Privacy Policy

Our privacy policy and how we use your data

Last updated: 13 May 2026

Cloakist Ltd, trading as Sotion (“Sotion”, “we”, “us”), is the data controller for the personal data we collect when you use the Sotion service. We are registered in England and Wales (company number 12772481).

This Privacy Policy explains what data we collect, how we use it, who we share it with, and the rights you have under the UK General Data Protection Regulation (“UK GDPR”) and the EU GDPR.

1. Who this applies to

This policy applies to:

  • Visitors to sotion.so and our marketing pages.
  • Customers and team members who hold a Sotion account.
  • People who contact us by email, our contact form, or social channels.

When you publish a site through Sotion, you act as the data controller for the personal data of your own site visitors, and we act as your data processor for that data. See the Data Processing section below.

2. What we collect

Account information

Name, email address, password (stored hashed), profile picture, workspace name, and any team members you invite.

Billing information

Plan, billing email, country, and VAT/tax number. Card details are handled by Stripe and never stored on our servers.

Content you publish

To publish a site we cache the Notion content you choose, your custom domain, branding assets, and access-control rules. We also process the email addresses of any members or readers you authorise to access gated content.

Usage and technical data

IP address, device and browser information, pages visited, referrer, timestamps, and similar diagnostics. These are collected for security, abuse prevention, and product improvement.

Support communications

When you contact us, we keep a record of the conversation and any attachments so we can help you and improve our support.

Cookies and similar technologies

See our Cookie Policy for details.

We do not knowingly collect sensitive personal data (e.g. health, biometric, political opinion). Please do not provide such data through Sotion unless we have agreed it in writing.

3. Why we use it (lawful basis)

  • Contract. Creating and operating your account, hosting your sites, providing customer support, and billing you.
  • Legitimate interests. Securing the Service, preventing fraud and abuse, monitoring performance, improving our product, and sending you operational or product updates about features you already use. We balance these interests against your rights.
  • Consent. Marketing emails about features you don’t already use, optional analytics cookies, and anything else where we ask for it. You can withdraw consent at any time.
  • Legal obligation. Keeping tax records, responding to lawful requests from authorities, and meeting other legal duties.

4. Who we share it with

We do not sell your personal data. We share it with the following categories of recipient when needed to run the Service:

  • Sub-processors that help us operate Sotion. The current list is:
    • Supabase — database, authentication, and file storage (EU).
    • Cloudflare — hosting, CDN, DNS, SSL, DDoS protection (global).
    • Stripe — payment processing (US/EU).
    • Resend — transactional email delivery (US/EU).
    • Notion — reading the public Notion content you choose to publish through Sotion.
    • Vercel — hosting for the Sotion application (US/EU).
    • PostHog — product analytics, where enabled (EU).
  • Professional advisers (accountants, lawyers) under duties of confidentiality.
  • Authorities where we are legally required to respond to a valid request.
  • Successors in the event of a merger, acquisition, or sale of all or part of our business.

We require all sub-processors to provide adequate safeguards for personal data and to act only on our instructions.

5. International transfers

Some of our sub-processors operate outside the UK and EEA. Where personal data is transferred to a country without an adequacy decision, we rely on the UK International Data Transfer Addendum, the EU Standard Contractual Clauses, or other appropriate safeguards. You can request a copy of these safeguards by emailing [email protected].

6. How long we keep it

  • Account data — while your account is active. If you delete your account, we remove or anonymise your data within 30 days, except as noted below.
  • Site content and member data — deleted within 30 days of account closure or site deletion.
  • Billing records — retained for 7 years to comply with tax law.
  • Backups — cycled out within 90 days of deletion.
  • Support emails — retained for up to 3 years.
  • Analytics — retained for up to 12 months in aggregated or anonymised form.

7. Security

We use industry-standard measures to protect your data, including encryption in transit (TLS), encryption at rest for our database and file storage, hashed passwords, isolated production environments, least-privilege access, and audit logging. We review our security regularly and require the same of our sub-processors.

No service is perfectly secure. If we become aware of a personal data breach that is likely to result in risk to your rights, we will notify you and the relevant supervisory authority as required by law.

8. Your rights

Under the UK and EU GDPR you have the right to:

  • Access the personal data we hold about you.
  • Have inaccurate data corrected.
  • Have data deleted where we no longer have a lawful reason to keep it.
  • Restrict or object to certain processing.
  • Receive your data in a portable format.
  • Withdraw consent where processing relies on consent.
  • Not be subject to decisions based solely on automated processing that produces legal or similarly significant effects.

To exercise any of these rights, email [email protected]. We will respond within 30 days. We may need to verify your identity first.

If you are unhappy with our response, you can complain to the UK Information Commissioner’s Office (ico.org.uk) or to your local EU data protection authority.

9. Data processing for customers

When you publish a site through Sotion and configure access rules, you act as the controller of your visitors’ and members’ personal data. We act as your processor and only process that data on your documented instructions, which include these Terms and the published features of the Service. We will:

  • Help you respond to data subject requests on request.
  • Tell you of any new sub-processor before they start (this page is the authoritative list).
  • Notify you without undue delay if we become aware of a breach affecting your data.
  • On request, delete or return personal data when our service ends, except where we are required by law to keep it.

If you need a signed Data Processing Agreement (DPA), email [email protected].

10. Marketing

We may email you about features and updates relevant to your use of Sotion. You can unsubscribe from any marketing email using the link in the footer, or by emailing us. Operational emails about your account (billing, security, service notices) cannot be opted out of while your account is active.

11. Children

Sotion is not intended for people under 16. We do not knowingly collect personal data from children. If you believe a child has given us personal data, contact us and we will delete it.

12. Changes to this policy

We may update this policy from time to time. If we make material changes we will notify you in the Service or by email at least 30 days before they take effect. The “last updated” date above shows when this policy was last revised.

13. Contact

For any privacy question, email [email protected].

Cloakist Ltd, registered in England and Wales (company number 12772481).