Effective Date: March 10, 2026 | Last Updated: March 15, 2026 (v7.1.0)
SoulCode ("we," "us," "our") is a personal development web application operated by Theo Thomas, doing business as Apeiron. This policy explains what data we collect, why we collect it, how it is stored, and what control you have over it.
By using SoulCode at soulcode.uk, you agree to the practices described below.
| Category | Data | When |
|---|---|---|
| Account | Email address and password (if using email sign-up), or email address, display name, and profile picture (if using Google sign-in) | When you create an account |
| Soul Profile | Your stat allocations (7 stats), answers to onboarding questions, and AI-generated soul synthesis | During onboarding and when synthesis runs |
| Mirror Conversations | Messages you exchange with the Soul Mirror AI interface | Each time you use the Mirror |
| Self Check-ins | Mood, energy, focus, and habit tracking entries | When you complete a self check-in |
| Academic Data | Class names, outlines, study notes, due dates | When you use the Academic tab |
| Debt & Finance | Debt account names, balances, APR, payment amounts, strategy settings | When you use the Debt War Room |
| Fitness Data | Workout logs, exercises, body profile (height, weight, age, activity level), weight history, body part training levels | When you use the Fitness tab |
| Career Profile | Contact information, work history (company, title, dates, responsibilities), education (school, degree, field, graduation date), skills, and certifications | When you use the Careers tab or upload a resume |
| Resume | Uploaded PDF file (stored locally in your browser). Text content extracted for AI parsing into structured career data | When you upload a resume |
| Job Search | Search queries (role, location, salary preferences) and saved job listings (title, company, location, description, status) | When you search for jobs or save listings |
| Inventory | Pantry item names, quantities, categories, expiry dates | When you use the Pantry tracker |
| Public Soul | A lightweight public profile card containing your display name, archetype, stat values, level, chapter, motto, and card visualization style | Automatically synced when you save your soul profile (for signed-in users) |
| Friendships | Friend request records (requester, recipient, status) and the friend connections you accept | When you send, accept, or decline friend requests |
| Bank Transactions | Date, description, and amount from CSV files you import | When you use the CSV bank import feature (stored locally in your browser only) |
| Feedback | Messages you voluntarily submit through the feedback form | When you submit feedback |
| Usage Telemetry | Which premium features you attempted to access and daily API usage counts | When you interact with gated features |
| Forwarded Emails | Sender address, subject line, and a text snippet (up to 5,000 characters) of financial emails you forward to your personal SoulCode scan address | When you set up Email Scanner and forward emails |
| Mirror Session Tracking | Number of free Mirror sessions used, number of purchased Mirror sessions remaining | When you use free Mirror sessions or purchase Mirror session packs |
| AI Rate Limits | Soul synthesis usage count and timestamps (hourly and daily limits for free-tier users) | When you run soul synthesis as a free-tier user |
| Payment | Stripe processes your payment. We receive only your email, subscription status, founder tier status, and Mirror session pack purchases — never your card number, CVV, or billing address. | When you subscribe, purchase a Founding Soul tier, or buy Mirror session packs |
| Push Notifications | Browser push subscription endpoint URL, encryption keys, and your notification preferences (which categories of notifications you have enabled or disabled) | When you enable push notifications |
| The Pulse | Daily energy rating (1–5), selected intentions, streak count, and a rolling 90-day log of Pulse completions | When you complete your daily Pulse check-in (stored locally in your browser) |
| Soul Card Images | A PNG image of your generated Soul Card, stored in cloud storage at a path tied to your user ID | When you share your Soul Card via link, social media, or clipboard |
| Cosmetics & Artifacts | Cosmetic items you own (borders, styles, effects), equipped cosmetics on your Soul Card, and trade/gift history (sender, recipient, item, timestamp) | When you earn, purchase, equip, trade, or gift cosmetic items |
| Share Analytics | A count of how many times your shared Soul Card link has been viewed | Each time someone visits your share link |
We do not collect your IP address, browser fingerprint, device identifiers, or location data. We do not use cookies for tracking or advertising. The only cookies present are those required by our infrastructure providers for session management.
Your data is used solely to provide the SoulCode experience:
- Account data authenticates you and links your profile across sessions.
- Soul profile data and check-in data power AI-generated insights, stat tracking, and the Dream Engine (your trajectory over time).
- Mirror conversations are sent to AI providers to generate responses in the context of your soul profile.
- Debt, academic, fitness, and inventory data persist your personal dashboards.
- Career profile data powers resume generation, job application auto-fill (via the optional browser extension), and the professional profile display.
- Resume text is extracted and sent to AI providers for structured parsing into your career profile fields.
- Job search queries are sent through our proxy to the JSearch API to return job listings.
- Public soul data and friendship records enable the Soul Web social features, including friend search by name, friend requests, and stat comparison.
- Forwarded email data is processed by AI to extract structured financial information (payment amounts, balances, due dates) and route it to the appropriate module in your dashboard.
- Bank transaction data from CSV imports is stored locally in your browser and is never transmitted to our servers.
- Telemetry data helps us understand which features matter most so we can improve the product.
- Mirror session tracking data enforces free-tier limits and tracks purchased session balances.
- AI rate limit data enforces fair-use limits on free soul synthesis (1 per hour, 3 per day).
- Payment data activates your subscription, Founding Soul status, or purchased Mirror session packs.
- Push notification subscription data is used solely to deliver the notifications you have opted into (streak reminders, debt due dates, weekly progress summaries).
- The Pulse daily log tracks your energy and intention patterns over time to power contextual nudges and streak tracking — this data is stored locally in your browser and is not transmitted to our servers.
- Soul Card images are uploaded to Supabase Storage when you share your card, enabling social previews (Open Graph images) when your share link is posted on social media or messaging apps.
- Cosmetic ownership and trade records power the Soul Artifacts system, including equipped card visuals, trade provenance, and inventory.
- Share view counts help you see how many people have viewed your shared Soul Card.

We do not sell, rent, or share your personal data with third parties for marketing or advertising purposes. We do not use your data to train AI models.
SoulCode relies on the following third-party services to operate. Each processes data only as necessary to perform its function:
| Service | Purpose | Data Shared |
|---|---|---|
| Supabase | Authentication and database | All account and profile data listed above |
| Cloudflare | Website hosting and API proxy | HTTP requests pass through Cloudflare's network |
| Google | Sign-in (OAuth 2.0) | Email, name, profile picture (provided by Google to us) |
| Stripe | Payment processing | Email and payment details (handled entirely by Stripe) |
| OpenAI | AI features (soul synthesis, insights, study tools) | Prompts containing your soul profile, questions, and conversation context |
| Anthropic | AI features (Mirror conversations, routing, resume parsing) | Prompts containing your soul profile, questions, conversation context, and extracted resume text |
| RapidAPI / JSearch | Job search results | Job search queries (role, location, salary preferences) sent through our Cloudflare Worker proxy |
AI prompts are sent through our Cloudflare Worker proxy, which adds API keys server-side. Your API keys are never exposed to your browser. Per OpenAI's and Anthropic's API data usage policies, data sent via their APIs is not used to train their models.
Your data is stored in a Supabase-hosted PostgreSQL database with row-level security (RLS) policies that ensure each user can only access their own data. All data is encrypted in transit via HTTPS/TLS. Supabase encrypts data at rest using AES-256.
Authentication is available via Google OAuth 2.0 with the PKCE (Proof Key for Code Exchange) flow, or via email and password. Google OAuth means we never see, store, or handle your Google password. For email/password accounts, passwords are hashed by Supabase using bcrypt and are never stored in plain text. Optional two-factor authentication (TOTP) adds an additional layer of security.
Some data (theme preferences, budget categories, asset lists, workout presets, Pulse daily logs) is stored locally in your browser's localStorage and is never transmitted to our servers.
Soul Card images are stored in a Supabase Storage bucket with public read access (so share links can display the image) and authenticated write access (only you can upload or replace your own card image).
We retain your data for as long as your account exists. Activity briefings are automatically trimmed to the most recent 50 entries per user. Telemetry records (gate hits) are trimmed to the most recent 1,000 entries per user.
Financial data: Budget categories, debt accounts, asset records, and imported bank transactions are stored for as long as your account exists. Bank CSV imports are parsed entirely within your browser — only the extracted date, description, and amount fields are stored locally in your browser's localStorage. Raw CSV files are never uploaded to our servers. We do not store bank account numbers, sort codes, routing numbers, or any bank credentials at any time.
Email scan data: Forwarded email import records are stored in our database for as long as your account exists. Raw email text snippets stored for debugging are limited to 500 characters and can be purged by deleting individual import records or your entire account.
If you delete your account, all data associated with your user ID is permanently removed from our database via cascading deletion. localStorage data can be cleared through your browser settings at any time.
The Email Scanner is an optional feature that lets you forward financial emails (statements, payment confirmations, alerts) to a personal scan address in the format data+{your-token}@soulcode.uk. This section explains how forwarded email data is handled.
How it works: When you enable the Email Scanner, we generate a unique token linked to your account. You set up a forwarding rule in your email provider to send financial emails to your personal scan address. Our Cloudflare Email Worker receives the forwarded email, extracts the sender, subject, and a text snippet of the body (up to 5,000 characters), and sends that snippet to Anthropic's API for structured parsing. The parsed result (amounts, balances, due dates, creditor names) is written to your account in Supabase.
What we store: Sender address, subject line, parsed financial data (JSON), the module it was routed to (debt, budget, or assets), a raw text snippet (up to 500 characters) for debugging, and whether the import has been applied. We do not store full email bodies, attachments, images, or any content beyond the extracted text snippet.
What we do not do: We do not access your email inbox directly. We do not store your email provider credentials. We do not read emails you have not explicitly forwarded. The forwarding rule is set up entirely within your email provider and can be removed at any time.
AI processing: The text snippet of each forwarded email is sent to Anthropic's API for classification and data extraction. Per Anthropic's API data usage policy, data sent via their API is not used to train their models. The AI prompt contains only the sender, subject, and body text — no other account data is included.
Opting out: You can stop the Email Scanner at any time by removing the forwarding rule in your email provider. Existing imported records remain in your account until you delete them or delete your account.
Soul Web is a social feature that lets you connect with other SoulCode users. This section explains how your data is handled in social interactions.
Public Soul profile: When you are signed in, a lightweight public profile is automatically synced to the public_souls table in our database. This includes your display name, archetype, stat values, level, chapter, motto, and card visualization style. This data is used to display your Soul Card to friends and in search results. It does not include your onboarding answers, Mirror conversations, financial data, academic data, fitness data, or any other private information.
Friend search: Other users can search for you by display name. Search queries match against the display_name field in public_souls only. If you do not want to appear in search results, you can change your display name to something non-identifiable.
Friend requests: When you send or receive a friend request, we store a record of the requester, recipient, and status (pending, accepted, or declined). Accepted friends can view each other's public Soul Card, including stat values for comparison.
Realtime updates: We use Supabase Realtime to push live updates to your Soul Web when a friend updates their Soul Card or when you receive a friend request. These subscriptions are scoped to your account and are cleaned up on sign-out.
Share links: When you share your Soul Card via a link, the link includes your user ID. Anyone with the link can view a public display of your animated Soul Card, including your display name, archetype, stats, level, motto, and visualization style. Signed-in viewers can send you a friend request directly from this page.
Auto-friend on share signup: If a person who is not yet a SoulCode user clicks your share link and signs up for an account, a mutual friendship between you and the new user is automatically created (status: accepted). Both parties have opted in — you by sharing the link, and the new user by signing up through it. Either party can remove the friendship at any time.
SoulCode offers optional browser push notifications for streak reminders, debt due date alerts, and weekly progress summaries. This section explains how notification data is handled.
