This Privacy Policy explains how Suoja ("we," "us," or "our") collects, uses, and protects information when you use our AI safety platform, including our browser extension, mobile application, and web dashboards.
Suoja's core purpose is protecting people from harmful AI outputs. We apply that same protective philosophy to your personal data. We collect only what is necessary, we do not sell your data, and we are transparent about everything we do.
1 Overview
Suoja is an AI safety platform that monitors AI-generated content in real time to detect and flag harmful outputs including self-harm suggestions, violence encouragement, and psychological manipulation.
When you use Suoja, we collect limited information necessary to provide this protection. We operate under the following core principles:
- Minimum necessary data: We collect only what is required to deliver protection and improve accuracy.
- No data selling: We do not sell, rent, or trade your personal information to third parties.
- Purpose limitation: Data collected for safety scanning is not used for advertising or profiling.
- Transparency: We clearly disclose what we collect and why.
- User control: You can access, correct, or delete your data at any time.
2 Information We Collect
2.1 Account Information
When you create a Suoja account, we collect:
- Email address
- Name (display name only)
- Password (stored as a one-way cryptographic hash — we cannot read your password)
- Organization name (if applicable)
2.2 Incident Data (from the browser extension)
When our extension detects potentially harmful AI-generated content, we log the following:
| Data element | What it contains | Why we collect it |
|---|---|---|
| Risk level | High, medium, or low | To prioritize alerts and reporting |
| Category | Self-harm, violence, or manipulation | To categorize incidents for review |
| Detection summary | One-sentence description of what was detected | To inform the user and administrator |
| Platform name | e.g., "ChatGPT" or "Character.AI" | To identify which AI tool was involved |
| Timestamp | Date and time of detection | For incident log and trend analysis |
| Confidence score | 0.0–1.0 numeric score | To indicate detection certainty |
Important: Suoja does NOT store the full text of AI conversations. We store only the detection metadata listed above — not the content of what you typed or what the AI said. Your conversations remain private.
2.3 Usage Data
We collect basic usage information to improve Suoja:
- Number of scans performed
- Extension settings and preferences
- Login timestamps
- Dashboard page views (no tracking pixels or behavioral analytics)
2.4 Technical Data
- IP address (used for rate limiting and security — not stored long term)
- Browser type and version (for extension compatibility)
- Operating system
3 How We Use Your Information
We use the information we collect for the following purposes:
- Delivering protection: Scanning AI-generated content and alerting you to harmful outputs
- Account management: Creating and maintaining your Suoja account
- Incident reporting: Providing you and your administrator with incident logs and statistics
- Service improvement: Improving detection accuracy and reducing false positives
- Security: Detecting and preventing unauthorized access or abuse
- Communications: Sending service-related emails (alerts, account notifications)
- Legal compliance: Complying with applicable laws and regulations
We do not use your data for: advertising, user profiling, behavioral targeting, selling to third parties, or any purpose unrelated to AI safety protection.
4 Data Sharing
We do not sell your personal data. We share data only in the following limited circumstances:
4.1 Within your organization
If you use Suoja through an organization account (school, hospital, employer), your incident data is visible to the designated administrator of that organization. This is a core feature of the platform — administrators need this data to fulfill their duty of care obligations.
4.2 Service providers
We use the following third-party services to operate Suoja:
| Service | Purpose | Data shared |
|---|---|---|
| Anthropic (Claude API) | AI-powered harm analysis | Text snippets of AI responses — no personal identifiers |
| Supabase | Database hosting | Account and incident data — encrypted at rest |
| Render | Backend API hosting | API requests — no persistent storage |
| Netlify | Dashboard hosting | Static files only — no user data |
| Google Workspace | Email (alerts) | Email address and alert content only |
4.3 Legal requirements
We may disclose your information if required by law, subpoena, court order, or to protect the safety of any person. We will notify you of such requests where legally permitted.
