Privacy Policy
Last updated: 19 May 2025
The short version: We collect only what's necessary to run the service. We don't sell your data. Audio streamed through Sono passes directly between your devices peer-to-peer — it never touches our servers.
1. Who we are
Sono is operated as a personal project based in the United Kingdom. For any privacy-related questions, you can contact us at support.sonno@gmail.com.
When we say "Sono", "we", "us" or "our", we mean the operator of this service. When we say "you" or "your", we mean the person using our website or service.
2. What data we collect
We collect the minimum data needed to operate the service:
- Account information — your email address and a hashed (bcrypt) version of your password when you register. We never store your password in plain text.
- Plan and billing information — your subscription status (free or Pro). Payment details are handled entirely by Stripe and never stored on our servers.
- Saved rooms — room names and codes you choose to save as a Pro user. Room passwords are stored but we recommend treating them as low-security codes, not sensitive credentials.
- Session metadata — timestamps of when free sessions are used, to enforce the session cooldown period. No audio content is logged.
- Usage patterns — basic server logs (IP addresses, request paths, timestamps) kept for up to 30 days for security and debugging purposes.
We do not collect: audio content, names, phone numbers, location data, or any tracking data beyond standard server logs.
3. How we use your data
We use the data we collect exclusively to:
- Create and manage your account
- Enforce plan limits (session length, device count)
- Process payments via Stripe
- Send transactional emails (password reset links) — no marketing emails
- Investigate security incidents using server logs
We will never sell your data, share it with advertisers, or use it for any purpose not listed above.
4. Audio data
Sono streams audio directly between your laptop and your phone using WebRTC peer-to-peer technology. Audio content is never routed through, stored on, or processed by our servers.
Our signalling server only facilitates the initial connection handshake (exchanging connection metadata). Once the connection is established, all audio flows directly between your devices.
When a TURN relay server is used (for connections across different networks), audio packets may pass through the relay server momentarily, but they are not logged, recorded, or inspectable in transit.
5. Third-party services
We use the following third-party services:
- Stripe — payment processing. Stripe handles all card data under their own Privacy Policy. We receive only your Stripe customer ID and subscription status.
- Google Fonts — fonts are loaded from Google's CDN. Google may log font requests per their Privacy Policy.
- STUN/TURN servers — used to establish peer-to-peer connections. Your IP address may be exchanged with these servers during connection setup. On the free plan, we use Google's public STUN server.
- QR code API — room codes are encoded into QR codes using the free api.qrserver.com API. The room code is sent to this service when generating a QR image.
We do not use analytics platforms, advertising networks, or any tracking services.
6. Cookies and browser storage
We use a single httpOnly session cookie called sono_token to keep you logged in. This cookie:
- Contains a signed JWT (JSON Web Token) — not your password or personal data
- Expires after 30 days
- Is marked httpOnly so it cannot be read by JavaScript
- Is marked Secure in production (HTTPS only)
We also use localStorage to store the cooldown timestamp for free sessions. This data lives only in your browser and is automatically cleared when the cooldown expires.
We do not use any third-party cookies or tracking cookies.
7. Data retention
- Account data — kept for as long as your account exists. You can request deletion at any time.
- Server logs — automatically deleted after 30 days.
- Password reset tokens — expire after 1 hour and are cleared from our database after use.
- Stripe data — governed by Stripe's retention policies. We can request deletion from Stripe on your behalf.
To request deletion of your account and all associated data, email us at support.sonno@gmail.com with the subject "Data deletion request".
8. Your rights (UK GDPR)
As a UK resident, you have the following rights under UK GDPR:
- Right of access — request a copy of all data we hold about you
- Right to rectification — ask us to correct inaccurate data
- Right to erasure — ask us to delete your data ("right to be forgotten")
- Right to restriction — ask us to limit how we process your data
- Right to data portability — receive your data in a machine-readable format
- Right to object — object to our processing of your data
To exercise any of these rights, email support.sonno@gmail.com. We will respond within 30 days.
You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) if you believe we have not handled your data correctly.
9. Security
We take reasonable steps to protect your data:
- Passwords are hashed using bcrypt with a cost factor of 12 — they cannot be reversed
- Session tokens are signed JWTs stored in httpOnly cookies, not accessible to JavaScript
- All connections in production use HTTPS/TLS
- API endpoints are rate-limited to slow brute-force attempts
No system is perfectly secure. If you discover a security vulnerability, please disclose it responsibly by emailing support.sonno@gmail.com.