Sotto Privacy Policy
Effective date: 15 December 2025
Last updated: 20 December 2025
This Privacy Policy explains how Stratara Ltd ("Stratara", "we", "us") collects, uses, discloses, and protects information about you when you use the Sotto mobile app and related services ("Sotto").
By creating an account, connecting with a partner, or using Sotto, you acknowledge that you have read this Privacy Policy and understand how we process your information.
1. Who We Are and Scope of This Policy
Sotto is an AI-powered messaging app for couples operated by Stratara Ltd, an Israeli company.
This Privacy Policy applies to:
- The Sotto iOS app;
- The backend services and APIs that power Sotto;
- Sotto-specific pages and support channels on stratara.ai (including our legal pages and support email).
Other Stratara products may have their own privacy notices. Where we link to a different privacy notice, that notice governs that product or service.
This Privacy Policy should be read together with:
- The Sotto Terms of Use; and
- Any in-app notices or consent screens describing specific data uses (for example, AI processing, voice transcription, discreet notifications, optional location tags).
If anything in the Terms of Use conflicts with this Privacy Policy on how we handle personal data, this Privacy Policy prevails.
2. Key Principles at a Glance
We want Sotto's privacy approach to be understandable even if you do not read every detail. In summary:
2.1 Privacy-by-design, not privacy theatre
Sotto exists to help couples strengthen their relationship through meaningful AI insights. We minimise privacy exposure while still delivering the product.
2.2 Your full chat history is not our server's archive
- Your full message history and full-resolution media are stored on your devices.
- Our server is not intended to be a long-term archive of raw conversation content.
2.3 End-to-end encryption for partner messaging
Partner-to-partner messages and media are end-to-end encrypted for syncing/relay, meaning we cannot read them during normal delivery.
2.4 A limited exception for AI insights
AI cannot run on encrypted text. When you use AI features (like nightly relationship insights), Sotto processes bounded message chunks on our servers and shares limited data with our AI subprocessors for that purpose. We keep exposure short and delete raw processing inputs quickly.
2.5 No sale of personal data, no advertising profiles
We do not sell your personal data and we do not share it with advertisers for their own targeted advertising.
2.6 Optional features are optional
Features that share extra information (like location labels or battery level) are opt-in and can be turned off any time in settings.
2.7 First-party analytics approach
We focus on first-party, privacy-respectful analytics. We do not embed ad SDKs to track you across apps and websites.
2.8 Transparency about third parties
We maintain a public list of Sotto AI subprocessors here:
https://stratara.ai/legal/sotto/subprocessors
3. Controller, Representatives and Contact Details
3.1 Data Controller
The data controller responsible for processing your personal data in connection with Sotto is:
Stratara Ltd
Company number: 517197182
Dan 14, Ness Ziona
7412110
Israel
3.2 EU and UK Representatives
Under Article 27 GDPR and UK GDPR, non-EU/UK-established controllers may be required to appoint local representatives when offering goods or services to individuals in the European Economic Area ("EEA") or the United Kingdom ("UK").
Stratara will appoint such representatives once required based on our activities in those regions. When appointed, their contact details will be published in this section. Until then, you may contact us directly using the details below.
3.3 Data Protection Officer
When required by law or as our operations grow, we will appoint a Data Protection Officer ("DPO"). Once appointed, their contact details will be provided here. Until then, please use the contact details in section 3.4.
3.4 How to Contact Us About Privacy
For questions, requests, or complaints about this Privacy Policy or our handling of your data, you can contact us at:
Email: [email protected]
Subject line suggestion: "Sotto – Privacy request"
Support: [email protected]
We may ask you for additional information to verify your identity before responding to certain requests.
4. Information We Collect
This section describes the categories of information we process when you use Sotto. We may collect this information directly from you, from your device, from platform providers (such as Apple), or from our service providers.
We do not intentionally collect personal data that is not described in this Privacy Policy.
