Privacy Policy

Last Updated: July 31, 2024

Sonar collects personal data as part of its Services, a personal wellbeing companion for youth that provides text coaching, identifies moments of distress and helps navigate the process of finding support, often in partnership with schools, school districts and other organizations supporting youth wellbeing. Given the nature of our Services, your privacy, and the privacy of all our users and stakeholders, is very important to us. Please read this Privacy Policy to learn how we treat your personal data. By using or accessing our Services in any manner, you acknowledge that you accept the practices and policies outlined below, and you hereby consent that we will collect, use, and share your information as described in this Privacy Policy.

Remember that your use of the Services is at all times subject to our Terms of Use, which incorporates this Privacy Policy. Any terms we use in this Privacy Policy without defining them have the definitions given to them in the Terms of Use.

What This Privacy Policy Covers

This Privacy Policy covers how we treat Personal Data that we collect from or about Participating Youth, parents or legal guardians of Participating Youth, Wellbeing Allies and other related parties or partners (e.g., their school). “Personal Data” means any information that identifies or relates to a particular individual and includes information referred to as “personally identifiable information” or “personal information” under applicable data privacy laws or regulations. This Privacy Policy does not cover the practices of Third Party Services. This Privacy Policy addresses our compliance with the Family Educational Rights and Privacy Act (FERPA), Children's Online Privacy Protection Rule ("COPPA") and Student Online Personal Protection Act (SOPPA).

Personal Data

Categories of Personal Data We Collect

This chart details the categories of Personal Data that we collect and have collected over the past 12 months and the categories of parties to whom we have disclosed this Personal Data:

Category of Personal Data

Profile or Contact Data

Examples of Personal Data We Collect

  • First and last name
  • Email
  • Phone number

Corresponding Category of Personal Data under Privacy Law

  • Identifiers
  • Customer Records
  • Sensitive personal information: consumer account log-in
  • Characteristics of protected classifications under State or federal law
  • Commercial information
  • Internet or network activity
  • Geolocation data
  • Audio and visual information
  • Professional or employment-related information
  • Education information
  • Inferences to create consumer profile
  • Sensitive personal information: precise geolocation
  • Sensitive personal information: racial or ethnic origin, religious or philosophical beliefs, or union membership
  • Sensitive personal information: health
  • Sensitive personal information: sex life or sexual orientation
  • Electronic and visual information
  • Sensitive personal information: social security, driver's license, state identification card, or passport number
  • Sensitive personal information: consumer account log-in
  • Sensitive personal information: email and text message contents

Category of Personal Data

Online Identifiers

Examples of Personal Data We Collect

  • Unique identifiers such as account names and passwords

Corresponding Category of Personal Data under Privacy Law

  • Identifiers
  • Customer Records
  • Sensitive personal information: consumer account log-in
  • Characteristics of protected classifications under State or federal law
  • Commercial information
  • Internet or network activity
  • Geolocation data
  • Audio and visual information
  • Professional or employment-related information
  • Education information
  • Inferences to create consumer profile
  • Sensitive personal information: precise geolocation
  • Sensitive personal information: racial or ethnic origin, religious or philosophical beliefs, or union membership
  • Sensitive personal information: health
  • Sensitive personal information: sex life or sexual orientation
  • Electronic and visual information
  • Sensitive personal information: social security, driver's license, state identification card, or passport number
  • Sensitive personal information: consumer account log-in
  • Sensitive personal information: email and text message contents

Category of Personal Data

Payment Data

Examples of Personal Data We Collect

  • Payment card type
  • Last 4 digits of payment card
  • Billing address, phone number, and email

Corresponding Category of Personal Data under Privacy Law

  • Customer Records

Category of Personal Data

Web and App Analytics

Examples of Personal Data We Collect

  • Web page and app activity, including session replay
  • Request IDs
  • IP addresses

Corresponding Category of Personal Data under Privacy Law

  • Customer Records

Category of Personal Data

Social Network Data

Examples of Personal Data We Collect

  • Social media handles
  • Social media posts and content submissions
  • Social media profile information, such as birthday and gender

Corresponding Category of Personal Data under Privacy Law

  • Identifiers
  • Customer Records
  • Sensitive personal information: consumer account log-in
  • Characteristics of protected classifications under State or federal law
  • Commercial information
  • Internet or network activity
  • Geolocation data
  • Audio and visual information
  • Professional or employment-related information
  • Education information
  • Inferences to create consumer profile
  • Sensitive personal information: precise geolocation
  • Sensitive personal information: racial or ethnic origin, religious or philosophical beliefs, or union membership
  • Sensitive personal information: health
  • Sensitive personal information: sex life or sexual orientation
  • Electronic and visual information
  • Sensitive personal information: social security, driver's license, state identification card, or passport number
  • Sensitive personal information: consumer account log-in
  • Sensitive personal information: email and text message contents

