Privacy Policy
Last updated: 4 June 2026
ITB Consulting Inc. (ITBコンサルティング株式会社, the “Company”, “we”, “us”, “our”) operates the Soneam service at soneam.com (“Soneam”, the “Service”). This Privacy Policy explains how we handle personal data. It applies to engineers who hold an account and to the clients they invite to review or receive files.
Controller / processor; entrustment
For account holders, the Company is the data controller. For the personal data of review/delivery participants that an account holder uploads or invites (e.g. a client’s name, email and comments), the account holder is the controller and the Company acts as a processor (under Japan’s Act on the Protection of Personal Information, “APPI”, an entrusted party / 委託先) on their behalf.
1. Information we collect
- Account & profile — email, hashed password, optional profile details (display name, job title, studio name/URL, social links, avatar).
- Content you upload — audio files (masters/mixes), generated derivatives (lossless preview, waveform peaks, loudness/true-peak metadata), project titles, notes and cover art.
- Review & delivery participants — names, email addresses and comments submitted via a review link, and the IP address recorded with an approval as evidence of sign-off.
- Billing — your plan and Stripe customer/subscription identifiers. Card details are handled by Stripe; we never see or store full card numbers.
- Usage & technical — log data, device/browser information, error reports, and privacy-first, cookieless analytics (aggregate page views and product-usage events) that do not track you across other sites.
- Cookies & local storage — see our Cookie Policy.
2. How we use information & legal bases
| Purpose | Legal basis (GDPR/UK GDPR) |
|---|---|
| Provide the Service — store/process audio, run review, approval and delivery | Performance of a contract |
| Keep the Service secure, prevent fraud and abuse, debug, and improve features | Legitimate interests — specifically our interest in operating a secure, reliable service, preventing misuse, and improving it (balanced against your rights; a legitimate-interests assessment is held internally) |
| Send transactional email (verification, comment/approval/delivery notices) | Contract / legitimate interests |
| Send product or marketing email | Consent (opt-in; withdraw anytime) |
| Comply with legal, tax and accounting obligations | Legal obligation |
Under APPI, we identify the purposes of use as those listed above and do not use personal data beyond them without further notice or consent.
3. We do not train AI on your content
We do not use your audio, comments or other content to train, fine-tune or develop machine-learning or generative-AI models — ours or anyone else’s — and we never sell or share your content for that purpose. Your masters are often unreleased and confidential, and we treat them that way. Audio is processed automatically only to deliver features you use (e.g. generating a waveform, lossless preview, or loudness measurement). If we ever introduce optional AI-assisted features, they will be strictly opt-in, clearly described, and off by default.
4. Sharing & sub-processors
We do not sell your personal data. We share it only with service providers that process it on our instructions to run the Service, and where required by law or to protect rights and safety. Current sub-processors and where they process data:
| Provider | Purpose | Country / region of processing |
|---|---|---|
| Cloudflare R2 | Audio/file storage (private bucket, signed expiring URLs) | United States (Western North America) |
| Railway | Application hosting & database | United States |
| Stripe | Payments & subscriptions | United States (and Ireland for EU customers) |
| Resend | Transactional & (opt-in) marketing email | United States |
| Google | “Sign in with Google” (only if you choose it) | United States |
| Sentry | Error monitoring | United States |
| Plausible Analytics | Aggregate, cookieless web analytics | European Union |
| PostHog | Product-usage analytics (server-side, cookieless) | European Union |
5. International data transfers
5.1 For EU/EEA & UK data
For personal data transferred outside the EEA/UK we rely on: (i) the EU-US Data Privacy Framework (and its UK extension) for providers that are DPF-certified; and (ii) for all other transfers, the Standard Contractual Clauses (with the UK Addendum / IDTA) as appropriate safeguards under GDPR Art. 46 — note that the SCCs are a safeguard rather than an adequacy decision — together with supplementary measures such as encryption. Because the DPF is the subject of ongoing legal challenge, we maintain SCCs as a standing fallback regardless of a provider’s DPF status.
