Privacy Policy
Last updated: April 18, 2026
What this policy covers
This Privacy Policy explains how Sounday ("we," "us") collects, uses, and shares information when you use our website, apps, and embedded player (the "Services"). It also explains your privacy choices and rights.
Who we are
Sounday is the data controller for personal information processed to provide and improve the Services. If you have questions, contact us at support@sounday.ai.
What we collect
We collect information from three places:
Information you provide
- Account information (email address, display name, profile photo).
- Station configuration (topics, sources, station name, public/private setting).
- Content you submit (links, documents, optional text).
- Messages you send to support.
Information we collect automatically
- Playback events (which episodes you start, completion, duration listened).
- Server access logs (IP address, request path, user agent) for security and reliability.
- A single consent cookie (sounday-consent) recording your cookie-banner choice. No advertising or cross-site tracking cookies are used.
Sounday does not currently ship any third-party product-analytics tracker (e.g. Google Analytics, Segment). If we add one in the future, it will only activate after you explicitly accept analytics in the cookie banner, and it will be named in the sub-processor list below.
Information from connected sources
- RSS feed URLs you add and the items retrieved from those feeds (titles, URLs, dates, and extracted text).
- Emails you forward to your ingest address. When you forward a newsletter or message to your workspace's @ingest.sounday.ai address, we receive and store the sender address, subject, and full email body. This inbox is used to power a future "include forwarded newsletters in your episode" feature; that processing is not yet live. Whether or not the content has been used, inbound emails are automatically deleted 7 days after receipt.
How we use information
- Provide the service: create stations, fetch source content, generate scripts and audio, and enable playback.
- Personalize your experience: language and voice preferences, topic relevance, playback settings.
- Operate public stations: if you make a station public, we display station pages, provide RSS feeds, and support sharing.
- Maintain safety and security: prevent fraud, enforce policies, debug reliability issues.
- Improve Sounday: understand feature usage and performance.
- Communicate with you: send service messages (e.g., "Your briefing is ready") and optional marketing if you opt in.
Legal basis for processing (GDPR)
If you are in the EU, UK, or another jurisdiction with similar rules, we rely on the following lawful bases under Article 6 of the GDPR:
| Processing activity | Lawful basis |
|---|---|
| Creating and operating your account; generating episodes; delivering audio | Contract — Art. 6(1)(b) (performance of the terms of service) |
| Transactional email (magic links, invitations, episode-ready notifications) | Contract — Art. 6(1)(b) |
| Storing inbound emails you forward to your ingest address | Contract — Art. 6(1)(b); deleted after the 7-day retention window |
| Optional product analytics (if/when enabled after banner opt-in) | Consent — Art. 6(1)(a); revocable at any time |
| Optional marketing email | Consent — Art. 6(1)(a); revocable via the unsubscribe link |
| Optional Telegram delivery | Consent — Art. 6(1)(a); revocable by disconnecting the integration |
| Security logging, abuse detection, rate limiting | Legitimate interests — Art. 6(1)(f) (operating a safe service) |
| Responding to legal requests; retaining records where required | Legal obligation — Art. 6(1)(c) |
How AI and audio generation works
Sounday generates scripts and audio from the sources you select. This involves:
- Fetching and extracting text from your sources (RSS feeds, forwarded emails, or content you upload).
- Sending that source text to our AI sub-processor, OpenAI, to generate a script and synthesize it into audio. This is the only AI provider we currently use.
- Storing the generated audio so you can listen.
Sounday does not use your content to train AI models, and under the OpenAI API data policy, OpenAI does not use content submitted through the API to train or improve their models either. OpenAI retains API content for up to 30 days for abuse and misuse monitoring, after which it is deleted. You can review their current policy at openai.com/enterprise-privacy.
You can delete stations and episodes at any time, and remove sources to stop future ingestion.
When we share information
Service providers (sub-processors)
We use the following vendors to operate Sounday. They process personal data on our behalf under data processing agreements that restrict how they may use it.
| Vendor | Purpose | Data categories | Location |
|---|---|---|---|
| Supabase | Authentication, session management | Email, authentication metadata | EU / US |
| Amazon Web Services (AWS) | Application hosting, database, object storage, job queues | All application data at rest (encrypted) | US (us-east-1) |
| OpenAI | Script generation (LLM) and voice synthesis (TTS) | Source article text, generated scripts | US |
| Resend | Outbound transactional email (magic links, notifications, digests) | Recipient email, email content | US |
| Postmark | Inbound email parsing (the ingest address) | Raw emails you forward to your ingest address | US |
| Mixpanel | Product analytics (only with your consent) | Pseudonymous user ID, event names, device/browser metadata | EU (residency enabled) |
| Telegram | Optional delivery channel for episodes (opt-in per user) | Telegram chat ID, episode metadata, audio URL | Global |
Our AI sub-processor (OpenAI) processes content solely to generate scripts and audio on your behalf. Under the OpenAI API data policy, this content is not used to train their models and is retained only for a short abuse-monitoring window.
Public stations
If you make a station public, your station page and episodes are accessible to anyone. If you share an episode link, the recipient can listen without an account.
Legal and safety reasons
We may disclose information if required by law, to respond to lawful requests, or to protect users, the public, and Sounday.
Business transfers
If Sounday is involved in a merger, acquisition, or asset sale, information may be transferred as part of that transaction. We will notify you of any such change.