4.1 Account and Identity Data
When you create and use a Sotto account, we process data such as:
- Account identifier – a unique internal ID we generate.
- Couple identifier – a unique ID used to connect two partners and route data.
- Authentication and session data – login/session tokens, login timestamps, device/session identifiers.
- Contact details (if provided) – for example an email address if you sign up with email, contact support, or choose to add an email for account recovery or important service communications.
- Settings and preference flags – language, notification preferences, privacy toggles, and consent states (for example, whether AI processing is enabled).
This data is necessary to create and maintain your account, allow you to log in, connect you to your partner, and provide the service reliably.
4.2 Partner Connection and Sync Data
To connect two partners and keep Sotto consistent across devices, we process:
- Connection and pairing data (for example, invite codes or pairing tokens).
- Sync state and delivery metadata (what has been delivered to which device, timestamps, and delivery confirmations).
- Server-generated entity IDs for outputs (briefs, commitments, events, memory entries), so both devices reference the same objects without conflicts.
4.3 Messaging Content and Conversation Data (Important Distinctions)
Sotto processes messaging data in different ways depending on what the feature is doing.
A) Partner-to-partner message relay (end-to-end encrypted by default)
- What we process: encrypted message and media blobs in transit.
- What we do not process: readable message content (we cannot decrypt it in this pathway).
- Where it is stored: your devices are the long-term archive. The server acts as a relay and does not store your full conversation archive.
B) Limited "analysis bundles" for AI features (server-side processing)
If you enable AI insights (and other AI features that require it), Sotto processes:
- Recent message chunks (typically "yesterday", or other bounded chunks);
- Relevant context snippets needed to generate insights (not your full history by default);
- Transcripts and descriptions (text derived from voice notes and media, when those features are used).
These bundles are processed for the purpose of generating AI outputs and are retained only briefly (see section 10).
C) AI outputs (stored temporarily for syncing)
We process and may store:
- Nightly briefs and relationship insights;
- Memory entries and structured items like commitments, events, and profile facts.
These outputs may be stored server-side long enough to sync to both partners and then can be purged.
4.4 Media Data (Photos, Videos, Voice Notes)
Sotto supports media in chat. We distinguish between full-resolution media and minimal data used for AI features:
- Full-resolution photos/videos/voice notes: stored on your devices; when synced to your partner they are end-to-end encrypted for delivery.
- Voice transcription: voice audio may be sent for transcription (see section 7).
- Image/video descriptions: low-resolution previews may be sent for generating text descriptions (see section 7).
4.5 Presence and Real-Time Status Data
Sotto includes real-time features. We process:
- Presence status (e.g., whether you're currently in the chat), used for partner indicators and push suppression.
- Timestamps and operational metadata required for real-time operation.
Presence is designed to be ephemeral (see section 10).
4.6 Optional, Opt-In Features (You Control These)
If you enable these features, we process:
A) Location tags (labels only)
- The app may use your device's location permission to determine whether you are at a saved place.
- What we send/store: only a place label (e.g., "Home", "Work"), not GPS coordinates.
B) Battery sharing
- Battery percentage (0–100) and charging state.
C) Motion tag ("On the move")
- Activity type (walking/driving/cycling) based on device motion sensors.
- Not your location.
4.7 Anonymous Usage Analytics (Opt-Out)
To understand how Sotto is used and improve it, we process aggregate usage metrics such as:
- Message counts by type (text/voice/image/video);
- Reactions sent;
- Briefs read;
- Sotto AI interactions (e.g., direct messages and @mentions);
- App opens and session duration.
We do not include message content in analytics.
Analytics can be disabled in Sotto settings (see section 12).
4.8 Crash Reporting and Performance Diagnostics
We use Apple's MetricKit framework for crash diagnostics and performance metrics:
- Crash types, termination reasons, stack traces;
- Performance metrics (CPU, memory, hangs);
- Device model, app version, OS version.
MetricKit reports are generated on-device. We do not embed third-party crash SDKs that send your crash data to external vendors.
4.9 Purchase and Subscription Data
If you subscribe to Sotto premium features:
- Apple processes payments through the App Store / StoreKit.
- We may process/store:
  - Subscription status (active/inactive);
  - Product identifiers;
  - Purchase timestamps and transaction/receipt metadata needed to validate entitlement and prevent fraud.
We do not receive your credit card number or bank account details from Apple.
4.10 Technical and Network Data
To operate and secure the service, we may process:
- IP address and network metadata (typically for security, rate limiting, abuse prevention, and diagnosing service issues);
- Device and app information (device model, OS version, app version, language/region settings);
- Push notification tokens.
We do not use this information to build advertising profiles.
4.11 Data We Explicitly Do Not Collect (or Do Not Collect Intentionally)
To avoid doubt, Sotto does not:
- Import your contacts/address book (unless we ever introduce an explicit contact feature and you consent — currently not required for core messaging);
- Read your SMS messages or phone call logs;
- Collect or store your precise GPS coordinates on our servers (location tags share labels only);
- Use advertising SDKs or sell data to advertisers;
- Track you across apps and websites for targeted advertising;
- Collect your payment card details (Apple handles payment details).
If we ever introduce a new feature that requires additional data categories, we will update this Privacy Policy and provide appropriate in-app notices before beginning that processing.
5. How We Use Your Information and Legal Bases
We use the information we process for the purposes described below. Under European data protection law, we must also have a "legal basis" for processing.
5.1 Providing and Operating Sotto (Messaging, Sync, Core Functionality)
Legal basis: performance of a contract; legitimate interests
We use your information to:
- Create and manage your account and couple connection;
- Authenticate you and keep sessions secure;
- Deliver encrypted messages and media between partners;
- Maintain sync consistency across devices;
- Provide core app features you request.
Without this processing, we cannot provide Sotto.
5.2 Providing AI Features (Insights, Summaries, Structured Relationship Features)
Legal basis: performance of a contract; consent (where required); legitimate interests
Sotto's purpose is relationship understanding through AI. We use bounded conversation context to:
- Generate relationship insights and briefs;
- Produce memory entries and structured items (commitments, events, profile facts) when you use those features;
- Improve the quality and reliability of the AI experience at a system level (for example, by analysing aggregated patterns and error rates, not by training on your raw conversations).
Where local law requires explicit consent for certain processing (especially where sensitive personal data may be involved), we ask for it through in-app notices/consent screens and provide controls to disable optional AI features.
5.3 Voice and Media AI Processing
Legal basis: performance of a contract; consent (where required)
We process voice notes and media to provide:
- Voice transcription (voice → text);
- Image/video descriptions (low-res preview → description).
Details are in section 7.
5.4 Security, Fraud Prevention, and Abuse
Legal basis: legitimate interests; legal obligations where applicable
We use account, device, network, and operational data to:
- Protect infrastructure from attacks and unauthorised access;
- Prevent abuse, spam, and misuse;
- Enforce our Terms and protect users.
In some cases we may be legally required to retain or disclose limited data.
5.5 Reliability, Diagnostics, and Product Improvement
Legal basis: legitimate interests
We use technical diagnostics and aggregate analytics to:
- Monitor stability and performance;
- Diagnose bugs and crashes;
- Improve reliability and UX.
We do this in a privacy-respectful way: we do not include message content in analytics, and we avoid third-party advertising analytics SDKs.
5.6 Subscription Entitlements and Accounting
Legal basis: performance of a contract; legal obligations; legitimate interests
We process subscription metadata to:
- Validate your premium access;
- Prevent fraud and chargeback abuse;
- Maintain records required for accounting and compliance.
5.7 Customer Support and Communications
Legal basis: performance of a contract; legitimate interests; consent (where required)
We use your information to:
- Respond to support requests;
- Communicate important service information (security notices, major changes, policy updates).
We do not send frequent marketing emails about unrelated products. If we ever introduce optional marketing communications, we will do so only where allowed by law and with a clear opt-out.
5.8 Legal and Compliance Purposes
Legal basis: legal obligations; legitimate interests
We may need to use and retain some information to:
- Comply with law and respond to lawful requests;
- Establish, exercise, or defend legal claims.
5.9 No Unannounced New Purposes
We will not use your personal data for purposes materially different from those described in this Privacy Policy without:
- Updating this Privacy Policy; and
- Where required by law, obtaining your additional consent before such new use.
6. Messaging, Encryption, and What Leaves Your Device
This section explains Sotto's privacy architecture in plain language.
6.1 Partner messaging uses end-to-end encryption (E2EE)
When you message your partner:
- Messages are encrypted on your device using couple-specific keys;
- Our server relays encrypted data to your partner;
- Only your devices can decrypt the messages;
- Encryption keys do not leave devices.
Result: under normal message delivery, we cannot read your message content.
6.2 Our server is not your message archive
Your full conversation archive lives on devices. Our server is designed as a relay for encrypted partner sync, not a long-term store of raw messages and media.
6.3 Why AI insights require limited server access
AI cannot analyse end-to-end encrypted content. To generate relationship insights, Sotto runs an analysis pipeline:
- Your device prepares a bounded bundle (typically a recent slice like "yesterday", plus limited relevant context);
- That bundle is encrypted for the analysis service;
- Our server decrypts it to run automated analysis and generate outputs;
- We delete the raw bundle shortly after processing and sync (see section 10).
This is a scoped exception to E2EE for the specific purpose of insight generation.
6.4 What we store server-side (and what we don't)
We may store:
- AI-generated outputs (briefs, insights, memory entries);
- Structured relationship data (commitments, events, profile facts);
- Sync state metadata.
We do not store:
- Your full readable message history as a long-term archive;
- Full-resolution media files as a long-term server archive.
7. Voice Notes and Media Processing (Transcription and Descriptions)
7.1 Voice notes (transcription)
If you send a voice note and transcription features are enabled:
- Voice audio may be sent to an AI subprocessor to create a text transcript.
- We aim to delete raw voice audio from our servers immediately after transcription completes.
- The transcript may be retained (for example, encrypted as part of the message) and may be included in bounded analysis bundles.
7.2 Images and videos (descriptions)
If you send an image or video and description features are enabled:
- We may send a low-resolution preview to an AI subprocessor to generate a text description.
- Full-resolution originals are not sent for this purpose.
- We aim to delete the preview from our servers immediately after the description is generated.
7.3 Why we do this
These features exist to:
- Make voice notes searchable/understandable in text;
- Improve context understanding for insights;
- Support discreet or context-aware notifications (where enabled).
8. AI Subprocessors and Third-Party Processing
Sotto uses third-party AI providers (subprocessors) for specific tasks (e.g., insight generation, transcription, classification). This necessarily means certain content is shared with those providers for processing.
8.1 Where to see the current list
We keep the current list of AI subprocessors, and what they are used for, here:
https://stratara.ai/legal/sotto/subprocessors
8.2 What data may be shared with AI subprocessors
Depending on the feature, this may include:
- Recent message chunks used for insights (bounded context);
- Transcripts of voice notes;
- Low-resolution media previews for generating descriptions;
- Message preview text for discreet notification filtering (if enabled).
8.3 How we choose and configure AI providers
Our intent is:
- Use commercial API access (not consumer chat products) where we can set enterprise/privacy controls;
- Use settings/contractual terms designed to prevent training on customer data where available;
- Minimise data shared and minimise retention.
However: we cannot fully control what happens inside third-party systems. We commit to transparency, minimisation, and choosing providers with strong privacy practices.
8.4 Human access to your content
- E2EE partner messages: we cannot read them via our normal messaging pipeline.
