Privacy Policy

1. Data Controller

mamarx GmbH

Chodowieckistr. 15, 10405 Berlin, Germany

Email: privacy@sota.io

Managing Director: Malte Marx

2. Overview of Data Processing

We only process personal data to the extent necessary to provide the sota.io platform. We do not process data for advertising purposes or profiling.

3. Hosting

The platform is hosted on servers of Hetzner Online GmbH (Industriestr. 25, 91710 Gunzenhausen, Germany). Hetzner processes data exclusively within the EU (location: Falkenstein, Germany).

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in reliable hosting).

4. Server Log Files

Each time you access our website, the following data is automatically collected:

  • IP address (anonymized)
  • Date and time of the request
  • Page/URL accessed
  • HTTP status code
  • Browser type and version
  • Operating system

This data is collected to ensure reliable operation and is deleted after 7 days.

Legal basis: Art. 6(1)(f) GDPR.

5. User Accounts and Authentication

A user account is required to use the platform. Authentication is handled through Supabase (Supabase Inc., region: EU/Frankfurt).

Data processed:

  • Email address
  • Email verification codes (temporary, not stored)
  • Time of registration and last login

Legal basis: Art. 6(1)(b) GDPR (contract performance).

6. Beta Waitlist

You can sign up for our beta waitlist on our website. Only your email address is collected and stored in our database (Supabase, EU region Frankfurt).

Legal basis: Art. 6(1)(a) GDPR (consent). You can withdraw your consent at any time.

7. Cookies

We only use technically necessary cookies for authentication (session cookies). No tracking or analytics cookies are used.

Legal basis: Art. 6(1)(f) GDPR.

8. No Analytics Tools

We do not use any analytics or tracking tools (such as Google Analytics). No tracking of your browsing behavior takes place.

9. Data Sharing with Third Parties

Personal data is not shared with third parties, except:

  • With our hosting provider (Hetzner) for hosting purposes
  • With Supabase for authentication and data storage (EU region)
  • With payment provider Stripe for subscription billing (data minimised: email + Stripe customer ID only)
  • With Anthropic PBC (USA), only if you choose to install our Claude integration. See Section 10 below for details.

Apart from the optional Claude integration (Section 10), no data is transferred to countries outside the EU.

10. Optional Claude / Anthropic Integration

sota.io offers an optional integration with Anthropic's Claude AI assistant (Claude Desktop, Claude.ai web). This integration is opt-in — it is only active if you explicitly install the sota.io connector inside your Claude client.

When the integration is installed:

  • Sub-processor: Anthropic PBC, San Francisco, USA. Anthropic acts as a sub-processor under our DPA (Art. 28 GDPR).
  • Data flow: Tool invocations issued by Claude on your behalf (e.g. "deploy this app") transit Anthropic's infrastructure (US-hosted) before reaching sota.io's MCP endpoint (EU-hosted, Hetzner Germany). The deployment payload itself — your code, environment variables, database — never leaves the EU.
  • What Anthropic sees: the names and arguments of MCP tool calls (e.g. "create-project, name=My App"), tool responses (text summaries), and the OAuth access token bound to your sota.io account. Anthropic does not see your raw application code, your database contents, or your environment variables — those flow directly between your Claude client and sota.io's EU endpoint via the encrypted MCP channel.
  • Anthropic privacy policy: https://www.anthropic.com/legal/privacy
  • Legal basis for the US transfer: Art. 49(1)(a) GDPR (your explicit consent given when you click "Add to Claude"). The transfer is necessary for the specific service you requested.
  • Revocation: You can revoke the Claude integration at any time at sota.io/dashboard/integrations/claude or by removing the connector from your Claude client. Revocation invalidates all OAuth tokens issued to Claude for your account within minutes.
  • Data retention: Claude-issued API keys are tagged source=claude in our database for audit purposes. They are deleted within 30 days of revocation. Audit logs (which Claude-issued token invoked which tool, with timestamps) are retained for 90 days for security reasons.

Legal basis: Art. 6(1)(a) GDPR (consent) + Art. 49(1)(a) GDPR (explicit consent for the US transfer).

11. Your Rights

You have the following rights:

  • Access (Art. 15 GDPR): Right to information about your stored data
  • Rectification (Art. 16 GDPR): Right to correct inaccurate data
  • Erasure (Art. 17 GDPR): Right to deletion of your data
  • Restriction (Art. 18 GDPR): Right to restrict processing
  • Data Portability (Art. 20 GDPR): Right to receive your data in a machine-readable format
  • Objection (Art. 21 GDPR): Right to object to processing
  • Withdrawal (Art. 7(3) GDPR): Right to withdraw given consent

To exercise your rights, contact: privacy@sota.io

12. Right to Lodge a Complaint

You have the right to lodge a complaint with a data protection supervisory authority:

Berlin Commissioner for Data Protection and Freedom of Information

Alt-Moabit 59-61, 10555 Berlin, Germany

13. Last Updated

As of: May 2026 (Claude integration section added)