Sona.

← Back to site

Privacy Policy

Last updated 25 June 2026

Sona ("we", "us") provides an AI assistant that businesses ("Customers") embed on their own websites to answer visitor questions and capture enquiries. This policy explains what we collect and how we handle it. For data that website visitors submit through a Customer's assistant, the Customer is the data controller and we act as their processor.

1. Information we collect

• Customer account data: your email and authentication identifiers (via magic-link sign-in), business name, and settings.
• Content you connect: the public web pages and facts you ask us to ingest to train your assistant.
• Visitor data (on your behalf): chat messages, and any contact details a visitor chooses to provide (name, email, phone), booking requests, and a page URL.
• Usage + billing data: conversation counts, feature usage, and payment status (card details are handled by Stripe, not stored by us).

2. How we use it

• To run the assistant: retrieve answers from your content, hold a conversation, and capture and route leads to you.
• To send you lead alerts and (if enabled) a weekly activity summary.
• To operate billing, prevent abuse, and improve reliability.

We do not sell personal data, and we do not use your or your visitors' content to train our own models.

3. Sub-processors

We rely on the following providers to deliver the service:

Provider	Purpose
Supabase	Database + authentication hosting
Google (Gemini API)	Language model + embeddings. On paid API tiers, inputs are not used to train Google's models. [REVIEW]
Stripe	Subscription billing + card processing
Resend	Transactional + alert email
Twilio	SMS lead alerts (optional)

4. Cookies & local storage

The dashboard uses local storage to keep you signed in. The embedded assistant stores a random session identifier in the visitor's browser to maintain conversation continuity. We do not use third-party advertising or tracking cookies.

5. Data retention & deletion

We keep data for as long as your account is active. Customers can export or permanently delete all data held about a specific visitor email directly from the dashboard (Subject Access & erasure). Anonymous trial/demo data is purged automatically after a short period. To close your account and delete your data, email privacy@sona.app.

6. Your rights

Depending on your location (including under GDPR/UK GDPR), you may have rights to access, correct, export, or delete personal data, and to object to or restrict processing. Visitors should direct such requests to the business whose assistant they used; that business can service the request from its dashboard. Account holders can contact us directly.

7. Security

Data is encrypted in transit. Access is restricted by per-tenant membership checks, and server-side requests are guarded against access to internal resources. No method is perfectly secure, but we work to protect your data.

8. Changes

We may update this policy; material changes will be reflected by the "last updated" date above.