Privacy Policy
This Privacy Policy describes how soa.run handles data and files when you use our tools. We keep things minimal by design — if a practice below is unclear, please contact us.
No Data Sharing
We do not share your files or personal data with third parties for marketing or advertising purposes. Files and information you provide are used only to perform the requested tool operation, unless you explicitly opt in to share them.
File Handling & Retention
Files uploaded to the server are kept only as long as needed to complete processing. Any file on the server more than 30 minutes old is deleted automatically.
In many cases files are not uploaded to the server at all — most processing happens directly in your browser. When an upload is required (for example to combine or convert large files), we only store what is necessary for the operation and remove it as described above.
No Login / No Accounts
The service does not require you to create an account or log in to use the tools. There are no user profiles or persistent personal accounts managed by soa.run.
Ads and Sustainability
Ads may be displayed to help sustain the project. They are shown only to support the service and may appear after a tool has successfully completed a requested task or at other appropriate times in the user flow. We do not sell personal data to advertisers.
Operational Logs & Abuse Prevention
We record minimal operational logs to detect abuse, debug issues, and improve reliability. Typical fields included in logs are: timestamp, client IP address, HTTP method, request URL, user agent, processing time, and (when applicable) file size. These logs are written to server logs (console / host logging) and are used only for operational and security purposes.
What Is Stored & Where
- Server logs: may contain IP addresses and the fields listed above. These are typical runtime logs produced by the server process.
- Redis (operational): rate limiting uses Redis sorted sets keyed by an identifier (in this project, the client IP is used as the identifier). The security metrics endpoint may read Redis keys such as `security:top_ips` and `security:recent_blocked` if populated. Note: some metrics storage code is simplified and may require explicit enabling in production.
- Browser-only processing: where possible, files are processed in the browser and are never uploaded to the server. When uploads are required (e.g. for heavy conversions), files are retained only as long as needed and removed per the retention rules below.
Data Retention
Files uploaded to the server are deleted automatically when older than 30 minutes. Logs and short-term Redis keys used for rate limiting and metrics are rotated according to operational needs; consider these when configuring backups or long-term log sinks.
Applicable Laws & Compliance
The following privacy laws are commonly applicable depending on where users or the service are located — this list is informational and not legal advice:
- GDPR (EU) — IP addresses and other identifiers may be personal data; ensure a legal basis for processing, provide rights (access, deletion), and document processing activities.
- CCPA / CPRA (California) — provides rights around access, deletion, and opting out of sale of personal information; we do not sell personal data.
- LGPD (Brazil) — similar requirements to GDPR for personal data protection.
- PIPEDA (Canada) and other national laws — consider local requirements for notice and user rights.
Practical recommendations: include a clear legal basis and contact for data requests, avoid unnecessary long-term storage of IPs, publish a data retention schedule, and execute data processing agreements with any third-party providers you use.
Third-Party Services
We may use third-party services (hosting, analytics, content delivery, ad partners) to operate and improve the site. When we do, we choose providers that follow strong privacy practices. Any data shared with providers is limited to what is necessary to provide the corresponding service.
Cookies
We use minimal cookies required for site functionality and optional analytics. You can control cookie preferences in your browser.
Contact & Requests
If you have questions, requests to delete data, or other privacy concerns, please use the contact option on the site. We will respond and handle requests in a timely manner.
Changes to This Policy
We may update this policy to reflect changes to our practices. When we make significant changes, we will provide notice on the site.
Last updated: January 2026