Privacy Policy

SODA is a room operating system for live events, built and operated by Equalpoint, Inc., a Delaware corporation headquartered in Cleveland, Ohio. When you use SODA at an event, Equalpoint is the data controller for the information you provide through the SODA platform. The host organization that runs the event is a data processor acting on Equalpoint’s behalf for event operations.

Equalpoint, Inc., Cleveland, Ohio

SODA collects the minimum information needed to connect you with the people in the room and to remember those connections afterward. Here is every category, what it is, and why we collect it.

Your sign-in information. When you sign in, we collect your email address. If you choose to sign in with Google, Apple, or LinkedIn, we also receive the basic profile that provider shares, typically your name and email. We use this to create and authenticate your account. We do not collect your phone number.

Your profile. You may choose to add a display name, a role (what you do), an offer (what you bring to a room), a need (what you are looking for), and a photo. All are optional except the email used to sign in. Your profile is visible to other guests at the same event.

Your attendance at an event. When you check in by scanning the QR code, we record that you attended and link your profile to that event. This is how the room knows you are present.

Your connections. When SODA connects you with another guest, a shared connection record is created, co-owned by both guests. It includes a warmth score calculated from how recently you have been in contact. The warmth score is derived mathematically and never stored as a permanent rating; it is recalculated each time it is needed.

Follow-up drafts. If you use SODA to generate a suggested follow-up message, the draft is created by an AI system and shown to you for review. It is only sent if you explicitly approve it. If you discard a draft, we log that you discarded it (but not the contents) so the AI can improve over time.

Private nudges. A host may send a private nudge to a specific guest. Nudge contents are visible only to the recipient and are not shared with other guests or accessible to other hosts.

Event metadata. We record the events you attend, the dates, and aggregate activity within each event. We do not sell this data.

Technical information. We collect standard technical data to operate the service: device type, browser type, error reports, and usage patterns. Error reports are stripped of personal information before being logged.

We use the information above for the following purposes only:

• To authenticate you and maintain your session across events
• To show your profile to other guests at the same event
• To track your connections and display your warmth with each connection
• To generate and send follow-up draft suggestions, with your approval
• To deliver event recaps to your email after an event closes
• To help hosts run events and manage access to their rooms
• To improve AI-generated draft suggestions, using anonymized discard signals
• To operate, maintain, and improve the SODA platform

We do not use your information for advertising, we do not sell it to third parties, and we do not use it for any purpose not listed here.

We retain your profile and connection records for as long as you have an account. If you request deletion, we delete your profile, your attendance records, and your side of any shared connection records within 30 days. Because connections are co-owned, the other guest’s record of the connection may remain visible to them after you delete your account, but your identifying information is removed from it.

Draft contents are never stored after a draft is sent or discarded. Discard signals (that a draft was declined, not what it said) are retained for model improvement. Error logs are retained for 90 days and contain no personal information.

We use the following third-party services to operate SODA. Each receives only the data it needs to perform its function.

Supabase (supabase.com). Our database, authentication, and real-time infrastructure provider. Your profile, connections, attendance, and event data are stored in Supabase under a data processing agreement. Supabase stores data in the United States.

Vercel (vercel.com). Our hosting provider. Vercel serves the SODA application and processes standard web request data to deliver the service.

Resend (resend.com). Our transactional email provider. We send your sign-in codes and post-event recaps through Resend, which processes your email address on our behalf.

Anthropic (anthropic.com). The provider of the AI model that generates follow-up draft suggestions. When you request a draft, connection context is sent to the Anthropic API. We do not send your full profile or personal identifiers, only the contextual information needed to generate a relevant draft.

Sentry (sentry.io). Our error monitoring provider. Error reports are stripped of all personal information (email addresses, sign-in codes, message contents, authentication tokens) before leaving the application. Sentry receives only anonymized technical data.

We do not share your information with any other third parties. Event hosts can see aggregate event data and the profiles of guests who attended their event, but they cannot export individual guest data or access connection contents.

You have the right to access the personal information we hold about you, to correct inaccurate information, to request deletion of your account and data, and to ask us what data we hold and how we use it. To exercise any of these rights, contact us at datagov@equalpoint.com. We will respond within 30 days.

If you are a California resident, you have additional rights under CCPA/CPRA, including the right to know the categories of personal information we collect, the right to opt out of the sale of personal information (we do not sell personal information), and the right to non-discrimination for exercising your rights.

If you are in the European Union or United Kingdom, the GDPR applies to our processing of your personal data. Our legal basis for processing is consent and legitimate interests. You have the right to lodge a complaint with a data protection authority.

SODA is not directed to children under the age of 13, and we do not knowingly collect personal information from anyone under 13. SODA is designed for use at adult and professional events. If you believe we have inadvertently collected information from a minor, contact us at datagov@equalpoint.com and we will delete it promptly.

All data is stored with row-level security, meaning each record is accessible only to authorized users. All data in transit is encrypted using TLS. API keys and secrets are stored server-side only and are never exposed to client devices. We maintain an access log of any administrative access to user data.

If you discover a security vulnerability in SODA, please contact us at datagov@equalpoint.com rather than disclosing it publicly.

If we make material changes to this policy, we will notify you by email at least 14 days before the changes take effect. Continued use of SODA after that date constitutes acceptance of the updated policy.

Equalpoint, Inc. Cleveland, Ohio — datagov@equalpoint.com