Sonaverse

Legal

Privacy Policy

Last updated: 23 March 2026

Sonaverse Ltd · Sonaverse Platform

Last Updated: 3 June 2026 Effective Date: 23 March 2026

This Privacy Policy describes how Sonaverse Ltd collects, uses, shares, and protects your personal data when you use the Sonaverse platform. Please read it carefully. By using our Services you confirm that you have read and understood this Policy. Capitalised terms used but not defined here have the meanings given in our Terms of Service.

Sonaverse Ltd · 71–75 Shelton Street, Covent Garden, London, WC2H 9JQ · Company No. 17108925 · privacy@sonaverse.ai · www.sonaverse.ai/privacy

1. Who We Are and How to Contact Us

Sonaverse Ltd ("Sonaverse", "we", "us", or "our") is the data controller responsible for your personal data processed through the Sonaverse platform. We are incorporated in England and Wales under company number 17108925. Our registered office is at 71–75 Shelton Street, Covent Garden, London, WC2H 9JQ, United Kingdom.

PurposeContact
Privacy queries and data rights requestsprivacy@sonaverse.ai
Data Protection Officer (DPO)Julian Saunders — privacy@sonaverse.ai
Urgent data concerns or security incidentssecurity@sonaverse.ai
Postal correspondenceSonaverse Ltd (Data Protection), 71–75 Shelton Street, Covent Garden, London, WC2H 9JQ

Our appointed Data Protection Officer is Julian Saunders, contactable at privacy@sonaverse.ai.

We aim to respond to all privacy-related enquiries within 30 days. Where a request is complex or you have submitted multiple requests, we may extend this period by a further two months, in which case we will notify you within the initial 30-day period.

Sonaverse Ltd is registered with the Information Commissioner's Office (ICO) as a data controller (registration reference ZC114963). The ICO is the UK's supervisory authority for data protection.

2. What Personal Data We Collect

We collect different categories of personal data depending on how you use the platform.

CategoryExamplesCollected from
Account dataName, email address, username, password (hashed), account creation date, account typeYou, directly
Identity verification dataGovernment-issued ID documents, liveness check images or video, verification status and outcomeYou, directly; identity verification provider
Contact and communications dataEmail address, mobile telephone number (for WhatsApp OTP verification and interview follow-ups), support correspondenceYou, directly
Personal MaterialsVoice recordings, interview transcripts, written responses, personal narratives, biographical information, photographs, audio and video recordings provided to build a sonaYou, directly
Knowledge MaterialsDocuments, books, research papers, reports, presentations, and other materials uploaded to augment a sonaYou, directly
Derived / inferred dataVector embeddings derived from Personal Materials and Knowledge Materials; behavioural and communication pattern data extracted during the sona-building processGenerated by our systems from materials you provide
Interaction dataRecords of interactions with sonas (prompts and responses), session metadata, Access Tier at time of interaction, timestampAutomatically, when you use the platform
Visitor conversation dataInbound microphone audio, the real-time transcript of your speech, any messages you type, and session metadata, generated when you talk to a founder demonstration sona on our public website without an accountYou, directly, via the website conversation interface
Conversation memory profilesShort AI-generated summaries of your conversations with a sona, capturing context, interests, and preferences relevant to that sona relationship. Created only where you have given explicit consent. See Section 5.Generated by our systems from your interaction data
Payment and billing dataSubscription status, payment history, currency, Stripe customer ID. Full card details are held by Stripe, not by us.You, directly; Stripe
Usage and technical dataIP address, browser type, device type, operating system, referring URL, pages visited, feature usage, error logsAutomatically, via cookies and server logs
Consent recordsRecords of consents given, consent withdrawal recordsYou, directly
Contact exchange recordsThe email address an account-holder shares with a professional sona's owner via the optional contact exchange feature, together with the corresponding consent decision. Created only where the account-holder has given explicit consent.You, directly; via the contact exchange consent card in the conversation
Posthumous provisionsWritten instructions provided by a sona subject regarding the continuation of their sona after deathYou, directly

