Privacy Policy

Version 3.3

Publication date: May 13, 2026 · Effective date: May 13, 2026

Plain-language summary We are SONIX SA, the Swiss company behind SONIX (sonix.gg and sonixapp.com, including all subdomains such as arena.sonix.gg, and the SONIX desktop and mobile apps). This is what we want you to know up front: • Pulsar voice is never recorded, transcribed, or analysed. • We don‘t profile you for advertising. We don’t run behavioural ads. • We don’t train AI models on your content, voice, or messages. • We don’t sell your personal information. • You can see, correct, export, or delete your data at any time. Below we explain in detail what data we collect, why, for how long, and what your rights are.

Table of contents

1. Who we are and how to contact us
2. Scope of this Privacy Policy
3. Our six privacy commitments
4. Personal data we collect
5. How we use your data (and our lawful basis)
6. Voice in Pulsar — our strongest commitment
7. Arena, Orbital, and third parties
8. Cookies and similar technologies
9. Service providers and sub-processors
10. International data transfers
11. How long we keep your data (retention schedule)
12. Security
13. Your rights
14. Children’s privacy (under 13 / 16)
15. Schools and institutional deployments (FERPA)
16. Marketing communications
17. Automated decisions and profiling
18. Data breach notifications
19. Changes to this Privacy Policy
20. How to contact us and complain

1. Who we are and how to contact us

Plain-language summary We are SONIX SA, in Switzerland. We are the data controller of your personal information. For any privacy question, email privacy@sonix.gg.

SONIX is operated by SONIX SA (“SONIX”, “we”, “us”, “our”), a company incorporated under the laws of Switzerland, registered under CH-550-1185270-2, with registered office at Rue de Genève 100, 1004 Lausanne, Switzerland. SONIX SA was previously known as TYXIT SA; references to TYXIT SA in earlier versions of these documents should be read as references to SONIX SA.

SONIX SA is the data controller of the personal information we collect through the Services, except where this Privacy Policy or a separate written agreement (such as an Institutional Customer Agreement with a school) provides otherwise.

Privacy contacts

• Privacy and data protection questions: privacy@sonix.gg
• Postal address: SONIX SA, Rue de Genève 100, 1004 Lausanne, Switzerland
• Designated privacy contact (Switzerland and EU): privacy@sonix.gg

2. Scope of this Privacy Policy

Plain-language summary This policy covers all of SONIX: our websites, the desktop app, the mobile app, and the three modules (Pulsar, Arena, Orbital), plus the Supersonix subscription.

This Privacy Policy applies to personal information we process when you use:

• our websites at sonix.gg and sonixapp.com (including all subdomains, such as arena.sonix.gg);
• the SONIX desktop application;
• the SONIX mobile application (iOS and Android);
• our three product modules: Pulsar (voice and chat), Arena (tournaments), and Orbital (mini-games);
• our Supersonix subscription and any other paid features;
• our customer support, our developer programs, and our institutional offerings.

Specific terms apply in addition to this policy where you use SONIX in particular ways: see Section 7 (Arena and Orbital), Section 15 (Schools), and the Cookies Policy.

3. Our six privacy commitments

Plain-language summary These six commitments are how SONIX is different. They apply to every user, regardless of age, country, or subscription status.

Commitment 1 — Voice stays private

Pulsar voice and video are never recorded, transcribed, or analysed by SONIX. We do not store voice content. We do not extract voiceprints. We do not run speech recognition or emotion detection. Voice passes through our servers in real time and is gone when the call ends.

Commitment 2 — No behavioural advertising

We do not show you advertisements based on a profile of you. We do not allow ad networks to track you across the Services. We do not share your behavioural data with advertisers.

Commitment 3 — No AI training on your content

We do not use your content, voice, messages, or any other personal information to train artificial intelligence or machine learning models. Where we use machine learning to improve specific features (such as anti-cheat or voice quality), we use only aggregated, anonymised, non-personal signals — not your identifiable content.

Commitment 4 — No sale of personal data

We do not sell your personal information. We do not rent it. We do not licence it for commercial use by third parties for their own marketing purposes.

Commitment 5 — Minimal data collection

We collect what we genuinely need to run the Service, support you, prevent abuse, and meet our legal obligations. Nothing more. We do not collect special-category data (racial or ethnic origin, religious beliefs, health, sexual orientation, biometrics, political opinions, etc.) — except where you voluntarily include such information in your content, which we cannot prevent.

Commitment 6 — Your rights, made easy

You can access, correct, export, restrict, or delete your data at any time. Most actions can be performed in your account settings. Anything else, email privacy@sonix.gg — we will respond within 30 days, faster where reasonably possible.

4. Personal data we collect

Plain-language summary We collect data in five categories: account info, technical info, in-app activity, payment info (only if you pay), and support requests. We do NOT collect: location beyond approximate region for connection quality; race, religion, sexual orientation, or other sensitive categories; biometric identifiers; voiceprints; financial information beyond what your payment processor handles; search history; or anything from your device beyond what we need.

4.1 Account information

• Email address (required for account creation, login, security alerts, and service communications). Where available, an email address may be hashed and used only for authentication purposes.
• Username (chosen by you; publicly visible to other users).
• Password (stored as a salted hash, never in plain text; we never see your password).
• Date of birth (collected at registration to enforce minimum age requirements; not displayed publicly).
• If you sign in with Google or Discord: the basic identifier and email address from that provider (we do not access your contacts, calendar, or unrelated data on the third-party account).
• Avatar and profile picture (if you choose to upload one; publicly visible to other users you interact with).

4.2 Network and device information

• IP address — used in real time to establish low-latency voice connections (“blue call” mode in Pulsar). The IP address is used for connection and a coarse approximation of your region (for routing). We do not store the full IP address as a persistent record except as needed for security investigations.
• Connection-quality signals (ping, jitter, packet loss) — used to optimise the connection and (in Pulsar) displayed to participants of the same call for transparency. Aggregated for service improvement; not used to profile you.
• Device identifier and type (Windows PC, Mac, iOS, Android), app version, and basic device performance signals — used to support multi-device sessions, push notifications, and to debug crashes. Device identifiers are retained for a maximum of 60 days from the last use.

4.3 In-app activity

• Text messages and other content you choose to send or post — including images, files, gifs, soundmojis, and whiteboard contributions. Stored so that your chat history is available the next time you open the app.
• Crew (group) memberships, friend connections, and similar relationship data — necessary to operate the social features.
• Aggregate session metadata: number of sessions, duration of sessions, number of users in a session, features used. Used in aggregated form for service improvement and reliability.
• Tournament participation history in Arena (matches played, results, leaderboard positions).
• Orbital game-launch records (which games you launched and when, for service operation; gameplay content within the game is held by the Game Developer — see Section 7).
• Xcoins balance and transaction history.
• Customer support history (including the content of any bug reports you choose to send us).

4.4 Payment information

• If you purchase a Supersonix subscription or otherwise pay through SONIX, we use third-party payment processors (such as Stripe, Apple Pay, and Google Pay).
• We receive only a payment confirmation, a transaction reference, and (where required for tax purposes) your billing country.
• We do NOT collect or store your full credit card number, CVV, or bank account details. These are handled by the payment processor under PCI DSS standards.
• Where required by tax law (for example, EU VAT), we may collect and store your billing country and a tax identifier (if you provide one for a B2B invoice).

4.5 Information we do NOT collect

• Voice or video content from Pulsar calls (see Section 6).
• Precise location (we use only coarse, approximate region for connection routing).
• Special categories of personal data (racial or ethnic origin, religious beliefs, health information, sexual orientation, political opinions, trade-union membership, genetic data, biometric identifiers).
• Financial information beyond what your payment processor provides (we do not collect your income, salary, debts, or net worth).
• Search history in the app (we do not log or store searches you perform inside SONIX as a persistent record associated with you).
• Address book or contacts from your device (we may, with your permission, help you find existing SONIX users among your contacts in the mobile app, but we do not store your contact list on our servers).

5. How we use your data (and our lawful basis)

Plain-language summary Every use of your data has a reason and a legal basis under the GDPR. The table below sets out which is which.

