Sophia Fiori
Privacy Policy

Sophia ("Sophia", "we", "us", or "our") operates the Sophia platform on behalf of retail businesses ("Retailers") that use our software. This Privacy Policy explains how Sophia and Retailers collect, use, disclose, and protect personal information about consumers ("you") who interact with Retailer storefronts, websites, or applications powered by the Sophia platform.

Who controls your data? The Retailer you purchased from or interacted with is the primary data controller. Sophia acts as a service provider (under CCPA) and data processor (under GDPR) on the Retailer's behalf. For data requests, you may submit directly via this portal and we will coordinate with the applicable Retailer.

1. INFORMATION WE COLLECT

Information you provide directly

  • Name, email address, phone number, and mailing address
  • Purchase history, transaction records, and order details
  • Payment information (processed and stored by our PCI-compliant payment partners; Sophia does not store full card numbers)
  • Account credentials if you create a customer account with a Retailer
  • Communications you send to Retailer staff or customer service
  • Repair, customisation, or special order requests
  • Loyalty programme membership and redemption history

Information collected automatically

  • Device identifiers, IP address, and browser type when you visit a Retailer's website
  • Pages viewed, time spent, and navigation patterns (analytics)
  • Cookie and tracking technology data (see our Cookie Notice)

Information from third parties

  • Fraud prevention and identity verification services
  • Credit and financing providers (e.g. Synchrony Financial) if you apply for in-store financing
  • Social media platforms if you interact with a Retailer's social presence

Sensitive personal information (CPRA)

We may collect the following categories of sensitive personal information: precise geolocation (if you use store locator features with location enabled), and financial account information for financing applications. We use sensitive personal information only for the purpose it was collected and do not sell or share it for advertising purposes.

2. HOW WE USE YOUR INFORMATION

  • Fulfilling orders and providing services — processing purchases, repairs, and special orders
  • Customer support — responding to enquiries, complaints, and service requests
  • Account management — creating and maintaining your customer account and loyalty profile
  • Marketing communications — sending promotional emails, SMS, or catalogues where you have opted in or where permitted by applicable law
  • Analytics and improvement — understanding how customers use Retailer services to improve them
  • Fraud prevention and security — detecting and preventing fraudulent transactions
  • Legal compliance — meeting our obligations under applicable law, including tax and consumer protection requirements
  • Personalisation — recommending products or services based on your purchase history and preferences, where you have not opted out

3. HOW WE SHARE YOUR INFORMATION

Service providers

We share personal information with companies that provide services on our behalf, including payment processors, cloud hosting providers, email delivery services, analytics providers, and fraud detection services. These parties are contractually restricted from using your data for any purpose other than providing services to us.

Retailers

If you submit a data request through this portal, your information will be shared with the Retailer whose data we are processing on your behalf.

Business transfers

If Sophia is involved in a merger, acquisition, or sale of assets, your personal information may be transferred as part of that transaction. We will notify you via email and/or a notice on our website prior to your information being transferred and becoming subject to a different privacy policy.

Legal requirements

We may disclose your information where required by law, court order, or governmental authority, or where we believe disclosure is necessary to protect our rights, your safety, or the safety of others.

We do not sell your personal information

Sophia does not sell your personal information to third parties for monetary consideration. California residents may exercise their right to opt out of sharing for cross-context behavioural advertising using the Data Request form.

4. COOKIES AND TRACKING

We use cookies and similar tracking technologies on Retailer websites. For detailed information about the types of cookies used, how to manage your preferences, and your opt-out options, please see our Cookie Notice.

5. DATA RETENTION

We retain personal information for as long as necessary to fulfil the purposes described in this policy, or as required by applicable law. Typical retention periods are:

  • Transaction records: 7 years (tax and accounting requirements)
  • Customer account data: duration of the account relationship plus 3 years
  • Marketing consent records: 3 years from last interaction
  • Data request records: 2 years (legal compliance)
  • Website analytics: 26 months (rolling)

When you request deletion of your personal information, we will delete or anonymise it within 45 days, except where retention is required by law (e.g. transaction records for tax purposes).

6. YOUR PRIVACY RIGHTS

Depending on your state of residence, you may have the following rights regarding your personal information. Submit a request via our Data Request form.

