Sona Systems Supplemental Privacy Statement

Effective Date: April 11, 2024

This Supplemental Privacy Statement describes how Sona Systems, Ltd (”Sona”) collects, uses, maintains, and discloses personal data about users of Sona’s cloud-based research and participant management software (the “Services”). Each individual user is referred to in this document as a “User.” Sona’s “Customer” is the institution through which the User participates.

This Supplemental Privacy Statement applies only to personal data of which Sona is the controller for purposes of the EU General Data Protection Regulation and UK General Data Protection Regulation (together, “GDPR”) and, separately, to the extent Sona is a “business” for purposes of the California Consumer Privacy Act of 2018 (“CCPA”). To view Sona’s complete Privacy Policy, please visit:

Sona collects the User’s IP address information and associated login information when the User logs into the Services. This information is collected for the purpose of:

  • Performing the Services as set out in the agreement between Sona and its Customer;
  • Maintaining the infrastructure that supports the Services; and
  • Troubleshooting those Services in response to Customer inquiries.

This processing is necessary for the purposes of the legitimate interests pursued by Sona and its Customer. Sona retains the personal data described above for approximately 6 months, except that it may be deleted upon a Customer’s request, unless Sona is subject to other legal retention requirements.

The information referred to above will be stored on servers located within the EU, and is never transferred to a third country.


Under GDPR, a User has the right to:

  • information about the processing of the User’s personal data;
  • obtain access to the personal data held about the User;
  • ask for incorrect, inaccurate or incomplete personal data to be corrected;
  • request that personal data be erased when it’s no longer needed or if processing it is unlawful;
  • object to the processing of personal data for marketing purposes or on grounds relating to the User’s particular situation;
  • request the restriction of the processing of User’s personal data in specific cases; and
  • receive User’s personal data in a machine-readable format and send it to another controller (‘data portability’)

Sona does not engage in automated decision-making, including profiling, that affects Users.

European Union and UK individuals with inquiries or complaints regarding privacy matters should first contact Sona.

For EU individuals, Sona and its Data Protection Officer, Justin Fidler, may be reached by email at [email protected] or by mail at Sona Systems, Trummi 5, 12616 Tallinn, ESTONIA. EU individuals also have the right to lodge a complaint with a supervisory authority.

For UK individuals, we have appointed GRCI Law Limited to act as our UK Representative. If you wish to exercise your rights under the UK General Data Protection Regulation (GDPR), or have any queries in relation to your rights or privacy matters generally please email our Representative at [email protected] or post your request or query to: UK Representative, GRCI Law Limited, Unit 3, Clive Court, Bartholomew’s Walk, Cambridgeshire Business Park, Ely, Cambridgeshire, CB7 4EA, UK. When contacting our Representative please ensure you include our company name in any correspondence. UK individuals also have the right to lodge a complaint with the Information Commissioner’s Office.


A User whose personal information is covered by CCPA (as defined in that law) may contact Company as follows to request required disclosures under CCPA:


Cookies are small data files that are placed automatically on a User’s computer by Sona’s computers. Sona uses cookies to keep Users logged into its service; to track a User’s language preference for the interface; and to track if a User has chosen to dismiss the window referring to this Supplemental Privacy Statement. Information collected using cookies is not sold by Sona, or used outside the services, other than as necessary to provide the services to Users.