Sonaflo Privacy Policy

Last updated: December 9th, 2025.

This Privacy Policy explains how Sonaflo (“Sonaflo”, “we”, “us”, or “our”) collects, uses, and shares information about you when you use our websites, platform, products, and services, including Sonaflo LiftSync, Multi-Source Results, Backfill, DeckMate, Survey Generator Pro, and related tools (collectively, the “Services”).

Brand-lift data and campaign performance intelligence are sensitive assets. This policy is designed to give agencies, advertisers, publishers, and Measurement Sources clear, practical insight into how we handle information on the Sonaflo platform.

If you do not agree with this policy, please do not access or use the Services.

1. Who we are

Sonaflo is a multi-tenant software platform designed to unify brand-lift measurement across Measurement Sources and channels.

Controller / responsible entity:
Sonaflo, LLC
Email: privacy@sonaflo.com

In most cases, Sonaflo acts as a service provider / processor to our customers (for example, agencies, advertisers, and publishers) that use the platform to manage their own data and relationships with Measurement Sources. Those customers are typically the “controllers” of personal data they upload or connect to Sonaflo.

For certain activities described in this Privacy Policy and our Terms of Service—such as creating and using aggregated, de-identified analytics and trends across categories—Sonaflo may act as an independent controller / business. In those cases, we only use information in a form that does not identify individual users, Clients, brands, products, campaigns, or Measurement Sources.

2. Scope

This Privacy Policy applies to:

• Visitors to our marketing sites (for example, sonaflo.com and related pages).
• Users of the Sonaflo platform (for example, agency, advertiser, publisher, and Measurement Source users).
• Prospective customers who interact with us (for example, via demos, contact forms, and events).

This policy does not replace or override any data processing agreement we may enter into with a customer. Where there is a conflict between this policy and a signed data processing agreement, that agreement will usually control.

3. Information we collect

The specific information we collect depends on how you interact with Sonaflo and which features you use.

For clarity, when we refer to Customer Data in this policy, we mean all information you or your organization submit or make available to the Services, including:

• Source Reports: Brand-lift studies, measurement outputs, and other reporting from Measurement Sources.
• Client Data: Campaign metadata, brand and product information, briefs, categorizations, and related context supplied by or on behalf of a Client.
• Any related survey instruments, templates, files, and configurations you upload or create in the platform.

3.1 Information you provide directly

We collect information you choose to provide, such as:

• Account and contact details: Name, email address, job title, organization, and team; login credentials and user preferences.
• Organization and tenant information: Agency, advertiser, publisher, and Measurement Source account details; team names, org structures, PO references, and billing contacts.
• Content you upload or create in the platform: Brand-lift studies, campaign metadata, audience definitions, creative descriptors; survey instruments and question sets (for example, via Survey Generator Pro); DeckMate templates, layouts, and reporting frameworks.
• Backfill and Measurement Source submissions: Files and feeds submitted for Backfill or Measurement Source uploads (for example, aggregated BLS results), mapping rules, thresholds (such as p-value and sample size), and study configurations.
• Support and communication: Messages you send via support channels, forms, or email; feedback, feature requests, and survey responses related to Sonaflo.

3.2 Information we process on behalf of our customers

Our customers may use Sonaflo to store or process information about their own campaigns, clients, and partners. This can include aggregated brand-lift results, campaign-level metrics and benchmarks, and Measurement Source–specific output that is mapped into a unified format.

In these cases, our customer is responsible for ensuring they have the right to collect and process that information and to share it with Sonaflo. We act as a processor / service provider and handle the data according to their instructions and our agreements with them.

3.3 Survey and research data

Sonaflo is designed to work primarily with aggregated, study-level results, not raw respondent-level data. In many cases, survey fieldwork is conducted by Measurement Sources or research partners, and those partners provide Sonaflo with aggregated results (for example, lift points, p-values, sample sizes) rather than directly identifiable respondent data.

If any personal data about research participants is ever processed in Sonaflo (for example, in a custom integration), it is generally controlled by our customer or Measurement Source partner. They should provide their own privacy notices and consents to the relevant participants.

3.4 Automatically collected information

When you use the Services, we automatically collect certain technical and usage information, such as:

• Log data (for example, IP address, browser type, device information, pages viewed, date/time stamps).
• Platform usage (for example, features accessed, actions taken, error logs).
• Session and performance metrics used to monitor and improve reliability.

We use this information to secure the platform, troubleshoot issues, understand how features are used, and improve the overall experience.