Category of Personal Data

Phone and Third-Party App Data

Examples of Personal Data We Collect

  • Accelerometer data
  • Motion
  • Keyboard inputs and usage patterns
  • Music and media app usage
  • Screen time and app usage
  • Ambient light (Android only)
  • Battery state and charging time (iOS only)
  • Call status (iOS only)

Corresponding Category of Personal Data under Privacy Law

  • Identifiers
  • Customer Records
  • Sensitive personal information: consumer account log-in
  • Characteristics of protected classifications under State or federal law
  • Commercial information
  • Internet or network activity
  • Geolocation data
  • Audio and visual information
  • Professional or employment-related information
  • Education information
  • Inferences to create consumer profile
  • Sensitive personal information: precise geolocation
  • Sensitive personal information: racial or ethnic origin, religious or philosophical beliefs, or union membership
  • Sensitive personal information: health
  • Sensitive personal information: sex life or sexual orientation
  • Electronic and visual information
  • Sensitive personal information: social security, driver's license, state identification card, or passport number
  • Sensitive personal information: consumer account log-in
  • Sensitive personal information: email and text message contents

Category of Personal Data

Other Information that You Voluntarily Choose to Provide

Examples of Personal Data We Collect

  • Information shared with us in chats, text messages, emails, or surveys

Corresponding Category of Personal Data under Privacy Law

  • Identifiers
  • Customer Records
  • Sensitive personal information: consumer account log-in
  • Characteristics of protected classifications under State or federal law
  • Commercial information
  • Internet or network activity
  • Geolocation data
  • Audio and visual information
  • Professional or employment-related information
  • Education information
  • Inferences to create consumer profile
  • Sensitive personal information: precise geolocation
  • Sensitive personal information: racial or ethnic origin, religious or philosophical beliefs, or union membership
  • Sensitive personal information: health
  • Sensitive personal information: sex life or sexual orientation
  • Electronic and visual information
  • Sensitive personal information: social security, driver's license, state identification card, or passport number
  • Sensitive personal information: consumer account log-in
  • Sensitive personal information: email and text message contents

Sources of Personal Data

We collect your Personal Data from the following sources:

  • Information You Provide Us. We collect Personal Data that you provide when you directly interact with us or our Services, such as when you register or communicate with us.
  • Information Other People Provide Us. For Youth Participants, we collect Personal Data about you that your Wellbeing Allies, our Wellbeing Companions and partner organizations provide when they directly interact with our Services.
  • Information We Collect Automatically. For Youth Participants, we collect Personal Information automatically from the social media accounts to which you have given us access about your social media profiles and activity and from data analytics providers about your interactions with our Services, the devices that you use with our services, your usage of the devices that you use with our Services (including your interactions with Third-Party Services), and survey responses that you provide directly to us or data analytics providers. For Mental Health Ally users, we collect Personal Information automatically from data analytics providers about your interactions with our Services.

Purposes for Collecting, Using, and Disclosing Personal Data

We collect, use, and disclose your Personal Data for the following business purposes:

  • Providing the Services. We collect, use, and disclose your Personal Data to provide the Services that you requested, including creating your account, authenticating your log-ins, providing customer service, communicating with you, analyzing your use of the Services and Third Party Services, generating Notifications, and processing payments. Third-party vendors perform some of these services for us. For the avoidance of doubt, the user data collected is used solely for these purposes and not for any other unauthorized activities. In the context of partnering with a school district, it is deemed that these purposes are Educational in nature.
  • Ensuring Security and Integrity. We collect, use, and disclose your Personal Data to detect security incidents that may compromise Personal Data, prevent fraudulent or other illegal activity, and identify Acute Risks to youth users or third parties.
  • Debugging. We collect, use, and disclose your Personal Data to identify and repair errors that impair the Services’ existing intended functionality.
  • Undertaking Research. We collect, use, and disclose your Personal Data to undertake internal research for technological development and demonstration. We may also disclose your Personal Data to trusted partners for research purposes.
  • Verifying and Maintaining the Services’ Quality and Safety. We collect, use, and disclose your Personal Data to verify and maintain the Services’ quality and safety.
  • Improving the Services. We collect, use, and disclose your Personal Data to improve, upgrade, and enhance the Services that we offer, including training our artificial intelligence, or other machine learning, models.

We use and disclose sensitive personal information for the purposes listed above, which includes purposes other than those specified under Cal. Civ. Code § 1798.121(a).

