Introduction
Sona Academy (“we”, “us”, “our”) is committed to protecting personal data in accordance with applicable data protection laws, including the General Data Protection Regulation (EU) 2016/679 (“GDPR”).
This Privacy Policy explains how we collect, use, and safeguard personal data in connection with the Sona Academy platform.
Sona Academy is primarily intended for healthcare professionals. However, certain sections of the platform are publicly accessible and may be used by individuals without verified professional status. Access to specific content and features may be restricted to verified healthcare professionals.
Depending on the level of access and user status, the types of personal data collected and the purposes of processing may differ.
Data Controller
The controller of personal data is:
Sona-Pharm OÜ
6 Ahtri Street, Tallinn, Estonia.
Categories of Personal Data
We may collect and process the following categories of personal data:
Identification data (e.g., name).
Contact details (e.g., email address).
Professional information (e.g., occupation, specialisation, affiliation).
Account and platform usage data (e.g., login history, content access, session activity).
Communication preferences.
The platform consists of both publicly accessible areas and restricted sections intended for healthcare professionals. Data processing activities may differ depending on the level of access and user status.
Where users access restricted professional sections, we may collect professional information (e.g., occupation, specialisation, affiliation). For users accessing public sections, only general account or usage data may be processed.
We may also process publicly available professional information (from platforms like LinkedIn, Xing, ResearchGate, and university, institutional, or employer profiles) relating to healthcare professionals for the purpose of maintaining and developing our professional network, in accordance with applicable laws.
We do not collect, process, or store patient data or identifiable health data.
Purposes of Processing
Personal data is processed for the following purposes:
Providing access to the platform.
Verifying professional status (where access to restricted professional content is requested).
Delivering educational content.
Personalising user experience and content recommendations.
Communicating relevant educational updates.
Ensuring platform security and functionality.
Legal Bases for Processing
We rely on the following legal bases under GDPR:
Legitimate interests – to improve the platform (Art. 6(1)(f) GDPR).
Consent – for communications where required (Art. 4(11) GDPR).
Legal obligations – where applicable (Art. 6(1)(c) GDPR).
Performance of a contract – to operate the platform (Art. 6(1)(b) GDPR).
Data Storage and Transfers
All personal data is stored within the European Economic Area (EEA).
We operate a centralised infrastructure and do not maintain country-specific storage.
Limited remote access may be granted to authorised personnel outside the EEA under appropriate safeguards (Standard Contractual Clauses, SCCs).
We do not engage in broad or uncontrolled international data transfers.
Certain service providers (including CRM tools) may be located outside the European Economic Area, including in the United Kingdom or other non-EU countries, either where the jurisdiction ensures an adequate level of data protection or where appropriate safeguards (Standard Contractual Clauses, SCCs) have been implemented in accordance with applicable data protection laws.
Sona Academy may engage processors located in jurisdictions such as Ukraine or Kazakhstan for technical and administrative support. Such processing is subject to contractual safeguards and limited to remote access where possible.
Data Sharing
We do not sell or rent personal data. Data may be shared only with:
Service providers that maintain and operate technical infrastructure and secure our systems and services (e.g., hosting and infrastructure provider Google Cloud Platform, analytics provider Google Analytics, and content delivery networks (CDNs)).
Affiliates within the Sona group (where necessary).
Authorities, where required by law.
Sona Academy does not engage in profiling for advertising purposes or in cross-platform tracking of users.
Data Retention
Personal data is retained only as long as necessary for the purposes for which it was collected, including to operate the platform and comply with applicable legal obligations. Where possible, specific retention periods are applied:
Account data is retained for the duration of the user relationship and deleted within 90 days after account closure.
Technical logs are retained for up to 90 days, unless required longer for security investigations.
Analytical data (aggregated or pseudonymised usage statistics) is retained for 26 months.
Consent records (cookie consent logs, disclaimer acknowledgments) are retained for up to 3 years after the consent was given or withdrawn.
Where exact periods cannot be specified, data is retained based on criteria such as legal requirements, dispute resolution needs, and operational necessity. Data is deleted or anonymised once it is no longer required.
User Rights
Where applicable, users have the right to:
Access their data (Art. 15 GDPR).
Request correction or deletion (Art. 16 and 17 GDPR).
Restrict or object to processing (Art. 18 and 21 GDPR).
Withdraw consent (Art. 7(3) GDPR).
Lodge a complaint with a supervisory authority (Art. 77 GDPR).
Communications and Opt-Out
Users may opt out of receiving communications at any time via:
Account settings.
Unsubscribe links.
Direct contact.
Security
We implement appropriate technical and organisational measures to protect personal data, and we only use service providers that have undertaken contractual obligations to implement sufficient information security measures.
Third-Party Links
The platform may integrate or link to third-party platforms (such as video hosting services). Where users access such services, their data may be processed by those third parties in accordance with their own policies. We are not responsible for their data practices.
Updates
We may update this Privacy Policy from time to time. Updated versions will be made available on the platform.
Contact
For data protection inquiries:
[Insert contact email]