Under the EU GDPR, the Swiss FADP, and equivalent laws, we must have a lawful basis for each processing activity. The lawful bases we rely on are:

• Contract (Art. 6(1)(b) GDPR): we process the data because we need to in order to provide the Services you have asked us to provide.
• Legitimate interests (Art. 6(1)(f) GDPR): we process the data because we have a legitimate business interest that is not overridden by your rights.
• Consent (Art. 6(1)(a) GDPR): we process the data because you have given us permission. You can withdraw consent at any time.
• Legal obligation (Art. 6(1)(c) GDPR): we process the data because the law requires us to.

Purpose

Lawful basis

What this means

Provide and operate the Services (accounts, voice, chat, tournaments, games, subscriptions)

Contract

We can’t run SONIX for you without basic account, session, and content data.

Authenticate you and keep your account secure

Contract + Legitimate interests

Includes password hashing, suspicious-login detection, anti-fraud checks.

Customer support and bug investigation

Contract + Legitimate interests

We use the information you give us in a support request to help you and improve the product.

Aggregate analytics for service improvement

Legitimate interests

Aggregated, anonymised usage signals — not used to profile you or target ads.

Abuse prevention, anti-cheat, content moderation

Legitimate interests + Legal obligation

Detecting and stopping breaches of the Terms, Community Guidelines, and the law.

Comply with our legal obligations (tax, accounting, AML where relevant, law-enforcement requests)

Legal obligation

We retain limited records for the periods the law requires.

Send service emails (account confirmations, security alerts, important updates)

Contract + Legitimate interests

Necessary to operate the Service. You cannot opt out of these, but you can close your account.

Send marketing emails about SONIX features (when you’ve opted in)

Consent

Always opt-in. You can unsubscribe at any time from the email footer or in your settings.

Process Supersonix payments

Contract + Legal obligation

Payment is handled by third-party processors; we receive only a confirmation and tax data.

Investigate, defend, or assert legal claims

Legitimate interests

Including disputes, regulatory enquiries, and litigation.

Comply with Swiss telecoms-surveillance law (BÜPF/VÜPF) where required

Legal obligation

Limited retention of connection metadata where the law requires.

Where we rely on legitimate interests, we have considered whether those interests are overridden by your rights and freedoms, and we have concluded they are not. If you disagree, you have the right to object (see Section 13).

6. Voice in Pulsar — our strongest commitment

Plain-language summary Your voice in Pulsar is private. We don’t record it, transcribe it, store it, analyse it, or use it for anything beyond delivering the call. This is the single biggest difference between SONIX and other gaming-comms platforms.

Pulsar carries real-time voice and video communications between SONIX users. We have designed Pulsar around the strongest possible voice-privacy posture:

• No recording. SONIX does not record any Pulsar voice or video call. There is no recording feature controlled by us. There is no server-side audio archive.
• No transcription. SONIX does not transcribe Pulsar voice, in real time or after the fact.
• No AI analysis. We do not run speech-to-text, sentiment analysis, emotion detection, voiceprint extraction, or any other artificial intelligence or machine learning analysis on user voice.
• No voice profiling for advertising. We never use voice content to profile users for advertising or any commercial purpose.
• No biometric data. We do not extract, derive, store, or use any biometric identifiers (such as voiceprints, faceprints, or speaker-identification vectors) from Pulsar.
• Encryption in transit. Voice and video streams are encrypted in transit between users and our servers.
• Ephemeral processing. Voice streams pass through our infrastructure for the limited purpose of real-time delivery, and are not retained in any persistent storage.
• Aggregate quality signals only. We use only content-agnostic, aggregate signals (such as packet loss and jitter) for service quality and abuse-prevention purposes. These signals do not include the content of your voice communications.

If you record your own session

Users may have the technical ability to record audio from their own devices using third-party tools. Any such recording is outside SONIX’s control. You must comply with all applicable recording, wiretap, and consent laws in your jurisdiction. You may not use third-party tools designed to bypass our no-recording architecture (see Section 7 of our Terms of Use and Section 12 of our Community Guidelines).

