soXal

privacy policy

Privacy Policy

Last updated: 2026-05-15

This Privacy Policy explains what data soXal, LLC (“soXal,” “we,” “us”) collects when you use soxal.co and the soXal platform, how we use it, who we share it with, and what control you have over it.

The short version: we collect what we need to run the platform. Your production data stays org-scoped. Your personal documents (xHand) stay user-scoped. Your wellness entries stay private. We never sell your data. We never use your data to train AI models. Anonymized aggregates are opt-in.

1. Data we collect

Account data

  • Email address — used for magic-link sign-in and account communications
  • Display name — optional; you can set or update it anytime
  • Org membership — which org(s) you belong to and your role within them

Content you upload

  • Production documents — advances, riders, gear sheets, contact sheets, post-mortems, photos. Stored in Supabase Storage under your org’s scoped path.
  • Personal records (xHand) — pay stubs, W-2s, 1099s, call sheets, mileage logs. Stored under your user-scoped path.
  • Wellness entries (1% Better) — text + score data you log. Stored against your user ID.
  • Crew rolodex data — names, phones, emails, roles you add manually or via the contact-sheet extractor. Stored against your org.

Derived data we generate from your content

  • Parsed text — we extract text from PDFs, Word docs, and spreadsheets so the AI TD can read them
  • Embeddings — numerical vectors representing the meaning of your text chunks, used for semantic search. Stored in pgvector. Not human-readable.
  • Structured extractions — e.g. paystub fields, contact rows, decision-log entries
  • AI TD answers + citations — logged in the decisions table per question

Analytics

  • Page views — path, referrer, user agent family (Chrome/Safari/Firefox), country/region, device kind (mobile/desktop). We do NOT store raw IPs — we SHA-256 hash them.
  • Events — custom client-side events such as “demo_question_asked,” same privacy mechanics
  • Microsoft Clarity — heatmaps and session replays on public marketing pages only (env-gated; disabled in private beta when key isn’t set). Clarity does NOT capture content from authenticated /app/* surfaces.
  • Usage events — every paid AI call (Anthropic, Voyage) gets a row with estimated cost, so we can keep spend transparent in the admin control room. Doesn’t include the prompt body.

Do Not Track

We respect the browser’s Do Not Track signal. If your browser sends DNT, we skip page-view + event analytics entirely.

2. How we use your data

  • To run the service — auth, render your dashboard, answer your AI TD questions, embed your docs for search
  • To bill you (when paid tier launches) — subscription processing via Stripe
  • To track our spend — per-org AI call costs in the admin control room
  • To improve the service — aggregated, anonymized metrics. We do NOT train AI models on your content.
  • To meet legal obligations — tax records, court orders, valid legal process

3. How your data is scoped

soXal’s privacy moat is row-level security (RLS) in Postgres. The rules are enforced at the database layer, not just the application:

  • Org-scoped data — shows, documents, document_chunks, gear sheets, crew calls, outcomes, crew_members, decisions. Only members of the owning org can read or modify these rows.
  • User-scoped data — personal_documents (xHand), entries (1% Better), profiles. Only you can read or modify your own rows.
  • Globally readable — venues, vendors (basic facts only). The org’s relationship with a vendor (pricing, performance notes) is org-private; the vendor’s public identity is shared.
  • Admin-only — beta requests, /about access, usage events, rate events, build sessions, page views, custom events. Visible only to soXal staff for operations.

4. Third-party processors

We use these vendors to provide soXal. Each has their own privacy practices; using soXal means you consent to their handling of your data for these purposes.

  • Supabase — database, auth, storage, edge functions. Data resides on AWS US-East infrastructure. Encrypted in transit and at rest.
  • Anthropic (Claude) — AI inference for AI TD’s Q&A, the classifier, and structured extractors. Anthropic does NOT train on API-submitted content per their commercial terms. Per-request data passes through Anthropic’s API and is not retained for training.
  • Voyage AI — embeddings. Same posture: API content is not used for training per Voyage’s terms.
  • Vercel — web hosting + serverless functions. Standard request logs apply.
  • Microsoft Clarity — heatmaps and session replays on public pages only. Anonymized; no PII captured. Env-gated.
  • Stripe (when paid tier launches) — payment processing. We never see or store your card details.
  • Cloudflare — CDN and DDoS protection. Standard edge logs.

