Privacy Policy
How Sorby collects, uses, shares, and protects personal data, and the rights people have under data-protection law. Applies to visitors of sorby.io, people who create a Sorby account, and people whose data ends up inside a Sorby workspace because a customer entered it.
Last updated: 27 May 2026.
Who we are
Sorby is the company that operates the Sorby Discovery service. The current operating entity, until incorporation, is Sorby's founder, a sole proprietor based in Tbilisi, Georgia. Upon incorporation, the operating entity will become Sorby, Inc., a Delaware C-Corporation. Notice will be given when the operating entity changes; the latest details will be posted on this page.
For all data-protection matters, use our contact form. We are not required to appoint a Data Protection Officer under GDPR Article 37 given our scale and the nature of our processing.
Controller or processor
Sorby plays two roles depending on whose data is involved.
We are the data controller for: visitors to sorby.io (cookies, request logs, contact-form submissions), and people who create a Sorby account (account-level data — name, email, hashed credentials, MFA, sign-in events). This Privacy Policy applies to that processing.
We are the data processor for: workspace content entered by our customers. The customer (your employer, in most cases) is the controller. They decide what data goes in and why; we process it on their documented instructions. Research participants and other end users whose data ends up in a workspace should contact the customer who runs that workspace — see Workspace data subjects below.
What we collect, why, and on what lawful basis
| Category | Examples | Purpose | Lawful basis (GDPR Art. 6) |
|---|---|---|---|
| Account data | Name, email, hashed password, MFA secrets, OAuth identifiers | Create and maintain your Sorby account; authenticate sign-in; secure the service | Performance of contract (Art. 6(1)(b)) |
| Workspace membership | Workspace IDs you belong to, your role | Route you to the right workspace and apply correct permissions | Performance of contract (Art. 6(1)(b)) |
| Sign-in and security events | IP, User-Agent, timestamp, success/failure | Detect abuse, investigate incidents, enforce rate limits | Legitimate interest (Art. 6(1)(f)) |
| Application logs | URL paths, request metadata, error stack traces | Debug, monitor uptime, investigate incidents | Legitimate interest (Art. 6(1)(f)) |
| Workspace content | Whatever the customer enters | Provide the Sorby Discovery service to the customer | The customer's lawful basis applies; not ours |
| Inbound contact | The contents of the email or form you send us | Respond to your message | Legitimate interest (Art. 6(1)(f)) |
| Cookies (essential) | Session cookies (Clerk), CSRF tokens | Keep you signed in; protect against forgery | Performance of contract — strictly necessary |
| Cookies (non-essential) | None today. | When that changes, this policy will be updated and a consent banner shown before any non-essential cookie is set. | Consent (when applicable) |
We do not process special-category personal data (Article 9 GDPR) for our own purposes. We do not knowingly collect personal data from children under 16; if you believe a child has given us personal data, use our contact form and we will delete it.
How we use AI
Sorby uses Anthropic's API for backlog parsing and assistive features. Anthropic does not train its models on data submitted via the API; this is contractual under their commercial terms.
Sorby itself does not train, fine-tune, or build any model on customer content or on personal data we hold as controller. We do not use AI to make solely automated decisions that produce legal or similarly significant effects on you; you have the right not to be subject to such decisions under Article 22 GDPR.
Who we share data with
We share personal data only with the following recipients, and only as needed to provide the service:
- Sub-processors that operate the infrastructure. Current list: /legal/sub-processors.
- Professional advisers (lawyers, accountants) under confidentiality.
- Authorities where legally required, after challenging requests that do not comply with applicable law.
- An acquirer or successor in the event of a merger, acquisition, or sale of substantially all assets — bound by this Policy or one at least as protective.
We do not sell or share personal data for advertising. We do not enrich, augment, or share customer data with marketing, advertising, analytics, or data-broker vendors.
International data transfers
Some sub-processors operate from the United States. Where personal data of EU/EEA or UK residents is transferred outside the EEA or UK, the transfer is covered by the European Commission's Standard Contractual Clauses (2021/914) and, for UK transfers, the UK International Data Transfer Addendum. These clauses are included by reference in our DPA — see /legal/dpa.
How long we keep data
| Category | Retention |
|---|---|
| Account data | Life of your account, plus 30 days after deletion to allow recovery. Then deleted. |
| Workspace membership | Same as the workspace it relates to. |
| Workspace content (we are processor) | Life of the customer subscription + 30-day grace + up to 30 days for backup ageing. After 60 days from termination, no copy exists. |
| Sign-in and security events | 12 months, then deleted. |
| Application logs | 30 days at the hosting provider, then aged out. |
| Inbound emails | Up to 24 months, unless earlier deletion is requested. |
| Backups | 7 days on the database free tier; PITR on the paid tier. Backups inherit retention from primary data. |
When the retention period ends, data is deleted from primary storage; encrypted backups age out and are overwritten on the schedule above. We also delete data earlier on request — see Your rights.
How we protect data
Our security model is documented at /security. Headlines: TLS 1.2+ in transit, AES-256 at rest, role-based access, MFA available to every user, append-only audit log, app-layer plus defence-in-depth tenant isolation, 72-hour breach notification.
If we discover a personal-data breach affecting you, we will notify the relevant supervisory authority within 72 hours where required by Article 33 GDPR, and we will notify you directly without undue delay where the breach is likely to result in a high risk to your rights and freedoms.
Your rights
Under the GDPR and UK GDPR you have the right to:
Access (Art. 15)
Receive a copy of the personal data we hold about you.
Rectification (Art. 16)
Correct inaccurate or incomplete data.
Erasure (Art. 17)
Have your data deleted ("right to be forgotten").
Restriction (Art. 18)
Restrict processing in certain circumstances.
Portability (Art. 20)
Receive a portable copy in a structured, machine-readable format.
Object (Art. 21)
Object to processing based on legitimate interest, including profiling.
Withdraw consent
Withdraw consent at any time where consent is the lawful basis (without affecting lawfulness before withdrawal).
No solely automated decisions (Art. 22)
Not be subject to a decision based solely on automated processing that produces legal or similarly significant effects. We do not make such decisions today.
Lodge a complaint
With your data-protection supervisory authority. EU: edpb.europa.eu; UK: ico.org.uk.
If you live in California, you have similar rights under the CCPA/CPRA, including the right to know, delete, correct, and opt-out of "sale" or "sharing" — we do not sell or share personal data for cross-context behavioural advertising.
To exercise any of these, use our contact form. We will verify your identity and reply within 30 days. You will not be charged for a request unless it is manifestly unfounded or excessive.
Workspace data subjects
If you are a research participant or other end user whose data was entered into a Sorby workspace by one of our customers, the customer is the data controller and we are the processor. Send your request to that customer. If you contact us directly, we will tell you who controls the workspace your data is in (where we can identify them), forward the request, and assist the customer in fulfilling it. We will not action the request ourselves, because we are not the controller.
Cookies
Today Sorby sets only strictly necessary cookies — session cookies and CSRF tokens placed by our authentication provider, Clerk, that keep you signed in and protect your form submissions. These do not require consent under EU law because they are strictly necessary to provide the service you have asked for.
We do not currently run analytics, advertising, or tracking cookies on sorby.io. When that changes, we will update this Policy and show a consent banner before any non-essential cookie is set. You can clear cookies at any time in your browser settings; doing so will sign you out of Sorby.
Marketing
We send transactional emails (sign-up confirmation, security notices, billing) on the lawful basis of performance of contract or legitimate interest. We do not send marketing emails to people who have not opted in. Every marketing email includes a one-click unsubscribe link and unsubscribing is honoured immediately.
Changes to this Policy
We will update this Policy when our practices, sub-processors, or legal obligations change. Material changes are announced by updating the Last updated date at the top of this page and emailing every workspace admin with an active subscription, at least 30 days before the change takes effect. Previous versions are available on request via our contact form.
Contact
For privacy questions, data-subject requests, or security disclosures, use our contact form.