Skip to main content
Sign In

Data Processing Addendum

Voyanix processes personal data on your behalf to deliver the Service. This page summarizes how, who else is involved, and what contractual protections are in place.

Last updated: May 6, 2026

This Data Processing Addendum (“DPA”) supplements our Terms of Service and Privacy Policy. It governs how Voyanix LLC (“Voyanix”) processes personal data on your behalf when you use the Soren application.

1. Roles

For data you submit through the Service (your reflections, dreams, Soren conversations, etc.):

  • You are the data subject and primary controller of your own personal data.
  • Voyanix is also a controller for the data we collect to operate the Service (account email, billing records, security logs).
  • Our sub-processors (below) act on Voyanix's instructions and do not process your data for their own purposes beyond what the law and their own published terms allow (e.g., Stripe's fraud-prevention obligations).

2. Sub-processors

Voyanix engages the following sub-processors to deliver the Service. Each is bound by a written data processing agreement that includes confidentiality, security, breach notification, and (for EU transfers) the European Commission's Standard Contractual Clauses or the UK Addendum.

Clerk (Clerk Inc., USA)

  • Purpose: Authentication, session management, password reset.
  • Data: Your email, hashed credentials, session tokens, IP, user-agent, sign-in events.
  • DPA / SCCs: Clerk's standard DPA including SCC Module 2.

Stripe (Stripe Inc., USA)

  • Purpose: Payment processing, subscription billing, fraud prevention.
  • Data: Billing email, payment method (held by Stripe, not by Voyanix), transaction records, IP for fraud-prevention.
  • DPA / SCCs: Stripe's Data Processing Agreement and SCCs.

Google Cloud Platform (Google LLC, USA)

  • Purpose: Application hosting (Cloud Run), database (Firestore), file storage (Cloud Storage), AI processing (Vertex AI / Gemini).
  • Data: All hero data we store; for AI: the prompt context (your Mountain, recent reflections, conversation thread) sent to Gemini at inference time.
  • Region: us-central1 (Iowa, USA).
  • DPA / SCCs: Google Cloud's Cloud Data Processing Addendum and SCCs.
  • AI training:Per Vertex AI's terms, your prompts and responses are notused to train Google's general-purpose models.

Brevo (Brevo SAS, France)

  • Purpose: Transactional email (account confirmations, deletion requests, data export notifications).
  • Data: Your email and the contents of the transactional message.
  • Region: EU.
  • DPA: Brevo's Data Processing Agreement.

3. International data transfers

Most of our infrastructure is in the US (Google Cloud us-central1). For heroes in the EEA, UK, or Switzerland, we rely on the European Commission's Standard Contractual Clauses (SCCs) and the UK Addendum, executed with each sub-processor.

Supplementary safeguards include:

  • Encryption in transit (TLS 1.2+) and at rest.
  • Role-based access controls and audit logging.
  • Multi-region disaster recovery; primary processing remains in us-central1.

4. Security commitments

Voyanix and its sub-processors maintain:

  • Defense-in-depth controls (network segmentation, principle of least privilege, audited access).
  • Regular vulnerability scanning of dependencies.
  • Encryption of all hero data at rest and in transit.
  • Multi-factor authentication for all administrative access.
  • Breach-notification procedures: we will notify affected heroes and applicable supervisory authorities within 72 hours of confirming a personal-data breach (GDPR Art. 33).

5. Audit rights

You have the right to request information confirming our compliance with this DPA. For most requests, our audited sub-processor reports (SOC 2 from Google Cloud and Stripe; ISO 27001 from Clerk) are sufficient. Email privacy@voyanix.com to request copies.

6. Assisting with data subject rights

Voyanix provides you with the means to fulfill data-subject rights through the Service:

  • Access / portability — Settings → Export my data.
  • Erasure — Settings → Delete my account. Hard-deletion executes 30 days after request; cancellable during that window.
  • Rectification, restriction, objection — email privacy@voyanix.com.

7. Changes

Voyanix may update this DPA as the Service or its sub-processors change. We will publish the new version here, update the “Last updated” date, and (for material changes) notify you in the app.

8. Contact

Voyanix LLC
Email: privacy@voyanix.com
Support: hero@voyanix.com