Privacy Policy

1. Who We Are

Sombra is operated by SombraNotes, Inc., a Delaware corporation.

SombraNotes, Inc.
8 The Green
Dover, DE 19901
United States

info@sombra.io

For the purposes of applicable data protection laws, SombraNotes, Inc. is the data controller of your personal information.

2. Information We Collect

Information you provide directly:

• Account information: name, email address, firm name, role, and contact details when you register.
• Payment information: billing address and payment details processed through our payment providers (Stripe and Polar.sh). We do not store your full payment card details.
• Conversation data: meeting transcripts, audio recordings, and other content you upload or provide to Sombra Intelligence for processing.
• Communications: emails, support requests, and feedback you send us.

Information collected automatically:

• Usage data: pages visited, features used, actions taken within the Service, time spent, and error logs.
• Device and browser data: IP address, browser type and version, operating system, device identifiers, and screen resolution.
• Analytics data: we use PostHog, Plausible, and Cloudflare Web Analytics to understand how our website and product are used.
• Cookies and tracking technologies: see Section 7 (Cookies) for details.

Information from third parties:

• Authentication data from Google or Microsoft when you use social login via Supabase.
• Data from third-party platforms you connect to Sombra, as authorised by you.

3. How We Use Your Information

We use your information to:

• Provide and operate the Service, including generating AI-powered file notes, research outputs, and compliance checks.
• Process payments and manage your subscription.
• Authenticate your identity and maintain account security.
• Personalise the Service through adaptive learning, which builds a writing profile specific to each adviser. This data is used solely to improve outputs for that adviser and is never shared with other customers or used to train foundation models.
• Send transactional communications (account confirmations, billing notices, security alerts).
• Send marketing communications about Sombra, where you have opted in or where we have a legitimate interest. You can unsubscribe at any time.
• Analyse usage patterns to improve the Service, fix bugs, and develop new features.
• Comply with legal obligations and enforce our Terms of Service.
• Protect against fraud, abuse, and security threats.

4. How We Share Your Information

We do not sell your personal information. We share your information only in the following circumstances:

AI and transcription providers. Your conversation data is processed by Anthropic (language models) and Deepgram (transcription) to deliver the Service. These providers process data on our behalf under contractual obligations. We do not permit them to use your data for their own purposes, including model training.

Payment providers. Stripe and Polar.sh process your payment information to manage subscriptions and billing.

Authentication provider. Supabase manages account authentication, including social login via Google and Microsoft.

Analytics and advertising. We use PostHog, Plausible, Cloudflare Web Analytics, LinkedIn Pixel, Meta Pixel, and X Ad Pixel to understand website usage and measure advertising effectiveness. These services may collect usage data and device information. See Section 7 for cookie details.

Legal requirements. We may disclose information when required by law, regulation, legal process, or enforceable governmental request.

Business transfers. In the event of a merger, acquisition, or sale of assets, your information may be transferred. We will notify you before your information becomes subject to a different privacy policy.

With your consent. We may share information with third parties when you have given explicit consent.

5. AI and Your Data

Sombra uses artificial intelligence to deliver its core features. This section explains how your data interacts with our AI systems.

Sombra Swarm agents operate primarily on publicly available data and data from third-party platforms you have authorised. They do not access your private client records unless you explicitly provide them.

Sombra Intelligence processes conversation data you provide (such as meeting transcripts and audio recordings) to generate file notes, learning profiles, and firm-wide intelligence insights.

Adaptive learning. Sombra Intelligence builds a writing profile for each individual adviser based on their edits and corrections. This profile is specific to that adviser and is used solely to improve outputs for their account. It is never shared with other customers.

No model training. We do not use your conversation data, file notes, or any Customer Data to train, fine-tune, or improve foundation AI models. Your data is processed to deliver the Service to you and for no other purpose.

Third-party AI providers. Data sent to Anthropic and Deepgram is processed under data processing agreements that prohibit those providers from using your data for their own model training or any purpose beyond delivering the Service.

