This Privacy Policy describes how Appolius d.o.o. (“we”, “us”, or “our”), the company that operates SOPX, collects, uses, and protects personal data when you use the SOPX website and web application. By accessing or using SOPX, you consent to the practices described in this policy.
We are committed to protecting your personal data. We process personal data in compliance with the General Data Protection Regulation (EU) 2016/679 (GDPR) and the Personal Data Protection Act of the Republic of Slovenia.
Definitions
Personal data means any information relating to an identified or identifiable natural person. Processing means any operation performed on personal data, including collection, storage, use, transmission, and deletion. Data controller means the entity that determines the purposes and means of processing your personal data; in this Privacy Policy, that entity is us. Data processor means a third party that processes personal data on behalf of the data controller, under a written data processing agreement.
Data Controller
We are the data controller responsible for your personal data, with our registered office in the Republic of Slovenia. For all data protection matters, contact us at [email protected].
Legal Basis for Processing
We process your personal data on the following legal bases under Article 6 of the GDPR:
- Contract performance — processing necessary to provide the SOPX service to you under your subscription agreement, including account management, processing uploaded content to generate SOPs, and billing.
- Legitimate interests — processing necessary for the security of the service, fraud prevention, and improving service reliability, where these interests are not overridden by your rights.
- Legal obligation — processing required to comply with applicable laws and regulations.
- Consent — where you have given explicit consent, such as for optional cookies. You may withdraw consent at any time without affecting the lawfulness of processing based on consent before withdrawal.
Data We Collect
Account data. When you register, we collect your name, email address, and either a password (stored in hashed form) or, if you choose Google or Microsoft sign-in, the authentication identifier provided by that provider. With Google or Microsoft sign-in, the provider authenticates you and shares your name, email address, and (where applicable) profile picture with us. We do not receive your Google or Microsoft password, and Google and Microsoft do not receive information about your activity within SOPX. Authentication via these providers is governed by Google’s Privacy Policy and Microsoft’s Privacy Statement. We also collect your organization name and subscription plan details.
Content data. When you use SOPX, we store the videos you upload, the audio extracted from those videos for transcription, the generated SOPs and work instructions, and any edits you make to that content.
Usage and log data. We automatically collect technical data necessary to operate the service, including IP address, browser type, device type, timestamps of actions performed in the application, and error logs.
Billing data. See “Payments and Merchant of Record” below for how subscription billing data is handled.
Website data. When you visit our website, device and log data (IP address, date and time of visit) are collected automatically. This data is used for security and analytics purposes.
AI Processing of Your Content
SOPX uses artificial intelligence to transcribe audio from uploaded videos and to analyze video content in order to generate structured work instructions and SOPs. This processing is the core function of the service.
To deliver this functionality, audio and video content you upload is transmitted to third-party AI service providers who act as data processors on our behalf. These providers process your content solely to provide the transcription and analysis service and are subject to applicable data protection terms that prohibit them from using your content for any other purpose, including training AI models.
You should be aware that videos and audio you upload may contain personal data of individuals appearing in or speaking in that content. You are responsible for ensuring you have a lawful basis under applicable data protection law to upload and process such content using SOPX.
Payments and Merchant of Record
Subscriptions to SOPX are sold and invoiced through a third-party payment provider that acts as Merchant of Record on our behalf. The payment provider stores your full card details under PCI-DSS Level 1 certification; we never see or store your full card number or CVC. From the payment provider we receive limited billing information such as your subscription status, plan and seat counts, billing email, billing address, country, Tax or VAT ID, transaction history, and the last four digits and brand of your card (for display in the billing portal). Charges may appear on your bank or card statement as LINK.COM or LINK.COM* SOPX AI. The payment provider’s identity is available on request at [email protected].
International Data Transfers
We are based in the Republic of Slovenia. Your account data, generated SOPs, and uploaded content are stored on servers located within the European Union. Some processing — including AI inference and transcription, object storage and content delivery, payment processing, and authentication via third-party identity providers — may occur in the United States or other jurisdictions outside the European Economic Area. These transfers rely on Standard Contractual Clauses (SCCs) adopted by the European Commission, which provide appropriate safeguards for the transfer of personal data to third countries under Article 46 of the GDPR.
