Legal
Privacy Policy
Last updated: 23 March 2026
Sonaverse Ltd · Sonaverse Platform
Last Updated: 23 March 2026 Effective Date: 23 March 2026
This Privacy Policy describes how Sonaverse Ltd collects, uses, shares, and protects your personal data when you use the Sonaverse platform. Please read it carefully. By using our Services you confirm that you have read and understood this Policy. Capitalised terms used but not defined here have the meanings given in our Terms of Service.
Sonaverse Ltd · 71–75 Shelton Street, Covent Garden, London, WC2H 9JQ · Company No. 17108925 · privacy@sonaverse.ai · www.sonaverse.ai/privacy
1. Who We Are and How to Contact Us
Sonaverse Ltd ("Sonaverse", "we", "us", or "our") is the data controller responsible for your personal data processed through the Sonaverse platform. We are incorporated in England and Wales under company number 17108925. Our registered office is at 71–75 Shelton Street, Covent Garden, London, WC2H 9JQ, United Kingdom.
| Purpose | Contact |
|---|---|
| Privacy queries and data rights requests | privacy@sonaverse.ai |
| Urgent data concerns or security incidents | security@sonaverse.ai |
| Postal correspondence | Sonaverse Ltd (Data Protection), 71–75 Shelton Street, Covent Garden, London, WC2H 9JQ |
We aim to respond to all privacy-related enquiries within 30 days. Where a request is complex or you have submitted multiple requests, we may extend this period by a further two months, in which case we will notify you within the initial 30-day period.
Sonaverse Ltd is registered with the Information Commissioner's Office (ICO) as a data controller. The ICO is the UK's supervisory authority for data protection.
2. What Personal Data We Collect
We collect different categories of personal data depending on how you use the platform.
| Category | Examples | Collected from |
|---|---|---|
| Account data | Name, email address, username, password (hashed), account creation date, account type | You, directly |
| Identity verification data | Government-issued ID documents, liveness check images or video, verification status and outcome | You, directly; identity verification provider |
| Contact and communications data | Email address, mobile telephone number (for WhatsApp OTP verification and interview follow-ups), support correspondence | You, directly |
| Personal Materials | Voice recordings, interview transcripts, written responses, personal narratives, biographical information, photographs, audio and video recordings provided to build a sona | You, directly |
| Knowledge Materials | Documents, books, research papers, reports, presentations, and other materials uploaded to augment a sona | You, directly |
| Derived / inferred data | Vector embeddings derived from Personal Materials and Knowledge Materials; behavioural and communication pattern data extracted during the sona-building process | Generated by our systems from materials you provide |
| Interaction data | Records of interactions with sonas (prompts and responses), session metadata, Access Tier at time of interaction, timestamp | Automatically, when you use the platform |
| Payment and billing data | Subscription status, payment history, currency, Stripe customer ID. Full card details are held by Stripe, not by us. | You, directly; Stripe |
| Usage and technical data | IP address, browser type, device type, operating system, referring URL, pages visited, feature usage, error logs | Automatically, via cookies and server logs |
| Consent records | Records of consents given, consent withdrawal records | You, directly |
| Posthumous provisions | Written instructions provided by a sona subject regarding the continuation of their sona after death | You, directly |
Special category data
Certain data we process may constitute "special category data" under UK GDPR — data that carries heightened sensitivity and legal protection. This includes:
- Biometric data. Voice recordings processed for the purpose of creating a voice or identity representation may, depending on the processing involved, constitute biometric data within the meaning of Article 9 UK GDPR. We process such data only where we have your explicit consent.
- Health data. Personal Materials may, at your discretion, contain health-related information you choose to share as part of your personal narrative. We do not solicit health data and do not require it. Where you voluntarily include health information in Personal Materials, we process it solely on the basis of your explicit consent.
- Other special categories. Personal Materials may contain information about racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, or sexual orientation or life. We process any such data on the basis of your explicit consent and solely to provide the Services you have requested.
You are never required to provide special category data. If you choose to include it in your Personal Materials, you do so voluntarily and with the understanding that it will be processed as part of your sona.
3. How We Collect Your Personal Data
(a) Directly from you
- When you create an account and complete registration;
- When you submit Personal Materials or Knowledge Materials to build or enrich a sona;
- When you complete identity verification;
- When you subscribe to a sona on the Creator Marketplace;
- When you interact with a sona (your prompts are recorded as interaction data);
- When you contact our support team or submit a report;
- When you provide posthumous provisions;
- When you respond to interviews conducted via WhatsApp as part of the sona-building process.
(b) Automatically when you use our platform
- Usage and technical data, including your IP address, browser type, and pages visited, are collected automatically via server logs and cookies when you access our Website or Services;
- Interaction data, including prompts submitted to sonas and the responses generated, are logged automatically when you use the chat interface.
