About This Policy
This Privacy Policy explains how Suoja Inc. ("Suoja," "we," "us," or "our") collects, uses, and protects information when you use our AI safety platform, including our browser extension and web dashboards.
Suoja is an AI safety platform that monitors AI-generated content in real time to detect and flag harmful outputs including self-harm suggestions, violence encouragement, and psychological manipulation. We apply that same protective philosophy to your personal data — we collect only what is necessary, we do not sell your data, and we are transparent about everything we do.
Information We Collect
1.1 Account Information
When you create a Suoja account, we collect:
- Email address
- Name (display name only)
- Password (stored as a one-way cryptographic hash — we cannot read your password)
- Organization name (if applicable)
1.2 Incident Data (from the browser extension)
When our extension detects potentially harmful AI-generated content, we log the following:
| Data element | What it contains | Why we collect it |
|---|---|---|
| Risk level | High, medium, or low | To prioritize alerts and reporting |
| Category | Self-harm, violence, or manipulation | To categorize incidents for review |
| Detection summary | One-sentence description of what was detected | To inform the user and administrator |
| Platform name | e.g., "ChatGPT" or "Character.AI" | To identify which AI tool was involved |
| Timestamp | Date and time of detection | For incident log and trend analysis |
| Confidence score | 0.0–1.0 numeric score | To indicate detection certainty |
1.3 Usage Data
We collect basic usage information to improve Suoja:
- Number of scans performed
- Extension settings and preferences
- Login timestamps
- Dashboard page views (no tracking pixels or behavioral analytics)
1.4 Technical Data
- IP address (used for rate limiting and security — not stored long term)
- Browser type and version (for extension compatibility)
- Operating system
How We Use Your Information
We use the information we collect for the following purposes:
- Delivering protection: Scanning AI-generated content and alerting you to harmful outputs
- Account management: Creating and maintaining your Suoja account
- Incident reporting: Providing you and your administrator with incident logs and statistics
- Service improvement: Improving detection accuracy and reducing false positives
- Security: Detecting and preventing unauthorized access or abuse
- Communications: Sending service-related emails (alerts, account notifications)
- Legal compliance: Complying with applicable laws and regulations
Data Sharing
We do not sell your personal data. We share data only in the following limited circumstances:
3.1 Within your organization
If you use Suoja through an organization account (school, hospital, employer), your incident data is visible to the designated administrator of that organization. This is a core feature of the platform — administrators need this data to fulfill their duty of care obligations.
3.2 Service providers
We use the following third-party services to operate Suoja:
| Service | Purpose | Data shared |
|---|---|---|
| Anthropic (Claude API) | AI-powered harm analysis | Text snippets of AI responses — no personal identifiers |
| Supabase | Database hosting | Account and incident data — encrypted at rest |
| Render | Backend API hosting | API requests — no persistent storage |
| Netlify | Dashboard hosting | Static files only — no user data |
| Google Workspace | Email (alerts) | Email address and alert content only |
3.3 Legal requirements
We may disclose your information if required by law, subpoena, court order, or to protect the safety of any person. We will notify you of such requests where legally permitted.
3.4 Emergency situations
If we detect content that indicates an imminent risk to life, we may share relevant information with emergency services or crisis intervention organizations. This is a rare and last-resort measure taken solely in the interest of user safety.
Data Retention
- Account data: Retained for the duration of your account. Deleted within 30 days of account closure.
- Incident logs: Retained for 12 months by default. Organization admins may configure shorter retention periods.
- Usage data: Aggregated and anonymized after 90 days.
- IP addresses: Not stored beyond 24 hours (used only for rate limiting).
You may request deletion of your data at any time by contacting privacy@suoja.tech.
Your Rights
Depending on your location, you may have the following rights regarding your personal data:
- Access: Request a copy of the personal data we hold about you
- Correction: Request correction of inaccurate data
- Deletion: Request deletion of your account and associated data
- Portability: Request your data in a machine-readable format
- Objection: Object to certain types of processing
- Withdrawal of consent: Withdraw consent where processing is based on consent
To exercise any of these rights, contact us at privacy@suoja.tech. We will respond within 30 days.