5. Cookies & local storage

We use the minimum cookies needed to run the service:

  • Auth session — Supabase-managed; identifies you across requests
  • CSRF token — protects against cross-site request forgery
  • Analytics session id — ephemeral, stored in localStorage; rotates per browser session; not used to identify you across devices
  • Theme preference — dark/light mode setting in localStorage

We do not use third-party advertising cookies or cross-site tracking cookies.

6. Data retention

  • Active account data — retained as long as your account is active
  • Deleted account — we remove your personal account data within 30 days of deletion request. Org-scoped documents you uploaded may remain visible to remaining org members if the org account stays active.
  • Analytics — aggregated indefinitely; raw page-view + event rows after 365 days are pruned or aggregated.
  • Backups — encrypted database backups retained for 7 days by Supabase. Personal data persists in backups until they roll off.

7. Your rights

You have the following rights:

  • Access — you can view all your data inside the app or request an export by emailing allen@soxal.co
  • Correction — you can edit your profile, documents, and entries directly in the app
  • Deletion — email allen@soxal.co to delete your account
  • Portability — export your data in machine-readable form (JSON/CSV) on request
  • Opt-out of analytics — set your browser’s Do Not Track flag, or email us to opt out manually
  • Opt-out of aggregates — your org admin controls whether your org contributes to anonymized industry aggregates

8. California Residents (CCPA)

If you’re a California resident, you have additional rights under the California Consumer Privacy Act:

  • Know what personal information we collect about you (see Section 1)
  • Know whether we sell your data — we DO NOT sell personal information
  • Request deletion of your personal information
  • Opt out of sale of personal information (not applicable; we don’t sell it)
  • Non-discrimination for exercising your rights

To exercise these rights, email allen@soxal.co.

9. European Residents (GDPR)

If you’re in the EU or UK, GDPR applies. Our legal basis for processing:

  • Contract — processing required to provide the service you signed up for
  • Legitimate interest — analytics, fraud prevention, service improvement
  • Consent — where required (e.g. session replays on public pages)

EU/UK users have all rights enumerated in Section 7 plus the right to lodge a complaint with your national data protection authority.

10. Children

soXal is not directed at children under 18. We do not knowingly collect personal information from anyone under 18. If you believe we have collected information from a child, email allen@soxal.co and we’ll delete it.

11. International transfers

soXal operates from California. If you’re outside the US, your data is transferred to and processed in the US. We rely on Standard Contractual Clauses where required for EU/UK data transfers.

12. Security

We implement reasonable security measures including TLS in transit, encryption at rest, row-level security, role-scoped access control, hashed IP storage, rate limiting, and prompt-injection-hardened AI prompts. No system is perfectly secure; we’ll notify affected users of any data breach as required by law.

13. SMS / text messaging program

soXal Dispatch sends SMS text messages to union members for crew dispatch — job offers, accept/decline acknowledgements, and call reminders. You opt in when you are enrolled on your local’s dispatch (out-of-work) list by a business agent, or by enabling SMS in your account settings.

  • We do not sell or share your mobile number. Mobile phone numbers and SMS opt-in consent are never sold, rented, or shared with third parties or affiliates for their own marketing or promotional purposes. Numbers are used only to operate the dispatch service and are disclosed solely to our SMS delivery processor (Twilio) to transmit these messages.
  • Message frequency varies. Frequency depends on dispatch call volume — typically a few messages per week, more during busy periods, and none when there are no calls.
  • Message and data rates may apply. Standard message and data rates from your mobile carrier may apply to messages you send or receive.
  • Opt out anytime. Reply STOP to any message to unsubscribe; reply HELP for help. You can also manage SMS in your account at /dispatch/settings/notifications. Opting out of SMS does not remove you from the dispatch list — contact your dispatch office for other contact methods.
  • Consent to receive SMS is not a condition of union membership or of any purchase.

14. Changes to this policy

We may update this Privacy Policy. Significant changes will be announced via email or in-app notice. Your continued use of soXal after changes means you accept the updated policy.

15. Contact

Privacy questions, requests, or complaints:

soXal, LLC
475 Washington Blvd
Marina del Rey, CA 90292
USA
allen@soxal.co

— End of Privacy Policy —