Privacy Policy

Last updated: May 2026 · Effective: 6 May 2026

1. Who We Are

Somata Labs Ltd ("Somata", "we", "us", or "our") is the data controller responsible for the personal data processed through the Somata Creator platform and the somata.me website.

Somata Labs Ltd
6 Wrights Lane, London, W8 6TA
founders@somatalabs.ai

2. What Data We Collect

We collect and process the following categories of personal data:

Category	Data	Purpose
Account data	Name, email address, company name	Account creation, communication, billing
Biometric input data	Photographic reference images, height, weight, gender	Mesh generation — producing a dimensionally accurate digital human mesh
Generated output data	Mesh files, Somata ID metadata (generation date, source type, licensing tier, export history)	Service delivery, provenance tracking, licence verification
Usage data	IP address, browser type, pages visited, feature usage patterns	Service improvement, security, analytics
Payment data	Billing address, payment method details	Subscription management (processed by our payment provider; we do not store full card numbers)

3. Biometric Data — Special Category Processing

We recognise that photographic images and associated body measurements may constitute biometric data and/or special category data under the UK GDPR and equivalent regulations. We take this classification seriously and apply the following safeguards:

• Explicit consent: We process biometric input data only with your explicit, informed consent, obtained at the point of upload. You may withdraw this consent at any time.
• Purpose limitation: Biometric input data is used solely for mesh generation. We do not use it for identification, surveillance, facial recognition, or any purpose other than producing the mesh you requested.
• Data minimisation: We retain source photographs and biometric measurements only for as long as necessary to generate and deliver the mesh. Once the mesh is delivered, source imagery is deleted within 30 days unless you explicitly request retention for re-generation purposes.
• No third-party sharing: Biometric input data is never shared with, sold to, or made accessible to third parties. It is processed exclusively within our infrastructure.
• Security: Biometric data is encrypted at rest and in transit. Access is restricted to the automated pipeline that performs mesh generation.

4. Legal Basis for Processing (UK GDPR)

We process your personal data on the following legal bases:

• Contract performance (Art. 6(1)(b)): Account data and generated output data are processed as necessary to provide the Service you have subscribed to.
• Explicit consent (Art. 9(2)(a)): Biometric input data (photographs, body measurements) is processed on the basis of your explicit consent, which you provide at the point of upload.
• Legitimate interest (Art. 6(1)(f)): Usage data is processed for service improvement, security monitoring, and fraud prevention. We have assessed that these interests do not override your rights and freedoms.

5. The Somata ID Registry

Each mesh generated through the Service is assigned a Somata ID — a unique, persistent identifier. The Somata ID record contains:

• A unique identifier for the mesh
• Generation date and time
• Source type (e.g., "photographic reference")
• Licensing tier at time of generation
• Export format history
• The account ID of the generating user

Somata ID records do not contain the source photograph, biometric measurements, or any data from which the depicted individual could be identified. The registry is a provenance and licensing record, not a biometric database.

Somata ID records are retained indefinitely as they serve as the authoritative licensing record for generated meshes. Third parties may query the registry to verify the licensing status of a mesh, but queries return only licensing metadata — never personal data or source material.

6. Data Sharing

We share personal data only in the following limited circumstances:

• Payment processing: Billing data is shared with our payment provider to process subscription payments.
• Infrastructure providers: We use cloud hosting services to run the Service. These providers process data on our behalf under data processing agreements that require GDPR-equivalent protections.
• Analytics: We use Google Analytics to understand how users interact with our website. This involves the processing of anonymised usage data.
• Legal obligations: We may disclose personal data if required to do so by law, regulation, legal process, or governmental request.

We do not sell personal data. We do not share biometric input data with any third party under any circumstances.

7. International Transfers

Your data may be processed in countries outside the United Kingdom. Where this occurs, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the UK Information Commissioner's Office, or equivalent mechanisms.

8. Data Retention

• Source photographs and biometric measurements: Deleted within 30 days of mesh delivery, unless you request retention.
• Account data: Retained for the duration of your account and for 12 months following account closure.
• Generated meshes: Available for download for the duration of your subscription. Deleted 90 days after account closure.
• Somata ID records: Retained indefinitely (provenance and licensing records).
• Usage data: Retained for 26 months in anonymised form.
• Payment data: Retained as required by financial regulations (typically 7 years for transaction records).

9. Your Rights

Under the UK GDPR, you have the following rights:

• Access: Request a copy of the personal data we hold about you.
• Rectification: Request correction of inaccurate data.
• Erasure: Request deletion of your personal data (subject to legal retention requirements and the persistence of Somata ID records).
• Restriction: Request that we restrict processing of your data in certain circumstances.
• Portability: Receive your data in a structured, machine-readable format.
• Objection: Object to processing based on legitimate interest.
• Withdraw consent: Withdraw consent for biometric data processing at any time, without affecting the lawfulness of processing carried out before withdrawal.

To exercise any of these rights, contact us at founders@somatalabs.ai. We will respond within 30 days.

10. Cookies and Tracking

Our website uses the following cookies and tracking technologies:

• Essential cookies: Required for the website and Service to function (e.g., session management, security tokens). These cannot be disabled.
• Analytics cookies: Google Analytics cookies to understand website usage patterns. You can opt out of Google Analytics by installing the Google Analytics Opt-out Browser Add-on.
• Cloudflare Turnstile: Used for bot prevention on registration forms. This service may set cookies as part of its verification process.

11. Children

The Service is not directed at individuals under 18 years of age. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child, we will delete it promptly.

You must not upload photographs of minors to the Service.

12. Security

We implement appropriate technical and organisational measures to protect personal data against unauthorised access, alteration, disclosure, or destruction. These measures include encryption at rest and in transit, access controls, and regular security reviews.

No system is completely secure. If we become aware of a data breach that poses a risk to your rights and freedoms, we will notify you and the Information Commissioner's Office in accordance with our legal obligations.

13. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be notified via email or through the Service. The "Last updated" date at the top of this page reflects the most recent revision.

14. Complaints

If you are unhappy with how we have handled your personal data, you have the right to lodge a complaint with the UK Information Commissioner's Office:

Information Commissioner's Office
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
ico.org.uk/make-a-complaint

15. Contact

For questions about this Privacy Policy or to exercise your data rights, contact us at:

Somata Labs Ltd
6 Wrights Lane, London, W8 6TA
founders@somatalabs.ai