Privacy Policy
Last updated: May 20, 2026
What this policy covers
This Privacy Policy explains how Sounday ("we," "us") collects, uses, and shares information when you use our website, apps, and embedded player (the "Services"). It also explains your privacy choices and rights.
Who we are
Sounday is the data controller for personal information processed to provide and improve the Services. We are registered in Barcelona, Spain. If you have questions, contact us at support@sounday.ai.
What we collect
We collect information from three places:
Information you provide
- Account information (email address, display name, profile photo).
- Station configuration (topics, sources, station name, public/private setting).
- Content you submit (links, documents, optional text).
- Messages you send to support.
- Billing information. When you subscribe to Sounday Pro, RevenueCat (our merchant of record) and its payment processor collect your payment-method details on our behalf. Sounday does not receive or store full card numbers. We do store your subscription status (trial / active / cancelled / expired), the product purchased, billing period, expiry date, and the RevenueCat subscriber identifier.
Information we collect automatically
- Playback events (which episodes you start, completion, duration listened).
- Server access logs (IP address, request path, user agent) for security and reliability.
- A single browser storage entry (
sounday-consentin local storage) recording your analytics preference. No advertising or cross-site tracking cookies are used by Sounday.
Information from connected sources
- RSS feed URLs you add and the items retrieved from those feeds (titles, URLs, dates, and extracted text).
- Emails you forward to your ingest address. When you forward a newsletter or message to your workspace's
@in.sounday.aiaddress, we receive and store the sender address, subject, and full email body. Whether or not the content has been used, inbound emails are automatically deleted 7 days after receipt.
How we use information
- Provide the service: create stations, fetch source content, generate scripts and audio, and enable playback.
- Personalize your experience: language and voice preferences, topic relevance, playback settings.
- Operate public stations: if you make a station public, we display station pages, provide RSS feeds, and support sharing.
- Maintain safety and security: prevent fraud, enforce policies, debug reliability issues.
- Improve Sounday: understand feature usage and performance.
- Communicate with you: send service messages (e.g., "Your briefing is ready"), invitations, and optional daily digests if enabled in your settings.
Legal basis for processing (GDPR)
If you are in the EU, UK, or another jurisdiction with similar rules, we rely on the following lawful bases under Article 6 of the GDPR:
| Processing activity | Lawful basis |
|---|---|
| Creating and operating your account; generating episodes; delivering audio | Contract — Art. 6(1)(b) (performance of the terms of service) |
| Transactional email (magic links, invitations, episode-ready notifications) | Contract — Art. 6(1)(b) |
| Storing inbound emails you forward to your ingest address | Contract — Art. 6(1)(b); deleted after the 7-day retention window |
| Optional product analytics (if/when enabled after banner opt-in) | Consent — Art. 6(1)(a); revocable at any time |
| Optional daily digest email | Contract — Art. 6(1)(b); you can turn it off in settings or via the unsubscribe link |
| Optional Telegram delivery | Consent — Art. 6(1)(a); revocable by disconnecting the integration |
| Security logging, abuse detection, rate limiting | Legitimate interests — Art. 6(1)(f) (operating a safe service) |
| Responding to legal requests; retaining records where required | Legal obligation — Art. 6(1)(c) |
| Processing subscription payments and managing your Sounday Pro subscription | Contract — Art. 6(1)(b) |
| Retaining invoices and billing records for tax and accounting purposes | Legal obligation — Art. 6(1)(c) (Spanish Código de Comercio Art. 30: 6 years) |
How AI and audio generation works
Sounday generates scripts and audio from the sources you select. This involves:
- Fetching and extracting text from your sources (RSS feeds, forwarded emails, or content you upload).
- Sending that source text to our AI sub-processor, OpenAI, to generate a script and synthesize it into audio.
- Storing the generated audio so you can listen.
Sounday does not use your content to train AI models, and under the OpenAI API data policy, OpenAI does not use content submitted through the API to train or improve their models either. OpenAI retains API content for up to 30 days for abuse and misuse monitoring, after which it is deleted.
You can delete stations and episodes at any time, and remove sources to stop future ingestion.
When we share information
Service providers (sub-processors)
We use the following vendors to operate Sounday. They process personal data on our behalf under data processing agreements that restrict how they may use it.
| Vendor | Purpose | Data categories | Location |
|---|---|---|---|
| Supabase | Authentication, session management, magic-link email delivery | Email, authentication metadata | EU / US |
| Amazon Web Services (AWS) | Application hosting, database, object storage, job queues | All application data at rest (encrypted) | US (us-east-1) |
| OpenAI | Script generation (LLM) and voice synthesis (TTS) | Source article text, generated scripts | US |
| Resend | Outbound transactional email (notifications, digests, invitations) | Recipient email, email content | US |
| Mailgun | Inbound email parsing (the ingest address) | Raw emails you forward to your ingest address | US |
| Mixpanel | Product analytics (only with your consent) | Pseudonymous user ID, event names, device/browser metadata | EU (residency enabled) |
| Telegram | Optional delivery channel for episodes (opt-in per user) | Telegram chat ID, episode metadata, audio URL | Global |
| RevenueCat (RevenueCat, Inc.) | Subscription billing as merchant of record: paywall, payment processing, tax computation and remittance, subscription state management | Email, Sounday user ID, subscription status, purchase events, billing address, payment-method token | US |
Our AI sub-processor (OpenAI) processes content solely to generate scripts and audio on your behalf. Under the OpenAI API data policy, this content is not used to train their models and is retained only for a short abuse-monitoring window.
RevenueCat acts as our merchant of record under its own privacy policy and engages further payment-processing sub-processors (including Stripe) to charge cards and remit taxes. Full details and an up-to-date sub-processor list are available at revenuecat.com/privacy.
Public stations
If you make a station public, your station page and episodes are accessible to anyone. If you share an episode link, the recipient can listen without an account.
Legal and safety reasons
We may disclose information if required by law, to respond to lawful requests, or to protect users, the public, and Sounday.
Business transfers
If Sounday is involved in a merger, acquisition, or asset sale, information may be transferred as part of that transaction. We will notify you of any such change.
We do not sell your personal information.
Your choices and controls
- Privacy settings: manage notifications, public/private station settings, analytics preferences, and email preferences in your account.
- Delete content: delete episodes, stations, and your account at any time.
- Email delivery: turn episode notifications and daily digests on or off in settings, or use the unsubscribe link in emails.
Data retention
We keep information only as long as needed for the purposes described above, unless a longer period is required by law. The table below reflects what the current code actually does, not aspirational retention targets.
| Data | Retention |
|---|---|
| Inbound (forwarded) emails | 7 days from receipt — automatically deleted. |
| Generated episode audio & scripts | 3 months from generation, or until you delete the episode (whichever comes first). Audio is hard-deleted from storage; scripts and source snapshots are cleared. |
| Public episode share links | 3 months from creation — after that the link shows an "episode no longer available" page. |
| Account data after you request deletion | 14-day grace period during which you can cancel. After the grace period, your account, workspaces, stations, episodes, and audio are permanently removed. Billing records required by tax law (next row) survive deletion. |
| Billing and subscription transaction records (invoices, receipts) | Retained for 6 years from the end of the relevant fiscal year, as required by Spanish commercial law (Código de Comercio Art. 30). These records contain your name, email, and transaction details and survive account deletion. |
| Server & security logs | 7 days. |
| Encrypted database backups | Up to 7 days. |
| Content sent to OpenAI | Up to 30 days, retained by OpenAI for abuse monitoring only; not used to train their models. |
| Playback events | Stored in our application database while the associated episode remains available. If optional Mixpanel analytics is enabled, Mixpanel retains analytics events under its own retention settings. |
Encrypted backups may contain deleted records for up to a further 7 days after the grace period closes, before they are overwritten on the next backup cycle.
Security
We use technical and organizational measures to protect your information:
- TLS / HTTPS for all traffic between your device and our servers.
- Encryption at rest for our database (AWS RDS, AES-256) and object storage (AWS S3, AES-256).
- Access to production data is limited to authorized Sounday personnel with operational need, authenticated via individual credentials and logged.
- Webhook endpoints (inbound email) are authenticated with a shared secret compared in constant time.
- SSRF protection on all outbound fetches (RSS feeds, station webhooks) — private/internal addresses are blocked, and redirects are re-validated on every hop.
No method of transmission or storage is completely secure, but we work to protect your data using industry-standard practices.
International transfers
Sounday's primary hosting region is AWS US East (N. Virginia, us-east-1). Our database, application servers, generated audio, inbound email storage, and job queues are located in the United States. Several sub-processors (see list above) also process data in the United States.
If you are located in the EEA, UK, or Switzerland, your data will be transferred to and processed in the United States. We rely on:
- Standard Contractual Clauses (European Commission Implementing Decision 2021/914) as the primary transfer mechanism with our US-hosted sub-processors.
- UK International Data Transfer Addendum for transfers from the UK.
- EU-US Data Privacy Framework certification where our sub-processor is certified and we rely on it.
- Encryption at rest and in transit, access controls, and short retention windows as supplementary measures.
You can request a copy of the specific transfer mechanism applied to any particular sub-processor by contacting us at support@sounday.ai.
Children
Sounday is not directed to children under 16. If you are a parent or guardian and believe a child has provided personal information to us, please contact us to request deletion.
Cookies and tracking
We use strictly necessary browser storage and authentication mechanisms to operate the website and app. With your permission where required by law, we may use optional browser storage for analytics and improvement. You can manage your preferences through Settings or your browser's site-data controls.
Changes to this policy
We may update this policy from time to time. If changes are material, we will provide notice in the app or on our website. Your continued use of the Services after changes take effect means you accept the updated policy.
Contact us
For questions, requests, or complaints about this Privacy Policy or your data:
- Email: support@sounday.ai
If you are in the EU/UK, you also have the right to lodge a complaint with your local data protection authority.
Version history
Every material change to this policy is recorded here. The "Last updated" date at the top of the page matches the most recent entry.
- May 20, 2026— Launch of Sounday Pro paid subscriptions. Disclosed RevenueCat as merchant of record (and Stripe as RevenueCat's payment-processing sub-processor). Added a billing-information section. Added payment processing and tax-record retention to the legal-basis table. Added a 6-year retention row for billing and invoice records under Spanish commercial law. Clarified that billing records survive account deletion.
- May 12, 2026 — Corrected the consent-storage description to reflect browser local storage, updated the vendor list to reflect Supabase magic-link delivery, Resend transactional email, and Mailgun inbound email parsing, shortened generated-audio/script retention to 3 months, shortened public share-link validity to 3 months, and updated server/security log retention to 7 days.
- April 18, 2026 — Named specific sub-processors (Supabase, AWS, OpenAI, Resend, Postmark, Mixpanel, Telegram). Added a lawful-basis table (GDPR Art. 6). Clarified OpenAI retention (30 days, no model training). Reconciled retention numbers with code: 14-day account-deletion grace, 7-day inbound-email TTL, 6 month episode audio retention, 6-month public share-link validity. Documented primary hosting in AWS us-east-1 and the Standard Contractual Clauses used for EU/UK transfers. Added CCPA right-to-correct language. Described the access controls and SSRF protections applied to your data.
- April 6, 2026 — Initial Privacy Policy published.
California residents
If you are a California resident, you have additional rights under the California Consumer Privacy Act, as amended by the California Privacy Rights Act (CCPA/CPRA):
- Right to know what categories of personal information we collect, the sources, the purposes, and the categories of third parties with whom we share it (see "What we collect" and "When we share information" above).
- Right to delete the personal information we hold about you — use the "Delete account" flow in Settings, or email us.
- Right to correct inaccurate personal information — you can edit your display name, email, and avatar directly in Settings, or email us for any other correction.
- Right to opt out of the sale or sharing of personal information. We do not sell or share personal information (as those terms are defined by the CCPA).
- Right to limit the use of sensitive personal information — we do not use sensitive personal information for purposes that require a limit right under CPRA.
- Right to non-discrimination — you will not receive different service for exercising any of the rights above.
To exercise any of these rights, contact us at support@sounday.ai. We will verify your request by matching the email associated with your account and respond within 45 days.