
PRIVACY POLICY

Effective Date: April 22, 2026

1. Who We Are

Sonar Bloom App LLC ("SonarBloom", "we", "us", "our") operates the SonarBloom platform (the "Service"), a software-as-a-service application that helps e-commerce brands monitor and organize mentions of their products on Instagram and TikTok, and that helps creators share insights about their content with brands they collaborate with.

This Privacy Policy explains what information we collect, how we use it, who we share it with, and the choices and rights you have. It applies to our website, our Shopify app, our Meta/Facebook app, and any other product or feature that links to this policy.

Privacy contact: [email protected]

2. Who This Policy Applies To

This policy covers three categories of users:

  • Brand / merchant users — people who sign up for SonarBloom on behalf of an e-commerce business and connect a Shopify store and/or a Meta (Facebook/Instagram) or TikTok account.
  • Creator / influencer users — people who connect their Instagram or TikTok account through a form sent by a brand so the brand can see content they have tagged or mentioned the brand in.
  • Website visitors — people who browse sonarbloom.com without creating an account.

3. Information We Collect

We collect the categories of personal information listed below. Where required by law, we specify the sources from which the information is collected.

3.1 Account and identity data

  • Name, email address, and password (hashed)
  • Company or brand name, website URL, country
  • Role or job title (optional)
  • Profile image (if you provide one)

Source: provided directly by you when you sign up or update your profile.

3.2 Shopify store data

  • Shop name, shop domain, shop ID, shop owner email, plan type, country, currency, timezone
  • Product catalog: titles, descriptions, images, SKUs, variants, tags, collections
  • Order metadata associated with customer mentions or creator collaborations (no payment card data)
  • Customer data we receive from Shopify only to the extent a merchant explicitly links a mention or a creator to a customer record
  • Shopify API access tokens and OAuth scopes granted by the merchant

Source: Shopify Admin API, received after you install our app from the Shopify App Store and grant the permissions requested.

3.3 Meta / Instagram / Facebook data

  • Instagram business or creator account ID, username, profile picture, follower count, account type
  • Facebook Page ID and name linked to the Instagram account
  • Public posts, stories, reels, and comments that mention, tag, or are tagged by the connected account
  • Basic insights/metrics on content (reach, impressions, engagement) where the connected account has granted access
  • Direct-message thread metadata where the connected account has enabled messaging permissions
  • Meta OAuth access token and granted permission scopes

Source: Meta Graph API, received after you connect a Facebook/Instagram account via Facebook Login and approve the requested permissions.

3.4 TikTok data

  • TikTok account username, display name, avatar, account type, follower count
  • Public videos and posts that mention, tag, or are tagged by the connected account
  • Basic video metrics (views, likes, comments) where permitted by the TikTok API scope
  • TikTok OAuth access token and granted permission scopes

Source: TikTok for Developers API, received after you connect a TikTok account and approve the requested scopes.

3.5 Billing data

  • For merchants billed through Shopify: your Shopify billing status (active, frozen, cancelled) and plan tier
  • For customers billed outside Shopify (if applicable): billing name, billing email, billing address, last 4 digits of your card, card brand, and card expiry — collected and stored by our payment processor, Stripe. We do not store full payment card numbers.
  • Invoice and payment history, refund records

3.6 Usage, device, and technical data

  • IP address (truncated for analytics), approximate geolocation derived from IP (country/region level)
  • Browser type and version, operating system, device type, screen size
  • Pages viewed, features used, clicks, timestamps, referrer URL
  • Server logs (requests, response codes, error traces) retained for security and debugging
  • Session identifiers and authentication cookies

3.7 Communications and support data

  • Emails and support tickets you send us, and our replies
  • In-app messages, feedback, and survey responses

4. How We Use Your Information

We use the information described above for the following purposes:

  • Provide the Service. Fetch mentions, surface insights, match creators to brands, display analytics, deliver notifications, authenticate you, and operate the core product features.
  • Billing and account management. Charge subscription fees (via Shopify Billing API for Shopify merchants, or via Stripe for direct customers), issue invoices, prevent fraudulent charges, handle refunds and disputes.
  • Customer support. Respond to questions, troubleshoot issues, investigate reports of abuse or platform-policy violations.
  • Security and integrity. Detect and block unauthorized access, abuse, fraud, and violations of our Terms of Service; maintain audit logs; investigate incidents.
  • Improve the Service. Analyze aggregate usage patterns to understand which features are used and how to improve them. We do not sell this data.
  • Communications. Send transactional emails (receipts, alerts, service notices) and, with your consent where required, occasional product updates. You can unsubscribe from non-essential emails at any time.
  • Legal compliance. Respond to lawful requests from public authorities, enforce our Terms, and comply with tax, accounting, and platform partner obligations (Shopify, Meta, TikTok, Stripe).

