Commitment to Privacy
Sono IT (“We”) offers software as a service to our customers (“You”), which includes use of the mobile and web applications, online databases, browser interfaces and documentation (“Service”), and provides the Service to You under the terms of our Service use agreement.
Protection and privacy of data of our customers are very important to us. This policy statement is created to provide You with transparent information and guidelines about the privacy and data protection aspects of the Service, as well as its compliance with applicable laws and regulatory obligations.
This policy also describes your choices regarding use, access and correction of personal data of your employees and your customers (“Data Subjects”), so you can better understand Sono IT practices and ensure they are consistent with any privacy notices you have made available to them.
Scope of Policy
This Privacy Policy describes how Sono IT collects, receives, accesses, uses and discloses certain personal data received in connection with the Service, and governs Sono IT’s use of such personal data to provide the Service to you pursuant to our agreement.
This Privacy Policy does not apply to information collected by Sono IT from visitors to the sonoit.eu website, for purposes unrelated to the Service, or information collected by Sono IT through other offerings. For information about how Sono IT collects, uses and discloses information through sonoit.eu and other Sono IT offerings, please see the Sono IT Privacy Statement.
Data Processed and Purposes of Processing
Sono IT Service collects and processes two kinds of personal data: Customer Information and Client Information.
Customer Information is information that we receive from you, or from a third party at your direction, about your Data Subjects. We collect only the Customer Information that you provide to us, direct us to collect, or access to provide services to you. Customer Information may include personal data about different types of individuals, including: consumers, employees, and other business partners. Such personal data may include basic contact information, such as name, postal address, email address and phone number, as well as more sensitive personal data, such as financial information, demographic information, purchase information, market-research information, and employee performance information. Indeed, Sono IT may, upon your instruction, obtain any type of data about any type of individual that you upload to our products, send to us through online or offline mechanisms, or direct us to collect from third-party aggregators.
We operate under the assumption that it is your obligation as a data controller to notify individuals whose personal data may be included in your Customer Information about the personal data you collect and the purposes for which you collect it, to obtain their consent to our processing of their personal data, where required, and to ensure that such personal data is reliable for its intended use, accurate, complete and current. We have no direct relationship with the individuals whose personal data is included in the Customer Information we process.
We collect and process Customer Information only for the purpose of providing the Service to you and in accordance with our agreement with you. In certain situations, we may supplement Customer Information provided by you with information from other sources. This is done only when you specifically request, and we agree to, such supplementation. This supplementation of Customer Information is for the sole purpose of providing Service to you. We will retain Customer Information for the duration stipulated in our agreement with you, or longer, as necessary to comply with our legal obligations, resolve disputes or enforce our agreements.
Client Information is personal data about people in your organization, such as users who interact with the Service. Client Information usually is limited to name, work email address, work phone number and job title. We collect Client Information through online forms, email, phone and other written means that you use to provide it to us.
We use Client Information to authorize the use of the Service, support your account, maintain our business relationship with you, respond to your inquiries and perform accounting functions.
Sono IT may additionally use Customer Information and Client Information for the following purposes:
- To maintain and upgrade the system. Our technical staff may require periodic access to services data that may include Customer Information or Client Information, to monitor system performance, test systems, and develop and implement upgrades to systems. Any temporary copies of such services data created as a necessary part of this process are maintained only for time periods relevant to those purposes.
- To address performance and fix issues. On occasion, we may develop new versions, patches, updates and other fixes to our programs and services, such as security patches that address newly discovered vulnerabilities.
- To meet legal requirements. Sono IT may be required to provide personal data to comply with legally mandated reporting, disclosure or other legal process requirements when we believe, in our sole discretion, that disclosure is necessary to protect our rights, or to respond to a government request.
Data Subject Rights and Choices
The EU General Data Protection Regulation (GDPR), Swiss Federal Act on Data Protection and UK GDPR/Data Protection Act require that data subjects have rights to access personal data about themselves that an organization holds and, more specifically, a right to: (1) obtain confirmation whether personal data about them is being processed; (2) have the data communicated to them so they may verify its accuracy and the lawfulness of the processing; and (3) have the data corrected, amended or deleted.
