Sterrasol Legal

Privacy Policy

Sterrasol.ai

Effective Date: May 1, 2025 | Last Updated: April 22, 2026

Version 1.0

1. About This Policy and Its Applicability

This Privacy Policy ("Policy") governs the collection, use, storage, sharing, and protection of personal data across all digital properties and services operated by Sterra Solutions LLC under the platform Sterrasol.ai.

Sterra Solutions LLC. Operated by Sterra Solutions LLC, incorporated in the State of Florida, United States. The platform also maintains an Indian operational presence; the relevant Indian entity details are to be confirmed and this Policy will be updated accordingly. The US entity is subject to US federal and applicable state privacy laws including CCPA/CPRA. Indian operations are subject to the DPDPA 2023 and associated Rules.

Where a user accesses the Platform from the European Economic Area (EEA), United Kingdom, Canada, Australia, Singapore, the Gulf Cooperation Council region, or any other jurisdiction with applicable data protection laws, the relevant provisions of those laws also apply as described in Section 14 (Jurisdiction-Specific Rights).

This Policy covers both our role as a Platform Operator (controlling user account data) and our role as a Marketplace Intermediary (facilitating contracts between Clients and Service Providers / Freelancers). Where we act purely as a data processor on behalf of a business client, a separate Data Processing Agreement (DPA) governs that relationship.

2. Definitions

Throughout this Policy, the following terms have the meanings set out below:

"Personal Data" / "Personal Information" means any information that identifies or could reasonably identify a natural person, directly or indirectly, including but not limited to name, email address, phone number, government ID, financial account details, device identifiers, IP address, location data, or any combination of data that could single out an individual.

"Sensitive Personal Data" means a subset of Personal Data warranting heightened protection, including government-issued identification numbers, financial data, health/medical information, biometric data, passwords, racial or ethnic origin, religious beliefs, sexual orientation, and trade union membership.

"Data Principal" / "Data Subject" means the natural person to whom Personal Data relates.

"Data Fiduciary" / "Controller" means the entity that determines the purposes and means of processing Personal Data. In this Policy, this refers to Sterra Solutions LLC.

"Data Processor" / "Processor" means any person or entity that processes Personal Data on behalf of the Controller.

"Platform" means any website, mobile application, API, or digital service operated under Sterrasol.ai.

"User" means any individual who accesses or uses the Platform in any capacity, including as a Client, Service Provider, Freelancer, Visitor, or Account Holder.

"Crowdsourcing Services" means the marketplace and platform services that connect Clients seeking professional services with Service Providers / Freelancers offering such services.

"Processing" means any operation performed on Personal Data, including collection, recording, storage, use, disclosure, transmission, deletion, or destruction.

"Consent" means a freely given, specific, informed, and unambiguous indication of the Data Principal's agreement to the processing of their Personal Data.

3. Identity of the Data Controller / Data Fiduciary

3.1 Sterra Solutions LLC

Sterra Solutions LLC | Registered in the State of Florida, United States | Registered Address: 609 S Volusia Ave, Orange City, FL 32763-6503. Note: The Indian affiliated entity details (name, CIN) are to be confirmed and this section updated prior to publication.

4. Contact Details and Data Protection Officer / Grievance Officer

Users may exercise their rights, raise queries, or submit complaints to the designated Privacy Points of Contact:

General Privacy Queries:

Email: accounts@sterrasol.ai

Postal Address: 609 S Volusia Ave, Orange City, FL 32763-6503, United States

Response Time: Within 30 calendar days of receipt of a verifiable request (72 hours for data breach notifications where legally required).

Data Protection Officer. Sterra Solutions LLC:

Name / Title: Namratha Reddy Swarna, Sterra Solutions LLC

Email: accounts@sterrasol.ai

This officer is available during business hours, Monday through Friday (excluding US public holidays).

5. Categories of Personal Data We Collect

5.1 Data You Provide Directly

Identity Data: Full name, username, professional title, profile photograph, biography.

Contact Data: Email address, phone number, mailing address, emergency contact details.

Account Credentials: Encrypted passwords, two-factor authentication tokens.

Professional Data: Work history, portfolio, skills, certifications, education, professional references, LinkedIn or GitHub profile links.

Financial & Payment Data: Bank account details, payment card numbers (tokenized), billing address, tax identification numbers (PAN, SSN, EIN, GST/VAT numbers), invoices, payout preferences.

