any time.

To exercise these rights, please contact us via our help page.

D.5 Security Measures

We implement technical and organizational measures to protect your personal data, including access controls, encryption of data in transit, and incident response procedures.

D.6 Breach Notification

In the event of a personal data breach, we will notify the Personal Information Protection Commission (PIPC) and affected individuals as required by PIPA.