Privacy Policy
Your privacy is important to us. Learn how we protect your data.
1. Introduction
Welcome to Sonar Tracker ("we," "our," or "us"). We are committed to protecting your personal information and your right to privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our cryptocurrency whale tracking platform.
If you have any questions or concerns about this Privacy Policy or our practices regarding your personal information, please contact us at eduardo@sonartracker.io.
2. Information We Collect
2.1 Information You Provide to Us
We collect information that you voluntarily provide when you:
- Register for an account: Email address and password
- Subscribe to premium services: Payment information (processed securely by Stripe)
- Contact us: Name, email address, and any information included in your message
- Use our services: Search queries, filter preferences, and usage patterns
2.2 Information Collected Automatically
When you access our Service, we automatically collect certain information, including:
- Log Data: IP address, browser type, operating system, referring URLs, and pages visited
- Device Information: Device type, unique device identifiers, and mobile network information
- Usage Data: Time spent on pages, features used, and interaction patterns
- Cookies and Similar Technologies: We use cookies to enhance user experience and analyze usage patterns
2.3 Third-Party Data
We may receive information from third-party services:
- Authentication Providers: Supabase authentication data
- Payment Processors: Stripe transaction and subscription status
- Market Data Providers: CoinGecko, CryptoPanic for public cryptocurrency data
3. How We Use Your Information
We use the collected information for various purposes:
- Provide and Maintain Services: To deliver the Sonar Tracker platform and its features
- Process Transactions: To process your subscription payments and manage your account
- Improve Our Services: To understand usage patterns and enhance user experience
- Communicate with You: To send service updates, security alerts, and support messages
- Personalization: To customize content and recommendations based on your preferences
- Security: To detect, prevent, and address technical issues, fraud, or illegal activities
- Legal Compliance: To comply with applicable laws and regulations
- Analytics: To analyze trends, track user behavior, and generate statistical insights
3.1 Legal Basis for Processing (UK GDPR / EU GDPR Article 6)
Where the UK GDPR or the EU GDPR applies to our processing of your personal data, we rely on the following legal bases:
- Performance of a contract (Art. 6(1)(b)): to create and operate your account, deliver the Service you have subscribed to, and process payments. Without this data we cannot provide the Service.
- Legitimate interests (Art. 6(1)(f)): to secure the Service against fraud and abuse, to debug and improve the Service, to maintain audit logs, and to send you transactional service communications. We have assessed that these interests are not overridden by your fundamental rights.
- Consent (Art. 6(1)(a)): for non-essential cookies, web analytics (Vercel Web Analytics, Google Analytics), marketing emails (where required by PECR / ePrivacy Directive), and any optional features you opt into. You may withdraw consent at any time without affecting the lawfulness of processing carried out before withdrawal.
- Legal obligation (Art. 6(1)(c)): to retain transaction records for tax, accounting and anti-money-laundering purposes, and to respond to lawful requests from regulators, courts and law-enforcement authorities.
- Vital interests / public interest (Art. 6(1)(d)/(e)): not generally relied upon, but may apply in exceptional cases (e.g. responding to a safeguarding emergency).
We do not knowingly process special-category personal data (UK GDPR Art. 9), data revealing criminal convictions or offences (Art. 10), or data of children under 18.
4. Data Sharing and Disclosure
4.1 We May Share Your Information With:
- Service Providers: Third-party companies that help us operate our platform (hosting, payment processing, analytics). These providers are contractually obligated to protect your data.
- Business Transfers: In the event of a merger, acquisition, or sale of assets, your information may be transferred to the acquiring entity.
- Legal Requirements: We may disclose your information if required by law, court order, or governmental regulation, or to protect the rights, property, or safety of Sonar Tracker, our users, or others.
4.2 We Do NOT:
- Sell your personal information to third parties
- Share your personal information with advertisers without your consent
- Use your email for unsolicited marketing (you can opt out of promotional emails anytime)
5. Data Security
We implement industry-standard security measures to protect your personal information:
- Encryption: All data transmitted between your device and our servers is encrypted using SSL/TLS
- Password Security: Passwords are hashed and salted using industry-standard algorithms
- Access Controls: Limited access to personal data with role-based permissions
- Regular Audits: Periodic security assessments and vulnerability testing
- Secure Infrastructure: Hosted on secure cloud infrastructure (Vercel, Supabase)
However, no method of transmission over the internet or electronic storage is 100% secure. While we strive to protect your personal information, we cannot guarantee its absolute security.