3.5 Cookies and similar technologies

We and our service providers may use cookies, web beacons, and similar technologies to keep you signed in and remember your preferences, understand how our marketing site and platform are used, and support security features and performance monitoring.

You may be able to control cookies through your browser settings. If you disable certain cookies, some parts of the Services may not function properly.

3.6 Information from third parties

We may receive information from customers and partners (such as agencies or Measurement Sources who provision accounts for you), identity providers / SSO systems, service providers (such as analytics, payment, or communication vendors), and public sources (such as LinkedIn or corporate websites) to help keep contact information up to date.

3.7 Aggregated, de-identified, and Trends Data

We may create Aggregated Data and Trends Data derived from Customer Data and usage of the Services. These outputs are designed so they do not identify individual users, Clients, brands, products, campaigns, or Measurement Sources. For example, we may generate category-level trends, benchmarks, or statistics that reflect how certain types of campaigns perform across an industry segment.

Aggregated and Trends Data are handled as non-personal information where they cannot reasonably be linked back to an identifiable individual or organization.

4. How we use information

We use the information we collect for the following purposes:

• To provide and maintain the Services: Creating and managing accounts and tenants; enabling workflows such as LiftSync, Multi-Source Results, Backfill, DeckMate, and survey generation; generating exports (HTML, CSV, PDF, PPTX, DOCX) and reports.
• To secure the platform: Authenticating users and enforcing access controls; detecting, preventing, and responding to suspected fraud, abuse, or security incidents.
• To support customers: Responding to inquiries and support requests; providing onboarding, training, and success guidance.
• To improve and develop the Services: Analyzing usage patterns to understand what is working and where we can improve; testing features, workflows, and user experience.
• To generate Aggregated and Trends Data: Normalizing and combining Customer Data (including Source Reports and Client Data) to create de-identified, category-level or similarly aggregated analytics and benchmarks that do not identify individual users, Clients, brands, products, campaigns, or Measurement Sources. These outputs may power features such as market-level insights, planning benchmarks, and category trends.
• To communicate with you: Sending service-related notices, updates, and administrative messages; sending optional product updates, invitations, and marketing communications (where permitted by law).
• To comply with legal obligations: Complying with applicable laws and regulations; responding to lawful requests from public authorities.
• For other purposes with your consent: Any additional uses that we clearly explain and to which you consent.

5. Legal bases for processing (EEA/UK users)

Where applicable (for example, if you are in the European Economic Area or the UK), we rely on one or more of the following legal bases:

• Performance of a contract – To provide the Services under our agreement with you or your organization.
• Legitimate interests – To operate, improve, and secure our Services; to generate aggregated analytics and trends that help customers plan and benchmark performance; and to support our business operations, provided these interests are not overridden by your rights and interests.
• Consent – For certain optional activities, such as some marketing communications or specific cookies.
• Legal obligations – Where processing is necessary to comply with laws we are subject to.

6. How we share information

We do not sell personal information in the ordinary sense of the word. We may share information in the following situations:

Within your organization and authorized users: We share information with other users in your organization or tenant, consistent with your roles, teams, and permissions, and with Measurement Source users or partners you invite into your workflows, subject to your settings and agreements.

Service providers and subprocessors: We engage trusted third parties to help us operate the Services (for example, hosting providers, email providers, analytics tools, AI infrastructure). These providers are bound by contractual obligations to protect your data and are only permitted to use personal data as necessary to provide services to us.

Measurement Sources and partners: At your direction, we may share or receive data with or from Measurement Sources, research providers, and other partners to normalize and unify brand-lift results and to support LiftSync, Multi-Source Results, Backfill, or related workflows. In these cases, our use of data is governed by your instructions and any relevant agreements.

Business transfers: If we are involved in a merger, acquisition, financing due diligence, reorganization, or sale of assets, your information may be transferred to the acquiring or successor entity, subject to appropriate protections.

Legal and safety: We may disclose information when we believe in good faith that doing so is reasonably necessary to comply with an applicable law, regulation, legal process, or governmental request; to protect the rights, property, or safety of Sonaflo, our customers, or others; or to detect and address fraud, security, or technical issues.

Aggregated and de-identified outputs: We may share Aggregated Data and Trends Data (for example, category-level benchmarks or trend views) with customers or in our materials, provided such outputs do not identify individual users, Clients, brands, products, campaigns, or Measurement Sources.

7. International data transfers

Depending on where you are located, your information may be transferred to, stored in, and processed in countries other than your own, including the United States, where our primary operations may be located.

Where required by law, we implement appropriate safeguards to protect international transfers of personal data, such as standard contractual clauses or other approved mechanisms.

8. Data retention

We retain information for as long as necessary to provide the Services, fulfill the purposes described in this policy, comply with legal, tax, or accounting obligations, and enforce or defend legal rights.

Retention periods may vary depending on the type of data and our agreements with customers. In many cases, customers control how long project-level data (for example, studies, exports, Backfill jobs) is kept in their tenant.

We may anonymize or aggregate data so that it is no longer reasonably associated with an identifiable individual. We may use Aggregated Data and Trends Data for legitimate business purposes without further notice, provided it remains de-identified.

9. AI features and automated processing

Some Sonaflo features use AI models to help summarize findings, generate narratives, or interpret metrics (for example, AI summaries of brand-lift results or glossary explanations).

• We may send relevant snippets of your content (such as aggregated results, chart context, or narrative prompts) to AI infrastructure providers to generate these outputs.
• We implement access controls so AI outputs respect tenant and role-based permissions.
• We do not use AI features to make automated decisions that produce legal or similarly significant effects about individuals.

We recommend that customers avoid transmitting unnecessary personal data or sensitive personal data into AI prompts, and we can work with you to align AI usage with your internal policies.

10. Your rights and choices

Your rights will depend on where you live and how you interact with Sonaflo. Subject to applicable law, you may have the right to:

• Access your personal data and obtain a copy.
• Correct inaccurate or incomplete personal data.
• Delete certain personal data.
• Restrict or object to certain processing.
• Data portability, where technically feasible.
• Withdraw consent at any time where we rely on consent.

If you are an end user of Sonaflo via your employer or another organization, we may ask you to direct your request to that organization, which is the controller of your data.

To exercise your rights, please contact us at privacy@sonaflo.com. We may need to verify your identity before fulfilling your request and may be unable to fully comply with a request where the law requires or permits us to retain certain information.

Marketing communications: You can opt out of non-essential marketing communications by following the unsubscribe instructions in the message or by contacting us. We may still send you service-related or transactional communications.

11. California and similar regional privacy rights

If you are a resident of California or another jurisdiction with similar rights, you may have additional rights, such as:

• The right to know what categories of personal information we collect and how we use and disclose them.
• The right to request deletion of personal information, subject to certain exceptions.
• The right to correct inaccurate personal information.
• The right to limit certain uses of sensitive personal information (if applicable).

We do not knowingly “sell” personal information or share it for cross-context behavioral advertising in the sense defined under some state privacy laws. Where we rely on service providers or contractors, we contractually restrict their use of personal information.

Aggregated Data and Trends Data that cannot reasonably be linked to an identifiable individual are treated as non-personal information for purposes of these laws.

You may exercise your rights by contacting us at privacy@sonaflo.com and indicating your jurisdiction and the nature of your request.

12. Children’s privacy

The Services are not intended for children under 16, and we do not knowingly collect personal information directly from children. If we become aware that we have collected personal data from a child without appropriate consent, we will take steps to delete it. If you believe a child has provided us with personal information, please contact us.

13. Security

We use appropriate technical and organizational measures to protect personal information, including tenant-aware architecture and strict access controls; role-based permissions for sensitive actions (such as exports, template changes, PO updates); audit logging for key operations; and measures designed to protect against unauthorized access, use, alteration, or destruction.

No system can be fully secure, and we cannot guarantee absolute security. However, security is central to how Sonaflo is designed and operated, and we continuously work to strengthen our defenses.

14. Third-party websites and services

The Services may link to third-party websites, platforms, or services. This Privacy Policy does not apply to those third parties, and we are not responsible for their content, privacy practices, or security. We encourage you to review their privacy policies before providing them with information.

15. Changes to this Privacy Policy

We may update this Privacy Policy from time to time. When we do, we will update the “Last updated” date at the top, and we may provide additional notice where required (for example, via the platform or email).

Your continued use of the Services after an updated policy is posted indicates that you have read and understood the changes.

16. Contact us

If you have any questions about this Privacy Policy or our data practices, or if you would like to exercise your rights, please contact us:

Email: privacy@sonaflo.com

This Privacy Policy is a template and does not constitute legal advice. You should review and adapt it with your legal counsel to ensure it accurately reflects how Sonaflo operates and complies with the laws that apply to your business and customers.