4.4 Emergency situations
If we detect content that indicates an imminent risk to life, we may share relevant information with emergency services or crisis intervention organizations. This is a rare and last-resort measure taken solely in the interest of user safety.
5 Data Retention
- Account data: Retained for the duration of your account. Deleted within 30 days of account closure.
- Incident logs: Retained for 12 months by default. Organization admins may configure shorter retention periods.
- Usage data: Aggregated and anonymized after 90 days.
- IP addresses: Not stored beyond 24 hours (used only for rate limiting).
You may request deletion of your data at any time by contacting privacy@suoja.tech.
6 Your Rights
Depending on your location, you may have the following rights regarding your personal data:
- Access: Request a copy of the personal data we hold about you
- Correction: Request correction of inaccurate data
- Deletion: Request deletion of your account and associated data
- Portability: Request your data in a machine-readable format
- Objection: Object to certain types of processing
- Withdrawal of consent: Withdraw consent where processing is based on consent
To exercise any of these rights, contact us at privacy@suoja.tech. We will respond within 30 days.
7 Children's Privacy
Suoja is designed in part to protect minors from harmful AI content. However, our platform itself is intended for use by adults (18+) or minors under the direct supervision of a parent, guardian, or educational institution.
We do not knowingly collect personal information directly from children under 13 without verifiable parental consent. If you are a parent or guardian and believe your child has provided us with personal information without your consent, please contact us immediately at privacy@suoja.tech.
Schools and organizations deploying Suoja for students under 13 must ensure they have obtained appropriate parental consents as required by COPPA and applicable local laws.
8 Security
We implement industry-standard security measures to protect your data:
- All data transmitted over HTTPS with TLS encryption
- Passwords stored using bcrypt hashing — we cannot read your password
- JWT-based authentication with role-based access control
- Database encrypted at rest via Supabase
- Rate limiting to prevent unauthorized access attempts
- Regular security reviews of our codebase
No system is 100% secure. If you discover a security vulnerability in Suoja, please report it responsibly to security@suoja.tech.
9 Browser Extension Specifics
Our browser extension operates under the following specific privacy principles:
9.1 What the extension reads
The extension reads AI-generated text responses on monitored platforms (ChatGPT, Claude, Gemini, etc.) solely for the purpose of harm detection. It does not read:
- Your keystrokes or what you type to the AI
- Content on non-AI websites
- Passwords, credit card numbers, or form data
- Browsing history outside of monitored AI platforms
- Personal files on your device
9.2 What is sent to our servers
When a potential harm is detected, a text snippet of the AI's response is sent to the Anthropic Claude API for analysis. This snippet contains no personal identifiers. If no harm is detected, nothing is sent to our servers.
9.3 Local storage
The extension uses your browser's local storage to save your API key, settings, and a limited incident log. This data stays on your device unless you are logged into a Suoja account, in which case incidents are synced to your account.
The extension only activates on AI platform domains explicitly listed in its manifest. It does not monitor general web browsing.
10 Cookies
Our web dashboards use minimal cookies:
- Authentication token: Stored in localStorage to keep you logged in. Session-based, cleared on logout.
- No tracking cookies: We do not use Google Analytics, Facebook Pixel, or any third-party advertising or tracking cookies.
- No persistent identifiers: We do not track you across other websites.
11 Third-Party Services
Suoja integrates with Anthropic's Claude API for AI-powered harm analysis. When text is sent to Claude for analysis, it is subject to Anthropic's privacy policy at anthropic.com/privacy. We configure our API calls to minimize data retention by Anthropic.
Links to third-party websites from our platform are provided for your convenience. We are not responsible for the privacy practices of those websites.
12 Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or applicable law. When we make material changes, we will:
- Update the "Last updated" date at the top of this page
- Send an email notification to registered users
- Display a notice in the Suoja dashboard
Continued use of Suoja after the effective date of changes constitutes acceptance of the updated policy.
Contact Us
For privacy-related questions, data requests, or concerns, contact us at: