Privacy Policy

Effective date: February 22, 2026

This Privacy Policy explains how SonIQ ("Company", "we", "us", or "our") collects, uses, shares, and protects your personal information when you use SonIQ Brain, our VS Code extension and related services. We are committed to protecting your privacy and being transparent about our data practices.

1. Data We Collect

1.1 Account Data

When you create an account, we collect:

• Email address - used for account identification, authentication, and communication
• Login / username - used for account identification
• Authentication tokens - session tokens for keeping you logged in

1.2 Service Data

When you use SonIQ Brain, we store the following on our servers to provide the persistent memory feature:

• Chat messages - your conversations with the AI assistant
• Memory entries - persistent context items you create or that are auto-generated from your conversations
• Project metadata - project names and configuration you associate with your account
• Custom roles - AI personas you create, including their names and system prompts

1.3 Subscription Data

When you subscribe, the following data is managed by our payment processor, Paddle:

• Payment method details (credit card, PayPal, etc.)
• Billing address and tax information
• Transaction history and invoices

We do not directly store your payment method details. Paddle acts as the Merchant of Record and handles all payment data. We receive only your subscription status, plan type, and transaction identifiers from Paddle.

1.4 Data We Do NOT Collect

• API keys - Your Anthropic and OpenAI API keys are stored locally in your VS Code settings and are never transmitted to or stored on our servers.
• Source code - We do not collect, transmit, or store your source code files. The extension reads files locally for context but does not send them to our servers.
• AI inference data - Requests to AI providers (Anthropic, OpenAI) are made directly from the extension on your machine using your API keys. These requests do not pass through our servers.

2. How We Use Your Data

We use the data we collect for the following purposes:

Purpose	Data Used
Provide and operate the Service	Account data, chat messages, memory entries, project metadata
Authenticate your identity	Email, login, session tokens
Process payments and manage subscriptions	Subscription data (via Paddle)
Send important service updates	Email address
Respond to support requests	Email address, account data
Improve the Service	Aggregated, anonymized usage patterns

We do not sell your personal data. We do not use your chat messages or memory entries to train AI models.

3. Third-Party Services

We use the following third-party services to operate SonIQ Brain:

3.1 Paddle (Payment Processor)

Paddle (Paddle.com Market Limited) acts as our Merchant of Record for all subscription payments. When you subscribe, Paddle receives and processes your name, email address, payment information (credit card, PayPal, etc.), and billing address to handle payment processing, tax compliance, invoicing, and refunds. We do not directly store your payment method details. We receive only your subscription status, plan type, and transaction identifiers from Paddle. Paddle has its own privacy policy governing how they handle your payment data.

3.2 Resend (Transactional Email)

Resend is used to send transactional emails such as account verification, password resets, and important service notifications. We share only your email address with Resend for this purpose. Resend does not receive any other personal data.

3.3 Anthropic and OpenAI (AI Providers)

When you use SonIQ Brain's AI chat feature, the extension sends requests directly to Anthropic and/or OpenAI using your own API keys. These requests are made from the VS Code extension on your machine and do not pass through our servers. Your interactions with these providers are governed by their respective privacy policies and terms of service.

3.4 Railway (Hosting Provider)

Our backend services and database are hosted on Railway, a cloud hosting provider located in the United States. All account data, chat messages, memory entries, and project metadata are stored on Railway's infrastructure. Railway acts as a data processor on our behalf.

4. Cookies and Local Storage

SonIQ Brain is primarily a VS Code extension and does not use browser cookies in the traditional sense. However:

• VS Code settings - The extension stores your preferences and API keys in VS Code's local settings storage on your machine.
• Authentication tokens - Session tokens are stored securely on your machine by the extension to maintain your login session.
• Landing page - Our website (soniqcloud.com) may use essential cookies for basic functionality. We do not use tracking or advertising cookies.

5. Data Retention

• Active accounts - Your account data (email, login, preferences) is retained for as long as your account remains active.
• After cancellation - Chat messages, memory entries, and project data are deleted within 30 days of your subscription cancellation. During this period, you may reactivate your account and retain your data.
• After account deletion - When you request account deletion, all your personal data (account data, chat messages, memory entries, project metadata) is deleted within 30 days. Some anonymized, aggregated data may be retained for analytical purposes.
• Billing records - Transaction records, invoices, and billing history are retained for 7 years after the transaction date for tax compliance, legal obligations, and financial audit purposes, as required by applicable law.
• Backups - Deleted data may persist in encrypted backups for up to 90 days before being permanently purged.

6. Data Security

We implement appropriate technical and organizational measures to protect your data, including:

• Encrypted data transmission (HTTPS/TLS) for all communications between the extension and our servers
• Encrypted database storage
• Token-based authentication with secure session management
• Regular security updates and monitoring
• Access controls limiting who can access production data

While we take reasonable steps to protect your data, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security.

7. Legal Basis for Processing (GDPR)

If you are located in the European Economic Area (EEA), United Kingdom, or a jurisdiction where GDPR or similar data protection regulations apply, the legal basis for processing your personal data includes:

• Consent - You provide consent during account registration by agreeing to these terms and creating your account. You may withdraw your consent at any time by deleting your account.
• Contractual necessity - Processing your account data, chat messages, and memory entries is necessary to provide you with the Service you have subscribed to.
• Legitimate interest - We have a legitimate interest in improving our services, ensuring security, and communicating with users about service updates and support. We balance these interests against your rights and do not use your data in ways you would not reasonably expect.

8. Your Rights (GDPR and Similar Regulations)

Regardless of where you are located, we provide the following rights to all users:

• Right to access - You can request a copy of all personal data we hold about you.
• Right to rectification - You can request that we correct any inaccurate data.
• Right to erasure - You can request that we delete all your personal data ("right to be forgotten").
• Right to data portability - You can request your data in a structured, machine-readable format.
• Right to restrict processing - You can request that we limit how we use your data.
• Right to object - You can object to our processing of your data for certain purposes.
• Right to withdraw consent - Where processing is based on consent, you may withdraw it at any time.

To exercise any of these rights, please contact us at [email protected]. We will respond to your request within 30 days.

9. International Data Transfers

Our servers are located in the United States (hosted on Railway). If you are accessing the Service from outside the United States, your data will be transferred to and processed in the United States. We ensure appropriate safeguards are in place for such transfers in compliance with applicable data protection laws, including Standard Contractual Clauses where applicable.

10. Children's Privacy

SonIQ Brain is not intended for use by children under the age of 16. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child under 16, we will take steps to delete that data promptly.

11. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or applicable laws. When we make material changes, we will notify you by email or through the Service at least 14 days before the changes take effect. The "Effective date" at the top of this page indicates when the policy was last updated.

12. Contact Us

If you have any questions about this Privacy Policy, your data, or wish to exercise your rights, please contact us:

• Email: [email protected]
• Website: soniqcloud.com