Privacy Policy

1. Data Controller Information

2. Legal Basis for Data Processing (GDPR)

We process your personal data based on the following legal grounds under GDPR:

Article 6(1)(a) - Consent

You provide explicit consent when creating an account and using our voice recording features.

Article 6(1)(b) - Contract Performance

Processing is necessary to provide our meditation services as per our Terms of Service.

Article 9(2)(a) - Special Category Data

Important: Your voice recordings constitute biometric data under GDPR. We process this sensitive data only with your explicit consent, which you can withdraw at any time.

3. Information We Collect

3.1 Account Information

• Email address - for account creation and communication
• Password - securely hashed and encrypted
• Name - optional, for personalization
• Authentication data - when using Google or Apple Sign-In

3.2 Voice Data (Biometric Data)

When you use our voice recording feature, we collect:

• Voice recordings - short audio samples for voice cloning
• Voice characteristics - extracted features for AI processing
• Processing metadata - technical data about voice quality

3.3 Meditation & Usage Data

• Meditation themes and preferences
• Session history and duration
• App usage patterns and feature interactions
• Favorited meditations and playlists

3.4 Technical Data

• Device type and operating system version
• App version and build number
• IP address (for security and diagnostics)
• Crash reports and performance data

3.5 Payment Information

Payment processing is handled by trusted third-party providers (Stripe/Apple/Google). We do not store your full payment card details. We only receive:

• Subscription status
• Transaction IDs
• Subscription plan information

4. How We Use Your Information

4.1 Core Service Provision

• Creating and maintaining your account
• Generating personalized meditation content using AI
• Processing voice recordings for voice cloning
• Storing and delivering your meditation sessions

Anonymization: When we anonymize data, it is processed in a way that makes it impossible to re-identify you, even with additional information. Anonymized data is no longer considered personal data under GDPR and may be retained for statistical and research purposes.

4.2 AI Processing

Your voice data is processed using:

• ElevenLabs - for voice cloning and synthesis
• OpenAI - for meditation script generation and text processing

4.3 Data Processing Agreements

4.4 Service Improvement

• Analyzing usage patterns to enhance user experience
• Improving AI voice quality and meditation content
• Conducting research and development
• Optimizing app performance and reliability

4.5 Communication

• Sending service-related notifications
• Responding to support requests
• Notifying about important updates or changes
• Sending marketing communications (with your consent)

5. Data Sharing & Third-Party Processors

We share your data only with trusted partners who help us provide our service. All third parties are bound by Data Processing Agreements (DPAs) ensuring GDPR compliance:

5.1 AI Service Providers

5.2 Infrastructure Providers

• Railway/Cloud Hosting - Server hosting and data storage
• AWS/DigitalOcean - Backup and file storage

5.3 Authentication Services

• Google OAuth - Google Sign-In functionality
• Apple Sign-In - Apple authentication

5.4 Payment Processors

• Stripe - Credit card payment processing
• Apple App Store - In-app purchases (iOS)
• Google Play - In-app purchases (Android)

5.5 Analytics & Performance

• Google Analytics - Usage statistics (anonymized)
• Mixpanel - User behavior analysis (optional)
• Sentry - Error tracking and crash reporting

6. International Data Transfers

As a company registered in Austria (EU), we ensure that any transfer of personal data outside the European Economic Area (EEA) is protected by appropriate safeguards:

• EU Standard Contractual Clauses (SCCs): Approved by the European Commission to ensure adequate data protection
• EU-US Data Privacy Framework (DPF): ElevenLabs is DPF certified; OpenAI uses EU Standard Contractual Clauses (2021)
• Strict Data Processing Agreements: Our AI providers cannot use your data independently or for training their models
• Adequacy Decisions: Transfers only to countries with adequate data protection standards

You have the right to request copies of these safeguards (including SCCs and DPAs) by contacting us at support@sonaya.ai.

We have implemented appropriate supplementary measures for international data transfers, including regular reviews of data protection practices and security assessments.