7. Arena, Orbital, and third parties

Plain-language summary Arena: SONIX provides the platform; Tournament Organisers run their own tournaments and are responsible for participant data they collect. Orbital: third-party games receive only your username and avatar — nothing else. Game developers’ own privacy notices govern what happens inside their games.

7.1 Arena — Tournament Organisers

Arena enables third-party Tournament Organisers (“Organisers”) to create and run tournaments. SONIX processes your participation data (matches played, results, leaderboards) as data controller for the operation of Arena.

Where you enter a tournament, the Organiser may collect additional information from you — for example, contact details for prize delivery, identification documents for eligibility verification, or tax information for prize reporting. In respect of that data, the Organiser is the data controller and is independently responsible for compliance with applicable data protection law. The Organiser’s privacy notice (made available to you when you enter the tournament) governs the Organiser’s processing.

SONIX does not transfer to the Organiser more personal information than is strictly necessary to enable the Organiser to run the tournament (typically: your SONIX username, your in-tournament results, and — where required for prize delivery — contact information you have voluntarily provided).

7.2 Orbital — Third-Party Games

Orbital hosts both games developed by SONIX and Third-Party Games developed by independent Game Developers. When you launch a Third-Party Game from Orbital, the Game Developer receives only:

• your SONIX username (pseudonym), so that you appear in the game with the identity you use across SONIX;
• your SONIX avatar (image), so that you can play with your avatar inside the game.

Nothing else is shared with the Game Developer by SONIX. The Game Developer does not receive your real name, email address, date of birth, IP address, contact details, friends list, payment information, message history, or voice data.

Inside the Third-Party Game, the Game Developer may collect game-specific data (your score, in-game choices, in-game interactions). That collection is governed by the Game Developer’s own privacy notice, which is made available to you before you launch the game. The Game Developer is the controller of any such data and is independently responsible for compliance with data protection law.

Each Game Developer signs SONIX’s Developer Agreement, which requires them to: limit data collection to what is necessary for the game; publish a clear privacy notice; obtain explicit consent for any advertising or AI training within the game; and indemnify SONIX for breaches. SONIX reviews each Third-Party Game before publication and may suspend any game that breaches our Developer Agreement.

8. Cookies and similar technologies

Plain-language summary We use a small number of cookies and similar technologies, mainly to keep you logged in and to remember your settings. We do NOT use advertising cookies. We do NOT use tracking pixels for behavioural advertising. Our Cookies Policy gives the full inventory.

We use cookies and similar technologies (web storage, device identifiers, SDKs) on our websites and in our apps. These technologies fall into the following categories:

• Strictly necessary cookies. Required to operate the Services. They cannot be disabled. Examples: session cookies, authentication tokens, security cookies, and the cookie that remembers your consent choice (set by our consent management platform, CookieYes).
• Limited analytics (with consent). Aggregated, anonymised statistics about how the Services are used, to help us improve them. Loaded only if you give consent through our cookie banner. We currently use Google Analytics 4 with privacy-protective settings (IP anonymisation, no advertising signals, no data sharing with other Google products).

We do NOT use advertising cookies. We do NOT use behavioural-targeting pixels. We do not allow third-party ad networks to track our users.

Our cookie consent banner is provided by CookieYes (operated by CookieYes Limited, a UK company), which acts as our data processor under a written Data Processing Agreement. CookieYes is listed in our sub-processor list at sonix.gg/subprocessors.

You can manage your cookie preferences through the cookie banner on our websites and through your browser’s controls. Our full Cookies Policy at sonix.gg/cookies lists each cookie, its purpose, and its retention period.

9. Service providers and sub-processors

Plain-language summary We use a small number of trusted service providers (for hosting, payments, identity verification, customer support). They process data only on our instructions, under written contracts. Our up-to-date sub-processor list is published at sonix.gg/subprocessors.

To operate the Services, we engage third-party service providers (“Processors” or “Sub-processors”) who process personal information on our behalf. We choose providers carefully, sign written data-processing agreements with each of them under Article 28 GDPR (or its FADP equivalent), and require them to apply technical and organisational measures equivalent to ours.

Categories of sub-processors we use include:

• hosting and infrastructure (cloud servers, content delivery networks);
• payment processing (for Supersonix subscriptions);
• transactional email delivery (account confirmations, password resets, security alerts);
• cookie consent management (banner display, consent recording, consent log);
• customer support tooling;
• anti-abuse and security services;
• age and identity verification at sensitive moments (only when verification is required and only for the specific verification).

Our current sub-processor list — naming each provider, their country of establishment, the purpose, and the data categories processed — is published and kept up to date at sonix.gg/subprocessors. We give institutional customers advance notice of changes to that list.

We do NOT use advertising networks, behavioural-tracking SDKs, or AI-model-training providers as sub-processors of user data.

10. International data transfers

Plain-language summary Some of our service providers are located outside Switzerland. When data leaves the EEA or Switzerland, we use Standard Contractual Clauses or equivalent safeguards.

SONIX is based in Switzerland, and we host most of our data within the EEA and Switzerland. Some of our service providers are based in the United States or other countries.

When personal data is transferred to a country that does not have an adequacy decision under EU GDPR Article 45 or Swiss FADP equivalent, we rely on appropriate safeguards under GDPR Article 46, including:

• the European Commission’s revised Standard Contractual Clauses (SCCs), available at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj, where appropriate combined with supplementary measures (such as encryption);
• the UK International Data Transfer Addendum, where the UK GDPR applies;
• the Swiss FDPIC’s equivalent approved clauses, where Swiss law applies.

Where neither adequacy nor SCCs apply, we may rely on one of the derogations in GDPR Article 49, but only where strictly necessary (for example, where you have explicitly consented or where the transfer is necessary for performance of a contract you have entered into).

You can request a copy of the safeguards we apply for any transfer by emailing privacy@sonix.gg.

11. How long we keep your data

Plain-language summary We keep your data only for as long as we need it. The table below gives the categories and periods.

Our retention principles are: (i) keep data only as long as necessary for the purpose it was collected; (ii) delete or anonymise data when no longer needed; (iii) retain longer only where the law or a legitimate interest (such as defence of legal claims) requires.

Category

Retention period

Why

Account data (email, username, password hash, date of birth)

While account is active + 30 days after deletion

To allow account recovery within a short window and complete deletion thereafter.

Account marked inactive (no activity 3 years)

Deleted after 1-month advance notice

Per Section 3.4 of the Terms of Use.

Pulsar text messages, images, files in Crews/DMs

Stored while the Crew exists and the message has not been deleted; deleted within 30 days of account closure

To support chat history while you use the service.

Pulsar voice and video

NOT STORED (ephemeral)

Voice is never recorded — see Section 6.

Device IDs and basic device performance signals

Maximum 60 days from last use

For multi-device session support and crash debugging; minimised.

IP address (full)

Not stored as a persistent record; held only as needed for security investigations, max 90 days

Privacy minimisation; legitimate interest in security.

Connection-quality signals (ping, jitter, packet loss)

Aggregated within 30 days; aggregates may be retained longer

Service-quality improvement.

Customer support cases (incl. bug reports)

24 months from case closure

Quality assurance and follow-up support.

Tournament participation records (Arena)

While account is active + 12 months

Public history of competitive play and dispute resolution.

Orbital game-launch records

12 months

Service operation; user history.

Xcoins balance and transaction history

While account is active

Service operation.

Supersonix payment records

10 years

Swiss Code of Obligations Article 958f requires accounting records to be retained for 10 years.

Moderation actions and abuse records (warnings, suspensions, takedowns)

5 years

Defence of legal claims; repeat-offender tracking; transparency reporting.

Marketing email opt-in/opt-out preferences

Indefinite (to honour the opt-out)

Required to respect your preferences if you sign up again.

BÜPF/VÜPF connection metadata (Switzerland)

6 months

Swiss telecoms surveillance law.

Data subject request records

3 years from completion

Demonstration of compliance with GDPR Art. 12.

We may retain limited information for longer where required to comply with a legal obligation, to defend or assert legal claims, or pursuant to a binding order of a competent court or authority.

