Privacy Policy
Last updated: February 2026 • GDPR Compliant
Privacy at a Glance
- We collect minimal data – Only what is needed to provide the service
- No third-party marketing – We never sell or share your data for marketing
- Deleted on cancellation – Account data removed within 30 days
- UK GDPR & DPA 2018 compliant – Full data protection rights enforced
1. Who We Are
Sonosfera ("we", "us", "our") is a B2B background music streaming service operated from the United Kingdom. We are the data controller for the personal data described in this policy. For data protection enquiries, contact us at privacy@sonosfera.app.
2. Data We Collect
| Data | Purpose | Legal Basis |
|---|---|---|
| Email address | Account login, communications | Contract |
| Business name | Account identification | Contract |
| Password (hashed) | Account security | Contract |
| Subscription plan | Service delivery | Contract |
| Payment info | Billing (processed by Stripe) | Contract |
| Device identifiers | Session management, one-device enforcement | Legitimate interest |
| IP address | Security, fraud prevention, session validation | Legitimate interest |
| Usage data | Service improvement, troubleshooting | Legitimate interest |
What We Do NOT Collect
- GPS or precise location tracking
- Data about your customers, clients, or venue visitors
- Audio recordings from your venue
- Personal data of your employees
- Sensitive or special category data
3. Legal Basis for Processing
Under the UK GDPR and the Data Protection Act 2018, we rely on the following legal bases:
- Performance of a contract – Processing necessary to provide the Sonosfera service you have subscribed to (account management, authentication, billing, music streaming).
- Legitimate interests – Processing necessary for our legitimate business interests (security, fraud prevention, service improvement), where these do not override your rights and freedoms.
- Legal obligation – Processing required to comply with applicable laws (e.g., tax and accounting records).
- Consent – Where we send you optional marketing communications, we rely on your explicit consent. You can withdraw consent at any time.
4. How We Use Your Data
- Providing access to music streaming and the Sonosfera platform
- Account creation, management, and authentication
- Enforcing one-device-per-location restrictions
- Processing payments and managing subscriptions via Stripe
- Sending transactional emails (billing notices, service updates, security alerts)
- Responding to your support enquiries
- Improving the Service based on aggregated, anonymised usage patterns
We do NOT sell your data, share it for third-party marketing, or use it for automated decision-making or profiling that produces legal effects.
5. Data Sharing & Sub-Processors
We do NOT share your data with any third parties for marketing purposes. We only share data with service providers essential to operating Sonosfera.
| Provider | Purpose | Data Processed | Location |
|---|---|---|---|
| Stripe | Payment processing | Payment details, email | US/EU (EU SCCs) |
| Supabase | Database and authentication | Account data, session data | EU (AWS Frankfurt) |
| Vercel | Website hosting | IP address, usage data | Global CDN (EU primary) |
All sub-processors are bound by Data Processing Agreements (DPAs) that require them to process data only as instructed, implement appropriate security measures, and comply with applicable data protection laws.
6. International Data Transfers
Some of our sub-processors may process data outside the UK and the European Economic Area (EEA). Where this occurs, we ensure appropriate safeguards are in place, including:
- EU Standard Contractual Clauses (SCCs) or UK International Data Transfer Agreements
- Adequacy decisions recognised by the UK and EU (e.g., the EU-US Data Privacy Framework)
- Contractual commitments from processors to maintain equivalent levels of data protection
7. Data Retention
| Data Type | Retention Period |
|---|---|
| Account data | Retained while subscription is active |
| After cancellation | Deleted within 30 days, except as noted below |
| Payment records | Retained for 7 years (UK tax/accounting obligations) |
| Support correspondence | Retained for 2 years after resolution |
| Security logs | Retained for 12 months |
When data is deleted, it is permanently removed from our active systems. Backups containing residual data are purged within 90 days of deletion.
8. Your Rights
Under the UK GDPR, the Data Protection Act 2018, and (where applicable) the EU GDPR, you have the following rights:
- Access – Request a copy of your personal data (Subject Access Request)
- Rectification – Correct inaccurate or incomplete data
- Erasure – Request deletion of your data ("right to be forgotten")
- Restriction – Restrict the processing of your data in certain circumstances
- Portability – Receive your data in a structured, machine-readable format
- Objection – Object to processing based on legitimate interests
- Withdraw consent – Where processing is based on consent, withdraw it at any time
- Complain – Lodge a complaint with the Information Commissioner's Office (ICO)
To exercise your rights, contact us at privacy@sonosfera.app. We will respond within 30 days. If you are an EU resident, you may also contact your local supervisory authority.
9. Data Security
We implement appropriate technical and organisational measures to protect your data, including:
- Encryption of data in transit (TLS 1.2+) and at rest
- Passwords are hashed using industry-standard algorithms (never stored in plaintext)
- Role-based access controls for internal systems
- Regular security reviews and dependency updates
- Supabase Row Level Security (RLS) policies for database access
10. Cookies
We use only essential cookies required for authentication and security. We do not use advertising, analytics, or third-party tracking cookies. For full details, see our Cookie Policy.
11. Children's Privacy
Sonosfera is a B2B service designed for businesses. We do not knowingly collect or process personal data from individuals under the age of 18. If we become aware that we have collected data from a minor, we will take immediate steps to delete it.
12. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email or an in-app notification at least 30 days before taking effect. The "Last updated" date at the top of this page indicates when the policy was most recently revised.
13. Contact Us
For privacy questions, data requests, or to exercise your rights:
- Email: privacy@sonosfera.app
- Supervisory authority: Information Commissioner's Office (ico.org.uk)
Your privacy matters to us. We only collect what we need and never sell your data.