Privacy Policy

Last updated: April 22, 2026

This Privacy Policy explains how Leviathan Systems Ltd ("we", "us", "our"), a company registered in England and Wales, collects, uses, and protects your information when you use the Sovra mobile application and related services (the "Service").

1. Summary & Privacy by Design

The Service is built on the principle of data sovereignty.

On-Device Storage: Your messages, attachments, and notes are stored in encrypted storage on your physical device.
Transient Processing: Our servers act as a relay. We do not store the content of your communications on our backend.
Zero-Knowledge: We have no technical means to access your decrypted user data.
No Data Sales: We do not sell your data or use it for advertising or cross-app tracking.

2. Information We Access

Depending on which integrations you enable, the Service may access the following:

Gmail: Email messages, threads, attachments, labels, and your basic Google profile (name, email, profile picture).
iCloud Mail (IMAP): Message data from folders you connect.
Contacts: Used strictly for displaying sender identities within the app.
Subscription Data: Processed via RevenueCat. On iOS, we use the Identifier for Vendor (IDFV) solely for fraud prevention and subscription management. It is not used for advertising.
Diagnostic Logs: Minimal technical traces (error logs) to maintain Service integrity.

3. Google User Data & Limited Use Disclosure

Sovra's use and transfer of information received from Google APIs to any other app will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

Scopes we request

gmail.modify — to fetch and display your messages, threads, labels, and attachments, and to mark messages as read, archive, or label them based on actions you take in the app.
gmail.send — to send replies, forwards, and new messages that you compose.
userinfo.profile and userinfo.email — to identify your Google account inside the app.

How Google user data is handled

No AI Training: Google user data is not used to train, develop, or improve any generalized AI or Machine Learning models.
No Human Access: No employee or contractor reads your Gmail data except (a) with your explicit consent for support, (b) to investigate abuse, or (c) where required by law.
Relay Storage: Email content held in server memory during relay operations is immediately discarded and never written to disk.
Storage: Gmail message bodies, headers, and attachments are stored in encrypted on-device storage so the app can work offline. They are not stored in our backend database.
Prohibited Uses: Gmail data is never sold or shared with third parties for advertising, credit determination, or any purpose unrelated to providing the user-facing features of Sovra. It will not be transferred to or used by data brokers, consumer reporting agencies, or any party for such purposes.

Revoking Google access

You can disconnect your Google account from inside the app at any time, or revoke access directly at myaccount.google.com/permissions. Revoking access stops further sync and removes your tokens from our backend.

4. Data Storage and Retention

Local Data: All decrypted message content stays on your device.
Backend Metadata: We store only OAuth refresh tokens and minimal account-link metadata (email address).
Retention: OAuth tokens are permanently deleted upon account disconnection or deletion. We do not retain tokens beyond the life of your active integration.
Third-party processors: Replit (US) hosts our backend infrastructure. RevenueCat processes subscription receipts.

5. Your Rights and Account Deletion

Under the UK GDPR, you have rights including access, rectification, and erasure.

Account Deletion: You can delete your account and all associated backend data at any time via the "Delete Account" button in the App Settings or by emailing privacy@leviathan-sys.com.
Revocation: You may revoke API access at any time via your Google or Apple account security settings.
Access and export: Contact us at the address below to request a copy of any personal data we hold on our backend.
Depending on your jurisdiction, you may have additional rights under the UK GDPR, EU GDPR, or CCPA — we will honour verified requests as required by law.

6. Security

We utilise industry-standard TLS for data in transit and OS-level secure storage (Keychain on iOS) for credentials on-device. All user data stored locally is encrypted with AES-256-GCM. No system is perfectly secure; please use a device passcode and keep your operating system up to date.

7. Governing Law and Jurisdiction

This Privacy Policy and any dispute or claim arising out of or in connection with it shall be governed by and construed in accordance with the laws of England and Wales. You agree that the courts of England and Wales shall have exclusive jurisdiction to settle any dispute or claim.

8. Contact Us

Leviathan Systems Ltd
Email: privacy@leviathan-sys.com