Privacy Policy

Last updated: 2026-05-01

This Privacy Policy describes how SortaRich ("we", "us", or "our"), operated by Atlas & Lila, Inc., collects, uses, and shares information about you when you use sortarich.com and related properties (the "Service"). For our full Terms of Service, see /terms.

1. What we collect

Information you provide directly:

  • Email address — when you sign up via email-code or Google OAuth. Used for account identification, account-related communications, and (with your implied consent at signup) product updates.
  • Profile data you optionally enter — household composition (partner and children's birth months/years), home city, monthly income or vacation budget, passport country, and other quiz answers used to personalize destination rankings. We do not require any of this; you can use the Service with minimal information.
  • Quiz responses — your answers to the personalization quiz (preferences across climate, safety, cost, healthcare, education, etc.) and the derived weight vector used to rank destinations.
  • Favorites and notification preferences — cities you've bookmarked and notification settings you've configured.

Information collected automatically:

  • Network information — IP address, approximate geographic location (country/region from IP), HTTP referrer, user-agent string, language preference.
  • Usage analytics — pages viewed, interaction events (clicks, quiz progress), session duration, and screen size. Collected through Cloudflare Web Analytics and Microsoft Clarity (which may also record session replays of your interactions for usability research).
  • Local storage — auth tokens (JWT), quiz state, preferences, cache markers, and a lightweight "last active" timestamp. This data lives in your browser; we read it only when you visit the Service.
  • Cookies — a single lightweight authentication cookie (sg_auth) carrying your email and display name as a server-side rendering hint when you're signed in. We do not use third-party advertising or cross-site tracking cookies.

Information collected from third parties:

  • Google OAuth — if you sign in with Google, we receive your email address, display name, and profile picture URL from Google. We do not receive your Google contacts, calendar, or other Google data.
  • Stripe — when you complete a payment, Stripe sends us a webhook with the payment outcome, the Stripe Customer ID, and the PaymentIntent ID. We do not receive your full credit-card number or CVV — those stay with Stripe.

2. How we use your information

  • To rank and personalize destinations based on your quiz answers and profile.
  • To compute purchasing-power-parity comparisons relative to your home country.
  • To process payments via Stripe and grant access to paid features.
  • To send you account-related emails (verification codes, payment receipts via Stripe).
  • To analyze how the Service is used (which pages, which features, where users drop off), so we can improve it.
  • To detect and prevent abuse (rate-limiting, fraud detection on payments, security monitoring).
  • To comply with legal obligations.

3. Legal basis (EU/EEA users)

If you are located in the European Economic Area or the United Kingdom, our legal basis for processing your information depends on the data and the purpose:

  • Contract performance — for account creation, quiz personalization, and payment processing (you can't get the Service without these).
  • Legitimate interest — for security, fraud prevention, analytics, and product improvement.
  • Consent — for non-essential marketing communications (you can opt out at any time).
  • Legal obligation — when required by law (tax records, response to valid legal process).

4. Who we share data with

We do not sell your personal information. We share data only with the following categories of third parties, and only to the extent necessary to operate the Service:

  • Cloudflare (hosting, edge caching, analytics, KV/D1/R2 storage) — receives all HTTP requests and serves all responses. See Cloudflare's privacy policy.
  • Stripe, Inc. (payment processing) — receives email, payment method, and any address you enter at checkout. See Stripe's privacy policy.
  • Google LLC (Google OAuth, when you choose that sign-in method) — completes the sign-in flow on Google's domain. See Google's privacy policy.
  • Microsoft Corporation (Microsoft Clarity, usage analytics + session replay) — receives anonymized event streams about how you use the Service. See Microsoft's privacy statement.
  • Amazon Web Services (transactional email delivery via SES) — receives your email address and the message body when we send you account communications. See AWS's privacy notice.
  • DigitalOcean (hosts the geographic data backend) — geographic data only; no personal information is stored on DigitalOcean infrastructure.
  • Legal authorities — when compelled by valid legal process (subpoena, court order). We will, where legally permitted, notify you before such disclosure.
  • In a business transaction — if we are acquired or merge with another entity, your data may transfer as part of that transaction.

5. Data retention

  • Account data (email, profile, quiz, favorites) — retained for as long as your account exists. Deleted within 30 days of account closure.
  • Payment records (entitlements) — retained indefinitely for audit, refund/dispute handling, and tax compliance, even after account closure.
  • Stripe webhook event log — automatically deleted after 30 days (we keep only the canonical entitlement record long-term).
  • Server access logs — retained for up to 30 days for security and debugging.
  • Analytics data — retained per the third-party processor's defaults (Cloudflare ~7 days, Microsoft Clarity ~13 months).

6. Your rights

Depending on where you live, you may have the following rights regarding your personal information:

  • Access — request a copy of the personal information we hold about you.
  • Correction — ask us to correct inaccurate information. Most of your profile data is editable directly in Settings.
  • Deletion — request that we delete your personal information. Note: payment records (entitlements) are retained for audit/tax compliance even after account deletion, but are anonymized where possible.
  • Portability — request a machine-readable copy of the data you provided to us.
  • Objection / withdrawal of consent — opt out of non-essential processing (marketing emails, optional analytics) at any time.
  • Lodge a complaint — with your local data protection authority (e.g., ICO in the UK, your national DPA in the EU).

To exercise any of these rights, contact us at hello@sortarich.com. We will respond within 30 days.

7. California residents (CCPA/CPRA)

California residents have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), including the right to know what personal information we collect, the right to delete it, and the right to opt out of "sale" or "sharing" of personal information. We do not sell your personal information. We do not knowingly share personal information for cross-context behavioral advertising. To exercise CCPA/CPRA rights, contact us at the email above.

8. International data transfers

SortaRich is operated from the United States, with infrastructure provided by Cloudflare's global edge network (data is processed at the edge nearest to you). If you access the Service from outside the U.S., your data may be transferred to, stored in, or processed in countries with different data protection laws than your own. By using the Service, you consent to this transfer.

9. Children's privacy

SortaRich is not directed to children under 13 (or under 16 in the EU/UK), and we do not knowingly collect personal information from children. If you believe we have collected information from a child, please contact us and we will delete it. Note that the Service does allow you to enter household composition including children's birth years for personalization purposes — that data is about your household members and is treated as part of your account.

10. Security

We implement reasonable technical and organizational measures to protect your personal information, including encryption in transit (TLS), encryption at rest for sensitive fields, JWT-based authentication, and access controls. However, no system is perfectly secure; you transmit data to us at your own risk.

11. Changes to this Policy

We may update this Privacy Policy from time to time. Material changes will be announced at least 14 days in advance via email or a prominent notice on the Service. The "Last updated" date at the top reflects the most recent revision.

12. Contact us

For privacy-related questions or to exercise your rights, contact us at hello@sortarich.com. You can also reach Atlas & Lila, Inc. at the same address for any general inquiries.

See also our Terms of Service.