Skip to content
Automotive Car Repair Shops Property Management Home Services Real Estate Finance & Insurance Logistics Enterprise
AI Receptionist Appointments & Bookings After Hours & Overflow FAQs & Inquiries Customer Surveys Sales Calls Emergency Dispatch
About us Contact
English Suomi
Book a Demo

Legal

Privacy Policy

How we collect, use, and protect personal data on callsono.com and in the Sono AI phone service.

Last updated: 13 May 2026 · Version: 1.0

1. About this policy

This Privacy Policy explains how Closio Oy ("Sono", "we", "us") processes personal data when you visit the website at callsono.com, contact us, or use the Sono AI phone service (the "Service"). It also describes the rights you have under the EU General Data Protection Regulation (GDPR) and the Finnish Data Protection Act.

For business customers, this policy is complemented by our Data Processing Agreement (DPA), which sets out the terms on which Sono processes personal data on behalf of the customer.

2. Controller & contact

For the purposes described in this policy, the controller of your personal data is:

  • Closio Oy (operating the Sono brand)
  • Registered office: Kampinkuja 2, 00100 Helsinki, Finland
  • Business ID: 3515243-4
  • Privacy contact: [email protected]

We have not appointed a statutory Data Protection Officer (DPO) as we are not required to do so. The address above is, however, our primary contact point for all data protection enquiries.

3. Our roles: controller and processor

Sono acts in two different roles depending on the situation:

  • As a controller for personal data we collect and use for our own purposes — for example, personal data of website visitors, prospects who contact us, and the contact persons of our business customers.
  • As a processor for personal data we process on behalf of our business customers in connection with the Service — for example, audio and transcripts of calls handled by the AI voice agent for the customer. The customer is the controller for that data, and processing is governed by the Service Agreement and the DPA.

If you are an end user (e.g., a caller to a business that uses Sono) and you want to exercise your rights regarding personal data processed by the Service, please contact the relevant business directly. We will support that business in responding to your request.

4. Personal data we collect

4.1 Website visitors

  • Technical data such as IP address (truncated where possible), device and browser type, language, referring URL, pages viewed, time on page, and approximate location at country level.
  • Information you provide when filling in a form, requesting a demo, or otherwise contacting us (e.g., name, work email, company, message).

4.2 Customers, prospects and contact persons

  • Name, business email, phone number, job title, employer, public professional information (e.g., LinkedIn URL).
  • Commercial information: correspondence, meeting notes, proposals, contracts, invoicing details.

4.3 Service usage data

  • Account and login information of authorised users of our customer's Sono account.
  • Configuration data, integration tokens, and audit logs of actions taken in the Service.
  • Aggregated and statistical usage data used to operate and improve the Service.

4.4 Call data processed on behalf of customers

When acting as a processor, Sono handles, on behalf of our customer, the following call-related data:

  • Phone numbers of the caller and the called party;
  • Audio of the call and its transcription;
  • Names, appointment details, vehicle information, account references and other information shared by the caller during the call;
  • Call metadata: timestamps, duration, outcome, routing.

The customer determines which fields are captured, what notice is given to callers, and how the data is used downstream. See the DPA for full details.

5. Purposes & legal bases

We process personal data for the purposes and on the legal bases set out below. "Legitimate interests" is used only where we have assessed that our interest does not override your rights.

PurposeLegal basis (GDPR Art. 6)
Operating, securing and improving the websiteLegitimate interest (art. 6(1)(f))
Responding to enquiries and demo requestsSteps prior to a contract (art. 6(1)(b)) / legitimate interest
Sales and marketing to business contacts (B2B)Legitimate interest (art. 6(1)(f))
Sending electronic direct marketing where requiredConsent (art. 6(1)(a))
Concluding and performing customer contractsPerformance of contract (art. 6(1)(b))
Invoicing, accounting, statutory record-keepingLegal obligation (art. 6(1)(c))
Providing the Service to customers (call handling)Processed under DPA on behalf of customer-controller
Product analytics & quality monitoringLegitimate interest / DPA instructions
Defending legal claims, compliance, fraud preventionLegitimate interest / legal obligation

You can object to processing based on our legitimate interest at any time — see Section 11.

6. Sources of data

We collect personal data primarily directly from you (when you visit the Website, fill in a form, send us a message, sign a contract, or use the Service). We may also collect business contact information from public sources such as company websites, LinkedIn, and corporate registers, in line with applicable B2B prospecting practice.

