Privacy Policy
Last updated: February 21, 2026
1. Controller
The controller within the meaning of Art. 4(7) GDPR is:
Dinghy GmbH
Blumenstr. 77
63069 Offenbach am Main, Germany
Email: hello@dinghy.studio
Managing directors: Daniel Becker, Nils Borgboehmer
Commercial register: Amtsgericht Offenbach am Main, HRB 55121
VAT ID: DE343822523
2. Overview
Ask Sona ("asksona.io", the "Service") is a web application that lets you create, manage, and interact with AI-powered marketing personas. This policy explains what personal data we collect, why we process it, and what rights you have under the GDPR and applicable German data protection law.
3. Data we collect
3.1 Account data
When you create an account, we collect your email address. You may set a password; if you choose magic-link authentication instead, no password is stored. We assign a unique user ID (UUID) to your account.
3.2 Content data
All content you create in Ask Sona is stored in our database. This includes projects, personas and profile data, persona images, chat conversations, and version history.
3.3 Collaboration data
If you invite others, we store invitee email addresses, assigned roles, and acceptance timestamps.
3.4 Documents uploaded for AI processing
Supporting documents (for example .txt, .csv, .md) are read in your browser and sent to the AI model for processing. They are not stored on our servers.
3.5 Usage and analytics data
We use Plausible Analytics in a privacy-focused, cookie-free setup for aggregated metrics such as page views and referral sources.
3.6 Session replay data
In production we use OpenReplay to understand app interactions (for example clicks and navigation) and improve usability. In our current setup we do not capture form input values. Sessions are associated with your email address for support scenarios.
3.7 Technical data
Our providers (including hosting and database) collect technical data such as IP address, browser type, OS, referrer, and timestamps for security and operations.
3.8 Cookies and local storage
We use essential cookies only. Authentication tokens are stored in HTTP-only cookies. Theme preference may be stored in local storage.
4. Purposes and legal bases
We process personal data based on Art. 6(1) GDPR:
| Purpose | Data | Legal basis |
|---|---|---|
| Providing the Service | Account, content, collaboration data | Art. 6(1)(b) GDPR |
| AI persona generation and chat | Prompts, persona data, chat history, uploaded documents | Art. 6(1)(b) GDPR |
| Authentication and security | Email, password hash, tokens, IP | Art. 6(1)(b) GDPR |
| Aggregated analytics (Plausible) | Anonymized usage data | Art. 6(1)(f) GDPR |
| Session replay and live support | Interaction data, email address | Art. 6(1)(f) GDPR |
| Infrastructure and hosting | IP address, technical data | Art. 6(1)(f) GDPR |
Where processing is based on legitimate interest (Art. 6(1)(f) GDPR), our interests are maintaining, improving, and securing the Service. For OpenReplay specifically, we limit replay data to interaction events and the logged-in account email used for support, do not capture form input values in our current configuration, apply role-based access controls, and retain replay data for a limited period. You can object to this processing at any time (see Section 8).
5. AI data processing
Ask Sona uses LLMs via OpenRouter for persona generation and chat. Depending on your usage, prompts, persona profile data, chat history, and supporting document content may be processed.
We use Zero Data Retention (ZDR) models and do not send account credentials such as email passwords to AI models.
6. Processors and data transfers
We work with third-party processors under Art. 28 GDPR. Where required, transfers outside the EU/EEA rely on appropriate safeguards, especially EU Standard Contractual Clauses (SCCs) under Art. 46(2)(c) GDPR.
| Provider | Purpose | Location | Legal documentation |
|---|---|---|---|
| Supabase Inc. | Database, authentication, file storage | USA (EU region available) | Privacy · DPA |
| Vercel Inc. | App hosting and edge functions | USA / global CDN | Privacy · DPA |
| OpenRouter (Nous Research Inc.) | AI model routing (ZDR only) | USA | Privacy · DPA available on request |
| Plausible Insights OÜ | Privacy-friendly analytics | EU (Estonia) | Privacy · DPA |
| OpenReplay Technologies Inc. | Session replay and live support | USA / EU | DPA/subprocessor documentation available on request |
We review these third-party legal terms periodically. If a linked page changes, the latest version on the provider website applies.
7. Data retention
- Account data is retained as long as your account exists and is deleted within 30 days after account deletion, unless legal duties require longer retention.
- Content data is retained as long as your account exists or until deletion.
- AI provider processing uses ZDR; internal logs keep only minimal technical metadata.
- Plausible stores aggregated, anonymous metrics.
- OpenReplay session data is retained up to 90 days.
- Technical access logs are typically retained up to 30 days.
8. Your rights
Under GDPR you have rights of access, rectification, erasure, restriction, portability, objection, and withdrawal of consent. You can also lodge a complaint with a supervisory authority.
To exercise your rights, contact hello@dinghy.studio.
Competent supervisory authority: Hessian Data Protection Commissioner (Hessischer Beauftragter für Datenschutz und Informationsfreiheit), Gustav-Stresemann-Ring 1, 65189 Wiesbaden, Germany.
9. Security
- TLS/HTTPS encryption in transit.
- Encryption at rest for database storage.
- Row Level Security for access control.
- HTTP-only cookies for authentication tokens.
- Regular security updates and dependency audits.
10. Children
The Service is not directed at children under 16, and we do not knowingly collect their personal data.
11. Changes to this policy
We may update this privacy policy from time to time. Material changes are communicated by email or in-app notice.
12. Automated decision-making
We do not use automated decision-making, including profiling, that produces legal effects concerning you or similarly significantly affects you within the meaning of Art. 22 GDPR.
13. Data Protection Officer
We have currently not appointed a Data Protection Officer (DPO), as we are not legally required to do so under Art. 37 GDPR and applicable national law.
14. Contact
Dinghy GmbH
Blumenstr. 77
63069 Offenbach am Main, Germany
Email: hello@dinghy.studio