Privacy
SONA Privacy Policy
Effective date: 15-06-2026
Last updated: 15-06-2026
SONA is a calm, private place to understand your tinnitus symptoms. Because this app handles information about your health, we take privacy seriously, and we’ve tried to write this policy the way we’d want one written for us: plainly, honestly, and without hiding the parts that matter.
This policy explains what we collect, why, who (if anyone) we share it with, how long we keep it, and the rights you have over your data under the EU General Data Protection Regulation (GDPR).
Who we are
SONA (“we”, “us”, “the app”) is provided by Rodrigo Felicio, operating as an individual sole trader, based in Madrid, Spain.
We are the data controller for the personal data described in this policy. That means we decide what data is collected and why, and we’re responsible for protecting it.
- Contact: hello@sona-care.com
- Data Protection Officer: We have not appointed a DPO. You can reach us about any privacy matter at hello@sona-care.com.
What data we collect
We only collect what the app actually needs to work. We don’t run analytics SDKs, crash-reporting tools, advertising trackers, or any other third-party trackers; there are none in the app.
Here’s everything, grouped by type.
Account data
- Email address and password. Your password is securely hashed (bcrypt) and managed entirely by our authentication provider (Supabase Auth). The app never sees, stores, or transmits your plaintext password or its hash.
- Username / display name.
- Google Sign-In (optional). If you choose to sign in with Google, Google provides us with your email address and basic profile information to create your account. We never receive your Google password.
- Waitlist (pre-launch only). If you joined a SONA waitlist before having an account, we may hold your email address and the sign-up source. This is not linked to any account and exists only to let us contact you about launch.
Health data (special category, see the section below)
This is the heart of what SONA does, and the most sensitive information we hold:
- Your THI (Tinnitus Handicap Inventory) score (0–100), grade, and your per-question answers.
- Tinnitus details: side (left / right / both), start date, and duration.
- Somatic modulators: whether jaw, teeth, neck, or posture affect your tinnitus.
- Daily check-ins: tinnitus intensity (1–10), sleep hours and quality, stress, caffeine, alcohol, noise exposure, jaw tension, distraction, and mood.
- Free-text daily notes you choose to write.
- Self-reported tinnitus sound profile: frequency (Hz) per ear, relative loudness, dominant ear, and texture.
- AI-generated summaries: your weekly insight summaries and your specialist report summaries.
Behavioural data (how you use the app)
- Saved custom tones; sound-masking sessions; breathing sessions.
- Your Calm Space progress and any free-text reflections you write.
- News bookmarks and read state; clinical-trial matches and dismissals; community-interest signals.
- Your preferences and consent flags (research consent, trials opt-out, notification preferences).
- Any free-text feedback you send us.
Technical data
- A user UUID (a random internal ID that identifies your account in our database).
- Your authentication session token, stored encrypted on your device (iOS Keychain / Android Keystore via SecureStore).
- AI cost/usage telemetry (which AI feature ran, token counts, estimated cost), linked to your user ID so we can monitor and control costs. This is automatically de-identified (your ID is set to NULL) when you delete your account; see “Account deletion & what persists”.
Push notifications are local-only. SONA’s reminders are generated on your own device. We do not send a push token to any server, and no remote service tracks your notifications.
Special-category health data & your explicit consent
Most of what SONA stores is health data, which GDPR (Article 9) treats as a “special category” needing extra protection.
We process your health data on the basis of your explicit consent, which you give during setup before any health data is collected. You are always free to withdraw that consent: you can stop tracking at any time and delete your account, which erases this data (see “Account deletion & what persists”).
How we use your data, and our lawful basis
We use your data only for the purposes below. For each, we tell you the legal basis we rely on under GDPR.
| What we do | Why | Lawful basis |
|---|---|---|
| Create and run your account; let you log in | To provide the app you signed up for | Contract (Art. 6(1)(b)) |
| Store and display your tracking, profiles, sessions, bookmarks | Core app features | Contract (Art. 6(1)(b)); and explicit consent for the health-data parts (Art. 9(2)(a)) |
| Generate your weekly insight and specialist report summaries | To give you the personalised insights SONA exists for | Explicit consent for health data (Art. 9(2)(a)) |
| Match you to clinical trials and relevant news | To surface research that may matter to you | Contract / consent for the underlying health profile used |
| Keep the service secure; prevent abuse; monitor and control AI/infrastructure costs | To protect users and keep the app sustainable | Legitimate interests (Art. 6(1)(f)) |
| Send you waitlist / launch emails (pre-launch) | To tell you when SONA is available | Consent (Art. 6(1)(a)) |
| Record your research-consent and other preference flags | To honour your choices | Consent (Art. 6(1)(a)) |
We do not use your data for advertising, profiling for ads, or automated decisions that produce legal or similarly significant effects about you.
AI processing: exactly what happens (and what never does)
SONA uses AI for two features: your weekly insight summary and your specialist report. We know AI and health data together make people nervous, so here is precisely how it works.
- The AI provider is Anthropic (the Claude API), a US company.
- Anthropic receives de-identified health metrics only: the numeric symptom data needed to write a summary.
- Anthropic never receives your name, your email, your username, your user UUID, or any free text. Your daily notes, your reflections, and your feedback are never sent to AI.
- All AI calls happen server-side, inside our secure backend functions. The app itself never talks to Anthropic and never holds an AI key.
- For news and clinical-trial features, the AI receives zero user data, only public article and trial text.
In short: identifiable data about you never reaches Anthropic, and your private free-text writing is never sent to any AI.
Because Anthropic processes data in the United States, using these two summary features involves an international transfer of the de-identified metrics. See “International transfers”.
Who we share your data with
We do not sell your data, and we do not share it for advertising. We use a small number of carefully chosen service providers (“sub-processors”) who process data on our behalf, under contract.
| Sub-processor | What they do | What they receive | Where |
|---|---|---|---|
| Supabase | Hosts our database and authentication, stores all your data | All data described in this policy | EU (France) |
| Anthropic (Claude API) | Generates weekly + specialist summaries | De-identified health metrics only. Never name, email, username, UUID, or any free text | USA |
| Google (only if you choose Google Sign-In) | Sign-in / authentication identity | Email + basic profile | Per Google’s infrastructure |
| Expo / EAS | App build infrastructure | No end-user personal data is collected by the app through Expo. Push notifications are local-only | Per Expo’s infrastructure |
| ClinicalTrials.gov / PubMed / public research sources | Sources of public research content | No user data is sent; these are outbound fetches only | Public sources |
We may also disclose data if we’re legally required to (e.g. a valid court order), or to protect the rights and safety of our users.
Note on subscriptions: A subscription provider is not currently integrated. If and when paid subscriptions launch, this policy will be updated to describe that provider and the billing data involved.
International transfers
Your data is stored in the EU (France).
The one exception is the de-identified health metrics sent to Anthropic in the United States for your two summary features. Transfers of personal data outside the EU/EEA require appropriate safeguards under GDPR (Chapter V), such as the European Commission’s Standard Contractual Clauses (SCCs).
Data retention
We keep your personal data for as long as your account is active, so the app can show you your history and trends.
If your account is inactive for 24 consecutive months, we will delete it and its associated data. We will email you a warning before this happens, so you have the chance to keep your account active.
Waitlist emails are kept for up to 6 months from when you join the waitlist, or until you ask us to remove your email, whichever comes first.
When you delete your account, your data is removed as described in “Account deletion & what persists” below. Residual copies may persist in our provider’s encrypted backups for a limited period before they are cycled out, in line with our hosting provider’s backup practices.
Security
We protect your data with measures including:
- Encryption at rest and encryption in transit (TLS) for all data on our backend.
- Row Level Security in the database, so each user can only ever access their own data.
- Authentication via bcrypt-hashed passwords or Google OAuth, with short-lived signed (JWT) sessions.
- Your session token stored encrypted on your device (iOS Keychain / Android Keystore).
- Backend secrets and AI keys held server-side only, never shipped inside the app.
No system is ever perfectly secure, but we work to protect your data and to keep improving these measures.
Your rights
Under GDPR, you have the right to:
- Access the personal data we hold about you.
- Rectify data that is wrong or incomplete.
- Erase your data (“right to be forgotten”).
- Restrict how we process your data.
- Port your data (receive it in a portable format).
- Object to processing based on legitimate interests.
- Withdraw consent at any time (this won’t affect processing that already happened before you withdrew).
- Lodge a complaint with a data protection supervisory authority. In Spain, that’s the AEPD (aepd.es), or you can complain to the authority in your own EU country.
How to exercise your rights: You can access and delete most of your data directly in the app (Profile settings). For anything else, email us at hello@sona-care.com and we’ll respond within the timeframe GDPR requires (normally within one month).
Account deletion & what persists
You can delete your account at any time from within the app. This triggers a secure server-side process that deletes your authentication account and cascade-deletes all of your data across every table in our database.
For full honesty, here’s what remains after deletion, and why:
- AI usage-cost records are kept, but your user ID on them is set to NULL; they are no longer linked to you and become anonymous cost data.
- Aggregate, non-personal cost snapshots (totals that don’t identify anyone) are kept.
- Waitlist email: If you joined the SONA waitlist, that email is stored separately. If you want it removed, email us at hello@sona-care.com and we will delete it.
Children
SONA is intended for adults and is not directed to children. You must confirm you are at least 18 years old to create an account.
Changes to this policy
We may update this policy as SONA evolves. When we make a material change, we’ll update the “Last updated” date above and, where appropriate, let you know in the app. Significant changes affecting how we use your health data will be brought to your attention so you can review them.
Contact
Questions, requests, or concerns about your privacy?
Rodrigo Felicio
Email: hello@sona-care.com
You also have the right to contact the AEPD (Spain’s data protection authority, aepd.es) at any time.