Identity Verification Data: Government-issued ID (passport, driver's license), selfie/biometric data where required for KYC compliance, utility bills.

Project & Communication Data: Messages exchanged on the Platform, project briefs, contracts, milestones, deliverables, feedback, ratings, and reviews.

Dispute & Legal Data: Information submitted in connection with dispute resolution proceedings, refund requests, or legal claims.

5.2 Data Collected Automatically

Device & Technical Data: IP address, device type, hardware model, operating system, browser type and version, screen resolution, time zone, language settings.

Usage & Analytics Data: Pages visited, features used, search queries, click-stream data, time spent on pages, conversion events, error logs.

Location Data: Approximate location derived from IP address; precise location only if the User expressly grants location permission via the mobile application.

Cookie & Tracking Data: First-party and third-party cookies, pixel tags, local storage objects, session tokens. See Section 10 (Cookies).

5.3 Data Received from Third Parties

Identity Verification Providers: Verification results and risk signals from KYC/AML service providers.

Payment Processors: Transaction status, fraud risk scores, chargeback information.

Social Login Providers: If you register or log in via Google, LinkedIn, Apple, or similar, we receive the basic profile information you authorize.

Background Check Providers (where applicable and consented): Criminal record status (pass/fail only), professional credential verification.

Advertising & Analytics Partners: Aggregated audience segments, conversion attribution data.

Public Sources: Publicly available professional information consistent with applicable law.

5.4 Sensitive Personal Data

We collect Sensitive Personal Data only where: (a) required by law (e.g., tax ID, KYC identity documents); (b) you have provided explicit/informed consent; or (c) it is necessary for dispute resolution or legal proceedings. We do not collect Sensitive Personal Data for marketing purposes. We apply additional technical and organizational safeguards to all Sensitive Personal Data.

6. Legal Basis for Processing

We process Personal Data only where a valid legal basis exists. The applicable basis varies by jurisdiction and processing activity:

6.1 Consent

We rely on your freely given, specific, informed, and unambiguous consent for: non-essential cookies and tracking technologies; marketing communications; processing of Sensitive Personal Data where not otherwise required by law; and sharing your data with third parties for their own marketing purposes. You may withdraw consent at any time without affecting the lawfulness of prior processing.

6.2 Contract Performance

Processing is necessary to enter into or perform the contract between you and us (e.g., creating an account, facilitating payments, managing projects, processing payouts, resolving disputes).

6.3 Legal Obligation

Processing is required to comply with applicable laws including AML/KYC regulations, tax reporting obligations, court orders, law enforcement requests, and data breach notification requirements.

6.4 Legitimate Interests

We process data for our legitimate interests where these are not overridden by your rights. These include: fraud prevention and platform security; improving and personalizing the Platform; analyzing usage patterns; sending service-related communications; and enforcing our Terms of Service. We conduct and document a balancing test before relying on this basis.

6.5 Vital Interests

In rare emergency circumstances, we may process data to protect the vital interests of a Data Principal or another natural person.

7. How We Use Your Personal Data

7.1 Platform Operations

Creating, verifying, and maintaining your account.

Processing payments, payouts, invoices, and tax documentation.

Facilitating contracts, project collaboration, and communication between Clients and Service Providers.

Providing customer support and dispute resolution.

Delivering platform notifications, transactional emails, and service updates.

7.2 Safety, Compliance & Fraud Prevention

Identity verification and KYC/AML compliance.

Detecting, investigating, and preventing fraud, abuse, spam, and unauthorized access.

Complying with applicable laws, regulations, court orders, and government requests.

Protecting the rights, property, and safety of our Users and the public.

7.3 Platform Improvement

Analyzing usage patterns and feedback to improve features and user experience.

Conducting research, analytics, and testing of new features (using anonymized or pseudonymized data where possible).

Training internal AI/ML models used solely to improve platform functionality (not for sale to third parties; model training on user content requires explicit opt-in where required by law).

7.4 Marketing and Communications

Sending personalized recommendations, newsletters, and promotional offers where you have consented or where permitted by applicable law.

Displaying targeted advertising based on platform behavior (subject to your cookie and marketing preferences).

You may opt out of marketing communications at any time via the unsubscribe link in emails or through your Account Settings.

7.5 Legal and Corporate Transactions

Enforcing our Terms of Service, other agreements, and policies.

