Legal

Privacy Policy

Effective Date: April 16, 2026 · Version 1.0

Souped (“we,” “us,” “our”) is operated by Capicua Group Inc. This Privacy Policy explains how we collect, use, share, and protect your personal information when you use souped.app and related services (the “Service”).

We believe privacy policies should be readable, not buried in legalese. If something is unclear, email us at privacy@souped.app and we will explain it in plain language.

Contents
  1. Who We Are
  2. What We Collect
  3. What We Do Not Collect
  4. How We Use Your Data
  5. How We Share Your Data
  6. Data Retention
  7. Cookies
  8. Your Rights
  9. International Transfers
  10. Security
  11. Children
  12. Changes to This Policy
  13. Contact Us

1. Who We Are

CompanyCapicua Group Inc. (DBA Souped)
Servicesouped.app
RoleData Controller (for account and behavioral data)
Privacy Contactprivacy@souped.app
Mailing Address1133 Broadway, Suite 530, New York, NY 10010

For the purposes of the EU General Data Protection Regulation (GDPR), Capicua Group Inc. is the data controller for the personal data described in this policy.

2. What We Collect

Information You Provide

CategoryExamplesWhy We Collect It
Account DataName, email address, company nameTo create and manage your account
Payment DataBilling address, subscription tierTo process payments (card details are handled entirely by Stripe — we never see or store your card number)
Communication DataSupport messages, feedback, survey responsesTo respond to your requests and improve the Service

Information We Collect Automatically

CategoryExamplesWhy We Collect It
Usage DataPages visited, features used, session duration, clicksTo understand how the Service is used and where to improve it
Device & Technical DataIP address, browser type, operating system, device type, screen sizeTo ensure the Service works correctly on your device
Cookie DataSession identifiers, analytics cookiesTo keep you logged in and measure aggregate usage (see Section 7)

Behavioral & Decision Data

CategoryExamplesWhy We Collect It
Decision-Making ActivityHow you interact with Souped’s decision and planning toolsTo power and improve Souped’s recommendations
Outcome DataResults and outcomes you recordTo measure the effectiveness of recommendations
Usage PatternsFeature usage frequency, workflow patternsTo improve the accuracy of Souped’s AI

This category is important and we want to be direct about it. We use aggregated, anonymized behavioral data to improve how Souped helps founders make better decisions. See Section 4 for details.

3. What We Do Not Collect for AI Training

We want to be equally clear about what we do not use:

  • Your code and project files. We do not collect, analyze, store, or use your source code or project files to train any AI model.
  • Your prompts to AI providers. When you use an AI provider through Souped (Claude, Codex, or others), your prompts are routed to your chosen provider. We do not store prompts for training purposes. Prompts may be temporarily processed in server memory to route requests and may appear in error or diagnostic logs, which are automatically purged within fourteen days.
  • Your deployment credentials. API keys, tokens, and secrets you use through the Service are never collected for any purpose beyond providing the Service.
  • Your proprietary content. Documents, designs, business plans, or other content you create or upload are yours. We do not use them to train models.

This applies to all tiers — Free, Pro, and Enterprise. There are no exceptions.

4. How We Use Your Data

Every use of your data maps to a specific purpose and legal basis.

PurposeData UsedLegal Basis (GDPR)
Provide and maintain the ServiceAccount Data, Usage Data, Device DataContractual necessity (Art. 6(1)(b))
Process payments and manage subscriptionsPayment DataContractual necessity (Art. 6(1)(b))
Send transactional communicationsAccount Data (email)Contractual necessity (Art. 6(1)(b))
Respond to support requestsCommunication Data, Account DataContractual necessity (Art. 6(1)(b))
Improve the Service based on usage patternsUsage Data, Device DataLegitimate interest (Art. 6(1)(f))
Improve AI recommendations using anonymized behavioral dataBehavioral & Decision Data (anonymized and aggregated)Consent (Art. 6(1)(a)) — you may opt out at any time
Detect fraud and prevent abuseUsage Data, Device Data, Account DataLegitimate interest (Art. 6(1)(f))
Comply with legal obligationsAs requiredLegal obligation (Art. 6(1)(c))

How Behavioral Data Improves Souped

We use anonymized, aggregated behavioral data to improve the accuracy of Souped’s recommendations. This data is stripped of all personally identifiable information before it is used for any purpose beyond providing the Service to you directly. No individual user is identifiable in the resulting dataset.

You can opt out. If you do not want your behavioral data used for AI improvement, you can opt out in your account settings at any time. Opting out does not affect your access to any features.

5. How We Share Your Data

We share your data only in the following circumstances:

AI Providers (Pass-Through)

When you use an AI provider through Souped, your requests are enhanced with contextual frameworks and routed to the provider you selected (e.g., Anthropic, OpenAI). Each AI provider’s own privacy policy governs how they handle your requests. A current list of AI providers we integrate with is available at souped.app/subprocessors.

Service Providers

Provider TypePurposeData Shared
Payment Processor (Stripe)Process paymentsBilling information (Stripe handles card data directly)
Analytics (Google Analytics, Hotjar, RB2B)Measure usage, behavior analytics, and visitor identificationUsage data, session recordings, visitor identification (with consent)
InfrastructureHost and deliver the ServiceData necessary to operate the Service

We require all service providers to process your data only on our instructions and in accordance with this Privacy Policy.