(c) From third parties
- Identity verification outcome data from our identity verification provider when you complete a verification check;
- Payment status and billing information from Stripe when you subscribe to a sona or when a subscription status changes;
- WhatsApp delivery confirmations and message status from Meta Platforms when we send OTP codes or interview messages via WhatsApp Business.
4. Why We Process Your Data and Our Legal Bases
Under UK GDPR, we must have a lawful basis for processing your personal data.
| Purpose | Data categories | Lawful basis |
|---|---|---|
| Creating and managing your account | Account data, contact data | Contract: necessary to perform the contract with you. |
| Providing the sona service, including ingesting Personal Materials and Knowledge Materials | Personal Materials, Knowledge Materials, derived data | Contract: necessary to perform the contract with you. Explicit consent: for any special category data you choose to include. |
| Identity verification (OTP at account creation; full KYC at publishing stage) | Identity verification data, contact data | Contract: necessary to provide the service. Legitimate interests: preventing fraud and ensuring integrity. |
| WhatsApp OTP authentication | Mobile telephone number, OTP codes | Contract: necessary to verify your identity to provide the service. |
| Conducting interview follow-ups via WhatsApp | Mobile telephone number, interview responses | Consent: we will obtain your consent before sending interview messages via WhatsApp. |
| Processing payments and managing subscriptions | Payment and billing data | Contract: necessary to process your subscription. |
| Creator Marketplace revenue calculations and payouts | Payment and billing data, subscription data | Contract: necessary to perform our obligations to Creator Marketplace participants. |
| Managing Access Tier controls and enforcing sona permissions | Account data, interaction data, consent records | Contract: necessary to provide the service. Legitimate interests: protecting the privacy of sona subjects. |
| Maintaining security and preventing fraud, abuse, and policy violations | Usage data, technical data, interaction data | Legitimate interests: protecting the platform and our users from harm. |
| Improving the Services and developing new features (excluding cross-sona model training) | Usage data, technical data, anonymised interaction data | Legitimate interests: improving our product for all users. |
| Responding to your support queries and complaints | Account data, contact data, support correspondence | Contract: necessary to provide support. Legitimate interests: resolving disputes. |
| Sending transactional emails | Account data, contact data | Contract: necessary to communicate service status changes. |
| Complying with legal obligations | Any data relevant to the request | Legal obligation. |
| Processing posthumous provisions | Posthumous provisions, account data | Legitimate interests: honouring the documented wishes of the sona subject. |
Legitimate interests balancing
Where we rely on legitimate interests as our lawful basis, we have conducted a balancing assessment to confirm that our interests do not override your rights and freedoms. You have the right to object to processing based on legitimate interests; see Section 10.
5. Voice Processing Notice
This section contains specific information about how we handle voice recordings and voice-derived data, which may constitute biometric data under UK GDPR. Please read it carefully.
If you provide voice recordings as part of your Personal Materials — for example, as part of a structured interview for your sona — we process those recordings as follows.
What we collect:
- The audio recording itself, stored securely in our database;
- A text transcript extracted from the recording;
- Vector embeddings derived from the transcript.
How we use it:
- To configure the sona model associated with your sona, giving it access to the content, tone, and style of your spoken responses;
- To inform the written communication style and knowledge base of your sona;
- For trust and safety purposes.
What we do not do:
- We do not use your voice recordings to create a synthetic voice model capable of generating audio in your voice, unless you separately and explicitly consent to this;
- We do not share your voice recordings with third parties for their own use;
- We do not use your voice data to train general AI models for use outside your specific sona without your explicit consent;
- We do not commercialise your voice or voice-derived data on a standalone basis.
Lawful basis: We process voice recordings on the basis of your explicit consent. You may withdraw this consent at any time by contacting us at privacy@sonaverse.ai. Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal. Following withdrawal, we will deactivate your sona and delete your voice recordings. Voice-derived embeddings will be removed from operational systems within 30 days.
Retention: Voice recordings and transcripts are retained for as long as your sona remains active. They are deleted within 30 days of deactivation of the sona or upon a valid deletion request.
6. Knowledge Materials and Third-Party Data
(a) How Knowledge Materials are stored
We store: (i) the source document; (ii) extracted text derived from the document; and (iii) vector embeddings generated from the extracted text. All three are stored in our secure Supabase database infrastructure. Access to stored Knowledge Materials is restricted to authorised personnel and the AI processing systems that serve your sona.
(b) Third-party personal data in Knowledge Materials
You are responsible for ensuring that any personal data of identifiable third parties contained in Knowledge Materials is handled lawfully. We recommend redacting the personal data of third parties from Knowledge Materials wherever it is not necessary for the operation of your sona.