Exercising or defending legal claims.

Processing in connection with a merger, acquisition, or sale of assets, subject to the acquirer's commitment to honor this Policy.

8. How We Share Your Personal Data

We do not sell your Personal Data to third parties for monetary consideration. We may share Personal Data in the following circumstances:

8.1 With Other Platform Users

Your public profile information (name, photo, skills, ratings, portfolio) is visible to other registered Users for the purpose of facilitating marketplace transactions. Project communications are shared with the relevant counterparty to the contract.

8.2 With Service Providers (Data Processors)

We engage vetted third-party processors to help operate the Platform under contractual obligations that require them to protect your data and process it only per our instructions. Categories include:

Cloud hosting and infrastructure (e.g., AWS, Google Cloud, Azure)

Payment processors and escrow services

Identity verification and background check providers

Communication and email delivery services

Customer support, analytics, and fraud detection tools

8.3 For Legal Compliance and Safety

We may disclose Personal Data to government authorities, law enforcement, regulators, or courts when required by applicable law, court order, or to protect against fraud, legal liability, or physical harm. We will notify you of such disclosures where legally permitted.

8.4 Corporate Transactions

In connection with any merger, acquisition, or sale of assets, your data may be transferred to the successor entity, provided it gives equivalent privacy protection or notifies you and allows you to exercise your rights.

8.5 Aggregated or De-identified Data

We may share aggregated, de-identified, or anonymized data (which cannot reasonably re-identify you) with partners, investors, or the public for research, reporting, or business intelligence purposes.

9. International Data Transfers

Given the nature of our platforms, Personal Data may be transferred between entities and to third-party processors located in countries other than your country of residence. We ensure adequate safeguards for all cross-border transfers:

EU/EEA and UK Users: Transfers are governed by Standard Contractual Clauses (SCCs) approved by the European Commission and/or the UK International Data Transfer Agreement (IDTA), or adequacy decisions.

All Transfers: We conduct transfer impact assessments for high-risk jurisdictions and maintain records of all cross-border data flows.

10. Cookies and Similar Tracking Technologies

10.1 What We Use

Our Platform uses cookies, web beacons, pixel tags, local storage, and similar technologies. These fall into the following categories:

Strictly Necessary Cookies: Essential for Platform functionality. Cannot be disabled without impacting core features (e.g., session authentication, security tokens).

Functional Cookies: Enable personalization and enhanced features. Disabled by default; activated on consent.

Analytics Cookies: Help us understand User interaction using tools such as Google Analytics. IP addresses are anonymized. Disabled by default; activated on consent.

Marketing and Advertising Cookies: Enable targeted advertising via platforms such as Google Ads and Meta Pixel. Disabled by default; activated on explicit consent.

10.2 Your Choices

On your first visit, you will be presented with a cookie consent banner allowing you to accept, reject, or customize non-essential cookies. You may change your preferences at any time via the "Cookie Settings" link in the website footer. Note that disabling certain cookies may affect Platform functionality.

10.3 Third-Party Cookies

Third-party advertising partners may set their own cookies, subject to their own privacy policies. A full list of third-party partners and links to their policies is available in our Cookie Policy, accessible from the Platform footer.

11. Data Retention

We retain Personal Data for as long as necessary to fulfill the purposes for which it was collected and to comply with legal obligations:

Active Account Data: Retained for the lifetime of the active account.

Post-Deletion: Minimal identifying data (name, email, transaction history) retained for up to 7 years for tax, AML, accounting, and legal hold compliance. Payment card data purged within 90 days of account closure.

Identity Verification Documents: Retained for the period required by KYC/AML regulations in the applicable jurisdiction (typically 5–10 years).

Communication Records: Platform messages and project records retained for 3 years post-project completion for dispute resolution purposes.

Backup Systems: Anonymized backups may be retained for up to 90 days.

Legal Hold: Where data is subject to regulatory inquiry or litigation, retention is extended for the duration of such proceedings.

After the relevant retention period, Personal Data is securely deleted or anonymized using industry-standard methods.

12. Your Rights as a Data Principal / Data Subject

Depending on your jurisdiction, you have the following rights. We honor these for all Users to the extent technically and legally feasible:

12.1 Right to Access / Confirmation

You have the right to request confirmation of whether we process your Personal Data and to receive a copy, including information on purposes, data categories, recipients, and retention periods.

