SOVRA

Privacy Policy

Last updated: 1 April 2026

1. Data Controller

The data controller for personal data processed through the SOVRA platform is:

  • On The Spot Broker Ltd (trading as SOVRA)
  • Email: uk@otsbroker.com
  • ICO registration: pending

For all data protection enquiries, including exercising your rights, please contact us at uk@otsbroker.com.

2. Data We Collect

We collect and process the following categories of personal data:

Category | Data | Source
Account information | Full name, email address, company name, industry | Provided by you at registration or via SSO (Microsoft 365, Google Workspace)
Business data | Financial data, operational metrics, strategic documents, and other information you upload or enter | Provided by you through the platform
Usage data | API requests, feature usage, decisions created, agent interactions, timestamps | Collected automatically
Technical data | IP address, browser type, device information | Collected automatically
Payment data | Payment method details (card last four digits, billing address) | Processed by Stripe; we do not store full card numbers

3. How We Use Your Data

We process your personal data for the following purposes:

  • Providing the Service: Processing your business data through AI agents (Claude) to generate strategic recommendations, analysis, and decision support.
  • Account management: Creating and maintaining your account, authenticating access, managing subscriptions.
  • Payment processing: Charging subscription fees, issuing invoices, managing billing.
  • Service improvement: Analysing usage patterns to improve platform features, reliability, and performance.
  • Communication: Sending service-related notices, security alerts, and (with your consent) product updates.
  • Legal compliance: Meeting our obligations under applicable law, including responding to lawful requests from authorities.

4. Legal Basis for Processing

Under the UK General Data Protection Regulation (UK GDPR), we rely on the following legal bases:

Legal Basis | Processing Activity
Contract performance (Art 6(1)(b)) | Providing the SOVRA platform, processing your business data through AI agents, account management, payment processing, and data export on termination.
Legitimate interests (Art 6(1)(f)) | Service improvement, usage analytics, security monitoring, and fraud prevention. Our legitimate interest is maintaining and improving a secure, reliable platform. We have assessed that this processing does not override your rights and freedoms.
Legal obligation (Art 6(1)(c)) | Compliance with tax, accounting, and regulatory requirements.
Consent (Art 6(1)(a)) | Marketing communications (where applicable). You may withdraw consent at any time.

5. Third-Party Data Processors

We share personal data with the following third-party processors, each under appropriate data processing agreements:

Processor | Purpose | Location | Safeguards
Anthropic | AI processing (Claude models) | United States | Standard Contractual Clauses (SCCs) in place for international data transfers
Microsoft Azure | Infrastructure hosting, database | United Kingdom (UK South) | UK-based processing; Microsoft DPA
Stripe | Payment processing | United States / Ireland | PCI DSS Level 1 certified; SCCs in place
Redis (self-hosted) | Session caching, performance | United Kingdom (Azure) | Self-hosted on our Azure infrastructure; no third-party access

We do not sell your personal data to any third party. We do not share personal data with third parties for their own marketing purposes.

6. International Data Transfers

Your primary data is stored and processed within the United Kingdom on Microsoft Azure. Where data is transferred outside the UK (specifically to Anthropic and Stripe in the United States), we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) as approved by the UK Information Commissioner's Office (ICO).

7. Data Retention

  • Active accounts: Your data is retained for the duration of your subscription.
  • After cancellation: Your data is retained for 30 days following the end of your subscription to allow you to export it. After this period, your data is permanently deleted.
  • Deletion on request: You may request deletion of your data at any time. We will process erasure requests within 30 days, subject to any legal retention obligations.
  • Waitlist data: Email addresses and company information submitted through the waitlist are retained until you subscribe or request deletion.
  • Financial records: Payment and invoice records are retained for 7 years as required by UK tax law.

8. Your Rights

Under the UK GDPR, you have the following rights in relation to your personal data:

  • Right of access (Art 15) — Request a copy of the personal data we hold about you.
  • Right to rectification (Art 16) — Request correction of inaccurate or incomplete data.
  • Right to erasure (Art 17) — Request deletion of your personal data ("right to be forgotten").
  • Right to data portability (Art 20) — Receive your data in a structured, machine-readable format (CSV or JSON).
  • Right to restriction (Art 18) — Request that we restrict processing of your data in certain circumstances.
  • Right to object (Art 21) — Object to processing based on legitimate interests.
  • Right to withdraw consent — Where processing is based on consent, you may withdraw it at any time.

To exercise any of these rights, please email uk@otsbroker.com. We will respond within 30 days.

If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):

  • Website: ico.org.uk
  • Helpline: 0303 123 1113

9. Cookies

SOVRA uses a minimal cookie approach:

Cookie | Type | Purpose | Duration
sovra_session | Strictly necessary | Maintains your authenticated session. Required for the Service to function. | Session (expires on browser close or after inactivity timeout)

We do not use analytics cookies, advertising cookies, or any third-party tracking cookies. The session cookie is classified as "strictly necessary" under the Privacy and Electronic Communications Regulations (PECR) and does not require consent.

10. Data Security

We implement appropriate technical and organisational measures to protect your personal data, including:

  • Encryption in transit (TLS 1.2+) and at rest (AES-256).
  • Row-level security and multi-tenant data isolation in PostgreSQL.
  • Authentication via Microsoft 365 and Google Workspace SSO.
  • Regular security reviews and access controls.
  • Per-tenant API keys and rate limiting.

11. Children's Data

SOVRA is a business-to-business service and is not directed at individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child, we will delete it promptly.

12. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or through the Service at least 30 days before the changes take effect. The "Last updated" date at the top of this page indicates when the policy was last revised.

13. Data Protection Officer

For all data protection enquiries, you may contact our Data Protection Officer:

  • Email: uk@otsbroker.com
  • Please include "Data Protection" in the subject line.

14. Contact

If you have any questions about this Privacy Policy or our data practices, please contact:

  • On The Spot Broker Ltd (trading as SOVRA)
  • Email: uk@otsbroker.com
© 2026 On The Spot Broker Ltd, trading as SOVRA. All rights reserved.