- AI processing: content is decrypted for automated processing. We do not have a routine practice of humans reading your messages. If we ever need content to debug an issue, we will generally ask you to provide it (or to give explicit consent), unless we are legally required to do otherwise.
9. How We Share Information
We share information only as needed to run Sotto.
9.1 Sharing with your partner
Sotto is a couple app. Information you send in chat is shared with your partner by design. Optional features (location labels, battery, motion tag) share additional information with your partner only if enabled.
9.2 Sharing with service providers
We share limited data with vendors who help us operate Sotto, such as:
- Hosting and infrastructure providers;
- Push notification delivery (Apple);
- AI subprocessors (see section 8).
They may process data only under our instructions and for providing their services to us.
9.3 No sale of personal data / no advertising sharing
We do not sell your personal data. We do not share your personal data with advertisers for their own targeted advertising.
9.4 Legal and safety disclosures
We may disclose information if we believe it is reasonably necessary to:
- Comply with law, regulation, legal process, or lawful requests;
- Protect the rights, safety, and security of users, Stratara, or the public.
Where legally permitted, we will try to notify you.
9.5 Business transfers
If Stratara is involved in a merger, acquisition, reorganisation, or sale of assets, your information may be transferred as part of that transaction, subject to appropriate safeguards.
10. Data Retention
We keep data only as long as needed for the purposes described above.
10.1 On-device retention (your archive)
Full message history and full-resolution media are stored on your devices until you delete them (or remove the app / wipe the device, subject to your own device backup settings).
10.2 Encrypted relay data (partner messaging)
Encrypted message/media blobs are relayed to support delivery. Sotto is designed so the server is not your long-term archive of raw messages.
10.3 AI analysis bundles (short-lived)
Raw bundles used for AI analysis are retained only as long as needed to process the insight and deliver results.
Bundles awaiting retry are deleted within a short window; encrypted bundles awaiting retry are deleted within 6 hours regardless of success.
10.4 Voice audio and media previews (short-lived)
- Voice audio used for transcription is deleted after transcription completes.
- Low-resolution previews used for image/video descriptions are deleted after the description is generated.
10.5 AI outputs and structured data (temporary on server)
AI-generated outputs and structured relationship data may be stored on our servers long enough to sync to both partners.
Once both partners have successfully synced, server copies can be purged. Devices may retain outputs longer to provide continuity in the app.
10.6 Presence, location tags, battery, motion
- Presence is real-time and typically exists only briefly (around 35 seconds) for live indicators and push suppression.
- Location tags are sent as labels and are not intended to be stored as history.
- Battery level is stored as the current value only and updated when it changes (or when disabled).
- Motion tag is sent as an activity label and is not intended to be stored as history.
10.7 Analytics and diagnostics
- Anonymous analytics is retained only as long as needed to understand product usage and improve the service, and is reviewed periodically.
- Crash/performance diagnostics are handled via MetricKit and used for stability and reliability.
10.8 Legal retention
In some cases, we may need to retain certain information for longer where required by law (for example, records relating to transactions and compliance).
11. Security Measures
We use technical and organisational measures designed to protect personal data, including:
- Encryption in transit;
- End-to-end encryption for partner messaging and media relay;
- Encryption at rest for server-stored data where applicable (e.g., stored outputs and sync state);
- Access controls and least-privilege principles;
- Monitoring, logging, and operational safeguards focused on security and reliability.
No system is perfectly secure. If we become aware of a security incident affecting your personal data, we will act promptly and notify you where required by law.
12. Your Choices and Controls
12.1 In-app privacy settings
Depending on the feature set available in your version of Sotto, you can control:
- Location tags: Settings → Privacy & Security → Location Tags
- Battery sharing: Settings → Privacy & Security → Battery Sharing
- Discreet notifications: Settings → Privacy & Security → Discreet Notifications
- Motion tag: Settings → Privacy & Security → Location Tags → "On the move"
- Anonymous usage analytics: Settings → Privacy → Anonymous Analysis Data
If you turn a feature off, we stop collecting/sharing data for that feature going forward.
12.2 iOS permissions
You can control app permissions in iOS Settings, such as:
- Notifications;
- Microphone (voice notes);
- Photos/Camera (sending media);
- Location and Motion (only if you enable location tags / motion tag features).
If you revoke a permission, Sotto stops accessing that data through that permission.
12.3 AI processing consent
Where required (and as a general transparency practice), Sotto provides clear notices about:
- What data is sent to AI subprocessors;
- What features require AI processing;
- How to disable optional AI-related features.
If a feature depends on AI processing and you do not enable it, that feature will not function.
13. Account Deletion and Deleting Your Data
13.1 In-app account deletion
Sotto provides an in-app mechanism to delete your account where account creation is supported.
When you delete your account:
- We delete personal data associated with your account from our systems unless we are legally required to keep it.
- Data stored only on your devices is removed when you delete it there, remove the app, or wipe the device (subject to your device backup settings).
13.2 Important note about your partner's device
Sotto is shared by design. Even if you delete your account:
- Your partner may still have copies of messages/media on their device (because they are a participant in the conversation).
13.3 How to request deletion or help
Privacy requests: [email protected]
Support: [email protected]
14. Your Rights
Depending on where you live, you may have rights to:
- Access your personal data;
- Correct inaccurate data;
- Delete your personal data;
- Object to or restrict certain processing;
- Data portability (where applicable);
- Withdraw consent (where processing is based on consent).
14.1 How to exercise your rights
Contact [email protected]. We may need to verify your identity.
14.2 Practical limits (E2EE design)
Because your full message history is stored on devices and partner-to-partner content is end-to-end encrypted, we may not be able to provide server-side copies of your full message history (we generally do not have it). We can help with:
- Account-level data we control;
- Server-stored outputs/structured data (to the extent we retain it);
- Support and guidance on deleting data from your devices.
14.3 California notice (CCPA/CPRA)
- We do not "sell" your personal information.
- We do not "share" personal information for cross-context behavioural advertising.
- You may still have rights to know, delete, or correct information we hold, subject to legal exceptions.
14.4 Complaints
If you are in the EEA/UK/Switzerland, you may have the right to lodge a complaint with your local data protection authority. We encourage you to contact us first so we can try to resolve the issue.
15. International Data Transfers
Stratara is based in Israel. Our service providers (including AI subprocessors) may process data in other countries.
Where applicable laws require safeguards for international transfers, we use appropriate measures (such as contractual protections) designed to protect personal data.
16. Sensitive Data, Profiling, and Automated Decision-Making
16.1 Sensitive personal data in conversations
Couples may naturally discuss highly sensitive topics (health, sexuality, family issues, religion, etc.). Sotto does not require you to share such information, but you may choose to.
If you enable AI insights, the bounded conversation chunks used for analysis may include sensitive information if you include it in your chat. We process that content only to provide the service and generate the insights you requested, not for advertising or unrelated profiling.
16.2 Profiling and "relationship insights"
Sotto may generate insights that involve interpreting patterns in conversation (for example, recurring themes or communication styles). These are intended to support reflection and conversation between partners.
We do not use Sotto insights to:
- Make automated decisions that produce legal or similarly significant effects on you (e.g., credit, employment, housing);
- Build advertising profiles;
- Sell data to data brokers.
17. Children
Sotto is not directed at children and is intended for users aged 16 and over. If we learn we have collected personal data from a child under 16, we will take steps to delete it.
18. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. If we make material changes (for example, changing what data we collect, how we use it, or introducing a new AI subprocessor for sensitive processing), we will:
- Update the "Last updated" date; and
- Provide an appropriate notice in the app or by other reasonable means.
19. Contact
Privacy: [email protected]
Support: [email protected]
Stratara Ltd
Company number: 517197182
Dan 14, Ness Ziona
7412110
Israel