12.2 Right to Correction / Rectification

You have the right to request correction of inaccurate Personal Data and completion of incomplete Personal Data. Many corrections can be made directly in Account Settings.

12.3 Right to Erasure / Deletion

You have the right to request deletion of your Personal Data when it is no longer necessary, when you withdraw consent, or when it has been unlawfully processed. Deletion requests are processed within 30 days, subject to legal retention obligations.

12.4 Right to Restrict Processing

You have the right to request restriction of processing in certain circumstances, for example, while accuracy is being verified.

12.5 Right to Data Portability

You have the right to receive your Personal Data in a structured, machine-readable format (e.g., JSON or CSV) and to transmit it to another controller.

12.6 Right to Object

You have the right to object to processing based on legitimate interests or for direct marketing. Where you object to direct marketing, we cease processing immediately.

12.7 Rights Related to Automated Decision-Making

You have the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects. Where such processing applies, you may request human review.

12.8 Right to Withdraw Consent

Where processing is based on consent, you may withdraw it at any time via your Account Settings or by contacting us. Withdrawal does not affect prior lawful processing.

12.9 US - CCPA/CPRA Specific Rights

California residents additionally have the right to:

Know the categories of personal information collected, the business purposes, and third parties with whom it is shared.

Opt out of the "sale" or "sharing" of personal information (including cross-context behavioral advertising). Exercise this right via the "Do Not Sell or Share My Personal Information" link in the Platform footer.

Limit the use and disclosure of Sensitive Personal Information to the purposes authorized by CPRA.

Non-discrimination for exercising CCPA/CPRA rights.

Authorized agents may submit CCPA/CPRA requests on your behalf with written authorization.

12.10 How to Submit a Request

To exercise any right, please submit a verifiable request via:

Email: accounts@sterrasol.ai

In-App: Account Settings > Privacy > Submit a Request

We will acknowledge receipt within 5 business days and respond within 30 calendar days. We may extend by a further 30 days with notice where legally permitted. We may require identity verification to protect your security.

13. Data Security

We implement appropriate technical and organizational measures to protect Personal Data against unauthorized access, loss, destruction, alteration, or disclosure:

Encryption: All data in transit encrypted using TLS 1.2 or higher. Data at rest encrypted using AES-256 or equivalent.

Access Controls: Role-based access control (RBAC) limiting employee access to data necessary for their role. All administrative access is logged and reviewed.

Authentication: Multi-factor authentication (MFA) required for all internal systems and offered to Users.

Vulnerability Management: Regular penetration testing, vulnerability scanning, and patching of known security vulnerabilities.

Incident Response: A documented breach response plan including 72-hour notification obligations under DPDPA and GDPR, and compliance with applicable US state breach notification laws.

Vendor Security: Data processors are contractually required to maintain equivalent security standards and are subject to periodic security assessments.

Employee Training: All employees with access to Personal Data receive regular data protection and security awareness training.

No Internet transmission is 100% secure. You are responsible for maintaining the confidentiality of your account credentials. Report suspected unauthorized access immediately to accounts@sterrasol.ai.

14. Jurisdiction-Specific Provisions

14.1 European Economic Area (EEA) and United Kingdom

For Users in the EEA and UK, the EU GDPR 2016/679 and UK GDPR respectively apply. The legal bases for processing are described in Section 6.

You may lodge a complaint with your local supervisory authority at edpb.europa.eu.

14.2 United States. California (CCPA/CPRA)

The CCPA as amended by CPRA applies to California residents. We do not knowingly sell the personal information of California residents. We respond to verified CCPA/CPRA requests within 45 calendar days.

14.3 United States. Other States

We extend equivalent rights to residents of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Texas (TDPSA), and other US states with comprehensive privacy laws. Contact accounts@sterrasol.ai to exercise your rights.

14.4 Canada (PIPEDA / Law 25 - Quebec)

For Canadian Users, PIPEDA and, where applicable, Quebec Law 25 apply. Contact accounts@sterrasol.ai to withdraw consent or request data access.

14.5 Australia

For Australian Users, the Privacy Act 1988 (Cth) and Australian Privacy Principles apply. Complaints may be lodged with the OAIC at oaic.gov.au.

14.6 Singapore

For Singapore Users, the PDPA 2012 (as amended) applies. Complaints may be directed to the PDPC at pdpc.gov.sg.

