Privacy Policy

Last Updated: October 4, 2025

🌟 Web Summit Lisbon 2025 Edition - GDPR Compliant

Dinkel AI & Media Tech GmbH ("we," "us," "our," or "Sonaya") is committed to protecting your privacy and ensuring transparency in how we handle your personal data. This Privacy Policy explains how we collect, use, store, and protect your information in compliance with the General Data Protection Regulation (GDPR) and other applicable data protection laws.

1. Data Controller Information

Company Name: Dinkel AI & Media Tech GmbH

Registered Address: Simmeringer Hauptstraße 24/220, 1110 Vienna, Austria

Email: privacy@sonaya.ai

General Contact: dinkel@sonaya.ai

Phone: +43 664 2327085

Data Protection Officer: dpo@sonaya.ai

2. Legal Basis for Data Processing (GDPR)

We process your personal data based on the following legal grounds under GDPR:

Article 6(1)(a) - Consent

You provide explicit consent when creating an account and using our voice recording features.

Article 6(1)(b) - Contract Performance

Processing is necessary to provide our meditation services as per our Terms of Service.

Article 9(2)(a) - Special Category Data

Important: Your voice recordings constitute biometric data under GDPR. We process this sensitive data only with your explicit consent, which you can withdraw at any time.

3. Information We Collect

3.1 Account Information

  • Email address - for account creation and communication
  • Password - securely hashed and encrypted
  • Name - optional, for personalization
  • Authentication data - when using Google or Apple Sign-In

3.2 Voice Data (Biometric Data)

When you use our voice recording feature, we collect:

  • Voice recordings - short audio samples for voice cloning
  • Voice characteristics - extracted features for AI processing
  • Processing metadata - technical data about voice quality

3.3 Meditation & Usage Data

  • Meditation themes and preferences
  • Session history and duration
  • App usage patterns and feature interactions
  • Favorited meditations and playlists

3.4 Technical Data

  • Device type and operating system version
  • App version and build number
  • IP address (for security and diagnostics)
  • Crash reports and performance data

3.5 Payment Information

Payment processing is handled by trusted third-party providers (Stripe/Apple/Google). We do not store your full payment card details. We only receive:

  • Subscription status
  • Transaction IDs
  • Subscription plan information

4. How We Use Your Information

4.1 Core Service Provision

  • Creating and maintaining your account
  • Generating personalized meditation content using AI
  • Processing voice recordings for voice cloning
  • Storing and delivering your meditation sessions

4.2 AI Processing

Your voice data is processed using:

  • ElevenLabs - for voice cloning and synthesis
  • OpenAI - for meditation script generation and text processing

4.3 Service Improvement

  • Analyzing usage patterns to enhance user experience
  • Improving AI voice quality and meditation content
  • Conducting research and development
  • Optimizing app performance and reliability

4.4 Communication

  • Sending service-related notifications
  • Responding to support requests
  • Notifying you about important updates or changes
  • Sending marketing communications (with your consent)

5. Data Sharing & Third-Party Processors

We share your data only with trusted partners who help us provide our service. All third parties are bound by Data Processing Agreements (DPAs) ensuring GDPR compliance:

5.1 AI Service Providers

ElevenLabs

Purpose: Voice synthesis and cloning
Data Shared: Voice recordings and audio samples
Location: United States/EU
DPA: ✓ In place

OpenAI

Purpose: AI-powered meditation script generation
Data Shared: Text inputs and meditation preferences
Location: United States
DPA: ✓ In place

5.2 Infrastructure Providers

  • Railway/Cloud Hosting - Server hosting and data storage
  • AWS/DigitalOcean - Backup and file storage

5.3 Authentication Services

  • Google OAuth - Google Sign-In functionality
  • Apple Sign-In - Apple authentication

5.4 Payment Processors

  • Stripe - Credit card payment processing
  • Apple App Store - In-app purchases (iOS)
  • Google Play - In-app purchases (Android)

5.5 Analytics & Performance

  • Google Analytics - Usage statistics (anonymized)
  • Mixpanel - User behavior analysis (optional)
  • Sentry - Error tracking and crash reporting

6. International Data Transfers

As a company registered in Austria (EU), we ensure that any transfer of personal data outside the European Economic Area (EEA) is protected by appropriate safeguards:

  • Standard Contractual Clauses (SCCs) - EU-approved data transfer mechanisms
  • Adequacy Decisions - Transfers only to countries recognized by the EU Commission
  • Data Processing Agreements - GDPR-compliant contracts with all US-based processors

Our primary data centers are located in the EU. Data transferred to the US (OpenAI, ElevenLabs) is protected under the EU-US Data Privacy Framework and SCCs.

7. Data Security Measures

We implement state-of-the-art security measures to protect your personal data:

7.1 Technical Measures

  • Encryption - End-to-end encryption for voice data transmission
  • Secure Storage - AES-256 encryption at rest
  • HTTPS/TLS - All data transfers over secure connections
  • Access Controls - Role-based access restrictions
  • Regular Backups - Encrypted backup systems

7.2 Organizational Measures

  • Regular security audits and penetration testing
  • Employee training on data protection
  • Incident response procedures
  • Confidentiality agreements with all staff

8. Data Retention Policy

8.1 Active Accounts

  • Account Data - Retained while your account is active
  • Voice Recordings - Stored until you delete them or close your account
  • Meditation History - Kept for service provision and personalization

8.2 After Account Deletion

  • Voice Data - Permanently deleted within 30 days
  • Personal Information - Removed within 90 days
  • Legal Records - Financial records kept for 7 years (Austrian law requirement)
  • Analytics Data - Anonymized data may be retained for statistical purposes

8.3 Inactive Accounts

Accounts inactive for more than 3 years may be automatically deleted after notification.

9. Your Rights Under GDPR

As a data subject in the European Union, you have the following rights:

Article 15 - Right of Access

Request copies of your personal data and information about how we process it.

Article 16 - Right to Rectification

Request correction of inaccurate or incomplete personal data.

Article 17 - Right to Erasure ("Right to be Forgotten")

Request deletion of your personal data when there's no compelling reason for continued processing.

Article 18 - Right to Restriction of Processing

Request limitation of processing under certain circumstances.

Article 20 - Right to Data Portability

Receive your personal data in a structured, machine-readable format and transfer it to another controller.

Article 21 - Right to Object

Object to processing based on legitimate interests or for direct marketing purposes.

Article 22 - Automated Decision-Making

Right not to be subject to decisions based solely on automated processing (including profiling).

How to Exercise Your Rights

To exercise any of these rights, contact us at:

We will respond to your request within 30 days.

10. Consent & Withdrawal

10.1 Voice Data Consent

Before collecting any voice recordings, we require your explicit, informed consent. You understand that:

  • Voice data is biometric/special category personal data under GDPR
  • Your voice may reveal sensitive information (ethnicity, health, age)
  • Data will be processed using AI technology (ElevenLabs, OpenAI)
  • You can withdraw consent at any time

10.2 How to Withdraw Consent

You can withdraw consent at any time by:

  • Deleting your voice data in app settings
  • Contacting support at support@sonaya.ai
  • Using the "Delete Voice Data" button in your Privacy Dashboard

Effect of Withdrawal: Your voice data will be permanently deleted within 30 days, and you won't be able to generate new personalized meditations.

11. Cookies & Tracking Technologies

11.1 Essential Cookies

  • Authentication tokens
  • Session management
  • Security features

11.2 Analytics Cookies (Optional)

  • Google Analytics - Usage statistics
  • Mixpanel - User behavior insights

11.3 Managing Cookies

You can control analytics cookies through the app's Privacy Settings. Essential cookies cannot be disabled as they're necessary for the app to function.

12. Children's Privacy

Sonaya is not intended for children under 18 years of age. We do not knowingly collect personal information from minors. If we discover that we have inadvertently collected data from a child under 18, we will delete it immediately.

Parents or guardians who believe their child has provided us with personal information should contact us at privacy@sonaya.ai.

13. Data Breach Notification

In the event of a personal data breach that poses a risk to your rights and freedoms, we will:

  • Notify the Austrian Data Protection Authority (Datenschutzbehörde) within 72 hours
  • Inform affected users directly if the breach poses a high risk
  • Provide details about the nature of the breach and remedial actions
  • Implement immediate measures to prevent further unauthorized access

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. When we make material changes, we will:

  • Update the "Last Updated" date at the top of this policy
  • Notify you via email to your registered address
  • Display a prominent notice in the app
  • Seek renewed consent where required by law

We recommend reviewing this policy periodically to stay informed about how we protect your data.

15. Supervisory Authority & Complaints

You have the right to lodge a complaint with a supervisory authority if you believe we have violated your data protection rights.

Austrian Data Protection Authority (Datenschutzbehörde)

Wickenburggasse 8
1080 Vienna, Austria
Phone: +43 1 52 152-0
Email: dsb@dsb.gv.at
Website: www.dsb.gv.at

However, we encourage you to contact us first so we can address your concerns directly.

Questions About Your Privacy?

General Inquiries: dinkel@sonaya.ai

Privacy Matters: privacy@sonaya.ai

Data Protection Officer: dpo@sonaya.ai

Phone: +43 664 2327085

Mailing Address:
Dinkel AI & Media Tech GmbH
Simmeringer Hauptstraße 24/220
1110 Vienna, Austria