Privacy policy
1. Our Commitment to Privacy
Your privacy is important to us. We designed Sona to help you improve your wellness by tracking metrics like heart rate and breathing – we understand this is highly personal data, and we are committed to protecting it. This Privacy Policy explains what information we collect, how we use and store it, and your rights regarding your data. Sona’s practices are aligned with global privacy standards including the EU General Data Protection Regulation (GDPR), UK data protection laws, and U.S. state privacy laws (such as California’s CCPA).
2. Personal Data We Collect
When you use Sona, we may collect the following types of information:
- Account Information: When you create a Sona account, we collect your email address, password, and any profile details you provide (such as name or username). This is used to identify you and manage your account.
- Biometric and Wellness Data: Sona collects data from the device’s sensors to help you track your wellness. This includes metrics like heart rate, heart rate variability (HRV), breathing/respiratory rate, and related data points about your sessions and usage. For example, when you run a relaxation session, Sona may record your heart rate and HRV throughout the session to show changes in your stress level.
- Device and App Usage Data: We gather technical information such as device identifiers, firmware/app version, and timestamps of sessions or logins. We may also collect logs of app features you use or error reports, which help us improve the Service. This data is generally not personally identifiable on its own, but may be linked with your account to troubleshoot issues.
- Optional Information: If you choose to enter additional information into the app (for example, tagging your mood or notes about how you feel), that data will be collected and stored as part of your profile. Such entries are optional and solely for your personal tracking benefit.
- Cookies and Website Data: If you visit our website or web portals, we may use cookies or similar technologies to collect analytics information (e.g. pages visited, browser type) and to remember your preferences. You will be informed about cookies and can manage your preferences via our cookie banner or browser settings.
We do not knowingly collect any data from children under 13. If we learn that a user under 13 has created an account and provided personal data, we will delete that account and data in accordance with applicable laws.
3. How We Use Your Data
We process collected data for the following purposes, in line with your expectations when using Sona:
- To Provide and Personalize the Service: We use your data to operate Sona and deliver insights to you. For example, heart rate and HRV data are analyzed and presented back to you in the app to show your relaxation level or progress over time. This allows us to give you personalized feedback and wellness insights based on your biometric data.
- To Maintain and Improve Sona: Internal analysis of usage patterns and aggregated data helps us understand how users interact with Sona and how we can make it better. We may use anonymized or aggregated wellness data (data that can no longer identify you) to research trends and improve our algorithms and features. For instance, we might study average HRV changes across many users to refine Sona’s stress reduction programs. This research will not identify you personally, and any insights shared publicly or with partners will be in anonymized form.
- To Provide Customer Support: If you reach out to us with a question or issue, we will use your account info and relevant device data to help troubleshoot and resolve the problem. For example, error logs or session records may be examined by our support team (who are authorized to access data only when necessary for support).
- To Communicate with You: We may use your email to send important notifications about Sona, such as changes to terms or privacy policy, security alerts, or app updates. We may also send wellness tips, device usage suggestions, or product news, but you have the choice to opt out of marketing emails at any time. We will not spam you, and we do not share your contact information with third-party marketers.
- To Ensure Safety and Integrity: Data may be used to monitor for improper use of Sona, enforce our Terms of Service, and protect against fraud or misuse.
- To Comply with Legal Obligations: If we are legally required to retain or disclose certain data (for example, for tax, audit, or law enforcement requests), we will do so in compliance with applicable laws. We will oppose any unwarranted or overly broad request for access to user data, and whenever legally permissible, we will inform you if your data is requested by a government or law enforcement entity.
We will only use your personal data for the purposes above or for closely related purposes. If we need to use your data for a new, unrelated purpose, we will notify you and, if required, obtain your consent. We base our data processing on legitimate grounds such as performing our contract with you (providing the service), your consent (for sensitive health data or optional features), and compliance with legal obligations.