5. Legal Bases for Processing (EU/UK/EEA Users)

If you are in the European Economic Area, the United Kingdom, or Switzerland, we process your personal data on the following legal bases under the GDPR and UK GDPR:

  • Performance of a contract (Art. 6(1)(b)). Providing the Service after you create an account, billing, customer support.
  • Legitimate interests (Art. 6(1)(f)). Securing the Service, preventing fraud and abuse, aggregate analytics, improving the Service, and communicating with existing customers about features they use. Where we rely on this basis, we have assessed that our interests are not overridden by your rights and freedoms; you can object at any time.
  • Consent (Art. 6(1)(a)). Non-essential cookies, optional marketing emails, and processing of special categories of data where you voluntarily share them. You can withdraw consent at any time without affecting prior processing.
  • Legal obligation (Art. 6(1)(c)). Tax, accounting, and responding to lawful authority requests.

6. Service Providers and Sub-Processors

We share personal data only with service providers ("sub-processors") that help us operate the Service. Each is bound by a written agreement that restricts their use of your data to providing the contracted service. Our current sub-processors are:

  • Vercel, Inc. — website and application hosting (United States)
  • Amazon Web Services, Inc. — cloud infrastructure and database hosting (United States)
  • Stripe, Inc. — payment processing for direct customers (United States)
  • Postmark, Inc. — transactional email delivery (United States)
  • Google LLC (Google Analytics) — aggregate website analytics (United States)

We also integrate with the following third-party platforms. These platforms act as independent controllers of the data you maintain with them, not as our sub-processors — they set their own terms and privacy policies for that data, and we access it only with your authorization:

  • Shopify Inc. — source of your store data and billing path for Shopify App Store installs (Canada)
  • Meta Platforms, Inc. — source of Facebook and Instagram data (United States)
  • TikTok Pte. Ltd. / TikTok Inc. — source of TikTok data (United States and other jurisdictions, per TikTok's current privacy documentation)

We will post an update on this page before engaging a new sub-processor that handles personal data. If you have a data processing addendum (DPA) with us, you can request a current sub-processor list and sign up to be notified of changes by emailing [email protected].

We do not sell your personal information and we do not share it for cross-context behavioral advertising.

7. Data Retention

We retain personal data only as long as needed for the purposes described in this policy:

  • Account data: until you close your account, plus up to 12 months for dispute resolution and legal compliance
  • Shopify shop data: deleted within 30 days after Shopify sends the shop/redact webhook (which Shopify dispatches approximately 48 hours after you uninstall the app), in accordance with Shopify's data retention requirements for apps
  • Meta/Instagram content: when initiated by a direct request from you, deleted within 30 days of verification; when initiated by a Meta data-deletion callback triggered by you removing our app in your Facebook settings, deleted within 90 days of the callback (typically within 30 days), as permitted by Meta's Platform Terms
  • TikTok content: deleted within 30 days of your disconnecting the account or of a verified deletion request
  • Cached story content (Meta): 24 hours
  • Direct-message metadata: 90 days after collection, unless you configure a shorter period
  • Billing records: 7 years from the date of the transaction, to comply with tax and accounting laws
  • Server logs and security logs: up to 90 days, then deleted or anonymized
  • Support tickets: up to 3 years from resolution

When retention periods expire, data is permanently deleted or irreversibly anonymized. See our Data Deletion page for how to request earlier deletion.

8. International Data Transfers

We are based in the United States and our primary hosting is in the United States. If you access the Service from outside the United States, your personal data will be transferred to, stored in, and processed in the United States and other countries where our sub-processors operate.

For transfers of personal data from the EEA, the United Kingdom, or Switzerland to the United States, we rely on the European Commission's Standard Contractual Clauses (2021/914) and the UK International Data Transfer Addendum, together with supplementary technical and organizational safeguards. You can request a copy of the SCCs used with a specific sub-processor by emailing [email protected].