To the extent that we process personal data of third parties contained in Knowledge Materials you upload, we do so as a data processor acting on your instructions, and our Data Processing Addendum governs that processing.
(c) Retrieval limits
Our retrieval system applies technical limits on the volume of content surfaced from any single Knowledge Material per interaction (500 words per passage; 1,000 words aggregate per source per session). These limits exist to protect the rights of third-party rights-holders and to reduce the risk of disproportionate disclosure.
7. Who We Share Your Data With
We do not sell your personal data. We do not share it for third-party advertising purposes. We share your data only as described in this section.
(a) Service providers (data processors)
| Provider | Role | Data shared | Location |
|---|---|---|---|
| Supabase Inc. | Database, authentication, and file storage infrastructure | All personal data stored in our platform | USA (EU/UK data hosted on EU region servers where available) |
| Anthropic PBC | AI model provider (Claude API) used to power sona responses | Interaction data: prompts submitted to sonas and relevant Knowledge Material context | USA |
| Stripe Inc. | Payment processing and subscription management | Payment and billing data; subscription status; email address | USA |
| Resend Inc. | Transactional email delivery | Email address; email content | USA |
| Meta Platforms Ireland Ltd | WhatsApp Business Platform: OTP delivery and interview follow-up messages | Mobile telephone number; OTP codes; interview content | Ireland (EU) |
| Identity verification provider | Identity document verification and liveness checking | Name, date of birth, ID document images, liveness video or photograph | To be confirmed on provider selection |
(b) Other Sonaverse users
When you interact with a sona as a subscriber, the creator may be able to see metadata about subscriber interactions (such as the number of interactions and the Access Tier). Individual prompts you submit to a sona are not shared with the creator unless you are interacting at the Family or Colleague tier and the creator has configured the sona to retain interaction summaries.
(c) Legal and regulatory disclosures
We may disclose your personal data to law enforcement agencies, regulatory authorities, courts, or other public bodies where we are required to do so by law, by court order, or where we reasonably believe that disclosure is necessary to protect the rights, property, or safety of Sonaverse Ltd, our users, or the public.
(d) Business transfers
If Sonaverse Ltd is involved in a merger, acquisition, restructuring, or sale of all or part of its assets, your personal data may be transferred to the acquiring entity. We will notify you before your personal data is transferred and becomes subject to a different privacy policy.
8. International Transfers of Personal Data
Several of our key service providers are based in the United States. For transfers to our US-based service providers (Supabase, Anthropic, Stripe, and Resend), we rely on UK International Data Transfer Agreements (UK IDTAs) or UK Addenda to EU Standard Contractual Clauses (SCCs). Copies of the relevant transfer mechanisms are available on request from privacy@sonaverse.ai.
For transfers involving Meta Platforms Ireland Ltd (WhatsApp Business), data is processed within the EU under Meta's standard terms.
If you are resident in the European Economic Area, the same transfer safeguards apply to any transfer of your data from the UK to the EEA, which is currently subject to an EU adequacy decision for the UK.
9. How Long We Keep Your Data
| Data category | Retention period | Trigger for deletion |
|---|---|---|
| Account data | Duration of account plus 30 days | Account closure or deletion request |
| Identity verification data | 3 years from date of verification | Legal obligation: anti-fraud and AML compliance |
| Personal Materials (voice recordings, transcripts, source documents) | Duration of associated sona plus 30 days | Sona deactivation or deletion request |
| Knowledge Materials (source documents and extracted text) | Duration of associated sona plus 30 days | Sona deactivation, takedown notice, or deletion request |
| Vector embeddings | Purged from operational systems within 30 days of sona deactivation or deletion request | Sona deactivation, deletion request, or consent withdrawal |
| Interaction data | 12 months from date of interaction, then anonymised | Rolling 12-month window |
| Payment and billing data | 7 years from date of transaction | Legal obligation: financial record-keeping |
| Usage and technical data | 13 months from date of collection | Rolling deletion |
| Consent records | Duration of the associated consent plus 6 years | Legal obligation |
| Support correspondence | 3 years from date of last correspondence | Limitation period for contractual claims |
| Posthumous provisions | Until actioned, then retained for 3 years | Actioning of provision plus 3 years |
Where data is anonymised (rather than deleted), it no longer constitutes personal data under UK GDPR. We may retain anonymised data for analytical and product development purposes indefinitely.