7. Data Security Measures

We implement state-of-the-art security measures to protect your personal data:

7.1 Technical Measures

• Encryption - End-to-end encryption for voice data transmission
• Secure Storage - AES-256 encryption at rest
• HTTPS/TLS - All data transfers over secure connections
• Access Controls - Role-based access restrictions
• Regular Backups - Encrypted backup systems

7.2 Organizational Measures

• Regular security audits and penetration testing
• Employee training on data protection
• Incident response procedures
• Confidentiality agreements with all staff

8. Data Retention Policy

8.1 Active Accounts

• Account Data - Retained while your account is active
• Voice Recordings - Stored until you delete them or close your account
• Meditation History - Kept for service provision and personalization

8.2 After Account Deletion

• Voice Data - Permanently deleted within 30 days
• Personal Information - Removed within 90 days
• Legal Records - Financial records kept for 7 years (Austrian law requirement)
• Analytics Data - Anonymized data may be retained for statistical purposes

8.3 Inactive Accounts

If your account remains inactive (no login) for 24 consecutive months, we will send you a reminder email to the address registered on your account. If you do not respond or log in within 30 days of this notification, your account and all associated data (including voice recordings and meditation history) will be permanently deleted.

9. Your Rights Under GDPR

As a data subject in the European Union, you have the following rights:

How to Exercise Your Rights

To exercise any of these rights, contact us at:

• Email: support@sonaya.ai
• Use the "Privacy Dashboard" in the app settings
• Contact our Data Protection Officer: support@sonaya.ai

We will respond to your request within 30 days.

10. Consent & Withdrawal

10.1 Voice Data Consent

Before collecting any voice recordings, we require your explicit, informed consent. You understand that:

• Voice data is biometric/special category personal data under GDPR
• Your voice may reveal sensitive information (ethnicity, health, age)
• Data will be processed using AI technology (ElevenLabs, OpenAI)
• You can withdraw consent at any time

10.2 How to Withdraw Consent

You can withdraw consent at any time by:

• Deleting your voice data in app settings
• Contacting support at support@sonaya.ai
• Using the "Delete Voice Data" button in your Privacy Dashboard

Effect of Withdrawal: Your voice data will be permanently deleted within 30 days, and you won't be able to generate new personalized meditations.

11. Cookies & Tracking Technologies

11.1 Essential Cookies

• Authentication tokens
• Session management
• Security features

11.2 Analytics Cookies (Optional)

• Google Analytics - Usage statistics
• Mixpanel - User behavior insights

11.3 Managing Cookies

You can control analytics cookies through the app's Privacy Settings. Essential cookies cannot be disabled as they're necessary for the app to function.

12. Children's Privacy

Children Under 18: Sonaya is not intended for children under 18 years of age. We do not knowingly collect personal information from children.

If we discover that we have inadvertently collected data from a child under 18, we will delete such information within 30 days.

For Parents and Guardians: If you are a parent or guardian and believe your child has provided us with personal information, please contact us immediately at support@sonaya.ai. We will promptly:

• Verify the request
• Delete all personal information associated with the child's account
• Terminate the account
• Confirm deletion within 30 days

13. Data Breach Notification

In the event of a personal data breach that poses a risk to your rights and freedoms, we will:

• Notify the Austrian Data Protection Authority (Datenschutzbehörde) within 72 hours
• Inform affected users directly if the breach poses a high risk
• Provide details about the nature of the breach and remedial actions
• Implement immediate measures to prevent further unauthorized access

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. When we make material changes, we will:

• Update the "Last Updated" date at the top of this policy
• Notify you via email to your registered address
• Display a prominent notice in the app
• Seek renewed consent where required by law

We recommend reviewing this policy periodically to stay informed about how we protect your data.

15. Supervisory Authority & Complaints

You have the right to lodge a complaint with a supervisory authority if you believe we have violated your data protection rights.

However, we encourage you to contact us first so we can address your concerns directly.