Privacy Policy

Last updated: 17 June 2026

Your privacy is important to us. This Privacy Policy explains how Synthetic Companion Ltd collects, uses, and protects your personal data when you use the HeySophia service. We are committed to complying with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

1. Who We Are

Synthetic Companion Ltd is the data controller for your personal information. We operate the HeySophia platform, an AI-powered virtual companion service based in the United Kingdom.

2. Information We Collect

2.1 Account Information

When you register, we collect:

• Email address
• A display name of your choosing
• An encrypted (hashed) version of your password — we never store your password in plain text

2.2 Conversation Data

Your chat messages are stored in our database to provide the conversational service. These messages are associated with your account and are not shared with any third parties beyond our AI service provider (OpenRouter) for the sole purpose of generating responses.

2.3 Payment Information

We do not collect, store, or process your credit card or banking details. All payments are handled entirely by Stripe, a PCI-DSS Level 1 certified payment processor. When you make a purchase, you interact directly with Stripe's secure infrastructure. We only receive confirmation of the transaction (payment successful/failed) and the amount purchased, which we use to credit your account with virtual coins.

2.4 Usage Data

We collect anonymised technical data such as browser type, device type, and pages visited, to help us improve the service. This data does not personally identify you.

3. How We Use Your Information

We use your personal data for the following purposes:

• To create and manage your account
• To provide the AI conversational service
• To process payments (via Stripe) and manage your virtual credits
• To send essential service notifications (e.g., password resets, security alerts)
• To comply with legal obligations

We do not use your personal data for advertising, profiling, or selling to third parties.

4. Legal Basis for Processing (UK GDPR)

Under UK GDPR, we process your personal data on the following legal bases:

• Contractual necessity — to provide the service you signed up for
• Legitimate interests — to maintain platform security and prevent fraud
• Legal obligation — where required by law (e.g., tax records)
• Consent — for non-essential communications, where you can withdraw consent at any time

5. Data Sharing

We share the minimum necessary data with the following service providers:

• Stripe — for payment processing. Stripe acts as an independent data controller for payment data. See Stripe's Privacy Policy.
• OpenRouter — for AI language model processing. Messages are sent to OpenRouter to generate responses. See OpenRouter's Privacy Policy.

We do not sell, rent, or trade your personal data to any third party.

6. Data Retention

We retain your personal data for as long as your account is active. If you delete your account, we will delete your personal data within 30 days, except where we are required to retain it by law (e.g., financial transaction records for 6 years as required by UK tax law). Anonymised usage data may be retained for analytical purposes.

7. Your Rights Under UK GDPR

You have the following rights regarding your personal data:

• Right to access — request a copy of the personal data we hold about you
• Right to rectification — request correction of inaccurate or incomplete data
• Right to erasure ("right to be forgotten") — request deletion of your personal data
• Right to restrict processing — request that we limit how we use your data
• Right to data portability — receive your data in a structured, machine-readable format
• Right to object — object to processing based on legitimate interests
• Right to withdraw consent — withdraw consent at any time where processing is based on consent

To exercise any of these rights, please contact us at heysophia.team@gmail.com. We will respond within 30 days.

8. Security

We take the security of your personal data seriously. We implement appropriate technical and organisational measures, including:

• Passwords are hashed using bcrypt with a cost factor of 12
• Session cookies are signed and HTTP-only
• All communications between your browser and our servers use HTTPS/TLS encryption
• Payment data is never stored on our servers — handled entirely by Stripe

9. Cookies

We use a single essential session cookie to keep you logged in. This cookie is strictly necessary for the service to function and does not track you across the web. By using the service, you consent to this essential cookie.

10. International Data Transfers

Our servers are located in the United Kingdom. When you use our service, your data is processed within the UK. Some of our service providers (such as OpenRouter) may process data outside the UK. Where this occurs, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses approved under UK GDPR.

11. Children's Privacy

Our service is intended for users aged 18 and over. We do not knowingly collect personal data from anyone under the age of 18. If you believe we have inadvertently collected data from a minor, please contact us immediately and we will delete such data.

12. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be notified via email or a notice on the platform. The "Last updated" date at the top of this page indicates when the policy was last revised.

13. Contact Us

If you have any questions about this Privacy Policy or your data rights, please contact:

Data Controller: Synthetic Companion Ltd
Email: heysophia.team@gmail.com
Address: London, United Kingdom

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK supervisory authority for data protection matters. Visit ico.org.uk for more information.

← Back to HeySophia