We do not sell your personal information.
Your choices and controls
- Privacy settings: manage notifications, public/private station settings, and email preferences in your account.
- Delete content: delete episodes, stations, and your account at any time.
- Access and export: request a copy of your information by contacting us.
- Marketing: opt out via the unsubscribe link in emails or in your notification settings.
Data retention
We keep information only as long as needed for the purposes described above, unless a longer period is required by law. The table below reflects what the current code actually does, not aspirational retention targets.
| Data | Retention |
|---|---|
| Inbound (forwarded) emails | 7 days from receipt — automatically deleted. |
| Generated episode audio & scripts | 30 days from generation, or until you delete the episode (whichever comes first). Audio is hard-deleted from storage; scripts and source snapshots are cleared. |
| Public episode share links | 6 months from creation — after that the link shows an "episode no longer available" page. |
| Account data after you request deletion | 14-day grace period during which you can cancel. After the grace period, your account, workspaces, stations, episodes, and audio are permanently removed. |
| Server & security logs | Approximately 90 days. |
| Encrypted database backups | Up to 7 days (AWS RDS automated backups). |
| Content sent to OpenAI | Up to 30 days, retained by OpenAI for abuse monitoring only; not used to train their models. |
| Playback events (if/when analytics is enabled) | Up to 13 months at event level; aggregated data may be kept longer. |
Encrypted backups may contain deleted records for up to a further 7 days after the grace period closes, before they are overwritten on the next backup cycle.
Security
We use technical and organizational measures to protect your information:
- TLS / HTTPS for all traffic between your device and our servers.
- Encryption at rest for our database (AWS RDS, AES-256) and object storage (AWS S3, AES-256).
- Source credentials (API keys for private feeds) are encrypted with a dedicated key before being written to the database.
- Access to production data is limited to authorized Sounday personnel with operational need, authenticated via individual credentials and logged.
- Webhook endpoints (inbound email) are authenticated with a shared secret compared in constant time.
- SSRF protection on all outbound fetches (RSS feeds, station webhooks) — private/internal addresses are blocked, and redirects are re-validated on every hop.
No method of transmission or storage is completely secure, but we work to protect your data using industry-standard practices.
International transfers
Sounday's primary hosting region is AWS US East (N. Virginia, us-east-1). Our database, application servers, generated audio, inbound email storage, and job queues are located in the United States. Several sub-processors (see list above) also process data in the United States.
If you are located in the EEA, UK, or Switzerland, your data will be transferred to and processed in the United States. We rely on:
- Standard Contractual Clauses (European Commission Implementing Decision 2021/914) as the primary transfer mechanism with our US-hosted sub-processors.
- UK International Data Transfer Addendum for transfers from the UK.
- EU-US Data Privacy Framework certification where our sub-processor is certified and we rely on it.
- Encryption at rest and in transit, access controls, and short retention windows as supplementary measures.
You can request a copy of the specific transfer mechanism applied to any particular sub-processor by contacting us at support@sounday.ai.
Children
Sounday is not directed to children under 16. If you are a parent or guardian and believe a child has provided personal information to us, please contact us to request deletion.
Cookies and tracking
We use strictly necessary cookies to operate the website and app (e.g., authentication, security). With your permission where required by law, we may use optional cookies for analytics and improvement. You can manage your preferences through our cookie settings or your browser.
Changes to this policy
We may update this policy from time to time. If changes are material, we will provide notice in the app or on our website. Your continued use of the Services after changes take effect means you accept the updated policy.
Contact us
For questions, requests, or complaints about this Privacy Policy or your data:
- Email: support@sounday.ai
If you are in the EU/UK, you also have the right to lodge a complaint with your local data protection authority.
Version history
Every material change to this policy is recorded here. The "Last updated" date at the top of the page matches the most recent entry.
- April 18, 2026 — Named specific sub-processors (Supabase, AWS, OpenAI, Resend, Postmark, Mixpanel, Telegram). Added a lawful-basis table (GDPR Art. 6). Clarified OpenAI retention (30 days, no model training). Reconciled retention numbers with code: 14-day account-deletion grace, 7-day inbound-email TTL, 30-day episode audio retention, 6-month public share-link validity. Documented primary hosting in AWS us-east-1 and the Standard Contractual Clauses used for EU/UK transfers. Added CCPA right-to-correct language. Described the access controls and SSRF protections applied to your data.
- April 6, 2026 — Initial Privacy Policy published.
California residents
If you are a California resident, you have additional rights under the California Consumer Privacy Act, as amended by the California Privacy Rights Act (CCPA/CPRA):
- Right to know what categories of personal information we collect, the sources, the purposes, and the categories of third parties with whom we share it (see "What we collect" and "When we share information" above).
- Right to delete the personal information we hold about you — use the "Delete account" flow in Settings, or email us.
- Right to correct inaccurate personal information — you can edit your display name, email, and avatar directly in Settings, or email us for any other correction.
- Right to opt out of the sale or sharing of personal information. We do not sell or share personal information (as those terms are defined by the CCPA).
- Right to limit the use of sensitive personal information — we do not use sensitive personal information for purposes that require a limit right under CPRA.
- Right to non-discrimination — you will not receive different service for exercising any of the rights above.
To exercise any of these rights, contact us at support@sounday.ai. We will verify your request by matching the email associated with your account and respond within 45 days.