Opt-in only: Push notifications are never enabled without your explicit permission. During onboarding or in Settings, you can choose to enable notifications. Your browser will prompt you to grant notification permission — we cannot send notifications unless you approve this prompt.
What we store: When you enable notifications, your browser generates a push subscription object containing an endpoint URL and encryption keys. We store this in our database, linked to your user ID. We also store your notification preferences (which categories you want: streaks, debt reminders, weekly summaries).
How notifications are sent: A scheduled Cloudflare Worker checks for users who should receive notifications (e.g., streak at risk, debt payment due tomorrow) and sends push messages through the Web Push protocol. Messages are encrypted end-to-end using the keys in your subscription.
Opting out: You can disable notifications at any time through the SoulCode Settings tab or through your browser's notification settings. Disabling removes your push subscription from our database.
SoulCode includes a cosmetic system that lets you personalize your Soul Card with visual items such as borders, styles, effects, and chapter-earned cosmetics.
What we store: A catalog of available cosmetic items, your ownership records (which items you have earned or purchased), which cosmetics you have equipped on your Soul Card, and a trade/gift history that records the sender, recipient, item, and timestamp of each transaction. Trade records include provenance tracking (original owner) to maintain item authenticity.
How cosmetics are earned: Some cosmetics are unlocked by reaching XP level milestones or chapter thresholds. Others may be purchasable through the cosmetic marketplace (coming soon). Earned cosmetics are permanently tied to your account.
Trading and gifting: You may trade or gift cosmetic items to friends through the Soul Web. Trade records are stored to maintain provenance. We do not facilitate real-money trading between users.
SoulCode offers an optional Chrome browser extension that helps you auto-fill job application forms using your career profile data. This section explains how the extension handles your data.
Session bridge: When you visit soulcode.uk while the extension is installed, the extension reads your authentication session and career profile from the browser's localStorage on soulcode.uk. This data is passed to the extension's background service worker and stored in the extension's local storage (chrome.storage.local). This enables the extension to function on other websites without requiring a separate login.
Form auto-fill: When you click the "Fill" button on a job application page, the extension matches form fields (by name, id, placeholder, and label text) to your career profile data and fills them in. The extension only writes data into form fields — it does not read, collect, or transmit any data from the pages you visit.
Data storage: The extension stores your career profile and authentication token locally in the extension's storage on your device. This data is never transmitted to any server other than soulcode.uk (to verify your session) and Supabase (to fetch your career profile if not cached locally).
No tracking: The extension does not track which pages you visit, which forms you fill, or any browsing activity. It activates only when you explicitly click the fill button or when it detects a job application page (to show a floating shortcut button).
Removal: Uninstalling the extension removes all locally stored data. Your career profile data in SoulCode is not affected.
You can take the following actions at any time:
View your data: Your soul profile, stats, check-in history, and all other data are visible directly within the app.
Reset your soul: The dashboard includes a reset function that clears your soul profile and mirror conversation history.
Delete your account: Contact us at the email below to request full account deletion. We will remove all data associated with your account from Supabase within 30 days.
Revoke Google access: You can revoke SoulCode's access to your Google account at any time through your Google Account permissions.
Export your data: The Soul Card export feature lets you download a portable snapshot of your soul profile.
If you are located in the European Economic Area (EEA), United Kingdom, or California, you may have additional rights under the GDPR, UK GDPR, or CCPA respectively, including the right to access, correct, delete, or port your personal data, and the right to object to or restrict certain processing. To exercise these rights, contact us using the information below.
SoulCode is intended for users aged 18 and older. We do not knowingly collect personal data from anyone under the age of 18. If you believe a minor has provided us with personal data, please contact us and we will delete it promptly.
We may update this privacy policy as SoulCode evolves. If we make material changes, we will update the "Last Updated" date at the top of this page. Continued use of SoulCode after changes constitutes acceptance of the updated policy.
For privacy questions, data requests, or concerns:
Theo Thomas / Apeiron
Email: theophiluscthomas@gmail.com
Website: soulcode.uk