10. Your Rights Under UK GDPR
Under UK GDPR, you have the following rights in relation to your personal data:
| Right | What it means in practice |
|---|---|
| Right of access (Article 15) | You may request a copy of the personal data we hold about you. We will provide this within one month of receipt of your request. |
| Right to rectification (Article 16) | You may ask us to correct inaccurate personal data or complete incomplete data. |
| Right to erasure (Article 17) | You may ask us to delete your personal data in certain circumstances, including where data is no longer necessary for its original purpose or where you withdraw consent. |
| Right to restriction (Article 18) | You may ask us to restrict processing of your data in certain circumstances. |
| Right to data portability (Article 20) | Where we process your data on the basis of contract or consent using automated means, you may request a machine-readable copy of data you have provided to us. |
| Right to object (Article 21) | You may object at any time to processing based on legitimate interests. Where you object, we will stop processing unless we can demonstrate compelling legitimate grounds that override your interests. |
| Right to withdraw consent (Article 7(3)) | Where processing is based on consent, you may withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing before withdrawal. |
| Rights related to automated decision-making (Article 22) | We do not make solely automated decisions that produce legal or similarly significant effects for you. |
To exercise any of your rights, please contact us at privacy@sonaverse.ai. We will not charge a fee for processing rights requests, except where requests are manifestly unfounded or excessive.
11. Complaints and the Right to Lodge a Complaint
If you are unhappy with how we have handled your personal data, please contact us at privacy@sonaverse.ai in the first instance.
If you remain dissatisfied after contacting us, you have the right to lodge a complaint with a supervisory authority:
| If you are based in... | Supervisory authority |
|---|---|
| The United Kingdom | Information Commissioner's Office (ICO) · www.ico.org.uk · 0303 123 1113 |
| The European Economic Area | Your national data protection authority. See edpb.europa.eu for a list. |
| Switzerland | Federal Data Protection and Information Commissioner (FDPIC) · www.edoeb.admin.ch |
12. Cookies and Tracking Technologies
| Category | Purpose | Consent required? |
|---|---|---|
| Strictly necessary | Essential for the platform to function: session authentication, security tokens, load balancing. Cannot be disabled. | No — necessary for the service. |
| Functional | Remembering your preferences, language settings, and display choices. | Yes — set only with your consent via our cookie banner. |
| Analytics | Understanding how users navigate the platform to improve the experience. Data is aggregated and not used to identify individuals. | Yes — set only with your consent. |
| Payment processing | Cookies set by Stripe to process payments securely and detect fraud. | Strictly necessary for payment functionality. |
You can manage your cookie preferences at any time through the cookie settings panel accessible from the footer of our website.
We do not use cookies or tracking technologies for the purpose of serving targeted advertising to you, and we do not share cookie data with advertising networks.
13. Children's Data
Our Services are not directed at and may not be used by persons under the age of 18. We do not knowingly collect personal data from anyone under 18. If you believe that a person under 18 has provided us with personal data, please contact us immediately at privacy@sonaverse.ai and we will take prompt steps to delete that data.
A sona may only be created of a living adult. The creation of a sona of a minor is absolutely prohibited under our Terms of Service and Prohibited Use Policy.
14. Security
We implement appropriate technical and organisational measures, which include:
- Encryption of data in transit (TLS) and at rest;
- Role-based access controls limiting internal access to personal data on a need-to-know basis;
- Row-level security (RLS) policies enforced at the database layer, ensuring that data is segregated by user and Access Tier;
- Regular security reviews and vulnerability assessments;
- Access logging for sensitive operations.
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the ICO within 72 hours of becoming aware of it, and we will notify affected individuals without undue delay where the breach is likely to result in a high risk to their rights and freedoms.
If you become aware of or suspect a security vulnerability or data breach involving our platform, please notify us immediately at security@sonaverse.ai.
15. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of any material changes by email and by posting a notice on the platform at least 30 days before the change takes effect.
The current version is always available at www.sonaverse.ai/privacy.
Where a change to this Policy requires your consent, we will seek that consent separately before processing your data for that new purpose.
Appendix: Key Terms Used in This Policy
| Term | Meaning |
|---|---|
| Data controller | The entity that determines the purposes and means of processing personal data. Sonaverse Ltd is the data controller for all personal data processed through the Sonaverse platform. |
| Data processor | An entity that processes personal data on behalf of a data controller, under the controller's instructions. |
| Personal data | Any information relating to an identified or identifiable living individual. |
| Special category data | Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, sex life or sexual orientation, genetic data, or biometric data processed for the purpose of uniquely identifying a person. |
| UK GDPR | The UK General Data Protection Regulation: the retained EU law version of the EU GDPR as it forms part of UK law by virtue of the European Union (Withdrawal) Act 2018. |
| UK IDTA | UK International Data Transfer Agreement: the mechanism approved by the ICO for transferring personal data from the UK to countries without an adequacy decision. |
| ICO | Information Commissioner's Office: the UK's independent supervisory authority for data protection law. |
| Legitimate interests | A lawful basis for processing personal data under UK GDPR where the processing is necessary for our legitimate interests or those of a third party, provided those interests are not overridden by your interests or rights. |
Legal documents