4. Where and How We Store Your Data
Your data is stored both locally on your Sona device/app and securely on our cloud servers. Storing data in the cloud (online) allows you to access your information across devices and ensures you have a backup. We employ industry-standard security measures to protect your personal data: for example, data transmissions are encrypted (HTTPS), and sensitive health metrics are stored in encrypted form on our servers. We also restrict internal access to personal data – only authorized personnel with a valid need (e.g. a support request) can access user data, consistent with our policy of limiting data access. We maintain audit logs to track access to personal data and will investigate any unauthorized access attempt.
Our servers may reside in the United States or European Union (we use reputable cloud providers with data centers in these regions). If you are located in the UK or EU, know that when we transfer your data outside of your country (for example, to the U.S.), we ensure appropriate legal safeguards are in place (such as standard contractual clauses or compliance with EU-US/UK data transfer frameworks) to protect your information. We comply with the cross-border data protection requirements of GDPR to ensure your data enjoys the same level of protection even if stored or processed in another country.
We retain your personal data for as long as you use Sona and maintain an account with us. Typically, your data will be stored until you request deletion or close your account. In some cases, we may retain certain information after account deletion if required by law or for legitimate business purposes (e.g. maintaining records of transactions or anonymized aggregate data). When data is no longer needed and no legal obligation requires retention, we will securely delete or anonymize it.
5. Sharing of Data with Third Parties
Your privacy is a priority: by default, we do not share your personal data with any third-party companies or apps for their own independent use, especially not for marketing or advertising purposes. Sona is a wellness service, and unlike some platforms, we do not sell or rent your personal information to data brokers or advertisers.
The limited circumstances in which we might share data are as follows:
- Service Providers: We use trusted third-party service providers to help us operate Sona (for example, cloud hosting services, data analytics tools, customer support ticketing systems, email delivery services). These providers act under our instructions to process data on our behalf only for the purposes described in this policy. They are contractually obligated to protect your data and cannot use it for anything other than assisting us in delivering the Sona service.
- Legal Requirements: If we receive a legally binding request (such as a court order or subpoena) that requires us to disclose certain data, we may do so. Our policy is to carefully review each request and only comply if required by law. We will refuse or challenge requests that are overly broad or not legally valid, especially those seeking sensitive information. Whenever possible, we will notify you if your data is being sought by a third party (for example, a government agency) so that you are aware of it, unless we are legally prohibited from doing so.
- Business Transfers: If our company undergoes a business transaction like a merger, acquisition, or asset sale, your data may be transferred to the successor entity. If that happens, we will ensure the new owner honors the commitments we have made in this policy, and we will notify you of any change in data ownership.
- With Your Consent: In all other cases, we will only share your data with third parties if you give us explicit consent to do so. For example, in the future we may offer an integration with a third-party health app or platform – we would only send your data to such a platform if you actively connect Sona to it and authorize the data sharing. Similarly, if you are part of a wellness program or study that uses Sona, we would share data with the organizing entity only with your knowledge and agreement.
Importantly, any sharing of data is done with caution. In cases where we share anonymous, aggregated insights (such as publishing overall wellness trends or collaborating with researchers), we ensure that no individual can be identified from that data.
6. Your Rights and Choices
Because we operate in multiple jurisdictions, we strive to uphold the privacy rights granted to users in various regions. You are in control of your personal data. This section outlines your key rights and how to exercise them:
- Access and Portability: You have the right to request a copy of the personal data we hold about you. We will provide you with a summary of your data in a structured, commonly used electronic format. This is sometimes known as data portability. (Please note that, at present, the Sona app does not offer a self-service “export” feature; however, you can contact us to obtain your data, and we will assist you.) There is no fee for requesting your data, unless the requests are excessive or repetitive, in which case a small charge may apply as permitted by law.
- Correction: If any of your information is incorrect or outdated, you have the right to request that we correct or update it. For instance, if you change your email or notice an error in your profile data, you can edit it in the app or reach out to our support for assistance.