Sale and Sharing of Personal Data

We do not sell or share your Personal Data. We do not knowingly sell or share the Personal Data of consumers under age 16. We do not use Personal Data to create targeted advertising profiles or for any marketing purposes.

Personal Data Retention

We retain each category of your Personal Data for as long as you have an open account with us or as otherwise reasonably necessary to provide you with our Services. We may retain Personal Data for longer if doing so is necessary to comply with our legal obligations or if we need it for other legitimate purposes, such as to prevent harm and promote safety, security, and integrity; investigate possible violations of our Terms of Use; or protect ourselves, including our rights, property, or services. In that case, we will retain only the amount of Personal Data that is required to fulfill such purpose, and only for as long as is reasonably necessary to fulfill such purpose. If no such requirements exist, we will only retain data for 60 calendar days following the request.

In order to securely delete or destroy Personal Data when it is no longer needed, we will follow established procedures, including secure deletion from devices, encryption of stored data, and the physical destruction or shredding of paper records and storage media. We will also assess third-party vendors to ensure their compliance with secure disposal practices.

Business Transfers

Your Personal Data that we collect may be transferred to a third party if we undergo a merger, acquisition, bankruptcy or other transaction in which that third party assumes control of our business (in whole or in part). Should one of these events occur, we will make reasonable efforts to notify you before your information becomes subject to different privacy and security policies and practices.

Deidentified or Aggregated Data

We may create deidentified or aggregated data from the Personal Data we collect, including by removing information that makes the data personally identifiable to a particular user. We may use such deidentified or aggregated data and disclose it to third parties for lawful purposes, including to analyze, build and improve the Services and to market our business. We will maintain and use deidentified data in deidentified form only and not attempt to reidentify deidentified data, except for the purpose of determining whether our deidentification process is sufficient.

Third Party Vendors

We partner with the following third party vendors in order to provide our services: Intercom, Clerk, Ksana Health, PostHog, Amazon Web Services, Vercel, Sentry, Stripe, Typeform, GitHub and Squarespace.

All vendors are extensively vetted and are required to comply with all relevant acts, policies and regulations in order to protect user data accordingly.

Data Security

We seek to protect your Personal Data from unauthorized access, use and disclosure using appropriate physical, technical, organizational and administrative security measures based on the type of Personal Data and how we are processing that data. You should also help protect your data by appropriately selecting and protecting your password and/or other sign-on mechanism; limiting access to your computer or device and browser; and signing off after you have finished accessing your account. Although we work to protect the security of your account and other data that we hold in our records, please be aware that no method of transmitting data over the internet or storing data is completely secure.

Data Protection Measures

  • Encryption and Access Control. We use industry-standard AES-256 encryption for data at rest and TLS for data in transit. Access to confidential systems is restricted through Role-Based Access Control (RBAC) and multi-factor authentication (MFA), ensuring only authorized personnel access sensitive data.
  • Vendor and Third-Party Security. All vendors with access to Confidential data undergo security assessments aligned with our Third-Party Management Policy. Agreements clearly define responsibilities for protecting data, following standards such as SOC 2 and ISO 27001.
  • Secure Development and Cloud Protection. Applications follow secure-by-design principles, including least privilege and defense-in-depth. Cloud service providers are continuously evaluated for compliance with our security frameworks to prevent data breaches or service disruptions.
  • Incident Response and Monitoring. Our Incident Response Plan ensures swift detection, response, and remediation of potential security incidents. Systems are continuously monitored, and incidents are logged and escalated per defined severity levels.
  • Backup and Data Disposal. Regular backups ensure data availability, and restore tests are performed annually. Personal data is securely deleted or de-identified when no longer required, following NIST standards for data sanitization.
  • Employee Training and Awareness. Employees receive security awareness training upon hire and annually thereafter. Access to systems is removed immediately upon termination to prevent unauthorized access.
  • Compliance with Legal and Regulatory Standards. We follow GDPR, CCPA, and other applicable regulations, ensuring personal data is processed lawfully and transparently. Annual policy reviews ensure continued alignment with evolving legal requirements.

Data Breach Notification Procedure

In the event of a data breach, we will notify the affected individuals and their school within 30 calendar days and the relevant board of education (e.g., ISBE) within 10 business days in the event of a data breach involving student data. In this notification, we will provide the date of the breach, types of data affected, and steps taken to mitigate the breach. A data breach report will be posted on our website within 60 calendar days of a data breach.

