Privacy Policy

Last updated: 17 July 2026

Who We Are

Sörk is operated by Mihkel Hõbemägi, a sole proprietor (FIE) registered in the Estonian Business Register under registry code 17408604, based in Tallinn, Estonia. We are the data controller for the personal data described in this policy, except where we act as a processor for an Enterprise customer (see "Our Role" below).

For any privacy question or request, contact us at info@soerk.app.

Introduction

This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use Sörk, our retrospective and feedback platform. Sörk is used to talk about work — so some of what you write here is candid, and may describe colleagues or workplace problems. We have tried to be specific about what that means for your data rather than hide it behind general language.

Information We Collect

Account Information

When you register, we collect and store:

  • Your name and email address
  • Your password, stored only as a salted hash — never in readable form
  • Company name, team name, and projects, where you choose to provide them
  • Your subscription tier and account preferences, such as theme and notification settings
  • Identifiers from our payment provider linking your account to your subscription

Session Content

This is the heart of the product, and it is free text you write. We store:

  • Sessions you create — name, date, project, phase, icebreaker, and any session summary
  • Feedback items — the feedback text itself, its type, the expected outcome you attach to it, votes, and the author name where feedback is not anonymous
  • Commitments — title, description, the person assigned, priority, due dates, completion status, and any notes or evidence recorded about the outcome
  • Participant records for each session — display name, role, and when you joined and were last active
  • Any custom feedback templates you create

Because this content is written by you and about your work, it may contain personal data about other people — colleagues you name, or situations you describe. Please only include what is necessary and appropriate.

Anonymous Feedback

When you submit feedback anonymously, your name is not shown to other participants. To be clear about what this does and does not mean: the feedback is still stored in our database as a record, and the content itself may identify you to people who recognise the situation you describe. Anonymity is a display setting between participants, not technical deniability toward us.

Guest Participants

People who join a shared session without an account provide only a display name, which is stored with the session and in their browser. The demo session saves nothing at all.

Enterprise Account Data

For organisations using an Enterprise account, we additionally store the company name, administrator login credentials, billing email, company logo, team structures and membership, invitation records including invitee email addresses, and an activity log recording administrator actions with the acting person's email address.

Usage and Technical Data

We and our analytics providers collect:

  • Technical logs needed to operate and secure the service, including IP address
  • Aggregate traffic measurements from our hosting provider, which do not identify you individually
  • If, and only if, you accept analytics cookies on our public pages: pages visited, device type, browser, approximate location derived from IP address, and the site that referred you

We do not run third-party analytics inside the signed-in application, so your sessions, feedback, and commitments are not reported to any analytics provider.

How We Use Your Information

We use the collected information to:

  • Provide, operate, and maintain the service
  • Process and manage your feedback sessions and commitments
  • Produce the analytics, health statistics, and summaries shown in the product, which are calculated from what you enter
  • Send you notifications about sessions and commitment deadlines, where enabled
  • Process payments and manage your subscription
  • Respond to your support requests
  • Communicate with you about updates and service changes
  • Detect and prevent fraud, abuse, or security issues
  • Understand how the product is used so we can improve it

We do not sell your personal data, we do not use your session content for advertising, and we do not use it to train machine learning models. Sörk does not send your content to any AI or large language model provider.

Legal Bases for Processing

Under the GDPR, we rely on the following legal bases:

  • Performance of a contract: creating and running your account, storing your sessions and commitments, processing payments, and sending service emails
  • Consent: analytics and other non-essential cookies, and optional marketing communications. You may withdraw consent at any time
  • Legitimate interests: keeping the service secure, preventing abuse, and improving the product — balanced against your rights and interests
  • Legal obligation: retaining accounting and tax records for paid subscriptions

Our Role: Controller and Processor

When you sign up for Sörk yourself, we are the data controller for your account and content.

Where an organisation provides Sörk to you through an Enterprise account, that organisation is the controller for its members' data and we act as its processor, handling that data on its instructions under a data processing agreement. Administrators of an Enterprise account can see membership and usage information about their workspace and an activity log of administrator actions. If your account came from your employer, please direct access and deletion requests to them first — we will assist them in responding.

Who Can See Your Content

  • Participants in a session can see the feedback, commitments, and outcomes in that session. Anonymous feedback appears without an author name
  • Anyone holding the link to a shared session can view and take part in that session, so treat session links as confidential
  • Administrators of an Enterprise account can see their organisation's membership, usage statistics, and administrator activity log
  • Our staff can access data where strictly necessary to operate the service, provide support, investigate abuse, or comply with the law
  • Our service providers, listed below, process data on our behalf under contract

We may also disclose information where required by law, or to protect our rights, safety, or property. If we are involved in a merger, acquisition, or sale of assets, your data may transfer to the acquiring entity, and we will notify you before it becomes subject to a different privacy policy.

