Privacy Policy
Last updated: 2026-05-28
1. What we collect
When you sign up we collect: your email address, a hashed password (we never see the plaintext), and your preferences (market focus, quiet hours, language, notification choices). When you use the Service we collect: the rules you create, the alerts you receive, your AI chat messages, basic usage metrics (page views, error logs), and — if you connect Telegram — your Telegram chat ID. We collect your IP address transiently during a request and store it only in audit logs for security events (such as login attempts).
2. What we DO NOT collect
We never ask for or store your brokerage credentials, trading account passwords, portfolio holdings, or transaction history. We have no way to view, place, or modify trades on your behalf. We do not access your contacts, location, microphone, or camera. We do not use third-party advertising cookies or trackers.
3. How we use it
Your data is used to: (a) deliver the Service (evaluate your alert rules, send notifications, answer your AI chat questions); (b) communicate with you about your account, billing, or security; (c) improve the product (anonymous aggregate metrics, never individual behavior). We never sell, rent, or share your personal data with third parties for marketing.
4. Payments — Stripe
All payments are processed by Stripe (https://stripe.com). Stripe handles your credit card number, billing address, and CVV directly — we never see them. We store only a Stripe customer ID and the resulting subscription status. Stripe's own privacy policy governs that flow.
5. Service providers we use
We share the minimum necessary data with these vendors so the Service can function: Stripe (payments), Resend (transactional email), Anthropic (AI chat — your messages and a market-context summary are sent for inference; Anthropic does not train on this data per their API terms), Cloudflare (hosting + DNS), and our infrastructure provider for compute and database. Each vendor is bound by their own data-processing terms.
6. Security
All data is encrypted in transit (TLS) and at rest. Passwords are hashed with bcrypt at cost factor 12. Refresh tokens are stored as SHA-256 hashes only — even a database leak doesn't expose live sessions. Access to production systems is limited to operators and logged. Our security tracking flags failed login bursts and other anomalies.
7. Your rights
You can: (a) export everything we have about you as JSON from Settings; (b) delete your account permanently from Settings — deletion cascades across alerts, rules, push subscriptions, and chat history; (c) ask us to correct any inaccurate information by emailing privacy@sonartradings.com; (d) opt out of the weekly digest from Settings while keeping critical transactional emails (security, billing).
8. Data retention
Active accounts: we keep your data as long as your account exists. Deleted accounts: hard-deleted immediately on request; audit-log entries referencing the deletion event remain for security purposes but no longer link to you. Backups are retained for 30 days, after which deleted data is purged from those too.
9. Cookies
We use only essential cookies: your authentication token (sonar:token), a refresh token, a language preference (sonar-lang), and a cookie-consent record (sonar:cookie-consent). With your explicit consent we additionally load anonymous product analytics (PostHog or Google Analytics) to understand which features get used. We do not use advertising cookies. You can decline analytics from the banner at any time.
10. Children
Sonar is not intended for users under 18. We do not knowingly collect data from minors. If you believe a minor has registered, email privacy@sonartradings.com and we'll delete the account.
11. Contact
Questions about privacy: privacy@sonartradings.com