12. Security

Plain-language summary We protect your data using industry-standard practices: encryption, access controls, monitoring, and a written Information Security Program with a named security coordinator.

We implement technical and organisational measures appropriate to the risk, including:

• encryption of personal data in transit (TLS for all client-to-server connections) and at rest (encrypted storage for account data, content, and payments);
• password storage as salted hashes (never in plain text);
• strict role-based access control on production systems, with least-privilege access for SONIX staff and audit logs of administrative actions;
• regular vulnerability scanning and periodic third-party security testing;
• incident response procedures, including a documented breach response plan;
• a written Information Security Program, supervised by our designated security coordinator (Chief Technology Officer or delegate), with annual risk assessment and review of sub-processors.

You also have responsibilities: keep your password confidential; do not share your account; use two-factor authentication; report suspicious activity to security@sonix.gg.

No system can be made completely secure. We cannot guarantee absolute security, but we work to apply the standard expected of a privacy-first platform.

13. Your rights

Plain-language summary You have the right to see your data, correct it, delete it, restrict it, take it with you, and object. Most actions can be done from your account settings. For anything else, write to privacy@sonix.gg.

Subject to applicable law, you have the following rights regarding your personal data:

• Right of access (Art. 15 GDPR / Art. 25 FADP). You can ask us what personal data we hold about you and obtain a copy.
• Right to rectification (Art. 16 GDPR / Art. 32 FADP). You can correct inaccurate or incomplete data. Most fields can be updated in your account settings.
• Right to erasure (Art. 17 GDPR / Art. 32 FADP). You can delete your account and your personal data, subject to legal-retention obligations (see Section 11).
• Right to restriction (Art. 18 GDPR). You can ask us to stop processing your data in certain circumstances.
• Right to data portability (Art. 20 GDPR / Art. 28 FADP). You can ask for a copy of your data in a structured, commonly-used, machine-readable format.
• Right to object (Art. 21 GDPR). You can object to processing based on our legitimate interests.
• Right to withdraw consent (Art. 7(3) GDPR). Where we rely on your consent, you can withdraw it at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.
• Right not to be subject to automated decisions with legal effect (Art. 22 GDPR). See Section 17.
• Right to lodge a complaint. See Section 20.

How to exercise your rights

Email privacy@sonix.gg with your request. We will respond within 30 days of receipt of your request (Art. 12(3) GDPR), or sooner where reasonably possible. In complex cases, we may extend the period by up to two further months and tell you why.

We may need to verify your identity before responding, to protect against fraudulent requests.

Exercising your rights is free of charge. If a request is manifestly unfounded or excessive (particularly because of its repetitive character), we may charge a reasonable fee or refuse, and explain why.

14. Children’s privacy

Plain-language summary SONIX is intended for users aged 13 and over (16 in the EEA and UK). We don’t collect data from children below those ages. If we find an underage account, we delete it. In the US, our practice goes beyond the legal floor: we never use children’s data for advertising, profiling, sale, or AI training — even with parental consent.

14.1 Minimum age

SONIX is not directed to children under the age of 13 (or under 16 in the EEA and the UK). We design the Service for users above those ages. We do not knowingly collect personal information from children below those ages without verifiable parental consent.

14.2 Age screening

At registration, we ask for date of birth. If the date you enter shows you are below the applicable minimum age, registration is blocked. If we later become aware (by report or otherwise) that a registered user is below the applicable minimum age, we will:

• suspend the account;
• delete the personal data associated with the account, except where the law requires us to retain limited information (for example, for abuse-prevention or to demonstrate compliance);
• offer the parent or legal guardian the ability to provide verifiable consent to reinstate the account where they wish to do so.

14.3 Reports about underage users

If you believe a user on SONIX is under our minimum age, please report it to moderation@sonix.gg. We will investigate and act within 24 hours of confirmation.

14.4 COPPA — United States

In the United States, the Children’s Online Privacy Protection Act (COPPA) applies to operators of online services directed to children under 13 or with actual knowledge they are collecting personal information from children under 13.

