SOAPless
Sign Up

Privacy Policy

Last updated: March 22, 2026

1. Introduction

SOAPless ("SOAPless," "we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our platform and services.

This policy describes our current data handling practices and is intended to support obligations that may apply under frameworks such as the GDPR, CCPA, and Japan's Act on the Protection of Personal Information (APPI). It is not a certification statement.

2. Data Controller

SOAPless, operated by miravy (個人情報取扱事業者), is the data controller for personal data processed through the Service. For privacy inquiries, data subject requests, or APPI-related disclosure requests, contact us at hello@soapless.miravy.com.

3. Data We Collect

3.1 Information You Provide

  • Account information: Email address, full name, and company name when you register for an account.
  • Payment information: Billing details processed and stored by Stripe. We do not store credit card numbers on our servers.
  • WSDL URLs: The URLs of SOAP services you register with the platform.
  • Support communications: Messages you send to our support team.

3.2 Information We Collect Automatically

  • Usage metadata: API call timestamps, operation names, HTTP status codes, response times, service identifiers, and error classifications. Error messages are truncated and sanitized to remove potential personal data. We do not log request or response bodies.
  • Device information: Browser type and operating system. Note: IP addresses may be temporarily processed by our infrastructure providers (Vercel, Supabase) but are not stored by the SOAPless application layer.
  • Website analytics: On public marketing pages, docs, and blog pages, Google Analytics may collect page view, referrer, approximate location, browser, and device metadata. This analytics setup is not used to inspect SOAP request bodies, API payloads, or dashboard form contents.
  • Authentication cookies: Session tokens for maintaining your login state.

3.3 Data We Do NOT Collect

  • SOAP request/response bodies: We do not log, store, or inspect the content of API requests or responses passing through our proxy.
  • SOAP credentials in plaintext: Any credentials for upstream SOAP services are encrypted using AES-256-GCM at rest and decrypted only at the moment of proxying a request.

4. Legal Basis for Processing (GDPR)

We process your personal data on the following legal bases:

  • Contract performance: Processing necessary to provide the Service you have subscribed to (Article 6(1)(b)).
  • Legitimate interests: Analytics, fraud prevention, and service improvement (Article 6(1)(f)).
  • Legal obligation: Compliance with tax, billing, and regulatory requirements (Article 6(1)(c)).
  • Consent: For optional communications such as product updates, where applicable (Article 6(1)(a)).

5. How We Use Your Data

  • Providing, maintaining, and improving the Service;
  • Processing payments and managing subscriptions;
  • Generating usage analytics and dashboards for your account;
  • Detecting and preventing fraud and abuse;
  • Communicating service updates, security alerts, and support;
  • Complying with legal obligations.

6. Third-Party Data Processors

We share your data with the following third-party processors, each bound by data processing agreements:

ProcessorPurposeLocation
SupabaseDatabase hosting and authenticationUnited States (AWS)
StripePayment processing and subscription managementUnited States
Google AnalyticsWebsite analytics for public pages and documentationGlobal
VercelApplication hosting and edge deliveryGlobal (edge network)

We do not sell your personal data to any third party.

7. International Data Transfers

Your data may be transferred to and processed in the United States and other countries where our processors operate. For transfers from the European Economic Area (EEA), United Kingdom, or Switzerland, we rely on:

  • Standard Contractual Clauses (SCCs) approved by the European Commission;
  • Adequacy decisions where applicable;
  • Processor-specific certifications and compliance frameworks.

For transfers involving Japanese personal data, we comply with the APPI requirements for cross-border data transfers, including ensuring equivalent levels of protection.

8. Data Retention

  • Account data: Deleted immediately upon account deletion. All associated data (services, API keys, usage logs) is removed via cascading database deletion.
  • Usage metadata: Automatically cleaned up based on your plan: 7 days on Free, 30 days on Starter, 90 days on Pro. All logs are deleted immediately on account deletion.
  • Payment records: Payment processing is handled by Stripe. SOAPless does not store credit card numbers or payment details. Stripe retains billing records per their own privacy policy.
  • SOAP credentials: Encrypted at rest. Deleted immediately upon service removal or account deletion.

9. Your Rights

Depending on your location, you may have the following rights regarding your personal data:

  • Right to Access: Request a copy of the personal data we hold about you.
  • Right to Rectification: Request correction of inaccurate or incomplete data.
  • Right to Erasure:Request deletion of your personal data ("right to be forgotten").
  • Right to Data Portability: Receive your data in a structured, machine-readable format.
  • Right to Object: Object to processing based on legitimate interests.
  • Right to Restrict Processing: Request limitation of processing under certain circumstances.
  • Right to Withdraw Consent: Withdraw consent at any time where processing is based on consent.

CCPA-specific rights: California residents have the right to know what personal information is collected, request deletion, and opt out of the sale of personal information. We do not sell personal information.

APPI-specific rights: Japanese residents may request disclosure, correction, suspension of use, or deletion of personal data under the APPI.

To exercise any of these rights, contact us at hello@soapless.miravy.com. We will respond within 30 days (or as required by applicable law).

10. Cookie Usage

SOAPless uses a Supabase authentication session cookie to maintain your login state in the dashboard. On public website pages, we also use Google Analytics for aggregate traffic and pageview measurement. We do not use advertising cookies or ad retargeting pixels.

For more details, see our Cookie Policy.

11. Data Processing Agreement

A Data Processing Agreement (DPA) is available on request for customers who require one for GDPR compliance. Contact hello@soapless.miravy.com to request a signed DPA.

12. Children's Privacy

The Service is not intended for use by individuals under 18 years of age. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child, we will take steps to delete it promptly.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email and by posting the revised policy on our website with an updated "Last updated" date. Continued use of the Service after changes take effect constitutes acceptance of the revised policy.

14. Contact Information

For privacy-related inquiries or to exercise your rights:

SOAPless
Email: hello@soapless.miravy.com

For complaints, you may also contact your local data protection authority (EU/EEA residents), the California Attorney General (California residents), or the Personal Information Protection Commission (Japanese residents).