Privacy Policy

Last Updated: March 8, 2026

Location of Data Processing: Switzerland

1. Introduction

SOTP ("we," "us," or "the Service") provides a real-time collaborative drawing and chat platform. This Privacy Policy explains our commitment to your privacy in compliance with the Swiss Federal Act on Data Protection (nLPD/FADP) and the EU General Data Protection Regulation (GDPR).

2. Data Controller

The individual responsible for processing your personal data is:

  • Name: Avdyl Avduli
  • Email: contact@sotp.ch

3. Access Control & Membership

To ensure the security and accountability of our collaborative environment, SOTP follows a Member-Only access model:

  • Authenticated Access: Core features—including drawing on the canvas, participating in the real-time chat, and saving work to a personal gallery—are strictly inaccessible to non-logged-in users.
  • Guest Limitations: Unauthenticated visitors can only access a public landing page and cannot interact with the canvas or the chat system.

4. Data We Collect & Third Parties

We apply the principle of Data Minimization, collecting only what is essential for the service:

  • Authentication: SOTP offers both Google OAuth and direct account registration. When using Google, we receive your email, name, and profile picture. When registering directly, we store your email and a securely hashed version of your password. We never store plain-text passwords.
  • User Contributions: We store the pixel updates (strokes) you make on the canvas and the messages you send in the chat.
  • Gallery Interactions (AI Recommendations): To provide a personalized experience, we record interactions such as likes, shares, and saved canvases. This data is used exclusively to improve our gallery recommendation system within the app.

5. Storage Technologies & Lifecycles

We use various storage methods to balance security with user experience:

A. Secure Cookies (Authentication)

Tokens are stored as HttpOnly and Secure cookies to prevent theft via Cross-Site Scripting (XSS):

  • Access Token: Valid for 5 minutes, allowing authorized requests to our API and WebSocket Gateway.
  • Refresh Token: Valid for 7 days, enabling you to remain logged in between sessions without repeated OAuth prompts.
B. Browser Storage (Preferences & Session)
  • sotp-theme (Local Storage): Stores your preference for Light or Dark mode persistently.
  • user:friends:seen-requests & user:friends:seen-blocked (Local Storage): Stores IDs of friend requests or blocked users you have already viewed to manage notification badges.
  • sotp-authorize-room (Session Storage): Stores a temporary access code for your current room. This allows you to re-enter a room without re-authentication during a single session. This data is automatically deleted when you close your browser tab.

6. Data Hosting & "Zero-Log" Policy

  • Swiss Hosting: All application servers and the database are physically located in Switzerland, ensuring your data is protected by Swiss law.
  • No IP Logging: We do not log your IP address, further protecting your anonymity during use.

7. Data Retention & The Right to be Forgotten

We provide a robust Delete Account feature:

  • Full Deletion: Triggering this action permanently removes your user profile and all personal canvases you have created from our database.
  • Anonymization: Any remaining interaction data on shared canvases (pixels or chat messages) is stripped of all personal identifiers and linked only to an anonymous ID.

8. Your Rights

Under the nLPD and GDPR, you have the right to:

  • Access your data.
  • Correct inaccurate information.
  • Delete your data ("Right to be Forgotten").
  • Export your data in a structured, machine-readable format.

9. Legal Notice / Impressum

SOTP

Rue de Lausanne 64

1020 Renens, Switzerland

Email: contact@sotp.ch

The design, code, and site content are protected by intellectual property laws. Users retain ownership of the works they publish.