9. Your Privacy Rights

Subject to applicable law, you have the rights below. We will verify your identity before acting on a request and will respond within the timeframes required by law (generally 30 days under GDPR, 45 days under CCPA, extendable where permitted).

  • Access. Request a copy of the personal data we hold about you.
  • Correction. Ask us to fix inaccurate or incomplete data.
  • Deletion. Ask us to delete your personal data. See Section 7 for retention exceptions.
  • Portability. Receive your data in a structured, machine-readable format.
  • Objection and restriction. Object to, or ask us to restrict, certain processing based on legitimate interests.
  • Withdraw consent. Where processing relies on consent, withdraw it at any time.
  • Complain to a regulator. EU/UK users have the right to complain to their local supervisory authority.

To exercise any of these rights, email [email protected].

10. California Privacy Rights (CCPA / CPRA)

If you are a California resident, the California Consumer Privacy Act (as amended by the CPRA) gives you additional rights. In the 12 months preceding the effective date of this policy we have collected the categories of personal information described in Section 3 (identifiers, commercial information, internet activity, geolocation derived from IP, professional information, and inferences drawn from the above).

You have the right to:

  • Know what categories and specific pieces of personal information we have collected about you, the sources, the purposes, and the categories of third parties we share it with
  • Delete the personal information we have collected from you, subject to legal exceptions
  • Correct inaccurate personal information
  • Opt out of sale or sharing. We do not sell your personal information and we do not share it for cross-context behavioral advertising. There is nothing to opt out of, but you can confirm this status by emailing [email protected].
  • Limit the use of sensitive personal information. We do not use sensitive personal information for purposes that trigger the right to limit.
  • Non-discrimination. We will not deny service, charge a different price, or provide a different level of quality because you exercised a privacy right.

To submit a verifiable request, email [email protected] from the email address associated with your account. An authorized agent may submit a request on your behalf with written authorization.

11. Security

We implement technical and organizational measures designed to protect personal data from unauthorized access, loss, or misuse, including:

  • Encryption of data in transit using TLS
  • Encryption of data at rest using the standard encryption facilities provided by our cloud infrastructure providers
  • Role-based access controls on administrative interfaces
  • Isolation of customer data by tenant
  • Audit logging of administrative actions
  • Regular backups and documented recovery procedures

No system is perfectly secure. You are responsible for keeping your account password confidential and for notifying us immediately if you suspect unauthorized access.

12. Data Breach Notification

If we become aware of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours where required by GDPR, and we will notify affected users without undue delay where required by applicable law.

13. Cookies and Similar Technologies

We use a small number of cookies and similar technologies:

  • Strictly necessary: session and authentication cookies required for the Service to function. These cannot be disabled.
  • Analytics: aggregated usage measurement (e.g., Google Analytics) to understand feature usage. IP addresses are truncated.

We do not place advertising cookies and we do not use the Service to profile you for cross-site advertising. You can manage cookies through your browser settings. Where required by law (e.g., EU/UK), we request consent before setting non-essential cookies.

14. Children

The Service is intended for businesses and for creators who are at least 18 years old. We do not knowingly collect personal information from anyone under 18. If we learn that we have collected personal information from a child under 18, we will delete it. If you believe a child has provided us with personal information, contact [email protected].

15. Third-Party Platforms

The Service depends on and integrates with third-party platforms including Shopify, Meta (Facebook and Instagram), TikTok, and Stripe. Those platforms each have their own privacy policies. When you authorize us to access your data on those platforms, the platform's terms and privacy policy also apply. We recommend you review them:

  • Shopify: shopify.com/legal/privacy
  • Meta (Facebook & Instagram): facebook.com/privacy/policy
  • TikTok: tiktok.com/legal/privacy-policy
  • Stripe: stripe.com/privacy

16. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will give you notice — for example, by email or by a prominent notice in the app — before the changes take effect, and we will update the effective date at the top. Continued use of the Service after the effective date constitutes acceptance of the updated policy.

17. Contact Us

For any privacy question or to exercise your rights, contact us at:

Email: [email protected]
Mail: Sonar Bloom App LLC, 30 N Gould St, Ste R, Sheridan, WY 82801, USA

© 2026 SonarBloom. All rights reserved.