- Deletion (Right to Erasure): You have the right to delete your data. You can delete your Sona account at any time, which will remove your personal information and biometric data from our systems (subject to a few exceptions like data we are required to keep by law). The app or our website may offer a “Delete Account” option. Once you confirm an account deletion, we will permanently erase or anonymize your personal data within a reasonable period. Keep in mind that deletion is irreversible – if you later return to Sona, you would need to create a new account and start fresh.
- Withdrawal of Consent: Where we rely on your consent to process data (for example, collecting certain health metrics or sending marketing emails), you have the right to withdraw that consent at any time. If you withdraw consent for processing essential to the Service, some features may not function properly, but we will respect your choice. For marketing emails, you can always use the “unsubscribe” link in those emails to opt out, or toggle your preferences in the app settings.
- Objection to Processing: You may have the right to object to certain processing activities. For instance, if we were to process your data for direct marketing (which we currently do not), you could object and opt out. If we ever pursue uses of your data that you find intrusive or that you believe lack a legitimate basis, you can contact us to object, and we will consider your request in line with legal requirements.
- Restriction: In certain situations, you can ask us to restrict processing of your data (meaning we store it but temporarily refrain from using it). For example, if you contest the accuracy of data or have a pending objection, you can request restriction until the issue is resolved.
- Non-Discrimination: If you exercise any of these privacy rights, we will not discriminate against you. Sona will continue to provide you with the same quality of service. Since our service is free of charge, you will not lose access or face altered features just because you exercised a privacy right (aside from the natural consequence that if you delete data or account, the service may not function).
To exercise any of your rights, please contact us at hello@sona.help or through the app’s support feature. For security, we may need to verify your identity (for example, via your account email) before fulfilling requests. We will respond to your request as soon as possible, generally within one month as required by GDPR for EU/UK users. If we cannot fulfill your request (due to a legal obligation or another exception), we will explain the reason.
7. Additional Notices for Specific Regions
We design our privacy practices to meet global standards, but if specific laws apply to you, the following additional information may be relevant:
- Users in the European Economic Area (EEA), UK, or Switzerland: Sona’s legal basis for collecting and using personal data will typically be: (a) your consent (for processing health data, which is a special category under GDPR, we will obtain explicit consent); (b) performance of a contract (we need to process certain data to provide the service you signed up for); or (c) legitimate interests (to improve our product, prevent fraud, etc.), balanced against your rights. You also have the right to lodge a complaint with your country’s Data Protection Authority or the UK Information Commissioner’s Office if you believe we have infringed your privacy rights. We encourage you to contact us first so we can address your concerns directly.
- Users in the United States: If you reside in a state with privacy laws (e.g. California, Virginia, Colorado, Connecticut, Utah), you are entitled to the rights described above (access, deletion, etc.), and Sona will honor those rights in line with each law. For California residents: we do not “sell” your personal information as defined under the CCPA. We also do not share it for cross-context behavioral advertising. This Privacy Policy serves as our notice at collection and outlines the categories of information we collect and the purposes (which align with what is permitted under CCPA). California users may designate an authorized agent to make requests on their behalf by providing the agent with written permission.
- Users Elsewhere: No matter where you are, we aim to provide a high standard of privacy protection. If local laws provide you any rights beyond those listed here, we will respect those as well.
8. Changes to This Privacy Policy
We may update this Privacy Policy as Sona evolves or as privacy regulations change. If we make material changes (for example, if we start collecting additional data or share data in new ways), we will notify you prominently. We may notify you via email, in-app alert, or via an announcement on our website. We encourage you to review this Policy periodically. The “Last Updated” date at the top will always indicate the latest revision. If you continue to use Sona after an update, it means you acknowledge and accept the revised Policy. However, if any change would require new consent (for example, using your data for a new purpose that you originally did not agree to), we will obtain that consent from you.
9. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact us at:
- Email: hello@sona.help
- Address: MindSpire Ltd, Napier House, 14-16 Mount Ephraim Road, Tunbridge Wells, United Kingdom, TN1 1EE
- Data Protection Officer: Jane Ollis – jane.ollis@sona.help