Privacy Rights

Under law, individuals and partner organizations (e.g., school districts), where applicable, have the following privacy rights:

  • Right to Know. The right to request the following information about how we have collected and used your Personal Data: (i) the categories of Personal Data we collect; (ii) the categories of sources from which we collect your Personal Data; (iii) the business or commercial purpose(s) for collecting your Personal Data; (iv) the categories of third parties to whom we disclosed your Personal Data; (v) the categories of third parties to whom we disclosed your Personal Data; and (vi) the specific pieces of Personal Data we have collected about you in a portable and, where technically feasible, readily usable format that allows you to transmit the data to another entity.
  • Right to Request Correction. The right to correct inaccurate Personal Data maintained by us.
  • Right to Request Deletion. The right to request that we delete your Personal Data, subject to certain defined exceptions.
  • Right to Limit the Use or Disclosure of Sensitive Personal Information. The right to request that we limit our processing of sensitive personal information to the purposes specified under Cal. Civ. Code § 1798.121(a).
  • Right to Non-Discrimination. The right not to receive discriminatory treatment for exercising your privacy rights.

To submit a request to exercise your privacy rights, including to access, review, request corrections or delete user data, please contact us at support@sonarmentalhealth.com. To submit a request to exercise your right to limit, you can also click “Limit the Use of My Sensitive Personal Information.” If you are under 13, your parent or guardian must make any request to exercise your right to know, request correction, or request deletion.

Please note that, depending on the nature of your request, we may need additional information to verify your identity, or, as applicable, the identity of your parent or guardian, including, without limitation, name, address, telephone number, and/or email addresses. We will use any information you submit only to fulfill your request.

You may use an authorized agent to submit a request to exercise your privacy rights. If you would like to designate an authorized agent, we will require you to submit an email or letter confirming that you authorize your agent to submit the request and including information that allows us to verify your identity. This verification process is not necessary if your authorized agent provides documentation showing that the authorized agent has power of attorney to act on your behalf.

Nevada Resident Rights

If you are a resident of Nevada, you have the right to opt-out of the sale of certain Personal Data to third parties who intend to license or sell that Personal Data. You can exercise this right by contacting us at support@sonarmentalhealth.com with the subject line “Nevada Do Not Sell Request” and providing us with your name and the email address associated with your account.

Additional Information Regarding the Privacy of Users under the Age of 13

This section contains additional information regarding the privacy of users under the age of 13. We disclose Personal Data collected from users under the age of 13 to third parties. The types of Personal Data collected from users under the age of 13, how that Personal Data is collected, the types of third parties that receive that Personal Data, and how we and those third parties use that Personal Data is described in the “Personal Data” section.

We do not enable a user under the age of 13 to make Personal Data publicly available. Due to the nature of our Services, we do collect a wide variety of Personal Data from Participating Youth, including Participating Youth under 13; however, we will not require a user under the age of 13 to disclose more Personal Data than is reasonably necessary to use our Services.

A parent or guardian of a user under the age of 13 can review that user’s Personal Data, have that user’s Personal Data deleted, or refuse to permit further collection or use of that user’s Personal Data by contacting us at support@sonarmentalhealth.com. We will give the parent or guardian of a user under the age of 13 the option to consent to the collection and use of that user’s Personal Data without consenting to the disclosure of the user’s Personal Data to third parties.

Additional Information Regarding Compliance With the Family Educational Rights and Privacy Act (FERPA) and Student Online Personal Protection Act (SOPPA)

In order to provide our service, we often partner with schools and school districts. In addition to the policies outlined in this agreement, we also sign a Data Privacy Agreement with each school or district partner, which outlines specific data protection obligations. Partners or regulatory bodies can request an audit to verify our compliance with these Acts. We will respond to requests within 60 calendar days of receipt.

Changes to this Privacy Policy

We're constantly trying to improve our Services, so we may need to change this Privacy Policy from time to time, but we will alert you to any such changes by placing a notice on the Sonar website, by sending you an email and/or by some other means. Please note that if you've opted not to receive legal notice emails from us (or you haven't provided us with your email address), those legal notices will still govern your use of the Services, and you are still responsible for reading and understanding them. If you use the Services after any changes to the Privacy Policy have been posted, that means you agree to all of the changes. Use of information we collect is subject to the Privacy Policy in effect at the time such information is collected.

Contact Information

If you have any questions or comments about this Privacy Policy, the ways in which we collect and use your Personal Data or your choices and rights regarding such collection and use, please do not hesitate to contact us at:

Website: www.sonarmentalhealth.com

Email: support@sonarmentalhealth.com

Phone: 650-400-6375

Address: 2108 N ST # 9120, Sacramento, CA 95816

If you, your child, or someone you know is in crisis, call or text 988 for the Suicide and Crisis Lifeline, or dial 911. You’re never alone.