Legal & Safety

We may disclose your data if required to:

  • Comply with applicable law, regulation, or legal process
  • Respond to a valid subpoena, court order, or government request
  • Protect the safety, rights, or property of Souped, our users, or the public
  • Detect and prevent fraud or security threats

Business Transfers

If Capicua Group Inc. is involved in a merger, acquisition, or sale of substantially all assets, your data may be transferred to the acquiring entity. We will notify you via email before your data is transferred and becomes subject to a different privacy policy.

What We Do Not Do

  • We do not sell your personal data.
  • We do not share your data with advertising networks.
  • We do not share your data with third parties for their own marketing purposes.
  • We do not share your data with third parties for their own model training.

6. Data Retention

We retain your data for specific periods based on its category:

CategoryRetention PeriodWhat Happens After
Account DataDuration of your account + thirty days after deletionPermanently deleted
Payment RecordsSeven years after transactionDeleted (retained for tax and legal compliance)
Usage DataTwenty-four months (rolling)Anonymized and aggregated; raw data deleted
Behavioral & Decision DataDuration of your account (raw data)Raw data deleted thirty days after account closure. Anonymized, aggregated derivative data is retained — it is no longer personal data.
Communication DataTwenty-four monthsDeleted
Device & Technical DataTwenty-four months (rolling)Deleted
Backup CopiesUp to ninety days after primary data deletionPermanently deleted

7. Cookies

We use a minimal set of cookies:

Cookie TypePurposeConsent Required?
Strictly NecessaryKeep you logged in, maintain session state, ensure securityNo (essential for Service operation)
AnalyticsMeasure usage patterns, heatmaps, and session recordings (Google Analytics, Hotjar, RB2B)Yes (opt-in via cookie banner)

We use analytics cookies from Google Analytics, Hotjar, and RB2B to understand how the Service is used and to improve the experience. These cookies are only set with your consent via our cookie banner.

We do not use advertising cookies or third-party ad network cookies for the purpose of serving ads.

You can manage your cookie preferences at any time through the cookie settings link in the footer of souped.app.

8. Your Rights

For All Users

Regardless of where you are located, you can:

  • Access your personal data by requesting a copy
  • Correct inaccurate personal data
  • Delete your account and personal data (via account settings or by emailing privacy@souped.app)
  • Export your data in a machine-readable format
  • Opt out of behavioral data collection for AI improvement (via account settings)

Additional Rights for EEA/UK Residents (GDPR)

If you are in the European Economic Area or United Kingdom, you also have the right to:

  • Restrict processing of your personal data
  • Object to processing based on legitimate interest
  • Data portability — receive your data in a structured, commonly used format
  • Withdraw consent at any time (without affecting the lawfulness of processing before withdrawal)
  • Lodge a complaint with your local data protection authority

For cross-border data transfers from the EEA/UK to the United States, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission and, where applicable, the EU-US Data Privacy Framework.

Additional Rights for US Residents

If you are a resident of California, Colorado, Connecticut, Virginia, or other states with comprehensive privacy laws, you have the right to:

  • Know what personal information we collect and how we use it
  • Delete your personal information
  • Correct inaccurate personal information
  • Opt out of the sale or sharing of personal information (we do not sell or share your data, but the right exists)
  • Non-discrimination for exercising your privacy rights

We honor Global Privacy Control (GPC) signals automatically. We do not sell or share personal information as defined by the California Consumer Privacy Act (CCPA/CPRA). For more information, visit souped.app/do-not-sell.

How to Exercise Your Rights

  • Self-service: Account settings at souped.app provide deletion, export, and opt-out controls.
  • Email: privacy@souped.app
  • Response time: We will respond within thirty days (GDPR) or forty-five days (CCPA). If we need additional time, we will notify you.

We will never require you to send physical mail to exercise your privacy rights.

9. International Data Transfers

Souped is operated by Capicua Group Inc. in the United States. If you access the Service from outside the United States, your data will be transferred to and processed in the United States.

For users in the EEA, UK, or Switzerland:

  • We use Standard Contractual Clauses (SCCs) approved by the European Commission (Module 2: Controller to Processor) for data transfers to the United States.
  • Where applicable, we rely on the EU-US Data Privacy Framework and its UK and Swiss extensions.

A list of our current subprocessors and their locations is available at souped.app/subprocessors.

10. Security

We implement appropriate technical and organizational measures to protect your personal data, including:

  • Encryption in transit (TLS 1.2 or higher)
  • Encryption at rest for stored data
  • Access controls limiting data access to authorized personnel
  • Regular security assessments
  • Incident response procedures

No system is 100 percent secure. If we become aware of a security breach that affects your personal data, we will notify you and any applicable regulatory authority in accordance with applicable law (within seventy-two hours for GDPR-covered incidents).

11. Children

Souped is designed for business professionals. The Service is not directed to anyone under eighteen years of age. We do not knowingly collect personal information from anyone under eighteen. If we learn that we have collected personal data from someone under 18, we will delete it promptly. If you believe a minor has provided us with personal data, please contact us at privacy@souped.app.

12. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes:

  1. We will send you an email notification at least thirty days before the changes take effect.
  2. We will update the “Last Updated” date at the top of this page.
  3. We will describe the changes in the notification.

If you disagree with the changes, you may delete your account before they take effect.

13. Contact Us

If you have questions about this Privacy Policy or our data practices:

Emailprivacy@souped.app
Mailing AddressCapicua Group Inc., 1133 Broadway, Suite 530, New York, NY 10010
For GDPR inquiriesprivacy@souped.app (subject line: “GDPR Request”)
For CCPA inquiriesprivacy@souped.app (subject line: “CCPA Request”)

This Privacy Policy is provided in English. If translated into other languages, the English version controls in the event of a conflict.