5.2 For data subject to APPI (provision to third parties in foreign countries — APPI Art. 28)
Because the Company is established in Japan, providing personal data to the overseas providers above — including where we entrust processing to them — is a cross-border provision under APPI Art. 28. Entrustment does not exempt an overseas transfer from Art. 28. The United States is not currently designated by the Personal Information Protection Commission (PPC) as offering a level of protection equivalent to Japan (only the EEA and the UK are). We therefore rely on the basis that each recipient has put in place measures meeting the standards required of a personal-information handler (相当措置 / appropriate measures, via data-processing terms), and we (i) take steps to ensure those measures continue, and (ii) provide information about them to you on request. Where we instead rely on your consent, we will, at the time of consent, disclose (a) the name of the foreign country, (b) information on that country’s data-protection regime, and (c) the measures taken by the recipient. By creating an account and accepting this Policy, you consent to the cross-border provision of your personal data to the providers and countries described in §4 and §6, on the basis of the disclosures (a)–(c) set out in this Policy.
6. Security & external environment
We use industry-standard safeguards including encryption in transit (HTTPS), encryption at rest for stored files, a private storage bucket with signed, expiring URLs and opaque object keys, hashed passwords, password-gated review/delivery links, and access controls. No method is 100% secure, but we work to protect your data and will notify you and regulators of a breach where legally required.
Understanding of the external environment (APPI): all of our current providers, including the Cloudflare R2 bucket that stores your audio (Western North America), process data in the United States. The United States does not have a single comprehensive national data-protection law equivalent to APPI; protection there relies on sectoral and state laws (e.g. California’s CCPA/CPRA) and on the contractual and certification commitments of our providers (including, where applicable, EU-US Data Privacy Framework certification). We monitor the regime of the country where your data is held and take this into account in our safeguards.
7. Data retention
- Account & profile — kept while your account is active; deleted or anonymised within 30 days of account deletion (excluding backups, below).
- Uploaded content & review/participant data — kept while the project exists; deleted within 30 days of you deleting the project/file or your account.
- Free loudness tool — audio you upload to the public loudness tool is analyzed and then deleted immediately after measurement. It is never added to an account, never stored, and never used to train AI. Only the resulting numbers are held briefly in a temporary cache (about 15 minutes) so your browser can display them.
- Billing & tax records — retained as required by Japanese tax and corporate law (generally 7–10 years).
- Backups — purged on a rolling basis, typically within 35 days.
- Logs & error reports — typically retained up to 90 days.
8. Your rights
Depending on where you live (EU/UK GDPR, Japan’s APPI, California’s CCPA/CPRA and others), you may have the right to access, correct, delete, receive a portable copy of, or restrict/object to the processing of your personal data; to withdraw consent (e.g. marketing); and to opt out of “sale”/“sharing” (note we do not sell or share your data for advertising). You may also lodge a complaint with your supervisory authority (in Japan, the PPC).
You can delete your account and content yourself in Settings → Danger Zone, or contact [email protected]. We will not discriminate against you for exercising your rights.
To make an APPI request for disclosure, correction or suspension of use, contact us at the address in §13. We will verify your identity and respond without undue delay; we do not charge a fee for routine requests.
Review/delivery participants: for personal data you submit on a review or delivery link, the engineer who invited you is the controller. Please direct access/deletion requests to that engineer; the Company will assist them as processor. Because we receive this data from the engineer rather than from you directly, notice is provided to you on the review/delivery page and via this policy.
9. Automated decision-making
We do not carry out profiling or automated decision-making that produces legal or similarly significant effects on you.
10. EU/UK representative (GDPR/UK GDPR Art. 27)
We have assessed whether an EU and/or UK representative under Article 27 is required and currently rely on the Article 27(2) exemption: our processing of EU/UK residents’ personal data is occasional, low-risk, and does not include special categories of data or criminal-offence data on a large scale. We keep this assessment documented and review it periodically; should our processing change, we will appoint a representative as required.
11. Children
The Service is not directed to children under 16, and we do not knowingly collect their personal data.
12. Changes to this policy
We may update this policy; we will post the new version here with a revised “Last updated” date and, for material changes, provide additional notice.
13. Business operator & contact
ITB Consulting Inc. (ITBコンサルティング株式会社)
Registered address: MIEUX Shibuya Bldg. 8F, 5-3 Maruyamacho, Shibuya-ku, Tokyo 150-0044, Japan
Representative Director: Takahiro Maeda
Privacy contact: [email protected]
See also our Terms of Service and Cookie Policy.