6. Data Retention

We retain your personal information for as long as your account is active or as needed to provide the Service. Specifically:

• Account data is retained for the duration of your account and for a reasonable period after closure to comply with legal, accounting, or reporting obligations.
• Conversation data and AI outputs are retained while your account is active. Upon account termination, we make your data available for export for 30 days, after which it may be permanently deleted.
• Adaptive learning profiles are deleted when the associated adviser account is removed.
• Payment records are retained as required by applicable tax and financial reporting laws.
• Usage and analytics data may be retained in anonymised, aggregated form indefinitely for product improvement purposes. This data cannot identify individual users.

We will delete or anonymise your personal information when it is no longer needed for the purposes described in this policy, unless a longer retention period is required or permitted by law.

7. Cookies and Tracking Technologies

We use cookies and similar technologies on our website and within the Service.

Essential cookies are required for the Service to function, including authentication, session management, and security. These cannot be disabled.

Analytics cookies help us understand how the website and Service are used. We use:

• Plausible (privacy-focused, no personal data collected)
• Cloudflare Web Analytics (no cookies, no personal data)
• PostHog (product analytics, usage patterns)

Advertising cookies are used to measure the effectiveness of our marketing campaigns:

• LinkedIn Pixel
• Meta Pixel
• X Ad Pixel

These advertising pixels may collect information about your browsing activity across websites and may be used by the respective platforms to serve targeted advertising. You can manage your preferences for these through your browser settings or the privacy controls provided by each platform.

You can disable non-essential cookies through your browser settings. Disabling cookies may affect the functionality of the Service.

8. Data Security

We implement industry-standard technical and organisational measures to protect your personal information against unauthorised access, alteration, disclosure, or destruction. These measures include encryption in transit and at rest, access controls, and regular security assessments.

Your data is hosted in Australia.

In the event of a data breach that affects your personal information, we will notify you within 72 hours of becoming aware of the breach, consistent with applicable legal requirements. We will provide details of the nature of the breach, the data affected, and the steps we are taking to address it.

While we take reasonable steps to protect your information, no method of transmission or storage is completely secure. You are responsible for maintaining the security of your account credentials.

9. International Data Transfers

SombraNotes, Inc. is a United States company. Your data is hosted in Australia, but may be accessed or processed in the United States or other jurisdictions where our service providers operate (including Anthropic and Deepgram in the United States).

Where your data is transferred outside of your jurisdiction, we ensure that appropriate safeguards are in place, including contractual protections with our service providers.

Some of our third-party providers may not be regulated by the Australian Privacy Act 1988. While we require contractual commitments from all providers, you acknowledge that you may not be able to seek redress under Australian law directly against those providers.

10. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal information:

• Access: request a copy of the personal information we hold about you.
• Correction: request correction of inaccurate or incomplete information.
• Deletion: request deletion of your personal information, subject to legal retention requirements.
• Data portability: request your data in a structured, commonly used format.
• Opt-out of marketing: unsubscribe from marketing communications at any time using the link in any marketing email or by contacting us.
• Withdraw consent: where processing is based on consent, you may withdraw it at any time.

For Australian customers, these rights are provided under the Privacy Act 1988 and the Australian Privacy Principles (APPs). You also have the right to make a complaint to the Office of the Australian Information Commissioner (OAIC) if you believe we have breached the APPs.

To exercise any of these rights, contact us at info@sombra.io. We will respond within 30 days.

11. Children's Privacy

The Service is not directed at individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected personal information from a child without appropriate consent, we will take steps to delete that information promptly.

12. Third-Party Links and Services

The Service may contain links to third-party websites or integrate with third-party platforms that you authorise. We are not responsible for the privacy practices of those third parties. We encourage you to review the privacy policies of any third-party service before providing your information.

Our use of information received from third-party platforms is governed by this Privacy Policy and the authorisations you grant when connecting those platforms.

13. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email or through the Service with at least 30 days' notice. The "Last updated" date at the top of this page indicates the most recent revision.

Your continued use of the Service after changes take effect constitutes acceptance of the revised Privacy Policy.

14. Contact

If you have questions about this Privacy Policy or wish to exercise your rights, contact us at:

SombraNotes, Inc.
8 The Green
Dover, DE 19901
United States

info@sombra.io

For Australian privacy complaints, you may also contact the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au.