Sonic EMS – Privacy Policy

1. Who We Are

Sonic EMS is operated and controlled by Sonic Digital Group Ltd. Sonic EMS is a trading name of Sonic Digital Group Ltd.

For UK data protection law (UK GDPR & Data Protection Act 2018), Sonic Digital Group Ltd is the data controller, unless stated otherwise.

Controller details

Trading name: Sonic EMS
Registered company: Sonic Digital Group Ltd
Email: dpo@sonicems.com
Supervisory authority: Information Commissioner's Office (ICO), UK

2. Scope

This policy explains how we handle personal data when you:

• Visit our website
• Contact us, request a demo, or create an account
• Use Sonic EMS
• Receive support, billing, and service communications

Where we process personal data on behalf of client organisations using Sonic EMS, Sonic Digital Group Ltd acts as a data processor and the client acts as the data controller (see Section 10).

3. Personal Data We Collect

Website & enquiries: name, email, organisation, phone, message content.

User accounts: name, email, roles/permissions, login identifiers, preferences, support history.

Billing/admin: billing contact, address, invoice/payment references, VAT info. We do not store full card numbers; payments are via third‑party processors.

Technical/usage: IP, device/browser/OS, access/audit/API logs, error/performance data.

Marketing (optional): subscription preferences, email engagement (opens/clicks).

4. How We Use Personal Data (Lawful Bases)

5. Cookies

We use cookies and similar technologies for:

• Essential functions (authentication, security) — no consent required
• Analytics (Google Analytics 4) — only with your consent

When you visit any page on Sonic EMS you will be shown a cookie-consent banner. You may choose Accept Analytics to enable Google Analytics 4 tracking, or Essential Only to decline analytics cookies. When you are signed in, your choice is stored in the database linked to your account so it applies consistently across all devices and browsers. You can review or change your preference at any time from the Notifications tab of your Staff Profile. If you are not signed in, your choice is stored in your browser’s local storage only.

Google Analytics 4

If you accept analytics, we use Google Analytics 4 (operated by Google Ireland Ltd / Google LLC, a data sub‑processor). Google Analytics collects pseudonymous usage data (pages visited, session duration, etc.) and associates it with an internal numeric user identifier — never your email address, name, or other personally-identifiable information. Data may be transferred to and processed in the United States under the EU–US Data Privacy Framework. For further information, see Google's Privacy Policy and the GA4 data safety guide.

The following pseudonymous data points are sent when analytics are active:

• Internal numeric user ID (not your email address or name)
• Internal numeric organisation (tenant) ID
• Whether the account is a system administrator (true or false)
• Application version number
• Calendar locale setting (e.g. en-GB)
• Page section (e.g. events, reports, staff)
• AJAX error events — HTTP status code and internal function name (no user data)
• Uncaught JavaScript error events — error message and source file path only

URL query strings are never included in any analytics event parameter.

You can also opt out of Google Analytics across all websites by installing the Google Analytics Opt-out Browser Add-on.

6. Data Sharing, Hosting, and Sub‑Processors

We only share personal data where it is necessary to operate Sonic EMS and deliver the service.

Primary hosting provider

IONOS Cloud Ltd – https://www.ionos.co.uk/
IONOS Cloud Ltd provides our core hosting infrastructure and acts as a data sub‑processor under appropriate contractual safeguards.

Other sub‑processors (as applicable)

• Email/notification services
• Payment processors
• Monitoring, logging, and error reporting
• Customer support/CRM tools
• Google Analytics 4 (Google Ireland Ltd / Google LLC) — analytics only when consent is granted

All sub‑processors are bound by data protection and confidentiality obligations and receive only the minimum data needed.

7. International Transfers

Some providers may process data outside the UK. Where this occurs, we implement appropriate safeguards (e.g., the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses) to protect personal data.

8. User Accounts, Company Linking, and Access Control

Sonic EMS uses a user‑owned account model. Accounts belong to the individual user.

Linking to a company

By linking an account to a company in Sonic EMS, the user authorises that company to access and process the user's data within the system, subject to roles/permissions. While linked, the company acts as a data controller for the personal data it accesses; Sonic EMS enforces access controls as a data processor.

Unlinking & loss of access

A user or a company may unlink at any time. Once unlinked, the company immediately loses access to all personally identifiable information (PII) for that user and can no longer view profile/contact details or communicate with the user via Sonic EMS.

Limited retention for auditing

After unlinking, the company may retain only:

• The user's name; and
• The events/shifts to which the user was assigned.

This limited retention is necessary for historical, contractual, and auditing purposes and complies with UK GDPR principles of data minimisation and purpose limitation.

9. Users Not Linked to Any Company

If a user is not linked to any company, we treat the account as inactive (but user‑controlled).

• We run a weekly check for unlinked users and email them to choose whether to keep or remove their account.
• If there's no response, the account is automatically removed 90 days after the first notice.
• If the user chooses to keep the account, we'll email again every 6 months to reconfirm.
• Users planning to work with another Sonic EMS venue may keep the account open; otherwise, they can remove it immediately.

Account closure

On removal, we securely delete the account and associated personal data, subject to minimal retention required for legal/auditing purposes (e.g., records described above).

10. Sonic EMS as a Data Processor (for Client Organisations)

When client organisations use Sonic EMS to manage events, staff/volunteers, participants, or attendees:

• The client is the data controller; and
• Sonic Digital Group Ltd (Sonic EMS) is the data processor.

Processed data may include attendee/participant details, staffing/shift assignments, communications sent via the platform, and audit/usage logs. Processing is governed by our Data Processing Agreement (DPA).

11. Security

• TLS encryption in transit; encryption at rest where supported
• Role‑based access control and least privilege
• MFA for privileged access
• Logging and audit trails
• Regular patching, vulnerability management, and monitoring
• Backups and tested restore procedures

12. Your Rights (UK GDPR)

You can access, rectify, erase, restrict, object, and port your personal data. Where we rely on consent, you can withdraw it anytime.

Contact: dpo@sonicems.com. You may also complain to the Information Commissioner's Office (ICO).

13. Children

Sonic EMS is not directed at children under 16. We do not knowingly collect children's data via the website.

14. Changes

We may update this policy from time to time. The latest version will be published here with the updated date above.

15. Contact

Sonic Digital Group Ltd (trading as Sonic EMS)
Email: dpo@sonicems.com