SONIX is designed and marketed for gamers and is not directed to children under 13. We do not knowingly collect personal information from children under 13 without verifiable parental consent. Where SONIX is deployed by a US school under our Institutional Customer Agreement, the school may authorise the collection of student information from students under 13 for educational purposes, in accordance with the FTC’s school-authorisation guidance under COPPA.

Where verifiable parental consent is required, we use one of the methods accepted by the FTC under 16 CFR § 312.5, including credit-card transaction, government-issued ID verification through a trusted vendor, signed consent form, or other approved method. We do not share personal information from children with third parties without separate verifiable parental consent, except for the limited internal-operations exception under COPPA.

Parents and legal guardians have the right to:

• review the personal information we have collected from their child;
• request deletion of their child’s personal information;
• refuse to permit further collection or use of their child’s personal information;
• consent (or refuse to consent) to any third-party disclosure that requires separate consent under the 2025 COPPA amendments.

To exercise these rights, contact privacy@sonix.gg.

14.5 Voice and biometric data for minors

We do not record, transcribe, store, or analyse voice from any user — including minors. We do not extract voiceprints or any other biometric identifier. The no-voice-recording commitment in Section 6 applies to all users.

14.6 No advertising or AI training using minors’** data**

Beyond what the law requires, SONIX makes the following commitments in respect of minors:

• we do not use minors’ personal information for advertising, profiling, sale, or commercial monetisation;
• we do not use minors’ content, voice, or other data to train artificial intelligence or machine learning models;
• we do not share minors’ personal information with third parties, except as strictly necessary to operate the Service or where required by law.

14.7 Default safety settings for minors

Accounts of users under 18 are configured with stronger default safety settings, including more restrictive default direct-message permissions and enhanced content filters. These defaults can be adjusted by the user (and, in the case of minors below the age of majority in their country, by a parent or legal guardian) in account settings.

15. Schools and institutional deployments

Plain-language summary When a school deploys SONIX for its members, the school is the data controller for that workspace. In the US, SONIX acts as a “school official” under FERPA. We process student data only on the school’s instructions.

Where SONIX is provided to a school, university, esports club or other organisation (each, an “Organisation”) under our Institutional Customer Agreement, the Organisation is the data controller in respect of the personal information of its members within the Organisation’s workspace. SONIX acts as data processor (or, in FERPA terminology, “school official”) on the Organisation’s behalf and in accordance with the Institutional Customer Agreement.

15.1 FERPA — US schools

For deployments by US educational institutions receiving federal funding (each, a “School”):

• SONIX is designated as a “school official” with a “legitimate educational interest” within the meaning of 34 CFR § 99.31(a)(1)(i)(B);
• SONIX performs an institutional service or function for which the School would otherwise use employees;
• SONIX is under the direct control of the School with respect to the use and maintenance of education records;
• SONIX uses student personal information only for the purposes authorised by the School, and does not redisclose it except as directed by the School or as required by law.

SONIX does not use student personal information for advertising, profiling, sale, AI training, or any other commercial purpose. SONIX does not collect student academic records (grades, transcripts, student IDs, attendance) unless the School explicitly directs us to do so for a specific feature.

Students and parents seeking to access, correct, or delete education records should contact their School. SONIX will support any such request from the School.

15.2 US state student data laws

Where the deployment is subject to additional state-law requirements (such as New York Education Law § 2-d, California’s Student Online Personal Information Protection Act, Colorado SB 188, Illinois SOPPA, Connecticut Public Act 16-189, or Florida’s student data laws), SONIX enters into a state-specific addendum to the Institutional Customer Agreement that reflects those requirements.

15.3 GDPR / FADP — EU and Swiss schools

For deployments by EU, UK, or Swiss educational institutions, the Institutional Customer Agreement includes a Data Processing Agreement under Article 28 GDPR (or its FADP equivalent), and (where applicable) Standard Contractual Clauses for any international transfers.

16. Marketing communications

Plain-language summary We only send marketing emails if you’ve opted in. You can unsubscribe at any time. We don’t allow third parties to market to you using your SONIX data.

