Skip to main content
← Back

Privacy Policy

Effective April 29, 2026 · Last updated April 29, 2026

This Privacy Policy explains how Human Frontier Labs Inc.(“Sontara,” “we,” or “us”) handles personal information when you use sontara.ai, our mobile applications, and related services (the “Service”). We’ve tried to write this in plain English. If anything is unclear, email privacy@sontara.ai.

1. The short version

  • We collect what we need to run your account and your AI agents, and nothing more.
  • We don’t sell your data, train AI models on your conversations, or run third-party advertising.
  • Conversations and files you send through the Service are processed by Sontara-managed AI infrastructure. Legacy bring-your-own-key accounts may still use their configured provider.
  • You can delete your account at any time from inside the app or by emailing us.

2. Information we collect

2.1 Information you give us

  • Account information.When you sign in with Google or Apple, we receive your email address and name from your authentication provider. If you sign in with Apple and choose “Hide My Email,” we receive only Apple’s private relay address.
  • Subscription information. If you subscribe to a paid plan, we receive a customer reference and subscription status from our payment processor. We do not receive or store your card number, CVC, or full billing address.
  • Agent configuration.The names you give your agents, your plan’s model configuration, the autonomy policy you set, and the channels you connect.
  • Channel and integration credentials.When you connect external services (e.g. Telegram, Slack, Discord), you provide tokens or OAuth credentials so your agent can interact with those platforms. We store them in encrypted form and use them only to operate the connections you set up.

2.2 Information generated by your use of the Service

  • Conversations and files. Messages between you and your agent, and any files you upload, are stored alongside your agent so it can remember context across sessions.
  • Usage metrics.Aggregate metrics about your agent’s activity (such as message counts and tokens consumed) for billing and capacity planning.
  • Diagnostic logs. Standard server logs we use for troubleshooting and security. We do not intentionally log message content. Logs are retained for a limited period and then deleted.

2.3 Mobile-app specifics

  • On-device data. Your sign-in token is stored in iOS Keychain or Android Keystore (encrypted by the operating system). The app remembers basic UI state.
  • Microphone & speech recognition.Voice input is transcribed by your device’s built-in speech recognizer. When an offline language model is installed it stays on your device; otherwise your operating system’s speech recognizer (Apple or Google) transcribes it, subject to that provider’s terms. Sontara does not record, store, or receive your raw audio — only the resulting text is sent to your agent.
  • No advertising or analytics SDKs. The mobile app does not embed third-party analytics or ad-tracking.

3. How we use information

We use the information described above to:

  • Operate, maintain, and improve the Service;
  • Authenticate you and protect your account;
  • Process payments and manage subscriptions;
  • Provide your agent with the credentials it needs to talk to channels and legacy AI providers you have connected;
  • Detect, investigate, and prevent fraud, abuse, and security incidents;
  • Communicate with you about service updates, billing issues, and support requests;
  • Comply with legal obligations and enforce our Terms of Service.

We do not use your conversations, files, or agent memory to train AI models, profile you for advertising, or share with data brokers.

4. Service providers

We engage third parties to help operate the Service. Their roles fall into a small number of categories:

  • Authentication. A third-party identity provider handles sign-in (Apple, Google) and session management.
  • Payments. A PCI-compliant payment processor handles all card data and billing. We never see card numbers.
  • Cloud infrastructure.Reputable cloud providers host our application, database, and your agent’s runtime environment. All data is encrypted in transit and at rest.
  • AI inference.New accounts use Sontara-managed inference. Legacy bring-your-own-key accounts may still route requests to the provider they configured; that provider’s privacy policy applies to the data they process.

We bind each provider by contract to confidentiality and appropriate security. A current list of subprocessors with specifics is available to enterprise customers, regulators, and auditors on request via privacy@sontara.ai.

5. Google Workspace data and Limited Use

When you connect a Google account, Sontara requests access to Gmail, Google Calendar, Google Drive, Docs, Sheets, and Slides so your agent can read, draft, send, and organize on your behalf. We request the following Google API scopes and use each only for the features you connect it for:

  • Gmail (read, compose, send, modify). Read, search, draft, send, reply to, and organize the messages your agent acts on at your direction.
  • Google Calendar. Read and manage the calendar events you ask your agent to handle.
  • Google Drive. Find, read, create, and update the files your agent works with.
  • Docs, Sheets, and Slides. Read and edit the documents, spreadsheets, and presentations your agent works with.
  • Account email. Identify which Google account is connected.

Limited Use commitment.Sontara’s use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:

  • We use Google Workspace data only to provide and improve the user-facing features you connected it for.
  • We do not transfer or sell Google Workspace data, except as necessary to provide or improve those features, to comply with applicable law, or as part of a merger or acquisition with appropriate notice.
  • We do not use Google Workspace data for advertising.
  • We do not allow humans to read your Google Workspace data unless (a) you give explicit consent for specific messages or files, (b) it is necessary for security purposes such as investigating abuse, (c) we are required to by applicable law, or (d) the data has been aggregated and anonymized for internal operations.
  • Google Workspace data is never used to train or improve generalized AI or machine-learning models. Your agent uses it only in the moment, to perform the task you asked for, inside your isolated agent instance.

You can revoke Sontara’s access at any time at myaccount.google.com/permissions or by disconnecting the integration in the app. Revoking access invalidates and deletes the stored authorization token.

6. International data transfers

Sontara is operated from the United States. If you access the Service from outside the U.S., your information will be transferred to and processed in the U.S. and other jurisdictions where our service providers operate. By using the Service, you consent to this transfer.

7. Data retention

We retain personal information for as long as your account is active or as needed to provide the Service. After you delete your account, we delete or anonymize your information within a reasonable period, except where we are required to retain it for legal, tax, accounting, or fraud-prevention purposes (for example, payment records may be retained by our payment processor for several years to satisfy tax and PCI compliance obligations).

8. Your rights

Regardless of where you live, you can:

  • Access the personal information we hold about you.
  • Correct inaccurate information.
  • Delete your account from inside the app or by emailing us.
  • Export your data on request.
  • Object or restrict certain processing where applicable law gives you that right.

European Economic Area, United Kingdom, and Swiss residents have additional rights under the GDPR (and UK equivalent), including the right to lodge a complaint with your data-protection authority. California residents have rights under the CCPA / CPRA, including the right to know, the right to delete, the right to correct, and the right to opt out of the “sale” or “sharing” of personal information — we do neither.

To exercise any right, email privacy@sontara.ai. We may ask you to verify your identity before fulfilling certain requests.

9. Children

Sontara is not directed to children under 13, and we do not knowingly collect personal information from anyone under 13. If you believe a child has provided us with personal information, contact privacy@sontara.ai and we will delete it.

10. Security

We use industry-standard practices to protect your information, including encryption in transit and at rest, isolation of your agent’s runtime from other customers’, access controls on internal systems, and the principle of least privilege for engineering access. No system is perfectly secure; if you become aware of a vulnerability, please report it to privacy@sontara.ai.

11. Changes to this policy

We may update this Privacy Policy from time to time. When we make material changes we will notify you by email or in-app notice and update the “Last updated” date above. Continued use of the Service after a change indicates your acceptance.

12. Contact

Questions, concerns, or requests under this policy should go to privacy@sontara.ai.

Human Frontier Labs Inc., a Delaware corporation.