
Privacy Policy

Last updated 25 June 2026

Sona ("we", "us") provides an AI assistant that businesses ("Customers") embed on their own websites to answer visitor questions and capture enquiries. This policy explains what we collect and how we handle it. For data that website visitors submit through a Customer's assistant, the Customer is the data controller and we act as their processor.

1. Information we collect

2. How we use it

We do not sell personal data, and we do not use your or your visitors' content to train our own models.

3. Sub-processors

We rely on the following providers to deliver the service:

| Provider | Purpose |
| --- | --- |
| Supabase | Database + authentication hosting |
| Google (Gemini API) | Language model + embeddings. On paid API tiers, inputs are not used to train Google's models. [REVIEW] |
| Stripe | Subscription billing + card processing |
| Resend | Transactional + alert email |
| Twilio | SMS lead alerts (optional) |

4. Cookies & local storage

The dashboard uses local storage to keep you signed in. The embedded assistant stores a random session identifier in the visitor's browser to maintain conversation continuity. We do not use third-party advertising or tracking cookies.

5. Data retention & deletion

We keep data for as long as your account is active. Customers can export or permanently delete all data held about a specific visitor email directly from the dashboard (Subject Access & erasure). Anonymous trial/demo data is purged automatically after a short period. To close your account and delete your data, email privacy@sona.app.

6. Your rights

Depending on your location (including under GDPR/UK GDPR), you may have rights to access, correct, export, or delete personal data, and to object to or restrict processing. Visitors should direct such requests to the business whose assistant they used; that business can service the request from its dashboard. Account holders can contact us directly.

7. Security

Data is encrypted in transit. Access is restricted by per-tenant membership checks, and server-side requests are guarded against access to internal resources. No method is perfectly secure, but we work to protect your data.

8. Changes

We may update this policy; material changes will be reflected by the "last updated" date above.