| STATE | LAW | YOUR RIGHTS | RESPONSE WINDOW |
|---|---|---|---|
| California | CCPA / CPRA | Access, deletion, correction, portability, opt-out of sale/sharing, limit sensitive PI use, right to non-discrimination | 45 days (extendable to 90) |
| Virginia | VCDPA | Access, deletion, correction, portability, opt-out of sale, targeted advertising & profiling. Right to appeal within 45 days of denial | 45 days (extendable to 45) |
| Colorado | CPA | Access, deletion, correction, portability, opt-out of sale, targeted advertising & profiling. Right to appeal within 45 days | 45 days (extendable to 45) |
| Connecticut | CTDPA | Access, deletion, correction, portability, opt-out of sale, targeted advertising & profiling. Right to appeal within 45 days | 45 days (extendable to 45) |
| Texas | TDPSA (eff. Jul 2024) | Access, deletion, correction, portability, opt-out of sale, targeted advertising & profiling. Right to appeal | 45 days (extendable to 45) |
| Oregon | OCPA (eff. Jul 2024) | Access, deletion, correction, portability, opt-out of sale, targeted advertising & profiling. Right to appeal | 45 days (extendable to 45) |
| Montana | MCDPA (eff. Oct 2024) | Access, deletion, correction, portability, opt-out of sale/sharing, limit sensitive PI use, right to non-discrimination | 45 days (extendable to 45) |
| Delaware | DPDPA (eff. Jan 2025) | Access, deletion, correction, portability, opt-out of sale, targeted advertising & profiling. Right to appeal | 45 days (extendable to 45) |
| Iowa | ICDPA (eff. Jan 2025) | Access, deletion, portability, opt-out of sale & targeted advertising. Note: no correction right or profiling opt-out under this law. Right to appeal | 90 days |
| Nebraska | NDPA (eff. Jan 2025) | Access, deletion, correction, portability, opt-out of sale, targeted advertising & profiling. Right to appeal | 45 days (extendable to 45) |
| New Hampshire | NHPA (eff. Jan 2025) | Access, deletion, correction, portability, opt-out of sale, targeted advertising & profiling. Right to appeal | 45 days (extendable to 45) |
| New Jersey | NJDPA (eff. Jan 2025) | Access, deletion, correction, portability, opt-out of sale, targeted advertising & profiling. Right to appeal | 45 days (extendable to 45) |
| Tennessee | TIPA (eff. Jul 2025) | Access, deletion, correction, portability, opt-out of sale, targeted advertising & profiling. Right to appeal within 60 days of denial | 45 days (extendable to 45) |
| Minnesota | MHMDA (eff. Jul 2025) | Access, deletion, correction, portability, opt-out of sale, targeted advertising & profiling. Strong health data protections. Right to appeal | 45 days (extendable to 45) |
| Maryland | MODPA (eff. Oct 2025) | Access, deletion, correction, portability, opt-out of sale, targeted advertising & profiling. Sale of sensitive data prohibited. Data minimisation required. Right to appeal | 45 days (extendable to 45) |
| Indiana | IDCPA (eff. Jan 2026) | Access, deletion, correction, portability, opt-out of sale, targeted advertising & profiling. Right to appeal | 45 days (extendable to 45) |
| Kentucky | KCDPA (eff. Jan 2026) | Access, deletion, correction, portability, opt-out of sale, targeted advertising & profiling. Right to appeal | 45 days (extendable to 45) |
| All other states | Company policy | We honour access, deletion, and correction requests from all US residents as a matter of policy | 45 days |

California Shine the Light — Civil Code §1798.83

California residents may request once per calendar year, free of charge, the categories of personal information we disclosed to third parties for their direct marketing purposes in the preceding year, and the names of those third parties. Submit a request via our Data Request form and note "Shine the Light" in the details field.

How to exercise your rights

Submit a request through our Data Request form. We will verify your identity before fulfilling any request by matching your submission against records on file. For deletion or sensitive requests, we may send a one-time verification code to your email address.

You will not be discriminated against for exercising your privacy rights. We will not deny you goods or services, charge you different prices, or provide you a different level of service because you exercised a right under applicable privacy law.

Authorised agents

You may designate an authorised agent to make a request on your behalf. We may require written authorisation or a signed power of attorney before fulfilling such requests, consistent with CCPA §1798.130(a)(3)(B) and equivalent state law requirements.

7. INTERNATIONAL TRANSFERS

Sophia is based in the United States. If you are located outside the US, please be aware that your personal information will be transferred to and processed in the United States, where privacy laws may differ from those in your jurisdiction. By using Retailer services powered by Sophia, you consent to this transfer.

8. CHILDREN'S PRIVACY

Our services are not directed at children under 13 (or under 16 in California). We do not knowingly collect personal information from children under these ages. If you believe we have inadvertently collected information from a child, please contact us at [email protected] and we will promptly delete it.

9. SECURITY

We implement industry-standard technical and organisational measures to protect your personal information against unauthorised access, disclosure, alteration, or destruction. These include encryption in transit (TLS 1.2+) and at rest, access controls, and regular security assessments. However, no method of transmission over the internet or electronic storage is 100% secure, and we cannot guarantee absolute security.

10. CHANGES TO THIS POLICY

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the new policy on this page and updating the "Last updated" date above. For significant changes, we will provide additional notice, such as an email notification. Your continued use of Retailer services after changes take effect constitutes your acceptance of the revised policy.

11. CONTACT US

For privacy-related questions or to exercise your rights, please use our Data Request form or contact our Data Protection Officer: