Legal
Privacy Policy
Effective July 5, 2026
Sonora Labs, Inc. ("Sonora") runs sonoralabs.one, an evaluation and monitoring platform for voice agents. Our customers send us call transcripts and audio so we can grade them. That makes privacy the core of the product, not a footnote, so this policy is written to be read. If anything is unclear, email privacy@sonoralabs.one.
1. What we collect
There are two categories, and we treat them very differently.
Account data. When you sign up we collect your name, work email, company, and a password hash or SSO identifier. If you pay us, our payment processor handles billing details; we never see full card numbers. We also collect product usage events (for example, a scenario suite was created) and standard server logs (IP address, browser, timestamps) to operate and secure the service.
Customer call content. The transcripts, call audio, and call metadata (timestamps, duration, agent version, latency measurements) that you send to Sonora through our API or integrations. For this data we act as a data processor on your behalf: you are the controller, you decide what to send, and we process it only on your documented instructions under our data processing agreement.
2. How call content is used
Call content is used for exactly one purpose: grading and monitoring your voice agents. That means scoring turns against your rubrics, generating failure traces, computing regression alerts, and showing the results to your team.
We never use your transcripts or audio to train models. Not our models, not our providers' models. The managed model providers we use for transcription and grading are contractually barred from retaining or training on any data we send them.
3. Storage and retention
All data is encrypted at rest with AES-256 and in transit with TLS 1.2 or higher. Retention defaults are:
- Transcripts: 12 months, then deleted automatically.
- Call audio: 30 days, then deleted automatically.
Both windows are configurable per project, all the way down to zero retention. In zero-retention mode we grade the call in memory, keep only the scores and metadata, and discard the transcript and audio immediately after grading. Deleting a project removes its call content from live systems and backups within 30 days.
4. PII redaction
Every plan can turn on redaction. When it is enabled, we detect names, phone numbers, email addresses, physical addresses, and payment card numbers in incoming content and replace them with typed placeholders such as [PHONE] before anything is stored or sent to a model provider. Scores are computed on the redacted text, and the original values never touch disk.
5. Subprocessors
We use a small set of vendors to run Sonora, by category:
- Cloud hosting, compute, and storage.
- Managed model providers for transcription and grading.
- Payment processing.
- Transactional email delivery.
- Error and performance monitoring.
Each subprocessor is bound by a data protection agreement at least as strict as ours. A live, named list is available on request from privacy@sonoralabs.one, and customers with a DPA receive 30 days notice before we add a subprocessor that can access call content.
6. Security and SOC 2 Type II
Sonora holds a SOC 2 Type II attestation, renewed annually by an independent auditor. Employee access to customer call content is restricted to engineers with a specific operational need, gated by SSO and hardware security keys, and logged. You can request the current SOC 2 report under NDA at privacy@sonoralabs.one.
7. Your rights
Under GDPR, CCPA, and similar laws, you can request access to, deletion of, or a portable copy of your personal data. Email privacy@sonoralabs.one and we will respond within 30 days.
One nuance specific to what Sonora does: if your voice appears in a call that one of our customers recorded, that customer is the data controller for the recording. We will route your request to them and support their response, including deleting the content on their instruction.
8. Data residency
By default, Sonora processes and stores data in the United States. Customers on the Scale plan can pin both processing and storage to a US or EU region, with residency commitments written into the DPA.
9. Children
Sonora is a business tool and is not directed at anyone under 16. We do not knowingly collect personal data from children. If you believe a child's data has reached us, email privacy@sonoralabs.one and we will delete it.
10. Changes to this policy
We will post updates on this page and revise the effective date above. For any material change to how we handle call content, we will email account owners at least 30 days before the change takes effect.
11. Contact
Questions, requests, or complaints: privacy@sonoralabs.one. We answer every message, usually within two business days.
See also our Terms of Service.