Privacy Policy

Effective Date: December 11, 2023

This is the privacy policy (Policy) of Sona Systems, Ltd. and Sona Systems, LLC (together, Company, we, us, our). If you are a customer, it is part of your contract with the Company. For customers in the United States; Canada (unless set out on your invoice); and South America, Company transmits data to servers located in the United States. For customers in Europe and the UK/Gibraltar, Company may transmit the Customer Record and Inquiry Information to servers located in the United States, on the basis of Company’s participation in the Data Privacy Framework Program (“DPF”), specifically the EU-U.S. Data Privacy Framework and the UK Extension to the EU-U.S. Data Privacy Framework (with respect to the latter, as of October 12, 2023) and the related adequacy decisions by the European Commission and UK Government, but will not transmit Subject Information to servers located outside the European Union. For customers outside the aforementioned regions (such as in the Asia-Pacific region), the Company transmits data to servers located in Japan.

Company complies with the EU-U.S. Data Privacy Framework and the UK Extension to the EU-U.S. Data Privacy Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union and/or United Kingdom (as applicable) to the United States. Company has certified to the Department of Commerce that it adheres to the DPF Principles of Notice, Choice, Accountability for Onward Transfer, Security, Data Integrity and Purpose Limitation, Access, and Recourse, Enforcement and Liability. If there is any conflict between the terms in this Policy and the DPF Principles, the DPF Principles shall govern. To learn more about the DPF program, and to view our certification, please visit:

In compliance with DPF Principles, Company commits to resolve complaints about our collection or use of personal information of EU or UK individuals. European Union or UK individuals with inquiries or complaints regarding our compliance with the DPF program should first contact Company. Company and its Data Protection Officer, Justin Fidler, may be reached at [email protected] or by mail at Sona Systems, Trummi 5, 12616 Tallinn, ESTONIA. If you have a question regarding our Privacy Policy, please contact us. Company commits to cooperate with the panel established by the EU data protection authorities (DPAs) and comply with the advice given by the panel with regard to data transferred from the EU to the US and to cooperate with the UK Government, ICO and/or GRA, as applicable, with regard to data transferred from the UK and/or Gibraltar to the US. The Federal Trade Commission has jurisdiction over Company’s compliance with the DPF program. Under certain conditions, you may have the right to invoke binding arbitration for complaints regarding the DPF not resolved by any of the other DPF mechanisms. More information can be found at

Company also complies with the European Union’s General Data Protection Regulation (GDPR) and the United Kingdom General Data Protection Regulation (UK GDPR). EU citizens and citizens of the UK/Gibraltar, as applicable, also have the right to lodge a complaint with a supervisory authority.

Finally, Company complies with the California Consumer Privacy Act of 2018 (“CCPA”). A consumer whose personal information is covered by CCPA (as defined in that law) may contact Company as follows to request required disclosures under CCPA:

The most recent version of this Policy will always be available at this address. Any changes to this Policy, other than necessary to remedy typographical errors, will be announced by email to customers to the primary address you have on file with us.

This Privacy Policy applies to the following information, received directly by the Company, of which it is the Controller:

  • Information obtained via inquiries
  • Information necessary to provide Company’s services to customers; and
  • Information processed by Company while providing services to customers.

How Company uses information obtained via inquiries

When a third party contacts us via our website or other means, Company may collect information voluntarily provided by that third party, of which the Company is the Controller, including (“Inquiry Information”):

  • Third party’s Corporate name;
  • Name of an individual who serves as the third party’s contact;
  • Email address of contact person

How Company uses information necessary to provide Company’s services to customers

Company collects the following information from customers when they contract for Company’s services (the “Customer Record”), of which Company is the Controller:

  • Customer corporate name;
  • Contact name of an individual at customer’s location who is responsible for the services;
  • Email addresses provided to Company by the customer as contact points;
  • Physical address; and
  • Payment information.

Information that is part of the Customer Record will be used by Company to:

  • Collect payment (in conjunction with a third-party payment processor);
  • Market Company’s services to the customer;
  • Contact the customer about issues related to the service;
  • Contact the customer about issues of general interest to Company’s customers; and
  • In response to an inquiry about the status of Company’s services and to provide troubleshooting about those services.

Except as stated above, the Customer Record may be shared with third parties only in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.

The Customer Record will only be sold by Company in conjunction with the sale, or other acquisition, of its business. It is not otherwise sold or rented to third parties.

The Company does not market to individuals under sixteen years of age and does not knowingly collect information directly from these individuals.