15. Children's Privacy

Our Platform is not directed to individuals under the age of 18 (or the applicable age of majority in your jurisdiction). We do not knowingly collect Personal Data from minors. If you are a parent or guardian and believe your child has provided us with Personal Data, contact us immediately at accounts@sterrasol.ai and we will delete such data promptly. In jurisdictions where the threshold differs (e.g., under 13 in the US under COPPA), we apply the locally applicable threshold.

16. Artificial Intelligence and Automated Processing

Our Platform may use AI and automated processing in the following ways:

Recommendation Systems: Suggesting relevant Service Providers to Clients or relevant projects to Freelancers based on profile data and behavioral patterns.

Fraud and Risk Scoring: Automated detection of suspicious account activity, payment fraud, and policy violations.

Search and Ranking: Algorithmic ranking of search results based on relevance, quality signals, and preferences.

Content Moderation: Automated flagging of potentially violating content for human review.

Where automated processing produces decisions that significantly affect you (such as account suspension), you have the right to request human review. We do not use Personal Data to train third-party foundational AI models without explicit consent. All AI systems processing Personal Data are subject to periodic algorithmic bias audits.

17. Freelancer and Service Provider Specific Provisions

If you register on the Platform as a Service Provider, Freelancer, or Independent Contractor, the following additional provisions apply:

Your public profile (name, photo, skills, portfolio, reviews, completion rate, and earnings range) is displayed to potential Clients. You control your profile content but cannot remove data required for platform integrity (e.g., verified review history).

We collect tax identification information (W-9/W-8BEN in the US; PAN/TAN for Indian operations) to comply with withholding tax and information reporting obligations. This data is shared with tax authorities as required.

Background check results (pass/fail only) may be shared with Clients in certain service categories where enhanced verification is requested.

Your earnings, payout history, and platform standing may be used in aggregate, de-identified reporting.

If you represent a business or agency, you confirm you have authority to provide individual team member data and that those individuals have been informed of this Policy.

18. Client and Business User Specific Provisions

If you use the Platform as a Client or to procure services from Freelancers, the following additional provisions apply:

Your company name, contact information, and aggregated review score (as a Client) are visible on the Platform.

Payment method and billing details are processed through PCI-DSS compliant payment processors. We do not store full card numbers on our systems.

If you upload data about your end-users or customers as part of a project brief, you are responsible for ensuring you have the legal right to share that data and that your own privacy policy adequately discloses such sharing.

For business accounts, you may appoint additional administrators, each of whom must separately agree to this Policy.

19. Third-Party Links and Integrations

Our Platform may contain links to third-party websites or offer integrations with third-party tools (e.g., Slack, Zoom, GitHub). We are not responsible for the privacy practices of third parties. We encourage you to read the privacy policies of any third-party service before using it. This Policy does not apply to data collected by third parties.

20. Do Not Track Signals

Some browsers transmit Do Not Track (DNT) signals. We currently do not respond to DNT signals uniformly, as there is no accepted industry standard. You may use Cookie Settings (Section 10) or the opt-out mechanisms in Section 12 to control tracking. We will update our DNT practices as standards evolve.

21. Changes to This Policy

We may update this Policy from time to time. When we make material changes, we will:

Post the updated Policy on the Platform with a revised "Last Updated" date.

Notify registered Users by email or in-app notification at least 30 days before material changes take effect (14 days for non-material changes).

Your continued use of the Platform after the effective date constitutes acceptance of the updated Policy. If you do not agree, please discontinue use and request deletion of your account.

22. Governing Law and Dispute Resolution

This Policy is governed by the laws applicable to Sterra Solutions LLC. Disputes shall be resolved as follows:

Sterrasol.ai disputes relating to the US entity shall be resolved in courts of competent jurisdiction in the State of Florida, United States. Disputes relating to Indian operations shall be resolved in courts of competent jurisdiction in Hyderabad, Telangana, India. EU/UK residents retain the right to bring claims before local supervisory authorities.

Nothing in this section limits your right to file a complaint with a data protection supervisory authority in your jurisdiction.

23. Acknowledgement and Consent

By accessing or using the Platform, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. For EU/UK Users, where consent is relied upon, it is recorded with timestamp and version number.

This Policy should be read in conjunction with our Terms of Service and Cookie Policy, both available in the Platform footer.