Questions? legal@sonas.dev

Effective May 23, 2026

Privacy Policy

This policy explains what personal information Sonas Code ("Sonas") collects, why we collect it, and what we do with it. It applies to the website, the web application at /studio, the Roblox Studio plugin, and any related APIs.

1. What we collect

Account information

  • Email address (if you sign in with email)
  • OAuth profile fields (display name, avatar) if you sign in with a third-party provider
  • Account creation date and the timestamp of your last visit

Content you submit

  • Prompts and chat messages you send to the AI
  • Files, scripts, and project metadata you create
  • Roblox place data the plugin sends to Sonas when you authorize an AI action (e.g. scan_tree)

Usage data

  • Server logs of API calls (timestamps, route, status code, latency)
  • Usage events (provider, model, prompt size, completion size, errors)
  • Plugin connection events (pairing, polling, command results)

Payment information

  • PayPal transaction ID, payment amount, currency, and the email PayPal sent us via Instant Payment Notification (IPN) when you upgrade or buy a starlight top-up.
  • We do not receive your card details, bank details, or PayPal password. PayPal handles all sensitive payment data — see PayPal's privacy notice.

Cookies and similar technologies

We use a small number of strictly necessary cookies (authentication session, CSRF token). We do not use third-party advertising trackers. See the Cookie Policy for the full list.

2. Why we use your information

  • Provide the service: authenticate you, route AI requests, store and retrieve your projects.
  • Pay model providers: we forward prompts to AI providers (Anthropic, OpenAI-compatible vendors, and similar) to generate responses.
  • Operate, secure, and improve the service: logs and usage events let us detect abuse, fix bugs, and monitor performance.
  • Bill starlight: usage events drive starlight accounting; payment records track your subscription state.
  • Communicate with you: account notices, payment receipts (via SMTP), low-credit warnings, security alerts, and (with your opt-in) product updates.

3. AI providers

Your prompts and messages are sent to AI providers to generate responses. We do not train or fine-tune any model on your data, and our providers' standard API terms generally prohibit them from training on inference traffic — but you should consult their published policies for current commitments. We currently rely on one or more of: Anthropic, OpenAI-compatible providers (e.g. Pollinations, FreeModel), and self-hosted inference.

4. Sharing

We do not sell your personal information. We share information only with:

  • Service providers (hosting, database, AI inference, analytics) under contracts that restrict their use of the data to the services they provide for us.
  • Legal authorities when required by law, court order, or to protect rights, property, or safety.
  • A successor entity in a merger, acquisition, or asset transfer, in which case the new entity is bound by this policy or a no-less-protective successor.

5. Storage and security

Data is stored in managed Postgres (via Supabase). All transit is over TLS. Production access is restricted by IP allowlist and role-based authentication. We use row-level security so users can only access their own rows. We rotate keys and audit access on a regular schedule. No system is perfectly secure; please report vulnerabilities to security@sonas.dev.

6. Retention

  • Account: retained while your account is active and for up to 90 days after closure.
  • Projects/messages/files: retained while your account is active. You may delete them at any time from the Studio UI.
  • Usage events: retained for up to 13 months for billing reconciliation and analytics, then deleted or anonymized.
  • Server logs: retained for up to 30 days.

7. Your rights

Depending on where you live, you may have rights to access, correct, port, restrict, or delete your personal data, and to object to certain processing. To exercise these rights, email privacy@sonas.dev. We will respond within the time required by applicable law (typically 30 days).

8. Children

Sonas is not directed to children under 13, and we do not knowingly collect personal information from children under 13. If you believe a child has provided us personal information, contact us at privacy@sonas.dev and we will delete it.

9. International transfers

Sonas is operated from the United States and our infrastructure providers may host data in other countries. By using the service you consent to the transfer of your information to the United States and other jurisdictions where data-protection laws may differ from those of your country.

10. Changes to this policy

We will update this page when our practices change. Material changes will be highlighted at the top of the page and announced by email where appropriate.

11. Contact

Sonas Labs · Privacy · privacy@sonas.dev