Privacy Policy

Last updated: March 2026


Soda Labs Ltd ("Soda," "we," "us") builds an AI productivity app for macOS and a companion Chrome extension. This policy explains what data we collect, why, and what we do with it.


We've tried to write this in plain language. If something is unclear, email us at privacy@getsoda.app.


What Soda does

Soda runs in the background on your Mac, picks up on the context of your work, and takes action on your behalf. That might mean surfacing relevant information during a call, updating your CRM, or running an automation you've configured.

To do this, Soda needs to understand what you're working on. That means collecting context from your screen, your browser, your calls, and the tools you've connected.

Data we collect

From the Mac app

Screen context. Depending on how you're using Soda, the app may capture screen content or metadata from the active window (such as the app name, window title, or visible content). This is used to understand what you're working on so Soda can surface relevant information or trigger automations.

Call audio and transcription. When Soda is listening during a call, it captures audio, transcribes it in real time, and then discards the audio. We do not store raw audio. Transcripts are retained on our servers for up to 90 days and then automatically deleted.

Integration data. When you connect tools like your CRM, calendar, or email, Soda accesses data from those services to perform actions on your behalf. We only access what is needed for the specific integrations and automations you've configured.

Account information. Your name, email address, and authentication credentials used to create and manage your Soda account.


From the Chrome extension

The Chrome extension acts as a companion to the Mac app. It sends browser context to the Mac app via native messaging so Soda can understand what you're doing in Chrome. It does not modify your browsing experience or inject UI into web pages.

The extension collects and sends two types of data to the Mac app:

Page data (sent on tab switch, page load, or when requested by the Mac app):

  • The full URL and title of the current page

  • Page metadata including meta descriptions, Open Graph tags, page language, headings, form summaries, link count, and detected page type

  • A stripped DOM tree structure of visible elements, including tag names, class names, IDs, ARIA roles and labels

  • Plain text content of the page

  • The currently focused form element and its value

Interaction updates (sent on form focus, button clicks, typing, and navigation events):

  • The current page URL and title

  • A buffer of user interactions, including form field focus and blur events, input values, button click labels, and page navigation changes

  • The currently focused element and its value

What the extension does not collect: The extension does not read browser history, bookmarks, cookies, saved passwords, or data from tabs you are not actively viewing.

Important note on form fields: The extension captures values from input fields and text areas you interact with. While it is standard practice to exclude password fields rendered as type="password", you should be aware that the extension captures visible form field content broadly. We recommend caution when entering sensitive information while the extension is active.


From the website and analytics

Website. When you visit getsoda.app, we collect standard server logs (IP address, browser type, pages visited).

Product analytics. We use PostHog (hosted in the EU) to collect anonymised usage telemetry from the extension and app. This includes sanitised URLs (with identifiers replaced), event names, aggregate counts (such as word count or extraction duration), and an anonymous or account-level user ID. Analytics data does not include raw page content, input values, or DOM trees.

How we use your data

We use the data described above to:

  • Provide Soda's core functionality: understanding your work context and acting on it

  • Run automations and recipes you've configured

  • Connect to and interact with third party tools on your behalf

  • Improve Soda's performance, reliability, and features

  • Communicate with you about your account or the product

We do not sell your data. We do not use your data to train AI models. We do not serve ads.

Third party services

To power Soda's AI features, we send relevant context to the following third party providers:

  • OpenAI (San Francisco, US)

  • Anthropic (San Francisco, US)

  • Google Gemini (US)

When we send data to these providers, we send only the context needed for the specific task. Each provider processes data according to their own privacy policies and data processing agreements. We use API access that does not permit these providers to use your data for training their models.

We also use:

  • PostHog (EU hosted) for anonymised product analytics

  • Supabase for authentication and data storage

Data retention

  • Call audio is discarded immediately after transcription. It is not stored.

  • Transcripts, page data, and contextual data are automatically deleted after 90 days.

  • Account information is retained for as long as your account is active.

  • Analytics data is retained according to PostHog's standard retention policies.

When you delete your account, we delete all personal data associated with it within 30 days.

Data storage and security

Your data is stored on servers operated by our infrastructure providers. We use encryption in transit (TLS) and at rest. Access to user data is restricted to authorised personnel and is logged.

Some data is processed on your device (on your Mac) and never leaves it. Where data is sent to our servers or third party providers, it is transmitted securely.

Your rights

If you are in the UK or EEA, you have rights under data protection law, including the right to:

  • Access the personal data we hold about you

  • Correct inaccurate data

  • Request deletion of your data

  • Object to or restrict certain processing

  • Request a copy of your data in a portable format

  • Withdraw consent where processing is based on consent

To exercise any of these rights, contact us at privacy@getsoda.app. We will respond within 30 days.

If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) in the UK or your local supervisory authority.

International transfers

We are a UK company. Some of your data is processed by third party providers based in the United States (OpenAI, Anthropic, Google). These transfers are made under appropriate safeguards, including standard contractual clauses where applicable.

Changes to this policy

We may update this policy from time to time. If we make material changes, we will notify you via email or through the app. The "last updated" date at the top of this page reflects the most recent revision.

Contact

Soda Labs Ltd

Email: privacy@getsoda.app

For data protection enquiries, write to us at the address above.