Customer Record information is collected on the basis of the contractual relationship between the Company and Customer, except that contact names and email addresses of individuals may be collected on the basis of the Company’s legitimate interest in having one or more contacts with whom Company can correspond regarding the Customer. Customers may opt out of providing information for their Customer Record by declining to be Customers. Providing information for a Customer Record is required to become a Customer. Data subjects (as defined in GDPR) may request from the Company access to, rectification of, erasure of, restriction of processing of the data subject’s information in the Customer Record when applicable (as provided at Articles 15, Section 2 & Articles 16-18, Section 3, Chapter III of GDPR), and the Company may be informed by email of any changes to the Customer Record. Data subjects also have the right to data portability as provided at Article 20, Section 4, Chapter III of GDPR and the right to object to processing of applicable data within the Customer Record, as provided at Article 21, Section 4, Chapter III of GDPR.

Should Company practices with respect to processing or use of a Customer Record change, or should Company desire to disclose the Customer Record to any third party not acting as an agent of Company, Company will provide you with notice (either by means of an amendment to this Privacy Policy or otherwise) and provide an opportunity for you to opt out.

The DPF Principles describe Company’s obligations with respect to personal information that it transfers to third parties as described in this Privacy Policy. Company remains responsible and liable as provided in the DPF Principles if the third party processes the personal information in a manner that is not consistent with the DPF Principles, unless Company proves that it is not responsible for the event giving rise to the damage.

How Company uses information processed by it while providing services to customers

Company’s services process the following personally identifiable information provided to Company by its customers (the “Subject Information”), of which the Customer is the Controller:

  • Full name and email address of each user, and user’s language preference for the system interface.
  • Other information chosen by the customer in Company’s interface, which may include, but is not limited to: university identification number, telephone number, course enrollment information, study sign-up information, research data collected in online surveys, data collected as part of prescreening for eligibility in research studies.

For the sake of clarity, you should know that Company does not collect this Subject Information independently and does not export any Subject Information that originates in the EU or UK/Gibraltar, as applicable. Rather, the information is stored on third-party server infrastructure in the relevant geographical location.

Subject Information will be used by Company to:

  • Perform the services as set out in the agreement between Company and its customer;
  • To maintain the infrastructure that supports the services; and
  • In response to an inquiry by the customer providing the Subject Information to Company to troubleshoot those services.

Subject Information will be provided to third parties in the following circumstances:

  • To backup the Subject Information (in conjunction with a third party that specializes in backup services);
  • As authorized by Company’s customer; and
  • In response to lawful requests by public authorities, including to meet national security or law enforcement requirements.

Subject Information will only be sold by Company in conjunction with the sale, or other acquisition, of its business.

How Company uses other types of information

Cookies. Cookies are small data files that are placed automatically on a customer’s computer by our computers. These data files are read by our computer to determine whether you have visited our site before, how often, the length of time and which pages you view. Company uses cookies to keep customers logged into its service; to collect transactional information about where its customers go during their use of our services and how they behave as well as to set language preferences. Cookies are not used in conjunction with Subject Information, and, other than as necessary to keep a customer logged into the services, do not identify an individual. Information collected using cookies is not sold by Company, or used outside the services, other than as necessary to provide the services to customers.

Google Analytics. Company uses Google Analytics where visitors to our website consent to such use. You may view information about how Google Analytics collects and processes data at: When you first visit or use our website, you will be asked to consent to the storing and accessing of cookies and other information on your computer or other electronic device.

Statistical Information. Company uses statistical information to operate the infrastructure necessary to provide the services to customers and to diagnose problems with this infrastructure. Statistical information is the following: the IP address used by a customer, or subject, to access the services; page access information; study selection, modification, and other transactional information related to the studies and study sign-ups. Statistical information is not used in conjunction with Subject Information. Statistical Information, including IP address, is collected on the basis of the Company’s legitimate interest in operating its infrastructure so as to provide services to its customers. Statistical information is not sold by Company, or used outside the services, other than as necessary to provide, troubleshoot, and bill the services to customers.

Credit Card Information. The Company directs Customers who seek to pay by credit card to a credit card processing company. This may be either PayPal or Stripe, depending upon the amount of the transaction and the currency in which Customer proposes to pay. Information transmitted to a credit card company directly by Customers is governed by and subject to the terms and conditions of such credit card processing company.

Deletion and Preservation of Information. Information covered by this Policy may be deleted upon a customer’s request or, for Subject Information, by customer’s own independent action in its discretion. Absent a request for deletion, Company may otherwise retain Customer Record and Inquiry Information for the convenience of those using or inquiring about its services. Company may also retain information as required by law.

Changing and Correcting Information. To access or update Customer Record or Inquiry Information, customer must contact Company as described above in this Policy. Subject Information can be accessed or updated by a data subject or by customer’s administrator.