Privacy Policy

This privacy policy explains how Sovereign Systems collects, uses, and protects your personal data. It covers two distinct scopes: (1) the marketing website at sovereignsystems.cc, and (2) the SOSA DevOps desktop application. These have fundamentally different data architectures. We comply with GDPR (EU) and PDPA (Thailand).

Sovereign Systems, based in Thailand. Email: [email protected]

Website scope: account data (email, display name), session cookies for authentication, and cookieless analytics via Cloudflare Web Analytics. Desktop application scope: nothing. SOSA DevOps is local-first. All application data — prompts, AI responses, session history, audit logs — is stored on your device only. Sovereign Systems has no server that receives or stores your interaction data.

Sovereign Systems does not collect: — Prompts, AI responses, or session content from SOSA DevOps — Telemetry, usage statistics, or feature analytics from the desktop app — Crash dumps or error reports from the desktop app — Audio files, project files, MIDI data, or creative content — Browsing history, location data, or contact lists — Third-party tracking cookies or advertising identifiers — Keystroke data, screen recordings, or biometric data The desktop application has no upload path, no sync path, and no telemetry pipeline.

Website data is used for: authentication (verify your identity), essential service communications (account and security notices). We do not send marketing emails without explicit opt-in. We do not use your data for advertising or sell it to third parties.

Vault A is a local, append-only cryptographic audit chain stored at vault/audit-chain.jsonl on your device. Each entry contains a timestamp, event type, character counts, and content hashes — never the raw text of your prompts or responses. Hashes are one-way (SHA-256); nothing in Vault A can be reversed into your content. Vault A is the tamper-evident record of what happened. It never leaves your device. Sovereign Systems cannot read it.

Vault B is a local interaction log stored at vault/interaction-log.jsonl on your device. It contains your prompts, AI responses, and any RAG context retrieved — in cleartext. It is stored locally for your own review, model evaluation, and export. Vault B never leaves your device. You can view it from Tools → Open Interaction Log, export sessions in TXT, PDF, or JSONL format, and delete sessions via a type-to-confirm gate. Vault B is yours — Sovereign Systems cannot read it.

SOSA DevOps v1.0 does not yet include a fully wired PII Scrubber for local AI queries. In v1.0, your prompts are written to Vault B as you typed them. If you paste a password, API key, or other sensitive credential into chat, it will land in Vault B in cleartext. Mitigations: (1) do not paste secrets into chat, (2) if you do, delete the session from the Vault B viewer, (3) use full-disk encryption on your machine. The PII Scrubber ships in v1.1. This section will be updated when it does.

SOSA DevOps connects to a local Ollama runtime that you install separately. Models run on your hardware. Your prompts are sent to 127.0.0.1:11434 — a loopback address that does not leave your device. Models do not learn from you; Ollama performs inference only, weights are frozen. Sovereign Systems never receives your prompts.

SOSA DevOps v1.0 ships with no external AI providers wired. The External Providers tab shows all providers as Disabled. No prompt, response, or content leaves your device via the application. When external providers are wired in v1.1+, every outbound request will pass through the Privacy Filter before leaving the device. Vault A and Vault B will continue to log all interactions. This policy will be updated to document each provider, the data sent, and the applicable transfer safeguards.

The following processors handle website data on our behalf: Supabase (United States) — authentication and database. SOC 2 Type II certified. Cloudflare (United States) — website hosting, CDN, and R2 storage. SOC 2 Type II and ISO 27001 certified. Cloudflare Web Analytics is cookieless and collects no personally identifiable information. All processors are bound by Data Processing Agreements (DPAs) requiring GDPR and PDPA compliance. The desktop application has no processors — all data is local.

Website scope: your personal data may be processed in the United States by Supabase and Cloudflare. For GDPR compliance (Chapter V) we rely on Standard Contractual Clauses (SCCs). For PDPA compliance (Sections 28-29) we rely on contractual safeguards as no PDPC adequacy list has been published as of 2026. Desktop application scope: no cross-border transfers occur in v1.0. All data is local to your device.

Website account data is retained while your account is active. Upon account deletion, personal data is removed within 30 days. Encrypted backups are purged within 90 days. Desktop application data: retained on your device under your control. Delete sessions from the Vault B viewer, or uninstall and delete the application data directory for complete removal.

Essential cookies only: an HTTP-only, Secure session cookie set by Supabase to maintain your signed-in state, and ss_cookie_consent to record your acknowledgment of this notice. We do not use tracking, analytics, advertising, or third-party cookies. Cloudflare Web Analytics is entirely cookieless.

If you are in the EEA: access, rectification, erasure, data portability, objection, restriction, withdrawal of consent, and right to lodge a complaint with your supervisory authority. Contact [email protected]. We respond within 30 days. For desktop app data: your rights are exercised directly — your data is on your machine. View (Tools → Open Interaction Log), export (per-session TXT/PDF/JSONL), delete (per-session or full uninstall).

Access, correction, deletion, objection, data portability, and withdrawal of consent. Withdrawal must be as easy as giving consent. File complaints with the Personal Data Protection Committee (PDPC) at pdpc.or.th. Contact [email protected].

A conventional data breach — unauthorised access to a server database — is structurally limited by SOSA DevOps's architecture. We do not operate a server holding your interaction data. If we discover a security incident affecting any data we do hold (e.g. the website mailing list or application signing keys), we will notify the PDPC and relevant EU supervisory authority within 72 hours, and affected individuals without undue delay if there is high risk to their rights and freedoms.

Our services are not directed at children. Under GDPR, we do not knowingly collect data from children under 16. Under PDPA, children under 10 require parental consent. Contact [email protected] if you believe a child has provided data.

Material changes — such as adding telemetry, wiring an external provider, or changing the local-only invariant — will be announced 30 days in advance by email and in-application banner. Minor changes (clarifications, typo fixes) are documented in the project changelog.

Privacy questions: [email protected] AI-specific questions: [email protected] Security disclosure: [email protected] Legal questions: [email protected]