California Privacy Rights (CCPA / CPRA)
California residents have additional rights under the California Consumer Privacy Act and the California Privacy Rights Act. Suoja does not sell or share personal information for cross-context behavioral advertising as those terms are defined under the CCPA and CPRA. California residents may exercise their rights to access, correct, delete, or limit the use of their personal information by contacting privacy@suoja.tech.
Children's Privacy and COPPA Compliance
Suoja is designed to protect minors from harmful AI content. When a parent or legal guardian enrolls a child in Suoja, we collect limited data about that child's AI interactions for the express purpose of detecting harmful content and alerting the guardian.
For children under 13, we operate in compliance with the Children's Online Privacy Protection Act (COPPA):
- We collect personal data from a child only after verified parental or guardian consent
- We collect only the minimum data necessary to provide protection
- We do not condition the child's use of any feature on disclosing more data than is reasonably necessary
- Parents and guardians may review their child's data, request deletion, or withdraw consent at any time by contacting privacy@suoja.tech
- We do not use child data for advertising, profiling, or any purpose outside of safety detection
Schools and organizations deploying Suoja for students under 13 must ensure they have obtained appropriate parental or institutional consents as required by COPPA, FERPA, and applicable state laws.
Children age 13 or older may use Suoja with a guardian account configured by a parent or guardian who maintains visibility over the child's protection settings.
Security
We implement industry-standard security measures to protect your data:
- All data transmitted over HTTPS (TLS encryption)
- Passwords stored using bcrypt hashing — we cannot read your password
- JWT-based authentication with role-based access control
- Database encrypted at rest via Supabase
- Rate limiting to prevent unauthorized access attempts
- Regular security reviews of our codebase
No system is 100% secure. If you discover a security vulnerability in Suoja, please report it responsibly to security@suoja.tech.
Browser Extension Specifics
9.1 What the extension reads
The extension reads AI-generated text responses on monitored platforms (ChatGPT, Claude, Gemini, etc.) solely for the purpose of harm detection. It does not read:
- Your keystrokes or what you type to the AI
- Content on non-AI websites
- Passwords, credit card numbers, or form data
- Browsing history outside of monitored AI platforms
- Personal files on your device
9.2 What is sent to our servers
When a potential harm is detected, a text snippet of the AI's response is sent to the Anthropic Claude API for analysis. This snippet contains no personal identifiers. If no harm is detected, nothing is sent to our servers.
9.3 Local storage
The extension uses your browser's local storage to save your API key, settings, and a limited incident log. This data stays on your device unless you are logged into a Suoja account, in which case incidents are synced to your account.
Cookies
Our web dashboards use minimal cookies:
- Authentication token: Stored in localStorage to keep you logged in. Session-based, cleared on logout.
- No tracking cookies: We do not use Google Analytics, Facebook Pixel, or any third-party advertising or tracking cookies.
- No persistent identifiers: We do not track you across other websites.
Third-Party Services
Suoja integrates with Anthropic's Claude API for AI-powered harm analysis. When text is sent to Claude for analysis, it is subject to Anthropic's privacy policy at anthropic.com/privacy. We configure our API calls to minimize data retention by Anthropic.
Links to third-party websites from our platform are provided for your convenience. We are not responsible for the privacy practices of those websites.
International Users
Suoja is currently operated from the United States and intended for use in the United States. If you access Suoja from outside the United States, you do so at your own initiative and are responsible for compliance with local laws. We are working to expand our compliance framework to support international users, including provisions required under the European Union General Data Protection Regulation (GDPR), the United Kingdom Data Protection Act, and other applicable frameworks. Until that expansion is complete, Suoja accounts created outside the United States may be limited in functionality or unavailable.
Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or applicable law. When we make material changes, we will:
- Update the "Last updated" date at the top of this page
- Send an email notification to registered users
- Display a notice in the Suoja dashboard
Continued use of Suoja after the effective date of changes constitutes acceptance of the updated policy.
Privacy Questions or Data Requests?
Contact our team — we will respond within 30 days.
Privacy contact
privacy@suoja.tech
Security reports
security@suoja.tech
Suoja Inc.