Privacy Policy

Last Updated: June 17, 2025
Effective Date: July 1, 2025

Google API Disclosure

Sonrse use of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

Sonrse Labs Inc. ("Sonrse Labs," "Sonrse," "we," "us," or "our") operates an AI-driven outbound prospecting platform and related Services (the "Services"). This Privacy Policy explains how we collect, use, disclose, retain, and protect Personal Data, as well as your rights and choices. By accessing or using our Services, you agree to this policy. If you do not agree, please stop using our Services immediately.

1. Scope & Applicability
2. Key Definitions
3. Information We Collect
4. How We Use Information
5. Legal Bases for Processing
6. Disclosure & Sharing
7. International Data Transfers
8. Data Retention & Deletion
9. Cookies & Tracking Technologies
10. Security Measures
11. Your Rights & How to Exercise Them
12. Special Topics
13. Changes to This Policy
14. Contact & DPO Information

1. Scope & Applicability

This policy applies to all visitors and users of our websites, portals, APIs, and applications, and to individuals whose business contact data we process. It does not cover third-party sites or any data processed solely on the user's device before transmission to us.

2. Key Definitions

Personal Data: Information relating to an identified or identifiable person.
Processing: Any operation on Personal Data—collection, use, storage, disclosure, deletion, etc.
Sub-processor: A third party we've contracted to process Personal Data on our behalf.
EEA: European Economic Area (EU member states plus Iceland, Liechtenstein, and Norway).
GDPR: EU General Data Protection Regulation.
CCPA/CPRA: California Consumer Privacy Act and California Privacy Rights Act.
DPO: Data Protection Officer.

3. Information We Collect

We collect only what's necessary to provide, maintain, and improve our Services. Categories include:

1. Business Contact & Professional Data

Full name, job title, corporate email, work phone, company name, industry, company size, and LinkedIn profile URL.
Source: User uploads (CSVs, CRM integrations), licensed providers, and public sources.

2. Account & Authentication Data

Username, hashed password, multi-factor authentication tokens, customer ID, API keys.
Source: Provided directly at registration or via Single Sign-On (SSO).

3. Usage & Technical Telemetry

IP address, device/browser details, cookies, session logs, page views, clickstreams, API call logs.
Collected automatically via analytics scripts, server logs, cookies, and pixels.

4. Client-Provided Content & Preferences

Uploaded prospect lists, CRM configurations, Ideal Customer Profiles (ICPs), campaign assets, notification settings.

5. AI-Enriched & Derived Data

Verification results, technographic signals, funding events, inferred job changes, lead-scoring.

6. Payment & Billing Data

Billing contact name, billing address, tokenized card details (via Stripe), invoice history, subscription tier.

7. Communications & Support Interactions

Email correspondence, live-chat transcripts, support tickets, webinar attendance records.

8. Marketing & Promotional Data

Opt-in consents, email open/click-through rates, event registrations, segment memberships.

4. How We Use Information

We use Personal Data to:

Deliver & Maintain Services: Authenticate users, provision features, manage billing.
Personalize Your Experience: Recommend templates, content snippets, and enrichment suggestions.
Ensure Security & Prevent Fraud: Monitor for anomalies, block threats, maintain audit logs.
Provide Support & Success: Respond to tickets, host webinars, publish help guides.
Communicate Marketing & Updates: Send transactional notices, newsletters, and offers (where consented).
Research & Improve Product: Analyze aggregated usage metrics, conduct A/B tests, enhance UX.
Meet Legal & Compliance Obligations: Retain records, respond to subpoenas, fulfill data-subject rights.

We do not sell your Personal Data. Any sharing is limited to the purposes described and governed by contract.

5. Legal Bases for Processing

Under GDPR, our processing relies on one or more of these legal bases:

Performance of Contract: To set up and manage your account and deliver Services.
Legitimate Interests: For security, fraud prevention, product improvement, and analytics.
Consent: For marketing communications and certain cookie uses.
Legal Obligation: To comply with tax, accounting, or other regulatory requirements.

Under CCPA/CPRA, we process Personal Data for our business purposes, and—where applicable—on the basis of consent for marketing.

6. Disclosure & Sharing

We only share your data when necessary, under strict agreements:

Sub-processors: AWS (hosting), Stripe (payments), SendGrid (email), Segment (analytics), Zendesk (support), Clearbit (enrichment), Datadog (monitoring), Cloudflare (CDN).
Affiliates: For unified platform services and joint marketing.
Legal Authorities: To comply with valid legal processes (e.g., subpoenas).
Business Transactions: In connection with mergers or acquisitions, under confidentiality agreements.
Your Authorized Integrations: Via OAuth scopes you grant (e.g., Salesforce, HubSpot).

We require all third parties to handle your data securely and in compliance with applicable laws.

7. International Data Transfers

We operate globally, so data may move across borders. We rely on:

EU-U.S. Data Privacy Framework
UK-U.S. Data Privacy Framework
Swiss-U.S. Data Privacy Framework
Standard Contractual Clauses (SCCs) as needed

Our self-certifications and SCCs are available at dataprivacyframework.gov.

8. Data Retention & Deletion

We retain data as follows, then securely delete or anonymize it:

Account & Billing Records: Seven years (tax/regulatory requirements).
Prospecting & Enrichment Data: Duration of your subscription plus 90 days.
Support & Communication Logs: Three years.
Marketing Consents: Until you withdraw plus two years.
Aggregated/Anonymized Analytics: Indefinitely (no Personal Data).

To request deletion of your Personal Data, use our Privacy Center or email support@sonrse.com. We verify identity and complete deletion within 30 days, unless legal obligations require longer retention.

9. Cookies & Tracking Technologies

We use cookies and similar tools to enhance your experience:

Strictly Necessary (Session cookies): Enable core functionality; cannot be disabled.
Functional (1-year duration): Remember preferences like language and theme.
Performance (2-year duration): Collect analytics (page load times, errors).
Marketing (6-month duration): Support behavioral advertising and retargeting.

Manage your cookie preferences through your browser settings or our cookie consent banner. Note that disabling certain cookies may limit functionality.

10. Security Measures

We implement robust safeguards to protect your data:

Encryption: TLS 1.2+ in transit; AES-256 at rest.
Access Controls: Role-based permissions and least-privilege principles.
Vulnerability Management: Quarterly penetration tests, continuous scanning, and prompt patching.
Incident Response: We detect, contain, investigate, and notify affected parties and regulators within 72 hours of a confirmed breach.

11. Your Rights & How to Exercise Them

EU/UK (GDPR)

You have rights to access, correct, erase, restrict processing, portability, object, and withdraw consent.

How to Request: Email support@sonrse.com with subject "GDPR Request."
Verification: We may request proof of identity.
Response Time: Within 30 days (possible 2-month extension for complex cases).

California (CCPA/CPRA)

You have rights to know, delete, opt-out of sale/sharing, and non-discrimination.

How to Request: Use our "California Consumer Rights" form in the Privacy Center or email support@sonrse.com.
Response Time: Within 45 days (one 45-day extension allowed).

Other Jurisdictions

Residents of Brazil, Canada, Australia, etc., may have additional rights. Contact us and we will guide you.

12. Special Topics

Children's Privacy: Our Services are for professionals; not directed at minors under 16. Any data collected from minors is promptly deleted.
Automated Decision-Making: If you're subject to decisions based solely on automated processing that produce legal or significant effects, you may request a human review.

13. Changes to This Policy

We review and may update this policy at least annually or when our Services change materially. We will post any updates here with a new "Last Updated" date and notify account holders by email at least 30 days before material changes take effect.

14. Contact & DPO Information

Sonrse Labs Inc. (Sonrse)

Mailing Address:

149 N. Montgomery St
San Francisco, CA 94105

Privacy Center & Online Requests: www.sonrse.com/privacy-policy

General Inquiries: support@sonrse.com

Thank you for trusting Sonrse. We're committed to safeguarding your privacy and data security.