Skip to content
← Back to Soira

Privacy Policy

Effective date: 21 June 2026

Soira (“Soira”, “we”, “us”, “our”) is a resource hub and private diary for parents and caregivers of autistic and neurodivergent children. We know the information you keep here is sensitive — it concerns your family and your child. This policy explains what we collect, why, how we protect it, who we share it with, the choices you have, and how the rules differ depending on where you live. It applies to the Soira website and mobile app (the “Service”).

Who is responsible for your data

Soira is the controller of the personal information processed through the Service. Soira is operated from Johor Bahru, Malaysia. For any privacy request or question — or to reach the person responsible for data protection — contact us at hello@soira.ai.

Information we collect

  • Account information — your name, email address, and an encrypted password hash (we never store your password in plain text). If you sign in with Apple or Google, we receive a unique identifier and the email/name you authorise that provider to share. We also store your preferred language and subscription tier.
  • Child profile information— the child's name, birth date, gender (if you provide it), your relationship to them, diagnosis status if you choose to record it, and any notes you add.
  • Diary entries — the content, category (for example mood, behaviour, sleep, food, medication, therapy, milestones), and date of the entries you write.
  • Care Circle information— the email addresses, names, roles, and relationships of people you invite to a child's Care Circle.
  • Lumi AI conversations— the messages you send to our AI guide and its replies. See “How Lumi, our AI guide, works” below.
  • Subscription and payment information — your subscription status and billing history. Payments are handled by our payment processors; we do not collect or store your full card number or equivalent payment credentials.
  • Technical, device, and security data — limited logs and a security audit trail (for example sign-in events and rate-limit triggers), error diagnostics, and a small number of essential cookies and identifiers (a sign-in session cookie and, for signed-out visitors who use Lumi, an anonymous device cookie used only to apply free-usage limits). We do not use advertising or third-party tracking cookies.

How we use your information and our legal bases

We use your information solely to provide and protect the Service: to operate your account, store and display your diary and child profiles back to you and the Care Circle members you authorise, generate AI responses when you use Lumi, process subscriptions, send transactional emails (verification, password reset, invitations, and important service notices), and detect and prevent abuse.

Depending on your location, the lawful bases we rely on are: the performance of our agreement with you (operating your account and the features you use); your consent (which you give for sensitive child information and for using Lumi, and which you can withdraw at any time); our legitimate interests in keeping the Service secure and working; and compliance with legal obligations.

We do not sell your personal data, we do not share it with advertisers, and we do not use your diary content or your child's information to train AI models.

How Lumi, our AI guide, works

Lumi is an AI guide powered by Google's Gemini models. When you chat with Lumi, your messages are sent to Google to generate a reply. If you open Lumi while a specific child is selected, we also send a small, bounded context to help ground the suggestions: a few profile facts (such as approximate age, gender, and diagnosis status) and a short digest of that child's diary entries from roughly the last 30 days. We never send the child's name to the AI provider.

We use Google's paid AI service. Under Google's terms for that service, Google does not use your prompts or the AI's responses to train its models; data may be processed transiently and retained for a limited period only for security, abuse prevention, and legal compliance. Before your first chat, Lumi shows a consent notice explaining that it is an AI guide and not a clinician. AI responses are generated automatically and can be inaccurate or incomplete; Lumi does not make any decision that produces a legal or similarly significant effect about you or your child.

How we protect your data

Sensitive fields — child names and notes, diary entry content, and Lumi message content — are encrypted at rest using AES-256-GCM, so they are not readable directly in the database. Traffic is served over HTTPS (TLS). Access is rate-limited, and security-relevant actions are recorded in an audit log.

Children's information

Soira is intended for use by parents and caregivers who are adults, not by children, and it is not directed to children. The information about a child in Soira is provided by the adult who owns the account. Information about a child's health and development can be a special category of data under laws such as the GDPR; we process it on the basis of your explicit consent and the controls you set. Please only record information you are entitled to share, and use the Care Circle controls to limit who can see it. If you believe a child's data has been added without authority, contact us at hello@soira.ai and we will act promptly.

Care Circle sharing

When you invite someone to a child's Care Circle, they can see that child's information and diary at the permission level you set (for example, viewer or editor). You control these invitations and can change a member's permissions or remove them at any time.

Service providers we share data with

We use a small number of trusted providers (processors) to run Soira. They process data only on our instructions and under their own security and data-protection obligations:

  • Google (Gemini AI)— generates Lumi's responses, as described above.
  • Railway — application hosting and managed PostgreSQL database (Singapore region).
  • Cloudflare — network delivery and security.
  • Resend — sends transactional email (it sees the recipient address and email content).
  • Sentry — error monitoring and diagnostics.
  • RevenueCat and Stripe — manage subscriptions and process payments. In-app purchases on mobile are also handled by the Apple App Store or Google Play.
  • Apple and Google — only if you choose to sign in with them.

International data transfers

Soira is operated from Malaysia and hosted in Singapore, and some of our providers process data in other countries (including the United States and the European Union). Where we transfer personal data across borders, we rely on appropriate safeguards — such as the providers' standard contractual clauses and data-processing agreements — to protect your information consistent with this policy and applicable law.

Data retention and deletion

We keep your information for as long as your account is active. You can delete your account and all associated data at any time from Settings. When you delete your account it enters a 30-day grace period during which signing back in cancels the deletion; after the grace period the data is permanently and irreversibly removed. In addition:

  • Free-tier Lumi conversations are purged after about 7 days.
  • Accounts with no sign-in for 24 months may be flagged for deletion after notice.
  • Security audit-log entries are kept for up to 1 year.
  • We retain irreversibly anonymised, aggregate statistics that cannot identify you or your child; because they are no longer personal data, they are not subject to deletion.

Your rights

Depending on where you live, you may have the right to access, correct, export (data portability), or delete your personal data, to object to or restrict certain processing, and to withdraw consent at any time without affecting processing already carried out. You can delete your account directly in Settings, and you can download a machine-readable export of your data from your account. For any other request, email us at hello@soira.ai and we will respond within the time required by applicable law. You also have the right to lodge a complaint with your local data-protection authority.

Regional information

Wherever you are, we aim to apply a single high standard of protection. Some specific notes:

  • European Economic Area & United Kingdom (GDPR/UK GDPR) — you have the rights described above, including data portability and the right to complain to your supervisory authority. We process child health and development data only with your explicit consent.
  • Malaysia (PDPA) — we handle personal data in line with the Personal Data Protection Act, including its data-breach notification and data-portability requirements.
  • GCC countries (e.g. UAE, Saudi Arabia) — we comply with applicable personal-data-protection laws, including consent and cross-border transfer requirements.
  • Indonesia (PDP Law) and Egypt (Data Protection Law) — we process personal data on the legal bases described above and honour the rights those laws provide.
  • California (CCPA/CPRA)— we do not sell or “share” your personal information, and we honour access and deletion requests.

Data breaches

If a personal-data breach occurs that is likely to affect you, we will notify the relevant data-protection authority and, where required, affected users without undue delay and in line with applicable law.

Changes to this policy

We may update this policy as Soira evolves. When we make material changes, we will update the effective date above and, where appropriate, notify you.

Contact

For any privacy question or request, contact us at hello@soira.ai.

This document explains how Soira works in plain language and is provided for transparency. It is not a substitute for independent legal advice. If anything here is unclear, contact us at hello@soira.ai before relying on it.