With respect to Customer Information, we operate under the assumption that it is your obligation as data controller to provide your data subjects a means of accessing their data and requesting that such data be corrected, amended or deleted. Under our current business model, we have no direct interaction with your data subjects, and, therefore, have no direct way for them to submit these requests to us. If you are a Sono IT Service customer, and you receive such a request from a data subject about whom we host personal data, and you would like our assistance in responding to that request, please contact our privacy office at dpo@sonoit.eu. We will respond to requests within 30 days of receipt.
With respect to Customer Information, we operate under the assumption that it is your obligation as data controller to obtain from your data subjects the appropriate consent to transfer their data to us and for us to process their data, to provide agreed-upon services to you and to disclose their data to third parties, consistent with this Policy and our agreements with you. We will not share, sell, rent or trade with third parties for their marketing purposes any Customer Information collected by us, unless you direct us to do so and have the appropriate authorization to do so. If your data subject would no longer like to be contacted by you or by Sono IT at your direction, please inform the data subject to contact you, as a Sono IT customer, directly.
With respect to Client Information, certain Sono IT SaaS systems enable users to access and amend or correct their own personal data. Otherwise, if you or your users would like to request access to or correction of Client Information, please contact our privacy office at dpo@sonoit.eu. We will respond to requests within 30 days of receipt.
We will not use or disclose Client Information for purposes that are materially different than those described in this Policy, or subsequently authorized, without offering data subjects a choice to opt out of such uses or disclosures.
Data Security and Protection
We take reasonable measures that are designed to protect personal data from loss, misuse and unauthorized access, disclosure, alteration and destruction. Some of our security measures include the following:
- Employee training and responsibilities. We take certain steps to reduce the risks of human error, theft, fraud and misuse of our facilities. We train our personnel on our privacy and security policies, and we require our employees to sign confidentiality agreements. We also have assigned to an individual the responsibility to manage our information security program.
- Access control. We limit access to Customer Information to only those individuals who have an authorized purpose for accessing that information. We terminate those access privileges following job change or termination.
- Data encryption. All electronic transfers of non-public Customer Information between you and Sono IT (including sensitive personal data and sign-on credentials) are required by Sono IT to be done through encrypted connections. All Customer Information and Client Information collected by the Sono IT Service for the purposes outlined in this Policy is required by Sono IT to be stored and archived in encrypted form, readable only within the scope of authorized use of the Service.
- Data anonymization. Our Service systems will apply anonymization to Customer Information that may be scheduled for deletion but still cannot be permanently deleted due to technical restrictions related to maintaining the integrity of other data in the general Service database that depends on it.
If we confirm that your Customer Information has been accessed or used by unauthorized individuals, we will contact your designated representative to coordinate our response to the incident. If you have any questions about the security of your personal information, you can contact us at dpo@sonoit.eu.
We keep your personal data for as long as necessary to fulfill the purposes outlined in this Policy, to adhere to our policies, and for any period as legally required or permitted by applicable law.
Onward Transfers to Third Parties
We will not disclose personal data to third parties for purposes other than those described in this Policy, except at your direction and with your authorization. Disclosures of personal data will be carried out in accordance with applicable data protection laws relating to onward transfers. We will not sell, rent or lease your personal data to others.
Sono IT may also disclose personal data as required or permitted by law, such as in response to lawful requests by public authorities, including to meet national security or law enforcement requirements, or when we believe in our sole discretion that disclosure is necessary or appropriate to protect our rights or to comply with a judicial proceeding, court order, law enforcement request or other legal process.
Sono IT is a company headquartered in Croatia, a member state of the European Union, with customers and business partners in more than 15 countries and with technical systems hosted and located in the EU. Personal data collected on Sono IT Service systems may be transferred across country borders and stored or processed in Croatia or any other country within the EU in which Sono IT maintains facilities for the purposes of data consolidation, storage and information management. By using our systems, your organization consents to any such transfer of information outside of your country of residence. Sono IT will handle your information collected by our systems in a consistent manner, as described here, even if the laws in some countries may provide less protection for your information.
Inquiries and Complaints
If you have questions or concerns regarding this Policy or our handling of your personal data, you should first contact us by sending an email to dpo@sonoit.eu or by regular mail to the attention of:
Sono IT d.o.o.
Slavonska avenija 26/1
10000 Zagreb
Croatia
Att: DPO Sono IT
We will respond within a reasonable time frame.
Changes to This Policy
We reserve the right to modify this Policy at any time. It is your responsibility to request the current version of this document at your preferred interval.
Effective Date: Jan 1, 2025
Latest Revised Date: Feb 18, 2025