Special category data

Certain data we process may constitute "special category data" under UK GDPR — data that carries heightened sensitivity and legal protection. This includes:

  • Biometric data. Voice recordings processed for the purpose of creating a voice or identity representation may, depending on the processing involved, constitute biometric data within the meaning of Article 9 UK GDPR. We process such data only where we have your explicit consent.
  • Health data. Personal Materials may, at your discretion, contain health-related information you choose to share as part of your personal narrative. We do not solicit health data and do not require it. Where you voluntarily include health information in Personal Materials, we process it solely on the basis of your explicit consent.
  • Other special categories. Personal Materials may contain information about racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, or sexual orientation or life. We process any such data on the basis of your explicit consent and solely to provide the Services you have requested.
  • Conversation memory profiles. Because conversations with sonas are freeform, memory profiles synthesised from those conversations may contain or be derived from special category data. We process any special category data within memory profiles only on the basis of your explicit consent under Article 9(2)(a) UK GDPR. See Section 5.

You are never required to provide special category data. If you choose to include it in your Personal Materials, or if it arises in the course of conversation, you do so voluntarily and with the understanding that it will be processed as part of your sona or memory profile where you have given consent.

3. How We Collect Your Personal Data

(a) Directly from you

  • When you create an account and complete registration;
  • When you submit Personal Materials or Knowledge Materials to build or enrich a sona;
  • When you complete identity verification;
  • When you subscribe to a sona on the Creator Marketplace;
  • When you interact with a sona (your prompts are recorded as interaction data);
  • When you contact our support team or submit a report;
  • When you provide posthumous provisions;
  • When you respond to interviews conducted via WhatsApp as part of the sona-building process.

(b) Automatically when you use our platform

  • Usage and technical data, including your IP address, browser type, and pages visited, are collected automatically via server logs and cookies when you access our Website or Services;
  • Interaction data, including prompts submitted to sonas and the responses generated, are logged automatically when you use the chat interface;
  • Where you have given consent to conversation memory, your interactions with sonas are periodically synthesised into a short profile by an AI model. See Section 5.

(c) From third parties

  • Identity verification outcome data from our identity verification provider when you complete a verification check;
  • Payment status and billing information from Stripe when you subscribe to a sona or when a subscription status changes;
  • WhatsApp delivery confirmations and message status from Meta Platforms when we send OTP codes or interview messages via WhatsApp Business.

(d) From website visitors — where you talk to a founder demonstration sona on our public website, we process the audio you speak or the text you type during that conversation, together with basic session metadata, even if you do not hold a Sonaverse account.

Under UK GDPR, we must have a lawful basis for processing your personal data.

PurposeData categoriesLawful basis
Creating and managing your accountAccount data, contact dataContract: necessary to perform the contract with you.
Providing the sona service, including ingesting Personal Materials and Knowledge MaterialsPersonal Materials, Knowledge Materials, derived dataContract: necessary to perform the contract with you. Explicit consent: for any special category data you choose to include.
Identity verification (OTP at account creation; full KYC at publishing stage)Identity verification data, contact dataContract: necessary to provide the service. Legitimate interests: preventing fraud and ensuring integrity.
WhatsApp OTP authenticationMobile telephone number, OTP codesContract: necessary to verify your identity to provide the service.
Conducting interview follow-ups via WhatsAppMobile telephone number, interview responsesConsent: we will obtain your consent before sending interview messages via WhatsApp.
Processing payments and managing subscriptionsPayment and billing dataContract: necessary to process your subscription.
Creator Marketplace revenue calculations and payoutsPayment and billing data, subscription dataContract: necessary to perform our obligations to Creator Marketplace participants.
Managing Access Tier controls and enforcing sona permissionsAccount data, interaction data, consent recordsContract: necessary to provide the service. Legitimate interests: protecting the privacy of sona subjects.
Providing founder demonstration sonas to website visitors (public, no account)Visitor conversation dataLegitimate interests (demonstrating and marketing the Services); Consent obtained via the pre-conversation notice shown before the conversation begins
Maintaining security and preventing fraud, abuse, and policy violationsUsage data, technical data, interaction dataLegitimate interests: protecting the platform and our users from harm.
Improving the Services and developing new features (excluding cross-sona model training)Usage data, technical data, anonymised interaction dataLegitimate interests: improving our product for all users.
Responding to your support queries and complaintsAccount data, contact data, support correspondenceContract: necessary to provide support. Legitimate interests: resolving disputes.
Sending transactional emailsAccount data, contact dataContract: necessary to communicate service status changes.
Complying with legal obligationsAny data relevant to the requestLegal obligation.
Processing posthumous provisionsPosthumous provisions, account dataLegitimate interests: honouring the documented wishes of the sona subject.
Synthesising conversation memory profiles (ordinary personal data aspects)Interaction data, conversation memory profilesConsent (Article 6(1)(a)): we process this data only where you have given explicit consent to the conversation memory feature.
Synthesising conversation memory profiles (special category data aspects)Conversation memory profiles where derived from or containing special category dataExplicit consent (Article 9(2)(a)): we process special category data within memory profiles only on the basis of explicit consent.
Transmitting an account-holder's email to a professional sona's owner via the contact exchange featureContact exchange recordsConsent (Article 6(1)(a)): we transmit your email only where you have given explicit consent via the contact exchange card shown in the conversation.

Visitor speech is transcribed only to run the conversation and is not processed to uniquely identify the visitor, so it does not engage UK GDPR Article 9. No Article 9(2)(a) basis is required for this activity, in contrast to sona-creation voice (Section 6).

Legitimate interests balancing

Where we rely on legitimate interests as our lawful basis, we have conducted a balancing assessment to confirm that our interests do not override your rights and freedoms. You have the right to object to processing based on legitimate interests; see Section 11.

5. Conversation Memory and Profile Synthesis

This section describes how our optional conversation memory feature works. Memory is off by default and is activated only where you have given explicit consent.

When you give consent to conversation memory, Sonaverse synthesises your conversations with each sona into a short profile. That profile is used to provide continuity across future conversations with that sona.

What we synthesise: At the end of each conversation session (or at a suitable trigger point), your interaction with a sona is processed by an AI model to produce a short summary capturing relevant context, preferences, and patterns of engagement. This summary is stored as your memory profile for that sona relationship.

Where it is stored: Memory profiles are stored in Sonaverse's Supabase database, hosted in the EU. The synthesis step involves transmitting your conversation content to Anthropic PBC (USA), our AI model provider. This transfer is covered by the international transfer mechanism described in Section 9.

How it is used: On subsequent visits to a sona, the memory profile for that relationship is injected into the sona's context, allowing the sona to recall relevant details from prior conversations.

Who can see it: Memory profiles are not visible to sona creators. They are used solely within the conversation context between you and the relevant sona.

Special category data: Conversations with sonas are freeform and may cover health, relationships, beliefs, political views, and other sensitive topics. A profile synthesised from those conversations may contain or be derived from special category data. We process any such data only on the basis of your explicit consent under Article 9(2)(a) UK GDPR.

International transfer: The synthesis step involves transmitting your conversation transcript to Anthropic PBC (USA). This transfer is governed by the ICO Approved Addendum (version B.1.0) to the EU Standard Contractual Clauses, incorporated into Anthropic's Data Processing Addendum and effective by acceptance of Anthropic's Commercial Terms. The resulting profile is stored in the EU. See Section 9.

Consent and opt-out: Conversation memory is off by default. After you have had a short exchange with a sona, we will offer you the option to enable memory inline within the conversation. If you do not respond at that point, the same offer will appear at the start of your next session. Consent is account-level: a single decision covers all sonas on the platform. You may withdraw consent at any time via your account settings or by contacting privacy@sonaverse.ai. On withdrawal, your memory profile is deleted within 30 days and memory deactivates. Withdrawing memory consent does not affect your account or your access to any tier of the service.

6. Voice Processing Notice

This section contains specific information about how we handle voice recordings and voice-derived data, which may constitute biometric data under UK GDPR. Please read it carefully.

This section concerns the voice of the person whose sona is being built. For how we handle the voice of website visitors who talk to a sona, see Section 6A.

If you provide voice recordings as part of your Personal Materials — for example, as part of a structured interview for your sona — we process those recordings as follows.

What we collect:

  • The audio recording itself, stored securely in our database;
  • A text transcript extracted from the recording;
  • Vector embeddings derived from the transcript.

How we use it:

  • To configure the sona model associated with your sona, giving it access to the content, tone, and style of your spoken responses;
  • To inform the written communication style and knowledge base of your sona;
  • For trust and safety purposes.

What we do not do:

  • We do not use your voice recordings to create a synthetic voice model capable of generating audio in your voice, unless you separately and explicitly consent to this;
  • We do not share your voice recordings with third parties for their own use;
  • We do not use your voice data to train general AI models for use outside your specific sona without your explicit consent;
  • We do not commercialise your voice or voice-derived data on a standalone basis.

Lawful basis: We process voice recordings on the basis of your explicit consent. You may withdraw this consent at any time by contacting us at privacy@sonaverse.ai. Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal. Following withdrawal, we will deactivate your sona and delete your voice recordings. Voice-derived embeddings will be removed from operational systems within 30 days.

Retention: Voice recordings and transcripts are retained for as long as your sona remains active. They are deleted within 30 days of deactivation of the sona or upon a valid deletion request.

6A. Visitor Conversations with Founder Demonstration Sonas

Our public website lets you talk to AI "sonas" of our founders (Julian and Jena) without creating an account. This section explains how we handle your data when you do.

How it works: You can interact by speaking or by typing.

  • If you speak, your microphone audio is streamed to a third-party speech-to-text provider (Deepgram, Inc., USA) and transcribed in real time so the sona can respond. The sona's reply is generated using an AI model (Anthropic PBC, USA) and voiced using an AI voice-generation provider (ElevenLabs Inc., USA).
  • If you type, no audio is processed.

No biometric identification: We transcribe what you say only to run the conversation. We do not create a voiceprint, and we do not use your audio to identify or authenticate you. Your inbound speech is not processed as biometric or special category data.

These are AI sonas: The sonas are AI representations of Julian and Jena. Their voices are AI-generated and their responses may not reflect the real views of either founder.

Purpose and lawful basis: We provide these sonas to demonstrate our product. Our lawful basis is our legitimate interest in showcasing and marketing the Services, together with the consent you give via the notice shown before the conversation begins. You must confirm you are 18 or over to proceed.

Sharing: To run the conversation, your audio or text is shared with the providers listed in Section 8 (speech-to-text, AI model, and AI voice generation). We do not sell this data and do not use it for advertising, and neither Deepgram nor ElevenLabs use it to train or improve their models.

Retention: Your conversation — including the transcript of anything you said or typed — is stored in the same way as a signed-in visitor's chat with a sona, and is retained for up to 12 months from the date of the conversation before automatic deletion. Inbound audio itself is processed transiently to produce the transcript and is not separately retained.

Your choices: You can type instead of speaking, and you can end the conversation at any time. For any question or request about data from these conversations, contact privacy@sonaverse.ai.

7. Knowledge Materials and Third-Party Data

(a) How Knowledge Materials are stored

We store: (i) the source document; (ii) extracted text derived from the document; and (iii) vector embeddings generated from the extracted text. All three are stored in our secure Supabase database infrastructure. Access to stored Knowledge Materials is restricted to authorised personnel and the AI processing systems that serve your sona.

(b) Third-party personal data in Knowledge Materials

You are responsible for ensuring that any personal data of identifiable third parties contained in Knowledge Materials is handled lawfully. We recommend redacting the personal data of third parties from Knowledge Materials wherever it is not necessary for the operation of your sona.

To the extent that we process personal data of third parties contained in Knowledge Materials you upload, we do so as a data processor acting on your instructions, and our Data Processing Addendum governs that processing.

(c) Retrieval limits

Our retrieval system applies technical limits on the volume of content surfaced from any single Knowledge Material per interaction (500 words per passage; 1,000 words aggregate per source per session). These limits exist to protect the rights of third-party rights-holders and to reduce the risk of disproportionate disclosure.

8. Who We Share Your Data With

We do not sell your personal data. We do not share it for third-party advertising purposes. We share your data only as described in this section.

(a) Service providers (data processors)

ProviderRoleData sharedLocation
Supabase Inc.Database, authentication, and file storage infrastructureAll personal data stored in our platformUSA (EU/UK data hosted on EU region servers where available)
Anthropic PBCAI model provider (Claude API) for sona responses, including responses of founder demonstration sonas on our website; conversation transcript processor for memory profile synthesisInteraction data: prompts submitted to sonas and relevant Knowledge Material context; conversation transcripts for memory synthesis where consent is given; visitor conversation data for demonstration sonasUSA
ElevenLabs Inc.(1) AI voice cloning: generates the synthetic voice model for your sona, only where you have given explicit consent (see Section 6); (2) AI voice generation for founder demonstration sonas on our websiteVoice recordings and voice-derived data (sona voice cloning, with consent); visitor conversation data: text generated for the sona's spoken reply (demonstration sonas)USA
Deepgram, Inc.Real-time speech-to-text for founder demonstration sonas on our websiteVisitor inbound audio; resulting transcriptUSA
Stripe Inc.Payment processing and subscription managementPayment and billing data; subscription status; email addressUSA
Stripe Inc.Identity document verification and liveness checkingName, date of birth, ID document images, liveness video or photographUSA
Resend Inc.Transactional email deliveryEmail address; email contentUSA
Meta Platforms Ireland LtdWhatsApp Business Platform: OTP delivery and interview follow-up messagesMobile telephone number; OTP codes; interview contentIreland (EU)

Neither Deepgram nor ElevenLabs use data shared under this table to train or improve their models.

(b) Other Sonaverse users

When you interact with a sona as a subscriber, the creator may be able to see metadata about subscriber interactions (such as the number of interactions and the Access Tier). Individual prompts you submit to a sona are not shared with the creator unless you are interacting at the Legacy tier and the creator has configured the sona to retain interaction summaries.

We may disclose your personal data to law enforcement agencies, regulatory authorities, courts, or other public bodies where we are required to do so by law, by court order, or where we reasonably believe that disclosure is necessary to protect the rights, property, or safety of Sonaverse Ltd, our users, or the public.

(d) Business transfers

If Sonaverse Ltd is involved in a merger, acquisition, restructuring, or sale of all or part of its assets, your personal data may be transferred to the acquiring entity. We will notify you before your personal data is transferred and becomes subject to a different privacy policy.

(e) Contact exchange — professional sona owners

Where you use the contact exchange feature in conversation with a professional sona and choose to share your email address, we transmit that email to the sona's owner so they can follow up with you directly. This transfer happens only on your explicit consent. The owner receives your email as an independent data controller and is responsible for their own compliance with applicable data protection law in relation to that data. Sonaverse can delete its own contact exchange record on your request, but cannot require deletion of copies held independently by the owner.

9. International Transfers of Personal Data

Several of our key service providers are based in the United States. For transfers to our US-based service providers (Supabase, Anthropic, Stripe, Resend, ElevenLabs, and Deepgram), we rely on UK International Data Transfer Agreements (UK IDTAs) or UK Addenda to EU Standard Contractual Clauses (SCCs). In particular, the transfer of conversation content to Anthropic for sona responses and for memory profile synthesis (where you have given consent) is covered by the ICO Approved Addendum (version B.1.0) to the EU Standard Contractual Clauses, incorporated into Anthropic's Data Processing Addendum by acceptance of their Commercial Terms. Copies of relevant transfer mechanisms are available on request from privacy@sonaverse.ai.

