GDPR & Your Privacy Rights
Last updated: March 20, 2026 · Effective: March 20, 2026
This page describes your rights under the General Data Protection Regulation (GDPR) and equivalent data protection laws. These rights apply to individuals located in the European Economic Area (EEA), United Kingdom, and Switzerland. SOMA Technologies, Inc. acts as the data controller for personal data processed through our services.
Why We Process Your Data
Under the GDPR, we must have a lawful basis for processing your personal data. The legal bases we rely on are:
Processing necessary to deliver the services you signed up for (e.g. generating coaching briefs, storing your training data).
For health and biometric data (Article 9 special category data), marketing emails, and optional analytics. You may withdraw consent at any time.
For fraud prevention, platform security, and improving our AI models using anonymised, aggregated data.
Where we are required by law to retain or disclose certain data.
Your Rights Under the GDPR
Right of Access (Article 15)
You have the right to obtain confirmation of whether we process your personal data and, if so, to receive a copy of that data. This includes your account information, health data, usage history, and any derived insights. We will provide this information within 30 days of a verified request.
HOW TO EXERCISE THIS RIGHT
Request your data export from Account Settings → Data & Privacy → Download My Data, or contact privacy@trainwithsoma.com.
Right to Rectification (Article 16)
You have the right to have inaccurate personal data corrected without undue delay. You also have the right to have incomplete personal data completed, taking into account the purposes of the processing.
HOW TO EXERCISE THIS RIGHT
Update most information directly in your account profile. For data you cannot edit yourself, contact privacy@trainwithsoma.com with the specific correction requested.
Right to Erasure / Right to be Forgotten (Article 17)
You have the right to request deletion of your personal data where it is no longer necessary for the purposes for which it was collected, you withdraw consent and no other legal basis exists, or you object to processing and there are no overriding legitimate interests. Upon a valid deletion request, all personally identifiable data will be permanently removed within 30 days. Note: we may retain certain data if required by law or for legitimate legal claims.
HOW TO EXERCISE THIS RIGHT
Delete your account from Account Settings → Delete Account, or send a deletion request to privacy@trainwithsoma.com. We will confirm completion within 30 days.
Right to Restriction of Processing (Article 18)
You have the right to request that we restrict the processing of your data in certain circumstances — for example, while the accuracy of your data is being contested, or while an objection to processing is being assessed. During restriction, we will only store your data and will not process it for any other purpose without your consent.
HOW TO EXERCISE THIS RIGHT
Contact privacy@trainwithsoma.com to request restriction of processing, specifying the grounds for your request.
Right to Data Portability (Article 20)
Where we process your data by automated means on the basis of consent or contract, you have the right to receive your personal data in a structured, commonly used, and machine-readable format (JSON or CSV), and to transmit that data to another controller. This right applies to data you have directly provided to us.
HOW TO EXERCISE THIS RIGHT
Request a portable data export from Account Settings → Data & Privacy → Download My Data (JSON/CSV). For large data sets or custom formats, contact privacy@trainwithsoma.com.
Right to Object (Article 21)
You have the right to object at any time to processing of your personal data for direct marketing purposes (your data will no longer be processed for this purpose upon receipt of your objection) and to processing based on legitimate interests (we will cease processing unless we demonstrate compelling legitimate grounds that override your interests).
HOW TO EXERCISE THIS RIGHT
Unsubscribe from marketing emails via the link in any email, or contact privacy@trainwithsoma.com to object to other forms of processing.
Right Not to be Subject to Automated Decision-Making (Article 22)
You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal or similarly significant effects on you. SOMA uses automated processing to generate coaching recommendations, but these recommendations do not produce legal effects or similarly significant consequences. You may request human review of any automated recommendation.
HOW TO EXERCISE THIS RIGHT
Contact privacy@trainwithsoma.com to request human review of any automated decision or to learn more about the logic behind specific recommendations.
Special Category Data (Health & Biometrics)
Health and biometric data (including HRV, heart rate, sleep data, and fitness metrics) is classified as "special category data" under Article 9 of the GDPR and is subject to stricter protections. We process this data only on the basis of your explicit, specific consent, which you provide when connecting a wearable device or manually entering health data.
You may withdraw consent for processing special category data at any time by disconnecting your wearable devices in Account Settings or by contacting privacy@trainwithsoma.com. Withdrawal of consent does not affect the lawfulness of processing carried out before withdrawal.
International Data Transfers
SOMA is headquartered in the United States. If you are located in the EEA, UK, or Switzerland, your personal data may be transferred to and processed in the United States and other countries that may not have data protection laws equivalent to those in your country of residence.
We rely on Standard Contractual Clauses (SCCs) approved by the European Commission for such transfers, supplemented by appropriate technical and organisational safeguards. You may request a copy of the relevant transfer mechanism by contacting privacy@trainwithsoma.com.
How to Submit a Request
To exercise any of your rights, you may use the self-service tools available in your account settings or submit a formal request to our Data Protection Officer. We will respond to all valid requests within 30 days. In complex cases, we may extend this period by a further 60 days with notice.
We may ask you to verify your identity before processing your request to prevent unauthorised access to your data. Requests are free of charge unless they are manifestly unfounded or excessive.
Contact our Data Protection Officer
Email: privacy@trainwithsoma.com
Subject line: "GDPR Data Request — [Your Right]"
SOMA Technologies, Inc., 340 Pine Street, Suite 800, San Francisco, CA 94104, USA
Right to Lodge a Complaint
If you believe that we have not handled your personal data in accordance with applicable data protection law, you have the right to lodge a complaint with your local data protection supervisory authority. In the EU, you can find your national authority at edpb.europa.eu. In the UK, the relevant authority is the Information Commissioner's Office (ico.org.uk).
We encourage you to contact us directly first so we have the opportunity to address your concerns.