Privacy Policy
Last updated: March 22, 2026
Sofa is a self-hosted application. When you run Sofa, your data lives on your own server and is under your control. This policy describes what data Sofa stores, what it sends externally, and how you can control it.
Data Stored on Your Server
All of the following data is stored locally in a single SQLite database file on the machine running Sofa.
Account Information
- Email address, display name, and hashed password
- Session tokens, IP address, and user agent string of active sessions
- If using OIDC/SSO: provider account IDs and OAuth tokens from your identity provider
Viewing Activity
- Watchlist status (e.g. “watching”, “completed”) for movies and TV shows
- Individual movie and episode watch timestamps
- Personal ratings
- Source of each watch event (manual entry, or imported from Plex, Jellyfin, or Emby)
Media Metadata
Movie, TV show, season, episode, and cast/crew metadata is fetched from The Movie Database (TMDB) and cached locally. This includes titles, descriptions, images, genres, streaming availability, and related recommendations. No personal data is included in this metadata.
Backups
Manual and scheduled backups are full copies of the database stored on your server. They contain all of the data described above. Backup management (creation, download, deletion) requires admin authentication.
External Services
Sofa communicates with the following external services during normal operation.
The Movie Database (TMDB)
Your server makes API requests to TMDB to fetch and refresh movie and TV metadata. These requests include your TMDB API key and the IDs or search queries for titles being looked up. A single API key is used for the entire instance — TMDB cannot identify individual users. No personal data (watch history, ratings, etc.) is ever sent to TMDB.
When the local image cache is enabled (the default), poster and backdrop images are downloaded from the TMDB CDN and served from your server. When disabled, images are loaded directly from TMDB’s CDN by the client.
Sofa Public API
Your server may contact the Sofa public API for two purposes:
- Update checks — a periodic request to public-api.sofa.watch to check for new releases. Only a user agent string is sent; no instance or user data is included. Can be disabled in admin settings.
- Telemetry — an optional, anonymous report sent at most once every 24 hours. It includes a random instance ID, the Sofa version, CPU architecture, bucketed user and title counts (e.g. “2-5”), and which optional features are enabled. No personal data, watch history, or exact counts are included. Telemetry is disabled by default and must be explicitly enabled by an admin. See the telemetry documentation for full details.
- Import helper — when importing watch history from Trakt or Simkl, your server proxies OAuth device-code authorization through public-api.sofa.watch so that a single OAuth client ID can be shared across all instances. Only the provider’s device code and token responses are relayed; no personal data, watch history, or instance identifiers are included in the requests.
PostHog (Mobile App Only)
The native iOS and Android app includes optional, anonymous analytics powered by PostHog. This tracks screen views and app lifecycle events — no personal data, search queries, or watch history is collected. Analytics is disabled by default and requires explicit opt-in. You can change your preference at any time in the app’s settings.
Media Server Integrations
If you connect Plex, Jellyfin, or Emby, those services send webhook events to your Sofa server when you finish watching something. This data is processed and stored locally. Sofa does not send data back to your media servers.
Sonarr & Radarr
If you use Sonarr or Radarr integration, those services pull your watchlist from Sofa via authenticated API requests. Sofa does not push data to them.
Cookies
Sofa uses a session cookie to keep you logged in. This cookie is HTTP-only, same-site, and contains only a session token. No third-party cookies are set by the web app.
Data Sharing
Because Sofa is self-hosted, there is no central service that has access to your data. The project maintainers have no access to your database, your watch history, or your account information. The only data that leaves your server is described in the External Services section above.
Data Retention & Deletion
All data is stored in a single SQLite file on your server. You have full control over it:
- Admin users can delete other user accounts, which cascades to all associated viewing history and ratings
- Scheduled backups are automatically pruned after a configurable retention limit (default: 7)
- Sessions and verification tokens expire automatically
- Deleting the database file removes all data entirely
Children
Sofa is not directed at children under 13. Since the application is self-hosted, account creation is controlled entirely by the server administrator.
Open Source
Sofa is open source under the MIT License. You can audit exactly what data is collected and how it is handled by reviewing the source code.
Changes
This policy may be updated as new features are added. Changes will be reflected in the “Last updated” date above and committed to the repository.
Contact
Questions or concerns about privacy can be raised via GitHub Issues.