Privacy Policy
01. Who we are (data controller)
This Privacy Policy explains how Sonn — registered company name, e.g. "Sonn d.o.o." ("Sonn", "we", "us", "our"), a company incorporated in the Republic of Serbia, collects, uses, and protects personal data when you visit sonn.dev, create an account, or use the Sonn software. We are the data controller of the personal data described here.
02. Which laws apply, and our local-first design
As a Serbian company, our home framework is the Serbian Law on Personal Data Protection ("Zakon o zaštiti podataka o ličnosti", Official Gazette of RS 87/2018 — the "LPDP"). Because we offer Sonn to people in the EU/EEA and the UK, the EU General Data Protection Regulation (GDPR) and the UK GDPR also apply to that processing. If you are a California resident and the relevant thresholds are met, the CCPA (as amended by the CPRA) applies — see section 11. These regimes are closely aligned, and this single policy is written to satisfy all of them.
The most important thing to understand is that Sonn is local-first, so the data that matters most never reaches us:
- Your source code is read and written only on your own machine.
- Your memory database — the local file recording sessions, embeddings, and learned patterns — lives on your disk, inside your own trust boundary.
- Prompts and model generation run through your own model-provider credentials. They go to the provider you already trust, under your agreement with them — not through a Sonn server.
The volume of your source code stored on Sonn servers is zero bytes. This policy therefore concerns the limited account, subscription, support, and security data described below.
03. Personal data we collect
We practise data minimisation — we collect only what we need to run the service.
- Account data — your email address and authentication details, used to create and secure your account. Collected directly from you.
- Subscription data — your plan, subscription status, and trial dates. Paid plans are sold, and payments processed, by Polar, our merchant of record; we never receive or store your card or payment details. We receive only limited information from Polar — such as your email and whether your subscription is active — so we can unlock the right features.
- Support data — the content of messages you send us and the email address you write from.
- Technical & security logs — limited server logs (e.g. IP address, timestamp, request type) needed to keep the site available and secure and to prevent abuse.
We do not use website analytics or advertising trackers, and we do not collect product telemetry from the client. We do not intentionally collect special-category / sensitive personal data (such as health, biometric, or political data), and we ask that you don't send it to us.
04. How & why we use it (legal bases)
Under the LPDP, GDPR and UK GDPR we must have a lawful basis for each purpose. They map as follows:
Providing your email is necessary to create an account and use Sonn; without it we cannot provide the service. To buy a paid plan you give payment details to Polar (our merchant of record) at checkout, not to us — we never receive your card details. We do not sell your personal data, and we do not use your code, prompts, or memory to train AI models.
05. Automated decision-making & profiling
We do not make decisions about you that produce legal or similarly significant effects through solely automated means, and we do not profile you for advertising. Sonn's "reasoning" features run on your own machine over your local memory database to assist your coding; they are not server-side profiling of you as an individual.
06. Cookies & similar technologies
We use only strictly necessary cookies — for example to keep you signed in and to keep the site secure. These are required for the service to work and, under the law, do not require consent. We do not set analytics, advertising, or other non-essential cookies, so there is no cookie consent banner. Where you send a browser-level opt-out signal such as Global Privacy Control (GPC), we honour it.
07. Sharing & service providers
We don't sell your data or share it for cross-context behavioural advertising. We disclose limited data to vetted processors who act on our instructions, each receiving only what their function requires:
- Polar — our merchant of record: Polar sells, bills, and processes your subscription (including payment and tax) and provides the customer portal. Polar collects your payment data as an independent controller under its own privacy policy; we receive only your subscription status and contact email.
- Hosting provider — hosts our website and account systems.
- Email / transactional-mail provider — sends account and support emails.
Your chosen model provider is not our service provider: when Sonn runs generation, your prompts go to that provider under your own credentials and your agreement with them, not ours. Their handling of that data is governed by their terms.
We may also disclose data where required by law, to enforce our terms, or as part of a merger or acquisition (with notice where required). A current list of sub-processors is available on request at privacy@sonn.dev.
08. International data transfers
We and our providers may process data in countries outside Serbia, the EEA, or the UK — including the United States. We transfer personal data only with a lawful safeguard in place:
- To countries recognised as providing an adequate level of protection (including those on Serbia's official list and EU-adequate countries), we transfer freely.
- To other countries, including the United States, we rely on the Serbian Standard Contractual Clauses adopted by the Commissioner (and, for EU/UK data, the European Commission's SCCs and the UK Addendum).
You can request a copy of the relevant safeguards using the contact details in section 15.
09. Data retention
We keep personal data only as long as needed for the purpose for which it was collected:
When you delete your account, we delete or anonymise your personal data except where the law requires us to keep limited records. Your local memory database is yours to delete at any time; it never left your machine.
10. Your rights
Under the Serbian LPDP, the GDPR and the UK GDPR you have the right to:
- Access the personal data we hold about you.
- Rectify inaccurate or incomplete data.
- Erase your data ("right to be forgotten").
- Restrict or object to certain processing, including processing based on legitimate interests.
- Portability — receive your data in a structured, machine-readable format.
- Withdraw consent at any time, where we rely on consent, without affecting prior processing.
- Lodge a complaint with a supervisory authority (see section 15).
You can exercise most of these from your account page, or by emailing privacy@sonn.dev. We respond within the statutory timeframe (generally one month) and won't charge you for a reasonable request.
11. Your rights (California — CCPA/CPRA)
If you are a California resident, and the CCPA applies to us, you have the right to know, delete, and correct your personal information, to opt out of any "sale" or "sharing", to limit the use of sensitive personal information, and to non-discrimination for exercising your rights.
In practice: we do not sell or share your personal information as those terms are defined under the CPRA, we do not use or disclose sensitive personal information beyond legally permitted purposes, and we honour Global Privacy Control signals. The categories we collect, our purposes, sources, and recipients are described in sections 03, 04 and 07, and our retention in section 09. To make a request, email privacy@sonn.dev; you may use an authorised agent, and we will verify your request before acting on it. We do not offer financial incentives in exchange for personal information.
12. Children's privacy
Sonn is a developer tool not directed to children. We do not knowingly collect personal data from anyone under 16 (or the minimum age of digital consent in your country; under 13 in the United States). If you believe a child has provided us data, contact us and we will delete it.
13. Security & breach notification
We protect account and subscription data with encryption in transit, scoped access controls, and reputable infrastructure providers. The strongest protection is structural: because your code and memory never leave your machine, there is no central store of your source for anyone to breach. No system is perfectly secure, but we maintain measures appropriate to the risk. If a personal-data breach occurs, we will notify the competent supervisory authority without undue delay (and, where feasible, within 72 hours), and affected users where the breach is likely to result in a high risk to their rights, as the law requires.
14. Changes to this policy
We may update this policy as the product or the law evolves, and we review it at least once a year. We'll change the "last updated" date above and, for material changes, give reasonable notice (for example by email or an in-product notice). Continuing to use Sonn after changes take effect means you accept the updated policy.
15. Contact & complaints
Questions, requests, or complaints about your privacy? Reach our privacy team. You also have the right to complain to a data protection authority: