Soniver

Privacy Policy

Last updated: April 29, 2026

1. Introduction and roles

This Privacy Policy explains how Soniver AS (org. no. 934 936 949) processes personal data. For website visitors, Soniver AS acts as controller. When business customers use the service for employee conversations, the customer acts as controller and Soniver AS acts as processor under GDPR Article 28.

2. Categories of personal data

  • Audio data: Audio is processed transiently for transcription and analysis and is not permanently stored on disk.
  • Transcripts: Text generated from conversations, including content entered or uploaded by users.
  • Pseudonymized data: We may pseudonymize text (for example names/places), but this remains personal data.
  • Analyses and notes: AI-generated notes, summaries, and leadership insights used as decision support.
  • Account and metadata: Name, email, organization membership, sign-in data, timestamps, and technical logs. Conversations may contain special category data (for example health or trade union data) if entered by the customer.

3. Purposes and legal bases

Typical purposes and legal bases are:

  • Provide the service, authentication, support, and secure operations (GDPR Art. 6(1)(b) and 6(1)(f)).
  • Pseudonymization, access control, logging, and information security (GDPR Art. 6(1)(f)).
  • Generate notes and leadership insights on customer instruction (the customer legal basis is typically Art. 6(1)(f) or 6(1)(c)).
  • Comply with legal obligations, accounting duties, and contractual obligations (GDPR Art. 6(1)(c) and 6(1)(b)).
  • We do not use customer data, transcripts, or analyses for our own model training. If special category data is processed, the customer must have a valid Art. 9 basis, typically Art. 9(2)(b).

4. Storage and retention

  • Audio is not permanently stored. Audio segments are deleted continuously as soon as transcription and analysis are completed.
  • Transcripts, notes, and analyses are stored encrypted during the active customer relationship.
  • Upon termination of the customer relationship, data is deleted within 30 days, including backup data in the ordinary backup cycle.
  • Data subjects may request access, correction, or deletion via their employer (controller) or contact us at post@soniver.com.

5. Sharing, sub-processors, and third-country transfers

We do not share conversation data with third parties for their own purposes. Conversation data, transcripts, and AI analyses are processed in Norway/EEA and are not transferred to the United States. Approved sub-processors include Clerk, Microsoft Azure, Google Cloud, MongoDB Atlas, Resend, and Stripe. For Resend, account data, metadata, and API logs are stored in the United States, while email sending can be configured to regions such as EU/Ireland (eu-west-1) or US/N. Virginia (us-east-1). Payment data may be processed by Stripe in the EU/US. Transfers outside the EEA are based on valid transfer mechanisms, including SCCs and/or the EU-U.S. Data Privacy Framework where relevant.

6. Security and automated assessments

  • Data is encrypted in transit and at rest, and the service is built with data minimization and role-based access.
  • Only authorized personnel with a need-to-know basis may access data, subject to confidentiality obligations and access controls.
  • Soniver provides decision support. Automated analyses are not used as the sole basis for decisions producing legal or similarly significant effects; human review and validation are always required by the customer.

7. Your rights

You have the right to access, rectification, erasure, restriction, portability, and to object under GDPR.

  • If processing occurs in a customer account (employer context), requests should normally be addressed to the customer as controller.
  • Soniver assists the controller in fulfilling data subject rights under GDPR Article 28.
  • You may contact us at post@soniver.com if you need help identifying the relevant controller or understanding our role.
  • You also have the right to lodge a complaint with Datatilsynet (the Norwegian Data Protection Authority).

8. Changes to this Privacy Policy

We may update this policy when the service, sub-processors, or legal requirements change. Material changes are published on our website with an updated date.

9. Contact information

For privacy questions or to exercise rights, contact us at:

Email: post@soniver.com
Address: Sverdrups gate 21, 0559 Oslo

10. Cookies

For information about cookies and how to manage consent, see our cookie policy: /en/cookies