7. Retention

We retain personal data only as long as necessary for the purpose for which it was collected, or as required by law:

  • Website analytics: up to 12 months (aggregated longer).
  • Contact form & enquiry data: up to 24 months from last interaction.
  • CRM / prospect records: as long as there is a reasonable business interest, reviewed at least every 24 months.
  • Customer contract and account data: for the duration of the customer relationship plus the periods required by accounting and statute of limitations laws (typically 6–10 years).
  • Invoicing and accounting records: retained for the period required by the Finnish Accounting Act (typically 6 years from the end of the accounting period).
  • Call recordings and transcriptions processed under the DPA: a maximum of 24 months unless the customer instructs otherwise or law requires a longer period.
  • Marketing opt-outs / suppression lists: kept indefinitely to honour your preferences.

After expiry we either delete the data or irreversibly anonymise it.

8. Sharing & sub-processors

We do not sell personal data. We share it only with parties that need access to perform tasks on our behalf or as required by law:

  • Sub-processors that provide the technical infrastructure of the Service — including telephony and call routing, speech-to-text and text-to-speech, AI model providers, agent orchestration, cloud hosting, databases, product analytics, error tracking and logging. The current named list is maintained in our Data Processing Agreement and is available to customers and, on request, to others by writing to [email protected].
  • Business tools we use to run the company (e.g., email, CRM, document storage, accounting, billing, communications).
  • Professional advisors (legal, audit, insurance) and authorities where required by law.
  • Buyers or successors in connection with a merger, acquisition, financing or reorganisation, under appropriate confidentiality safeguards.

All sub-processors are bound by written agreements requiring confidentiality and adequate security. We notify customers of new Service sub-processors as set out in the DPA.

9. International transfers

We aim to keep personal data within the EU/EEA. Where transfers outside the EU/EEA are necessary (for example, because a sub-processor is established in the United States), we rely on:

  • recipients certified under an applicable adequacy framework (such as the EU-U.S. Data Privacy Framework, where applicable); and/or
  • the European Commission's Standard Contractual Clauses (SCCs), with supplementary technical and organisational measures where required.

We carry out and document a transfer impact assessment where required. You can request a copy of the relevant safeguards by writing to [email protected].

10. Cookies & analytics

The Website uses a limited set of cookies and similar technologies:

  • Strictly necessary for the site to function (e.g., security, session, language).
  • Analytics through PostHog (EU instance, EU data residency), configured with privacy-friendly defaults (identified profiles only, no autocapture of sensitive elements). PostHog helps us understand which pages are useful and to debug issues.

We do not run advertising trackers on the Website. You can block cookies in your browser settings; doing so may affect site functionality.

11. Your rights

Under the GDPR you have the following rights regarding personal data we hold about you:

  • Access — request a copy of your personal data and information about how it is processed.
  • Rectification — ask us to correct inaccurate or incomplete data.
  • Erasure ("right to be forgotten") — ask us to delete personal data when the legal grounds for processing no longer apply.
  • Restriction — ask us to limit processing in certain circumstances.
  • Portability — receive data you provided to us in a structured, commonly used, machine-readable format, where processing is based on consent or contract.
  • Object — object to processing based on our legitimate interests, including direct marketing.
  • Withdraw consent — where processing is based on consent, you can withdraw it at any time without affecting prior processing.
  • Not be subject to a decision based solely on automated processing that produces legal or similarly significant effects on you.

To exercise your rights, contact [email protected]. We respond within one month; complex requests may extend this by two additional months, and we will let you know.

If you are a caller whose data has been processed by the Service on behalf of a business, please contact that business first; we will assist them with your request.

12. Complaints

If you believe we have processed your personal data unlawfully, please first contact us so we can address the issue. You also have the right to lodge a complaint with a supervisory authority, in particular in the EU Member State of your habitual residence, place of work or place of the alleged infringement. In Finland, the supervisory authority is the Data Protection Ombudsman:

  • Tietosuojavaltuutetun toimisto, PL 800, 00531 Helsinki
  • Visiting address: Lintulahdenkuja 4, 00530 Helsinki
  • Web: tietosuoja.fi

13. Security

We implement appropriate technical and organisational measures to protect personal data, including:

  • encryption of data in transit (TLS) and at rest;
  • role-based access controls and individual authentication;
  • least-privilege provisioning and regular access reviews;
  • logging, monitoring, and alerting for security events;
  • secure development practices and dependency management;
  • vetted sub-processors with comparable security standards;
  • staff confidentiality undertakings and data protection training.

No system is perfectly secure. We will notify affected customers without undue delay, and in any event within 24 hours of detection, of any personal data breach affecting their data, in line with the DPA.

14. Children

The Website and Service are intended for business use and are not directed at children under 16. We do not knowingly collect personal data from children.

15. Changes to this policy

We may update this Privacy Policy from time to time. The current version is always available at callsono.com/privacy, with the "Last updated" date at the top. Material changes will be communicated by reasonable means, such as a notice on the Website or by email to active customers.

Questions about this policy? Email [email protected].