For transfers involving Meta Platforms Ireland Ltd (WhatsApp Business), data is processed within the EU under Meta's standard terms.

If you are resident in the European Economic Area, the same transfer safeguards apply to any transfer of your data from the UK to the EEA, which is currently subject to an EU adequacy decision for the UK.

10. How Long We Keep Your Data

Data categoryRetention periodTrigger for deletion
Account dataDuration of account plus 30 daysAccount closure or deletion request
Identity verification data3 years from date of verificationLegal obligation: anti-fraud and AML compliance
Personal Materials (voice recordings, transcripts, source documents)Duration of associated sona plus 30 daysSona deactivation or deletion request
Knowledge Materials (source documents and extracted text)Duration of associated sona plus 30 daysSona deactivation, takedown notice, or deletion request
Vector embeddingsPurged from operational systems within 30 days of sona deactivation or deletion requestSona deactivation, deletion request, or consent withdrawal
Interaction data12 months from date of interaction, then deletedRolling 12-month window
Visitor conversation audio (demonstration sonas)Not retained after the conversation ends; processed transiently to produce the transcriptN/A — transient processing
Visitor conversation transcript (demonstration sonas)12 months from date of the conversation, then deletedRolling 12-month window (same retention as other interaction data — see Section 6A)
Conversation memory profilesDuration of active account, or 12 months from the date the relevant subscription lapses (whichever is longer), then deleted within 30 days. On account deletion or sona deactivation: deleted within 30 days. On consent withdrawal: deleted within 30 days.Account deletion, sona deactivation, or consent withdrawal
Payment and billing data7 years from date of transactionLegal obligation: financial record-keeping
Usage and technical data13 months from date of collectionRolling deletion
Consent recordsDuration of the associated consent plus 6 yearsLegal obligation
Contact exchange recordsDuration of the relevant account, then deleted within 30 days on account deletion, deletion request, or consent withdrawal. Note: once your email has been delivered to the sona's owner, that copy is held by the owner independently and is outside Sonaverse's control.Account deletion, deletion request, or consent withdrawal
Support correspondence3 years from date of last correspondenceLimitation period for contractual claims
Posthumous provisionsUntil actioned, then retained for 3 yearsActioning of provision plus 3 years

Where data is anonymised (rather than deleted), it no longer constitutes personal data under UK GDPR. We may retain anonymised data for analytical and product development purposes indefinitely.

11. Your Rights Under UK GDPR

Under UK GDPR, you have the following rights in relation to your personal data:

RightWhat it means in practice
Right of access (Article 15)You may request a copy of the personal data we hold about you. We will provide this within one month of receipt of your request. Subject access request responses include all conversation memory profiles held for you across every sona you have interacted with, provided in a legible format.
Right to rectification (Article 16)You may ask us to correct inaccurate personal data or complete incomplete data.
Right to erasure (Article 17)You may ask us to delete your personal data in certain circumstances, including where data is no longer necessary for its original purpose or where you withdraw consent.
Right to restriction (Article 18)You may ask us to restrict processing of your data in certain circumstances.
Right to data portability (Article 20)Where we process your data on the basis of contract or consent using automated means, you may request a machine-readable copy of data you have provided to us.
Right to object (Article 21)You may object at any time to processing based on legitimate interests. Where you object, we will stop processing unless we can demonstrate compelling legitimate grounds that override your interests.
Right to withdraw consent (Article 7(3))Where processing is based on consent, you may withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing before withdrawal. To withdraw consent for conversation memory, use the toggle in your account settings or contact privacy@sonaverse.ai.
Rights related to automated decision-making (Article 22)We do not make solely automated decisions that produce legal or similarly significant effects for you.

To exercise any of your rights, please contact us at privacy@sonaverse.ai. We will not charge a fee for processing rights requests, except where requests are manifestly unfounded or excessive.

Where you have shared your email address with a professional sona's owner via the contact exchange feature, your right to erasure (Article 17) applies to Sonaverse's own contact exchange records, which we will delete on request. We cannot, however, compel deletion of copies held independently by the owner in their capacity as a separate data controller. You may contact the owner directly to request deletion of the copy they hold.