6. Your Privacy Rights
Depending on your location, you may have the following rights regarding your personal data:
6.1 General Rights
- Access: Request a copy of the personal information we hold about you
- Correction: Request correction of inaccurate or incomplete data
- Deletion: Request deletion of your personal information (subject to legal obligations)
- Data Portability: Request a copy of your data in a machine-readable format
- Withdraw Consent: Withdraw consent for data processing where consent was the basis
6.2 GDPR Rights (EU Users)
If you are located in the European Economic Area (EEA), you have additional rights under GDPR:
- Right to Object: Object to processing of your personal data
- Right to Restriction: Request restriction of processing of your personal data
- Right to Lodge a Complaint: Lodge a complaint with your local data protection authority
6.3 Exercising Your Rights
To exercise any of these rights, please contact us at eduardo@sonartracker.io. We will respond to your request within 30 days.
7. Data Retention
We retain your personal information only for as long as necessary to fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required or permitted by law.
- Account Data: Retained while your account is active and for a reasonable period after account closure
- Transaction Data: Retained for at least 7 years for accounting and tax purposes
- Usage Data: Typically retained for 12-24 months for analytics purposes
- Cookies: Session cookies expire when you close your browser; persistent cookies expire after the period specified in the cookie
8. Cookies and Tracking Technologies
We use cookies and similar tracking technologies to:
- Keep you signed in to your account
- Remember your preferences and settings
- Understand how you use our Service
- Improve our Service based on usage patterns
You can control cookies through your browser settings. However, disabling cookies may affect the functionality of certain features.
Types of Cookies and Local Storage We Use:
- Essential Cookies/Storage:
  - sb-*-auth-token — Supabase authentication session (required for login)
  - sonar_cookie_consent — Records your cookie consent preference
  - sonar_theme — Your display theme preference
- Preference Storage:
  - sonar_tutorial_* — Tracks which onboarding tutorials you have viewed
  - sonar_sentiment_fp — Anonymised fingerprint for sentiment voting (prevents duplicate votes; see Section 9.1)
- Analytics (optional, can be rejected):
  - Vercel Web Analytics — anonymous page view counting, no personal data collected
  - sonar_analytics_disabled — Set to 'true' if you reject analytics cookies
You can reject non-essential cookies via the cookie banner shown on your first visit, or by clearing your browser's localStorage. Essential cookies cannot be disabled as they are required for the Service to function.
9. Third-Party Services and Sub-Processors
We use the following third-party processors and sub-processors to operate the Service. Each is bound by a written data-processing agreement that imposes UK GDPR / EU GDPR Article 28 obligations on the sub-processor, including confidentiality, security, sub-processing controls, audit rights and assistance with data-subject requests. Where personal data is transferred outside the UK / EEA, the safeguards described in Section 11 apply.
- Supabase Inc. (USA / EU regions) — authentication, user database, Postgres hosting, file storage. Data categories: account credentials, profile data, watchlists, votes, chat history. Privacy Policy
- Vercel Inc. (USA, edge network global) — hosting, deployment, web analytics, speed insights. Data categories: IP address, request metadata, anonymous pageview events. Privacy Policy
- Stripe, Inc. (USA / Ireland) — payment processing, subscription management, fraud prevention. Data categories: payment card details (PCI-DSS scoped), billing address, transaction metadata. Privacy Policy
- Brevo SAS (France, EU) — transactional and marketing email delivery. Data categories: email address, name, engagement events. Privacy Policy
- xAI Corp. (USA) — large-language-model inference for ORCA AI Features. Data categories: your query text and contextual market data only (no personal identifiers). Privacy Policy
- OpenAI, L.L.C. (USA) — fallback large-language-model inference when xAI is unavailable. Same data categories as xAI. Privacy Policy
- Google LLC (USA, EU) — Google Analytics 4 and Google Tag Manager (analytics consent only). Data categories: IP address (anonymised), device data, page interactions. Privacy Policy
- CoinGecko Pte. Ltd. (Singapore) — public cryptocurrency market data (no personal data sent). Privacy Policy
- CryptoPanic — public cryptocurrency news (no personal data sent). Privacy Policy
- LunarCrush, Inc. (USA) — social sentiment and engagement metrics for cryptocurrency tokens (no personal data sent). Privacy Policy
We will give 30 days' prior notice (by updating this page) before adding a new sub-processor that processes your personal data. Material changes will also be notified by email to subscribers. You may object to a new sub-processor by terminating your subscription before the new sub-processor goes live.
