Sonic EMS – Privacy Policy
1. Who We Are
Sonic EMS is operated and controlled by Sonic Digital Group Ltd. Sonic EMS is a trading name of Sonic Digital Group Ltd.
For UK data protection law (UK GDPR & Data Protection Act 2018), Sonic Digital Group Ltd is the data controller, unless stated otherwise.
Controller details
Trading name: Sonic EMS
Registered company: Sonic Digital Group Ltd
Email: dpo@sonicems.com
Supervisory authority: Information Commissioner's Office (ICO), UK
2. Scope
This policy explains how we handle personal data when you:
- Visit our website
- Contact us, request a demo, or create an account
- Use Sonic EMS
- Receive support, billing, and service communications
Where we process personal data on behalf of client organisations using Sonic EMS, Sonic Digital Group Ltd acts as a data processor and the client acts as the data controller (see Section 10).
3. Personal Data We Collect
Website & enquiries: name, email, organisation, phone, message content.
User accounts: name, email, roles/permissions, login identifiers, preferences, support history.
Billing/admin: billing contact, address, invoice/payment references, VAT info. We do not store full card numbers; payments are via third‑party processors.
Technical/usage: IP address, device/browser/OS, access/audit/API logs, error/performance data.
Marketing (optional): subscription preferences, email engagement (opens/clicks).
4. How We Use Personal Data (Lawful Bases)
| Purpose | Example | Lawful Basis |
|---|---|---|
| Respond to enquiries | Forms, demo requests | Legitimate interests |
| Provide Sonic EMS | Account access, event ops | Contract |
| Billing & records | Invoices, tax/VAT | Contract / Legal obligation |
| Service communications | Security, maintenance notices | Legitimate interests |
| Security & abuse prevention | Logging, fraud prevention | Legitimate interests |
| Product improvement | Performance analytics (Google Analytics 4) | Consent (withdraw via cookie banner) |
| Marketing | Product updates | Consent (opt‑in; withdraw anytime) |
7. International Transfers
Some providers may process data outside the UK. Where this occurs, we implement appropriate safeguards (e.g., the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses) to protect personal data.
8. User Accounts, Company Linking, and Access Control
Sonic EMS uses a user‑owned account model. Accounts belong to the individual user.
Linking to a company
By linking an account to a company in Sonic EMS, the user authorises that company to access and process the user's data within the system, subject to roles/permissions. While linked, the company acts as a data controller for the personal data it accesses; Sonic EMS enforces access controls as a data processor.
Unlinking & loss of access
A user or a company may unlink at any time. Once unlinked, the company immediately loses access to all personally identifiable information (PII) for that user and can no longer view profile/contact details or communicate with the user via Sonic EMS.
Limited retention for auditing
After unlinking, the company may retain only:
- The user's name; and
- The events/shifts to which the user was assigned.
This limited retention is necessary for historical, contractual, and auditing purposes and complies with UK GDPR principles of data minimisation and purpose limitation.
9. Users Not Linked to Any Company
If a user is not linked to any company, we treat the account as inactive (but user‑controlled).
- We run a weekly check for unlinked users and email them to choose whether to keep or remove their account.
- If there's no response, the account is automatically removed 90 days after the first notice.
- If the user chooses to keep the account, we'll email again every 6 months to reconfirm.
- Users planning to work with another Sonic EMS venue may keep the account open; otherwise, they can remove it immediately.
Account closure
On removal, we securely delete the account and associated personal data, subject to minimal retention required for legal/auditing purposes (e.g., records described above).
10. Sonic EMS as a Data Processor (for Client Organisations)
When client organisations use Sonic EMS to manage events, staff/volunteers, participants, or attendees:
- The client is the data controller; and
- Sonic Digital Group Ltd (Sonic EMS) is the data processor.
Processed data may include attendee/participant details, staffing/shift assignments, communications sent via the platform, and audit/usage logs. Processing is governed by our Data Processing Agreement (DPA).
11. Security
- TLS encryption in transit; encryption at rest where supported
- Role‑based access control and least privilege
- MFA for privileged access
- Logging and audit trails
- Regular patching, vulnerability management, and monitoring
- Backups and tested restore procedures
12. Your Rights (UK GDPR)
You have the right to access, rectify, erase, and port your personal data, and to restrict or object to its processing. Where we rely on consent, you can withdraw it anytime.
Contact: dpo@sonicems.com. You may also complain to the Information Commissioner's Office (ICO).
13. Children
Sonic EMS is not directed at children under 16. We do not knowingly collect children's data via the website.
14. Changes
We may update this policy from time to time. The latest version will be published here with the updated date above.
15. Contact
Sonic Digital Group Ltd (trading as Sonic EMS)
Email: dpo@sonicems.com