12. Complaints and the Right to Lodge a Complaint

If you are unhappy with how we have handled your personal data, please contact us at privacy@sonaverse.ai in the first instance.

If you remain dissatisfied after contacting us, you have the right to lodge a complaint with a supervisory authority:

If you are based in...Supervisory authority
The United KingdomInformation Commissioner's Office (ICO) · www.ico.org.uk · 0303 123 1113
The European Economic AreaYour national data protection authority. See edpb.europa.eu for a list.
SwitzerlandFederal Data Protection and Information Commissioner (FDPIC) · www.edoeb.admin.ch

13. Cookies and Tracking Technologies

CategoryPurposeConsent required?
Strictly necessaryEssential for the platform to function: session authentication, security tokens, load balancing. Cannot be disabled.No — necessary for the service.
FunctionalRemembering your preferences, language settings, and display choices.Yes — set only with your consent via our cookie banner.
AnalyticsUnderstanding how users navigate the platform to improve the experience. Data is aggregated and not used to identify individuals.Yes — set only with your consent.
Analytics / functionalanon_id: a persistent identifier assigned on first visit that survives the login handoff, allowing us to link anonymous and authenticated sessions for product analytics purposes.Yes — set only with your consent via our cookie banner.
Payment processingCookies set by Stripe to process payments securely and detect fraud.Strictly necessary for payment functionality.

You can manage your cookie preferences at any time through the cookie settings panel accessible from the footer of our website.

We do not use cookies or tracking technologies for the purpose of serving targeted advertising to you, and we do not share cookie data with advertising networks.

14. Children's Data

Our Services are not directed at and may not be used by persons under the age of 18. We do not knowingly collect personal data from anyone under 18. If you believe that a person under 18 has provided us with personal data, please contact us immediately at privacy@sonaverse.ai and we will take prompt steps to delete that data.

A sona may only be created of a living adult. The creation of a sona of a minor is absolutely prohibited under our Terms of Service and Prohibited Use Policy.

15. Security

We implement appropriate technical and organisational measures, which include:

  • Encryption of data in transit (TLS) and at rest;
  • Role-based access controls limiting internal access to personal data on a need-to-know basis;
  • Row-level security (RLS) policies enforced at the database layer, ensuring that data is segregated by user and Access Tier;
  • Regular security reviews and vulnerability assessments;
  • Access logging for sensitive operations.

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the ICO within 72 hours of becoming aware of it, and we will notify affected individuals without undue delay where the breach is likely to result in a high risk to their rights and freedoms.

If you become aware of or suspect a security vulnerability or data breach involving our platform, please notify us immediately at security@sonaverse.ai.

16. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by email and by posting a notice on the platform at least 30 days before the change takes effect.

The current version is always available at www.sonaverse.ai/privacy.

Where a change to this Policy requires your consent, we will seek that consent separately before processing your data for that new purpose.

Appendix: Key Terms Used in This Policy

TermMeaning
Data controllerThe entity that determines the purposes and means of processing personal data. Sonaverse Ltd is the data controller for all personal data processed through the Sonaverse platform.
Data processorAn entity that processes personal data on behalf of a data controller, under the controller's instructions.
Personal dataAny information relating to an identified or identifiable living individual.
Special category dataPersonal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, sex life or sexual orientation, genetic data, or biometric data processed for the purpose of uniquely identifying a person.
UK GDPRThe UK General Data Protection Regulation: the retained EU law version of the EU GDPR as it forms part of UK law by virtue of the European Union (Withdrawal) Act 2018.
UK IDTAUK International Data Transfer Agreement: the mechanism approved by the ICO for transferring personal data from the UK to countries without an adequacy decision.
ICOInformation Commissioner's Office: the UK's independent supervisory authority for data protection law.
Legitimate interestsA lawful basis for processing personal data under UK GDPR where the processing is necessary for our legitimate interests or those of a third party, provided those interests are not overridden by your interests or rights.

Legal documents