Service Providers

We use the following third-party providers, each of which processes some of your data:

  • Supabase: database, authentication, and backend infrastructure — stores your account and all session content
  • Vercel: application hosting, and Vercel Web Analytics for aggregate usage measurement
  • Google Analytics 4: website analytics on our public marketing pages only, and only if you accept analytics cookies — receives page views, device and browser information, and an identifier stored in cookies. It is never loaded on signed-in application pages, and nothing is sent to Google unless you opt in
  • Creem: payment and subscription processing — receives your billing details. We never receive your full card number
  • Resend: delivery of transactional email such as session summaries, deadline reminders, and Enterprise invitations — receives recipient email addresses and message content
  • Featurebase: the in-product feedback and feature request widget — receives your user identifier, email address, and subscription tier when you are signed in

Cookies and Tracking

We use cookies and similar browser storage for the following purposes:

  • Essential: your Supabase authentication token, which keeps you signed in
  • Preferences: data stored locally in your browser — your app mode, active view, calendar and sorting preferences, locally cached templates, your intended plan during signup, and, for guests, your display name
  • Analytics (opt-in): if you accept, Google Analytics sets its own cookies (the _ga family) to measure usage across visits. We ask first, and we only use it on our public pages — never inside the app
  • Analytics (cookieless): Vercel Web Analytics collects aggregate measurements. It sets no cookies and does not identify you or follow you across other sites, so it needs no consent prompt
  • Support: the Featurebase widget may set storage of its own when loaded

We do not use advertising cookies, and we do not sell data to advertising networks. Google Analytics is strictly opt-in: on your first visit to a public page we ask, and unless you choose “Accept”, the script is never loaded and no request is made to Google at all. Declining is a single click and we remember it. To change your mind either way, clear this site’s data in your browser settings and the banner will ask again on your next visit. You can also block or delete cookies through your browser, or opt out of Google Analytics everywhere using Google's opt-out browser add-on. Blocking essential cookies will prevent you from signing in.

Data Storage, Location, and Transfers

Your account data and session content are stored in our Supabase database hosted in Switzerland. Switzerland is recognised by the European Commission as providing an adequate level of data protection, so transfers of personal data from the EEA to Switzerland do not require additional safeguards. All data transmission is encrypted using industry-standard TLS, and data is encrypted at rest by our infrastructure providers.

Some of our service providers are based outside the European Economic Area, or may process data outside it — this includes Google, Creem, Resend, and Featurebase. Where personal data is transferred outside the EEA, we rely on an adequacy decision by the European Commission, or on Standard Contractual Clauses together with appropriate additional safeguards.

We implement appropriate technical and organizational measures to protect your information against unauthorized access, alteration, disclosure, or destruction. No system is completely secure, and we cannot guarantee absolute security. If a data breach affects your personal data and is likely to result in a high risk to your rights, we will notify you and the relevant supervisory authority as required by law.

Data Retention

We retain your information for as long as your account is active. If you delete your account, we delete your personal information within 30 days, with these exceptions:

  • Invoices and accounting records for paid subscriptions are kept for the period required by Estonian accounting and tax law, currently seven years
  • Content you contributed to a session owned by someone else, including an Enterprise workspace, remains with that session, since it belongs to that owner's records
  • Backups are rotated on a schedule, so residual copies may persist for a short period after deletion

Your Rights

Under the GDPR, you have the right to:

  • Access the personal information we hold about you
  • Request correction of inaccurate information
  • Request deletion of your account and associated data
  • Receive your data in a portable, machine-readable format
  • Restrict or object to processing based on our legitimate interests
  • Withdraw consent at any time, without affecting processing already carried out
  • Opt out of non-essential communications

To exercise these rights, email info@soerk.app. We respond within one month. You can also change your details and delete your account directly in your account settings.

If you are unhappy with how we handle your data, you have the right to lodge a complaint with the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon, aki.ee) or with the supervisory authority in your country of residence.

Children's Privacy

Our service is not intended for individuals under the age of 16. We do not knowingly collect personal information from children. If you believe a child has provided us with personal data, contact us and we will delete it.

Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the new policy on this page and updating the "Last updated" date, and, where the change significantly affects your rights, by email.

Contact Us

If you have questions about this Privacy Policy or our privacy practices, contact us at info@soerk.app. Our full registered address is available on request and in the Estonian Business Register under registry code 17408604.