We may send you the following kinds of email:

• Service emails. Account confirmations, password resets, security alerts, terms updates, billing receipts, important service announcements. These are necessary to operate the Service; you cannot opt out of them while you have an active account.
• Marketing emails. Product news, feature announcements, tips, occasional promotions. We send these only if you have opted in. You can opt in (or out) in your account settings, and unsubscribe at any time from the link in the email footer.

We do not share your email address with third parties for marketing purposes.

Where we send you a marketing email about a SONIX feature similar to one you have already used or purchased (the “soft opt-in” allowed in some jurisdictions), we will do so only where lawful and we will always provide a clear unsubscribe option.

17. Automated decisions and profiling

Plain-language summary We don’t make decisions about you using only computers. Where we use automation (for example, in moderation or anti-cheat), a human reviews any decision that affects you significantly.

Article 22 GDPR gives you the right not to be subject to a decision based solely on automated processing that produces legal effects concerning you or similarly significantly affects you. The same principle applies under the FADP.

Where automation is used in SONIX, our approach is:

• Anti-cheat and abuse-detection systems may automatically flag accounts for review. Final decisions to suspend or terminate an account are reviewed by a human.
• Spam and harmful-content filters may automatically reduce the visibility of specific messages. Removal of content or accounts is reviewed by a human.
• We do not use profiling to make automated decisions about the price you pay for Supersonix or any other feature.
• We do not use behavioural profiling to deliver advertising.

Where an automated tool contributes to a moderation decision that affects you, our statement of reasons (see Section 13 of the Terms of Use) will tell you this and you can appeal.

18. Data breach notifications

Plain-language summary If we ever suffer a data breach that affects you, we will notify the relevant authority (typically within 72 hours under GDPR), and we will notify you when the breach is likely to put you at high risk.

We maintain a written breach response plan. In the event of a personal data breach, we will:

• notify the competent supervisory authority within 72 hours of becoming aware of the breach, where required by Art. 33 GDPR;
• notify the Swiss Federal Data Protection and Information Commissioner (FDPIC) as soon as possible where required by Art. 24 FADP (where the breach is likely to result in a high risk);
• notify affected users without undue delay where the breach is likely to result in a high risk to their rights and freedoms (Art. 34 GDPR);
• notify schools and other Organisations within 48 hours of becoming aware of any breach affecting their workspace data.

Notifications will describe the nature of the breach, the categories and approximate numbers of affected data subjects, the likely consequences, and the measures we have taken or intend to take.

19. Changes to this Privacy Policy

Plain-language summary We may update this Privacy Policy. We’ll tell you about material changes in advance — by in-app notice and email — at least 14 days before they take effect.

We may update this Privacy Policy from time to time, for example to reflect changes in our Services, our business, applicable law, or to better protect users. The effective date is shown at the top.

Where the change is material and adversely affects your rights, we will provide at least 14 days’ advance notice by in-app notification and by email to the address on file.

If you continue to use the Services after the change takes effect, you accept the updated Privacy Policy. If you do not agree, you may close your account before the effective date.

20. How to contact us and complain

Plain-language summary Email privacy@sonix.gg for any privacy question. You also have the right to complain to your local data protection authority — see below.

Contact us

• Privacy and data protection: privacy@sonix.gg
• Security incidents: security@sonix.gg
• Postal address: SONIX SA, Rue de Genève 100, 1004 Lausanne, Switzerland

Right to complain to a data protection authority

You have the right to lodge a complaint with a data protection authority. In particular:

• Switzerland: Federal Data Protection and Information Commissioner (FDPIC), Feldeggweg 1, 3003 Bern, Switzerland — edoeb.admin.ch.
• European Economic Area: the data protection authority of your country of residence, of your place of work, or of the place of the alleged infringement. A list is maintained by the European Data Protection Board at edpb.europa.eu.
• United Kingdom: Information Commissioner’s Office (ICO), ico.org.uk.
• United States (COPPA complaints): Federal Trade Commission, ftc.gov/complaint.

We would, however, appreciate the chance to address your concern before you contact the authority. Please email privacy@sonix.gg first.