9.1 AI Data Processing (xAI/OpenAI)
When you interact with ORCA AI, the following data is sent to our AI provider (xAI or OpenAI as fallback):
- Your query text — the question or prompt you type
- Contextual market data — aggregated whale transaction summaries, price data, sentiment scores, and news headlines relevant to the token you are asking about
- No personal identifiers — your email, name, IP address, billing details and account ID are never included in AI requests
Data retention by AI providers: Queries sent to xAI and OpenAI are subject to their respective data retention policies. Sonar does not control how these providers store or process data after it is transmitted. We recommend reviewing their privacy policies linked above. Sonar stores your conversation history in our database so you can access past sessions; you can delete your conversation history at any time from your profile settings.
AI training: We do not use your personal queries to train AI models, and we have configured our enterprise / API agreements with xAI and OpenAI so that your prompts are not used to train their foundation models. However, those providers may retain logs for abuse-monitoring and compliance for short periods per their published policies.
AI output is not personal data about you in most cases, but to the extent any AI Feature output incidentally references you, you have the same access, rectification and erasure rights set out in Section 6.
We encourage you to review the privacy policies of these third-party services to understand how they collect, use, and protect your information.
9.1 Browser Fingerprinting
For our community sentiment voting feature, we use a locally generated browser fingerprint (a random UUID stored in your browser's localStorage) to prevent duplicate votes. This fingerprint:
- Is generated randomly and does not identify you personally
- Is stored only in your browser's localStorage — you can delete it at any time by clearing browser data
- Is stored in our database only in association with your votes, not linked to any personal information
- Is retained for 30 days, after which associated vote records are anonymised
You can opt out of fingerprinting by clearing your browser's localStorage or using your browser's private/incognito mode.
9.2 Account Deletion
You can permanently delete your account and all associated data at any time through your profile settings or by making a request to eduardo@sonartracker.io. Upon deletion, we will remove:
- Your authentication credentials and profile information
- Your sentiment votes and watchlist entries
- Any feedback you have submitted
- All personally identifiable data associated with your account
This process is irreversible. Anonymised, aggregated analytics data may be retained as it cannot be linked back to you.
10. Children's Privacy
Sonar Tracker is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children under 18. If you become aware that a child has provided us with personal information, please contact us, and we will take steps to delete such information.
11. International Data Transfers
Sonar Tracker is operated from the United Kingdom and uses sub-processors located in the United Kingdom, the European Economic Area (EEA), the United States, Singapore and other jurisdictions (see Section 9). When we transfer your personal data from the UK or the EEA to a country that the UK or the European Commission has not deemed to provide an adequate level of data protection, we rely on one or more of the following safeguards:
- The European Commission’s Standard Contractual Clauses (Module Two: Controller-to-Processor) annexed to Commission Implementing Decision (EU) 2021/914;
- The UK Information Commissioner’s International Data Transfer Agreement (IDTA) or the UK Addendum to the EU SCCs;
- The EU–US Data Privacy Framework and the UK Extension to the DPF, where the receiving organisation is self-certified;
- Where strictly necessary, the explicit consent of the data subject under UK GDPR Art. 49(1)(a) / EU GDPR Art. 49(1)(a).
We carry out a transfer impact assessment (TIA) for each cross-border data flow and apply supplementary technical measures (encryption in transit, encryption at rest, pseudonymisation where practicable, access controls and key management) so that the personal data continues to enjoy a level of protection essentially equivalent to that guaranteed within the UK / EEA.
You may obtain a copy of the relevant transfer mechanism (with commercial terms redacted) by emailing privacy@sonartracker.io.
12. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page and updating the "Last Updated" date.
For material changes, we will provide more prominent notice (such as an email notification) at least 30 days before the new policy takes effect.
We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information.
13. Contact Us, Data Controller and Complaints
For all privacy-related queries, including to exercise the rights set out in Section 6, to request our list of sub-processors, or to obtain a copy of the safeguards we use for international transfers, please contact:
Data Controller: SonarTracker (United Kingdom)
Postcode: SE16 3TY
Email (privacy): privacy@sonartracker.io
Email (general): eduardo@sonartracker.io
Response Time: We acknowledge data-subject requests within 5 business days and substantively respond within 30 days (extendable to 90 days for complex requests, with notice).
Right to complain: If you are not satisfied with our response, you have the right to lodge a complaint with a supervisory authority. UK residents may complain to the Information Commissioner's Office (ICO) at ico.org.uk/make-a-complaint. EU residents may complain to the supervisory authority in their member state. California residents may complain to the California Privacy Protection Agency.
See also our dedicated Data Removal Request page for the streamlined erasure / right-of-publicity process.
Last Updated: April 21, 2026