Sub-processors
We engage third-party service providers to operate SOPX. The categories of sub-processors and their roles include:
- Cloud hosting and infrastructure (within the European Union) — primary application servers and storage of your account data, generated SOPs, and uploaded content.
- Object storage, content delivery, and DNS — to deliver the service reliably.
- AI services — for video analysis, audio transcription, and content generation.
- Authentication providers — if you choose to sign in with a Google or Microsoft account, that provider authenticates you.
- Payment and billing — see “Payments and Merchant of Record” above.
- Customer communications — transactional and account-related email.
Each sub-processor is subject to its applicable data protection terms and uses your data only to provide the contracted service. A current list of named sub-processors is published at /legal/subprocessors/.
Data Control and Security
We implement technical and organizational measures to protect personal data against unauthorized access, accidental loss, destruction, or alteration. These measures include encrypted data transmission (TLS), access controls limiting data access to authorized personnel only, and regular security reviews of our infrastructure.
Data Retention
We retain your personal data and content for as long as your account is active. When you cancel your subscription or delete your account, all your data, including uploaded videos, generated SOPs, transcripts, and account information, is permanently deleted from our systems. Deletion is irreversible. We retain billing, invoice, and tax records for at least 10 years, as required under the Slovenian Tax Procedure Act (ZDavP-2) and the Value Added Tax Act (ZDDV-1).
Your Rights Under GDPR
Under the GDPR, you have the following rights regarding your personal data:
- Right of access — you may request a copy of the personal data we hold about you.
- Right to rectification — you may request correction of inaccurate or incomplete personal data.
- Right to erasure — you may request deletion of your personal data. You can delete your account and all associated data directly from your account settings.
- Right to restriction — you may request that we restrict processing of your personal data in certain circumstances.
- Right to data portability — you may request a copy of your data in a structured, machine-readable format.
- Right to object — you may object to processing based on legitimate interests.
To exercise any of these rights, contact us at [email protected]. We will respond within 30 days. You also have the right to lodge a complaint with the Information Commissioner of the Republic of Slovenia (Informacijski pooblaščenec, www.ip-rs.si) or another competent supervisory authority in the EU member state of your habitual residence.
Minimum Age
SOPX is not intended for use by individuals under the age of 16. By using the service, you confirm that you are at least 16 years of age. If we become aware that personal data has been collected from a person under 16 without verifiable parental consent, we will delete that data promptly.
Contact Forms and Inquiries
If you submit a form on our website, the following personal data will be collected: name, email address, and your message. We use this data solely to respond to your inquiry. This data is retained until your inquiry is resolved and for a reasonable period thereafter, or until you withdraw your consent.
We store personal data submitted through forms securely and do not transfer it to third parties except where necessary to respond to your inquiry.
Changes to This Privacy Policy
We reserve the right to update this Privacy Policy at any time. Where changes are material, we will notify you by email or through a notice within the service before the changes take effect. Your continued use of SOPX after the updated policy takes effect constitutes your acceptance of the changes.
Cookie Policy
This website and web application use cookies and similar technologies to operate core functionality and to understand how the service is used.
Strictly necessary cookies are required for the service to function. These include session authentication cookies that keep you logged in and security cookies that protect against cross-site request forgery. These cookies cannot be disabled without breaking the service.
Analytics. We use a self-hosted instance of Plausible Analytics, running on our own EU infrastructure, to measure aggregate traffic to our marketing website. Plausible does not set cookies and does not collect personal data as defined under GDPR. No analytics data is shared with third parties.
We do not use advertising cookies, tracking pixels, or third-party marketing cookies.
You can control cookie settings through your browser. Disabling strictly necessary cookies will prevent you from logging in and using the service.
Contact Us
If you have any questions or requests regarding this Privacy Policy or the personal data we hold about you, please contact us at [email protected].