Privacy Policy
Last updated: 1 April 2025
Sondra ("we", "us", "our") is operated by Sondra Labs Ltd., registered in [COMPANY JURISDICTION]. We provide AI-powered audio and video processing at sondra.app.
We built Sondra with one principle: your files are yours. This Privacy Policy explains exactly what data we collect, why, and what we do - and don't do - with it.
1. Who This Policy Applies To
This policy applies to everyone who uses Sondra, including:
- Visitors who use the service without an account ("Anonymous Users")
- Registered users on Free, Pro, or Business plans
- Business customers using the Sondra API
If you are located in the European Union, European Economic Area, or United Kingdom, additional rights apply to you under the GDPR and UK GDPR (see Section 9).
2. Data We Collect
2.1 Files You Upload
When you upload a file to Sondra for processing, we handle it as follows:
| User type | File stored for | Used to train AI? |
|---|---|---|
| Anonymous (no account) | Maximum 1 hour after processing | Never |
| Free (registered) | Maximum 1 hour after processing | Never (unless you opt in) |
| Pro | Maximum 24 hours after processing | Never |
| Business | Maximum 7 days after processing | Never |
After the retention period, your file is automatically and permanently deleted from our servers. This is enforced by automated deletion policies - not a manual process.
Files processed client-side (in your browser, for files under 200MB) never leave your device and are never stored on our servers.
2.2 Account Information
If you create an account, we collect:
- Email address
- Password (stored as a bcrypt hash - we cannot read your password)
- Name (optional)
- Subscription tier and billing status
2.3 Payment Information
We do not store your payment card details. All payments are processed by Stripe, a PCI-DSS certified payment processor. We receive only a payment confirmation and a customer reference from Stripe. Stripe's privacy policy is available at stripe.com/privacy.
2.4 Usage Data
We collect anonymised data about how you use Sondra to improve the service:
- Pages visited and features used
- File type and duration (not file content)
- Processing time and outcome (success or failure)
- Browser type, operating system, and approximate location (country level)
2.5 Cookies
We use two categories of cookies:
Essential cookies (always active):
- Session authentication
- Your cookie consent preference (sondra_cookie_consent)
Analytics cookies (only with your consent):
- Google Analytics 4 - anonymised usage statistics
- Mixpanel - product behaviour analytics
You can change your cookie preferences at any time via the banner at the bottom of the page.
3. How We Use Your Data
| Purpose | Legal basis (GDPR) |
|---|---|
| Processing your uploaded files | Contract performance |
| Managing your account and subscription | Contract performance |
| Processing payments via Stripe | Contract performance |
| Sending transactional emails (receipts, invite links) | Contract performance |
| Improving and debugging the service | Legitimate interest |
| Analytics (with consent) | Consent |
| Complying with legal obligations | Legal obligation |
We do not:
- Sell your data to any third party
- Use your files to train AI models (without explicit opt-in)
- Share your personal data with advertisers
- Use your data for automated decision-making that produces legal effects
4. File Processing - How It Works
Client-side processing: Files under 200MB are processed directly in your browser using WebAssembly technology. These files are never transmitted to our servers.
Server-side processing: Files over 200MB, or those requiring advanced AI noise cancellation, are uploaded to our servers via an encrypted connection. The file is processed and then deleted according to the retention schedule in Section 2.1.
In both cases, files are never reviewed by human staff and are never linked to your identity if you are using Sondra without an account.
5. Data Sharing
We share data only with the following trusted service providers, who process it strictly on our behalf:
| Provider | Purpose | Location |
|---|---|---|
| Amazon Web Services (AWS) | File storage and processing infrastructure | USA (EU region available for Business tier) |
| Stripe | Payment processing | USA |
| Resend | Transactional email delivery | USA |
| Sentry | Error monitoring (anonymised) | USA |
| Google Analytics | Usage analytics (with consent) | USA |
| Mixpanel | Product analytics (with consent) | USA |
All providers are bound by data processing agreements and are prohibited from using your data for their own purposes.
6. Data Security
We take security seriously:
- All connections use TLS 1.3 encryption
- Files stored on our servers use AES-256 encryption at rest
- Files are accessed via temporary signed URLs - our S3 bucket is never publicly accessible
- We do not log the content of your files
- Anonymous users' files are never linked to any identity
We conduct regular security reviews. If we become aware of a data breach that affects your personal data, we will notify you and the relevant supervisory authority within 72 hours, as required by law.
7. Children's Privacy
Sondra is not directed at children under the age of 13 (or 16 in EU member states where applicable). We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.
8. Changes to This Policy
We may update this Privacy Policy from time to time. When we do, we will update the "Last updated" date at the top of this page and, for material changes, notify registered users by email at least 14 days in advance.
9. Your Rights (GDPR / UK GDPR)
If you are located in the EU, EEA, or UK, you have the following rights:
Right of access - You can request a copy of the personal data we hold about you.
Right to rectification - You can ask us to correct inaccurate data.
Right to erasure - You can delete your account and all associated data at any time from your account settings. This is immediate and permanent.
Right to restriction - You can ask us to restrict processing of your data in certain circumstances.
Right to data portability - You can request your data in a structured, machine-readable format.
Right to object - You can object to processing based on legitimate interest.
Right to withdraw consent - Where processing is based on consent (e.g. analytics cookies), you can withdraw it at any time without affecting the lawfulness of prior processing.
To exercise any of these rights, contact us at privacy@sondra.app. We will respond within 30 days.
You also have the right to lodge a complaint with your local supervisory authority. In the UK, this is the Information Commissioner's Office (ico.org.uk). In the EU, contact your national data protection authority.
Data controller:
Sondra Labs Ltd.
[ADDRESS]
privacy@sondra.app
10. Contact
For any privacy-related questions, contact us at privacy@sondra.app.