How Sorvyn collects, uses, and protects your personal data.
Sorvyn ("we", "us", "our") is an AI automation platform for service businesses. We provide pre-built workflow automations that help businesses save time on repetitive tasks such as reading and recording supplier invoices, meeting summaries, email categorization, lead follow-up, and daily digests.
Sorvyn is operated by MR.MEDIA S.A.R.L-S, a company established in Luxembourg, European Union, trading as Sorvyn.
Data Controller: MR.MEDIA S.A.R.L-S (trading as Sorvyn)
Registration: RCS Luxembourg B291701
Contact: patrick@sorvyn.ai
Jurisdiction: Luxembourg, European Union
When you use Sorvyn to process data about your own clients or contacts (for example, an accounting firm using Sorvyn to read its clients' invoices), you are the data controller and Sorvyn acts as your processor under a separate Data Processing Agreement. This privacy policy describes how we handle your own account data, for which Sorvyn is the controller. See our sub-processors page and security overview for the full picture.
When you use Sorvyn, we collect the following categories of personal data:
Your name, email address, and profile picture from your Google account when you sign in via Google OAuth.
Access to your Gmail, Google Calendar, and Google Drive — only to the extent required to run your activated automations.
Execution logs, time saved per automation, success/failure status, and metadata from your workflow runs.
Subscription status and billing history. Payment card details are processed and stored by Stripe — we never see or store your card number.
Settings you provide when activating workflows, such as email addresses, category rules, and automation preferences.
IP address, browser type, and access timestamps automatically logged by our hosting provider (Vercel) for security purposes.
Important: We practice data minimization. We only collect what is strictly necessary to deliver your automations. We do not sell your data. We do not use your data for advertising.
We use your personal data for the following purposes:
We do not use your data to train AI models, sell to third parties, or serve advertisements.
Under the General Data Protection Regulation (GDPR), we process your personal data on the following legal bases:
Sorvyn uses the third-party sub-processors below to deliver our platform. Each acts as a data processor under our instruction, is bound by a data processing agreement, and applies its own security controls. The table below is a summary; our sub-processors page is the full, always-current list, split by whether a provider touches your business data (documents you submit) or only your account data (billing and login).
| Service | Purpose | Data Shared | Privacy Policy |
|---|---|---|---|
| Google OAuth | User authentication and access to Gmail, Calendar, Drive | Account info, email content, calendar events | View → |
| Supabase | Database storage and authentication backend | Account data, workflow configs, execution logs | View → |
| Stripe | Payment processing and subscription management | Email address, subscription status | View → |
| Anthropic (Claude API) | AI processing for automation content generation | Email content, meeting notes (processed, not stored) | View → |
| n8n | Workflow automation execution engine | Automation configurations, execution data | View → |
| OpenAI (Whisper) | Audio/video transcription for Sorvyn Notes and Sorvyn Social only | Recording content (processed, not used for training) | View → |
| Loops | Account and lifecycle emails (welcome, trial reminders) | Email address, name | View → |
| Vercel | Platform hosting and content delivery | IP address, browser type, access logs | View → |
Regarding AI providers (Anthropic and OpenAI): When your automations read documents, email content, or recordings, that content is sent to Anthropic's Claude API (and, for Notes and Social transcription, OpenAI's Whisper) for processing. Under their commercial data processing terms, neither provider uses your data to train their models, and the content is not retained long-term (Anthropic deletes within 30 days of termination).
International transfers: Your data is hosted in the EU wherever the provider allows it (Supabase in Ireland, our self-hosted n8n). Where a sub-processor is established in the United States (Anthropic, OpenAI, Stripe, Loops, Vercel), the transfer is covered by the European Commission's Standard Contractual Clauses (SCCs), which are part of each provider's data processing agreement that we have in place.
We retain your personal data for as long as necessary to provide our services and comply with legal obligations:
When you delete your account, we permanently delete all personal data within 30 days, except where retention is required by law.
As a resident of the European Union (or any user of Sorvyn), you have the following rights regarding your personal data:
Request a copy of all personal data we hold about you.
Request correction of inaccurate or incomplete data.
Request deletion of your personal data ("right to be forgotten").
Request that we restrict processing of your data in certain circumstances.
Receive your data in a structured, machine-readable format.
Object to processing of your data for certain purposes.
Withdraw your Google account permissions at any time via Google account settings.
File a complaint with the Luxembourg data protection authority (CNPD).
To exercise any of these rights, contact us at patrick@sorvyn.ai. We will respond within 30 days.
Luxembourg Supervisory Authority: Commission Nationale pour la Protection des Données (CNPD)
Website: cnpd.public.lu
Address: 15, Boulevard du Jazz, L-4370 Belvaux, Luxembourg
We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction:
In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will notify you and the relevant supervisory authority within 72 hours as required by GDPR Article 33.
Sorvyn uses minimal cookies strictly necessary for the platform to function:
Because we only use strictly necessary cookies, we are not required to display a cookie consent banner under the ePrivacy Directive. However, you can clear cookies at any time through your browser settings, which will log you out of Sorvyn.
Sorvyn is a professional business automation platform intended for use by adults and businesses. We do not knowingly collect personal data from individuals under the age of 16.
If you believe a minor has provided us with personal data, please contact us at patrick@sorvyn.ai and we will delete it promptly.
We may update this Privacy Policy from time to time as our platform evolves or legal requirements change. When we make material changes, we will:
Your continued use of Sorvyn after the effective date of any changes constitutes your acceptance of the updated policy.
If you have any questions, concerns, or requests regarding this Privacy Policy or the processing of your personal data, please contact us: