How we handle your data

We collect the following categories of personal data:

We use the personal data we collect for the following purposes:

• Providing our service: Processing customer data you upload to generate and send outreach campaigns (emails and SMS) on your behalf.
• AI-powered personalisation: Using artificial intelligence to draft personalised communications based on the customer data you provide. AI processing is done in real time with zero data retention by AI providers.
• Campaign analytics: Tracking delivery, opens, clicks, replies, and bounces to provide you with performance reporting.
• Account management: Authenticating your access, managing your subscription, and providing customer support.
• Compliance and safety: Enforcing suppression lists, honouring opt-out requests, and preventing misuse of the platform.
• Improving our service: Analysing aggregated, anonymised usage patterns to improve platform features and performance.

Under the UK General Data Protection Regulation (UK GDPR), we process personal data on the following legal bases:

• Contract performance (Article 6(1)(b)): Processing necessary to deliver the SonaLift platform and services you have contracted for.
• Legitimate interests (Article 6(1)(f)): Processing for analytics, security, and service improvement where our interests do not override your rights.
• Legal obligation (Article 6(1)(c)): Processing required to comply with applicable laws, including data protection and electronic communications regulations.
• Consent (Article 6(1)(a)): Where you have given explicit consent, such as opting in to marketing communications from SonaLift. You may withdraw consent at any time.

When we process customer data on your behalf (as a data processor), you are the data controller and are responsible for ensuring you have a valid legal basis for the personal data you upload.

We only share personal data with third parties where strictly necessary to provide our service:

• Supabase: Database hosting and authentication infrastructure. Data encrypted at rest and in transit.
• Anthropic (Claude AI): AI content generation. Zero data retention policy — your data is not stored or used for model training.
• Resend: Email delivery service for campaign emails.
• Twilio: SMS delivery service for campaign text messages.
• Render: Application hosting infrastructure.

We will never:

• Sell your personal data or your customers' data to anyone.
• Share data between different SonaLift clients.
• Use your data for advertising or marketing by third parties.
• Share mobile phone number opt-in data or consent with any third parties or affiliates for marketing or promotional purposes.

When you use SonaLift to send SMS messages to your customers, the following applies:

• No mobile information will be shared with third parties or affiliates for marketing or promotional purposes.
• All categories of data exclude text messaging originator opt-in data and consent. This information will not be shared with any third parties.
• Every SMS includes a clear opt-out mechanism (Reply STOP). Opt-out requests are processed immediately and the number is permanently added to suppression lists.
• SMS messages comply with the Telephone Consumer Protection Act (TCPA) and applicable messaging regulations.
• Message frequency varies by campaign. Message and data rates may apply.

We retain personal data only for as long as necessary:

• Account data: Retained for the duration of your account plus 30 days after closure.
• Customer data you upload: Retained for the duration of your account. Upon account closure or your written request, all customer data is permanently deleted within 30 days.
• Campaign analytics: Retained for the duration of your account to provide historical reporting.
• Suppression lists: Retained indefinitely to ensure opted-out contacts are never re-contacted, even after account closure.
• AI processing data: Not retained. AI providers process data in real time with zero storage.

Under UK GDPR, you have the following rights regarding your personal data:

• Right of access: Request a copy of the personal data we hold about you.
• Right to rectification: Request correction of inaccurate or incomplete data.
• Right to erasure: Request deletion of your personal data where there is no compelling reason to continue processing.
• Right to restrict processing: Request that we limit how we use your data in certain circumstances.
• Right to data portability: Request a machine-readable copy of your data to transfer to another service.
• Right to object: Object to processing based on legitimate interests.
• Rights related to automated decision-making: Our AI generates draft content only. All outreach is subject to human review and approval before sending. No solely automated decisions with legal or significant effects are made.

To exercise any of these rights, contact us at hello@sonalift.co. We will respond within 30 days.

Our platform uses only essential cookies required for authentication and session management. We do not use advertising cookies, tracking pixels from third-party ad networks, or social media tracking cookies.

• Session cookies: Used to keep you logged in and maintain your session. Expire when you close your browser or after a set period.
• Authentication tokens: Securely stored to verify your identity. Essential for platform functionality.

Because we only use strictly necessary cookies, no cookie consent banner is required under UK/EU regulations.

Some of our service providers process data outside the UK and European Economic Area. Where this occurs, we ensure appropriate safeguards are in place, including:

• Standard Contractual Clauses (SCCs) approved by the relevant authorities.
• Providers certified under recognised data protection frameworks.
• Contractual commitments to data protection standards equivalent to UK GDPR.

We implement appropriate technical and organisational measures to protect your personal data:

• Encryption in transit (TLS) and at rest (AES-256).
• Complete data isolation between clients at the database level.
• Secure authentication with session management.
• Regular security reviews and dependency updates.
• Access controls limiting data access to authorised personnel only.

For full details on our security practices, see our Data Protection page.

SonaLift is a business-to-business platform. Our services are not directed at individuals under 18 years of age. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a minor, please contact us immediately at hello@sonalift.co and we will delete it promptly.

We may update this privacy policy from time to time to reflect changes in our practices, technology, or legal requirements. When we make material changes, we will notify you by email or through a notice on our platform before the changes take effect.

We encourage you to review this page periodically. The "Last updated" date at the top of this page indicates when the policy was last revised.