1. Introduction
Sonor, Inc. (“Sonor,” “we,” “us,” or “our”) operates the Sonor platform, including sonor.io, app.sonor.io, signal.sonor.io, api.sonor.io, sonor.dev, and all related services (collectively, the “Service”). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service.
By accessing or using the Service, you agree to this Privacy Policy. If you do not agree, please do not use the Service.
2. Information We Collect
2.1 Information You Provide
- Account data: name, email address, password (hashed), organization name, and billing information when you create an account or subscribe to a plan.
- Project data: domain names, API keys, site configuration, and content you manage through the platform (SEO metadata, blog posts, form configurations, CRM records, etc.).
- Communications: messages you send through Echo (our AI assistant), support requests, and any other communications with us.
- Payment information: processed securely by Stripe, Inc. We do not store full credit card numbers on our servers.
2.2 Information Collected Automatically
- Analytics data: page views, scroll depth, click events, session duration, referral sources, and web vitals collected by our site-kit on websites that integrate Sonor.
- Device and browser information: IP address, browser type, operating system, device type, and screen resolution.
- Usage data: features used, pages visited within the dashboard, and interaction patterns.
- Cookies and similar technologies: session cookies for authentication and preference cookies for dashboard settings.
2.3 Information from Third Parties
- OAuth providers: when you sign in with Google, we receive your name, email, and profile picture.
- Connected platforms: when you connect services (Google Business Profile, social media accounts, hosting providers, etc.), we access data necessary to provide the features you enabled.
3. How We Use Your Information
- Provide, maintain, and improve the Service.
- Process transactions and send related information (receipts, invoices, subscription confirmations).
- Power AI features (Echo, Signal, Copilot) by assembling business context from your project data to generate personalized insights and recommendations.
- Send administrative emails (account setup, security alerts, service updates).
- Monitor and analyze usage trends to improve user experience.
- Detect, prevent, and address technical issues and security threats.
- Comply with legal obligations and enforce our Terms of Service.
4. AI Data Processing
Sonor’s AI features (Echo, Signal AI, and Copilot) process your business data to provide insights, recommendations, and automated actions. Specifically:
- AI context assembly uses data from your projects (analytics, CRM, SEO, forms, reputation, etc.) to generate relevant responses.
- Echo conversations and AI-generated content are associated with your organization and project.
- Memory features persist learned facts and preferences across sessions to improve future interactions.
- We use Anthropic’s Claude API to power our AI features. Data sent to Anthropic is governed by their privacy policy. Anthropic does not use your data to train their models.
- AI features are only available on projects with Limited AI or Full Signal AI plans. Standard-plan project data is never processed by AI systems.
5. Data Sharing and Disclosure
We do not sell your personal information. We may share data with:
- Service providers: Stripe (payments), Supabase (database and authentication), Anthropic (AI), Resend (email), Netlify/Vercel (hosting), and other vendors that help us operate the Service.
- Your agency: if your organization is managed by an agency on Sonor, the agency administrators can access your organization’s data as part of their management role.
- Legal requirements: when required by law, subpoena, or government request, or to protect the rights, safety, or property of Sonor, our users, or the public.
- Business transfers: in connection with a merger, acquisition, or sale of assets, your data may be transferred as part of the transaction.
6. Data Retention
We retain your data for as long as your account is active or as needed to provide the Service. After account cancellation:
- Your data is preserved for 90 days in a read-only state, allowing reactivation.
- After 90 days, data is marked for deletion and removed in accordance with our data lifecycle policy.
- Certain data may be retained longer to comply with legal obligations (e.g., billing records, tax requirements).
7. Data Security
We implement industry-standard security measures to protect your data:
- All data in transit is encrypted via TLS/HTTPS.
- Data at rest is encrypted using Supabase’s encryption at rest.
- API keys are hashed before storage; full keys are shown only once at creation.
- Row-level security (RLS) policies enforce tenant isolation at the database level.
- Rate limiting and abuse detection on all public endpoints.
- Security headers (Helmet.js) on all API responses.
No method of electronic storage is 100% secure. While we strive to protect your data, we cannot guarantee absolute security.
8. Your Rights
Depending on your jurisdiction, you may have the right to:
- Access the personal data we hold about you.
- Request correction of inaccurate data.
- Request deletion of your data.
- Object to or restrict processing of your data.
- Receive your data in a structured format (data portability).
- Withdraw consent at any time where processing is based on consent.
To exercise any of these rights, contact us at privacy@sonor.io.
9. Cookies
We use the following types of cookies:
- Essential cookies: required for authentication and core functionality.
- Preference cookies: remember your dashboard settings, theme, and layout choices.
- Analytics cookies: help us understand how users interact with sonor.io (our marketing site only).
We do not use third-party advertising cookies or tracking pixels.
10. Children’s Privacy
The Service is not directed to individuals under 16. We do not knowingly collect personal information from children. If you believe a child has provided us with personal data, contact us and we will delete it promptly.
11. International Data Transfers
Your data may be processed in the United States and other countries where our service providers operate. By using the Service, you consent to the transfer of your data to these jurisdictions. We ensure appropriate safeguards are in place for international transfers.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page and updating the effective date. Continued use of the Service after changes constitutes acceptance of the revised policy.
13. Contact Us
If you have questions about this Privacy Policy or our data practices, contact us at: