FAQS - SOBERSYNQ

FREQUENTLY ASKED QUESTIONS

1. Security & Privacy Basics

How is my data protected?

We use multiple layers of protection: Separation of data: identity info, payment tokens, and recovery content live in separate, protected stores.
Encryption: data is encrypted in transit (HTTPS/TLS) and at rest using strong industry standards.
Least-privilege access: production data is not visible to staff by default; all rare “break-glass” access is time-limited, approved, and audited.
Minimization: we collect the least amount of personal information needed to operate the service.

What information do you store about me?

Identity (PII): account email (and optional phone), consents, country/region, and account metadata.
Payments: we never store card numbers. We only keep payment processor tokens (e.g., Stripe customer/payment method IDs).
Recovery content: your journals/Oracle/step entries are stored without your real name, and linked to your account via internal references—not by email or card data.

Can staff read my private journals?

No, not by default. Access to raw recovery content is blocked for all staff. In a rare, documented support or legal scenario, a “break-glass” process may grant short-lived access for specific items, with manager approval, reason codes, and immutable audit logs. We design to avoid this wherever possible.

Do you use end-to-end encryption (E2EE)?

We provide a Private Mode option for highly sensitive notes: content is encrypted on your device before it’s sent to us, using a passphrase only you know. If you enable Private Mode and lose your passphrase, we cannot recover those entries. Some features (like server-side search) may be limited in Private Mode.

Will you sell my data?

No. We don’t sell personal information. If we share metrics with sponsors or partners, they’re aggregated and de-identified (e.g., total events hosted, anonymous engagement stats).

2. Accounts, Access

Can I use SOBERSINQ anonymously?

You need an email for sign-in, but you can use a display name (not your real name) in community spaces. Your recovery content is stored without real-name fields.

Do you support 2-factor authentication (2FA)?

Yes. We strongly recommend enabling 2FA in your account settings to protect against unauthorized access.

I lost my device—what should I do?

From a trusted device, sign in and log out all sessions in Security settings. Change your password and (if enabled) rotate your Private Mode passphrase for future entries.

How do I export or delete my data?

In Account → Privacy:Export: download your recovery entries and account data (common formats like JSON/CSV; Private Mode entries remain encrypted).
Delete: delete entries or your full account. Backups roll off on a schedule; some legal/audit records may be retained as required by law.

3. Payments & Nonprofit Status

How are payments handled?

Payments are processed by Stripe (PCI-DSS Level 1). We never see or store your card number—only Stripe tokens.
Why can’t I purchase inside the app?
To protect your privacy, we keep payments on our website (Stripe) so your billing info stays separate from recovery content. You can then log into the app for access.

Are there free options?

Yes. Our mission is accessibility. Sponsors and donors help us keep core features free. Optional premium features/events may be available.

4. Oracle, Safety & Boundaries

Is the Oracle giving medical, legal, or financial advice?

No. The Oracle provides supportive reflections and education, not professional advice. It won’t predict the future, diagnose, prescribe, or tell you to take financial risks.

What happens if I type something that sounds like a crisis?

The Oracle immediately pauses regular guidance and shows crisis resources (e.g., 988 in the U.S., relevant hotlines by country if available), with supportive language. We encourage contacting local emergency services if there is immediate danger.

Can the Oracle say harmful or mystical things like "you won't be here long"?

No. We block predictions, prophecy-like claims, and instructions that could cause fear, self-harm, financial loss, or unsafe behavior. The Oracle is designed to empower you, not direct your life choices.

What's different about SOBERSINQ's step work?

It’s personalized and paced to you. We honor traditional wisdom and also offer a modern, flexible framework that focuses on self-discovery, daily actions, and compassion.

5. Safety & Boundaries

Where is my data stored?

Data is stored in reputable, secure cloud infrastructure. For U.S. users, data is typically stored in the U.S. For other regions, storage location may vary by compliance needs.

How long do you keep logs and backups?

App logs: typically ~90 days for security/operations, then deleted or aggregated.
Backups: encrypted and kept only as long as needed for resilience; they roll off on a schedule.
Crisis-flagged sessions: see Logging & Admin Review below.

How do you handle law enforcement or government requests?

We require valid legal process (e.g., subpoena, court order, or warrant) and we notify users unless legally prohibited. If content is end-to-end encrypted in Private Mode, we cannot decrypt it. See our Law Enforcement Guidelines page for details.

6. Logging, Admin Review & Future-Proofing

Do you log crisis-flagged sessions?

We use multiple layers of protection: Separation of data: identity info, payment tokens, and recovery content live in separate, protected stores.
Encryption: data is encrypted in transit (HTTPS/TLS) and at rest using strong industry standards.
Least-privilege access: production data is not visible to staff by default; all rare “break-glass” access is time-limited, approved, and audited.
Minimization: we collect the least amount of personal information needed to operate the service.

Will you keep improving the Oracle and safety rules without app updates?

Yes. We maintain an Admin Portal where trained staff can update:

1. Response libraries (greetings, questions, takeaways)
2. Crisis keyword lists and resource links
3. Tone and session flow rules (non-code configurations) These updates let us rapidly improve safety and quality without redeploying the whole app.

7. Third-Party Services & Integrations

Which third-party vendors are involved?

Common services include:

1. Payments: Stripe (tokenized—no card storage by us)
2. AI processing: OpenAI models (we minimize personal information in requests)
3. Security/edge: modern WAF/DDoS/bot protections
4. Email & notifications: reputable transactional providers
5. We perform vendor reviews and limit what each provider can access.

Does OpenAI "see" my identity?

We avoid sending personal identifiers with recovery content. Where possible, we send pseudonymous references. If you enable Private Mode, select content is encrypted on your device first.

8. Community, Ambassadors & Events

Do ambassadors see my private data?

No. Ambassadors help coordinate events and outreach. They do not see your journals or private Oracle interactions.

How are events funded without selling data?

Through sponsors, donors, and grants. We may share aggregate, anonymized impact metrics (e.g., attendance totals), but not personal content.

9. Compliance, Rights & Policies

Are you HIPAA compliant?

SOBERSINQ is not a medical provider and generally doesn’t act as a HIPAA covered entity. We still follow strict privacy and security practices and use reputable vendors. If we ever provide HIPAA-regulated services, we will do so using compliant infrastructure and agreements.

What are my privacy rights (GDPR/CCPA etc.)?

You can access, correct, export, or delete your personal information. You may opt out of certain analytics and request restrictions where applicable. See our Privacy Policy for how to exercise your rights.