Last updated: 9 July 2026
Who we are
Sonar Development (“we”, “us”, “our”) operates the website at https://sonardevelopment.com. For the personal data described in this policy, we act as the data controller.
You can contact us about this policy or about your personal data by email at support@sonardevelopment.com.
The personal data we collect
We collect the information you choose to submit through the two forms on this website: the contact form and the project-brief form. We do not collect more than we need to respond to and assess your enquiry.
Contact form
- Name - used to identify you and address our reply.
- Email address (required) - used to reply to your enquiry and to send you a confirmation that we received it.
- Company (optional) - used for business context.
- Subject (required) - used to categorise your enquiry.
- Message (required) - the free-text content of your enquiry. Because this is free text, it may contain whatever personal data you choose to include.
- Consent - a tick confirming you agree to us storing these details to respond to your enquiry. The checkbox is not ticked by default.
Project-brief form
- Name and email address (email required) - used to identify you and reply.
- Company (optional) - used for business context.
- What you need (required) - the type of project, so we understand what to build.
- Your goal (required) - a free-text description of what the project should achieve. Because this is free text, it may contain whatever personal data you choose to include.
- Additional information (optional) - any other free-text context you choose to share.
- Consent - a tick confirming you agree to us storing the brief to assess and respond to your project. The checkbox is not ticked by default.
Data we generate when you submit a form
When the website's database is enabled, submitting a form also creates the following technical data, used for security and record-keeping rather than collected from you directly:
- A salted SHA-256 hash of your IP address. We never store your raw IP address. The hash is used for rate limiting, abuse prevention, and to record the provenance of your consent.
- Your browser's User-Agent string, truncated to 300 characters, kept for diagnostics and abuse context.
- A consent record storing the exact consent wording shown to you, the form type, the hashed IP and a timestamp.
- A reference code generated for your submission so it can be tracked. The code itself is not personal data but is linked to your record.
- Operational email-delivery logs (recipient address, subject, template, status and any error) recording that a notification or confirmation email was sent.
Both forms also include a hidden anti-spam field. If it is filled in - which only automated bots do - the submission is silently discarded and never stored.
We do not intentionally collect special-category data (such as data about health, race, religion or political views). Please avoid including such information in free-text fields unless it is necessary.
Separately, we hold credentials for internal staff who administer this website (name, email, role and a hashed password). This data is never collected from public visitors and is not shown publicly.
How we use your personal data, and our legal bases
Under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, we must have a lawful basis for each use of your personal data. We rely on the following:
- Consent (UK GDPR Article 6(1)(a)) - our primary basis for storing and using the details you submit. Both forms require an explicit consent checkbox that is not ticked by default, and we store the exact wording you agreed to.
- Steps prior to a contract (UK GDPR Article 6(1)(b)) - where processing your project brief is necessary to take steps, at your request, before potentially entering into a contract with you.
- Legitimate interests (UK GDPR Article 6(1)(f)) - for security and abuse prevention (such as hashed-IP rate limiting, the hidden anti-spam field, CAPTCHA verification where enabled, and audit logging) and for responding to and managing inbound business enquiries.
In practice, we use the data to identify you, reply to your enquiry, assess and scope a potential project, send you a confirmation of receipt, and protect the website and our records from abuse.
Who we share your personal data with
We do not sell your personal data. We share it only with service providers who process it on our behalf (our processors) so that this website can function. Depending on how the site is configured, these may include:
- Our hosting platform and content delivery network, Vercel Inc., which handles all request traffic to the site, provides HTTPS, and serves the site from a global edge network.
- Our email infrastructure, Microsoft 365, which operates the studio mailbox that receives and answers your enquiry.
- A transactional email provider, used to deliver the notification email to the studio and the confirmation email to you when one is enabled. The studio notification includes the details you submitted.
- A database host, which stores the records described above when the website's database is enabled.
- A CAPTCHA verification provider, used to check that a submission is human, where a provider is enabled. No CAPTCHA is active by default and none is currently shown on the public forms.
We keep this list current: if we change or add a processor that handles your personal data, we update this policy first. You can ask us at any time which specific providers are active by emailing support@sonardevelopment.com.
Some optional services exist in the website but are not active by default and do not currently receive any personal data: file/object storage (no file uploads are collected today), web analytics (none is loaded by default), and error monitoring. If we enable any of these, we will update this policy first.
We may also disclose personal data where required by law or to establish, exercise or defend legal claims.
International transfers
Some of our processors may store or process personal data outside the United Kingdom - for example, our hosting platform operates a global content delivery network with infrastructure in the United States and elsewhere. Where that happens, we ensure an appropriate safeguard is in place, such as a UK adequacy decision, the UK International Data Transfer Agreement, or the UK Addendum to the EU Standard Contractual Clauses, relying on the processor's published data-processing terms.
How long we keep your personal data
We operate a retention schedule so that personal data is not kept longer than necessary. A scheduled process permanently removes records once they pass their retention period, and you can ask us to erase your data sooner (see Your rights).
Some data is also cleared on a purely operational basis: expired staff login sessions, used password-reset tokens and short-lived rate-limiting entries are removed continuously.
Our current retention periods are: enquiry and brief records, 24 months after the last update; consent records, kept as proof of consent and removed within 6 years once no longer tied to an active enquiry; internal audit logs, 12 months; email-delivery logs, 6 months. If we change these periods, we will update this policy.
Your rights
Under UK GDPR and the Data Protection Act 2018 you have the following rights in relation to your personal data:
- The right to be informed - explained by this policy.
- The right of access - to a copy of the personal data we hold about you.
- The right to rectification - to have inaccurate personal data corrected.
- The right to erasure - to ask us to permanently delete your personal data. On request we delete, in a single transaction, your enquiry and brief records, the related consent records, the inbound and internal email-delivery logs that reference you, and lead-related audit entries. We may keep a limited record only where the law allows or requires it, for example to establish or defend legal claims.
- The right to restrict processing - to ask us to limit how we use your data.
- The right to data portability - where processing is based on consent or a contract and carried out by automated means.
- The right to object - to processing based on our legitimate interests.
- The right to withdraw consent - at any time, without affecting the lawfulness of processing before withdrawal.
To exercise any of these rights, contact us at support@sonardevelopment.com. We honour erasure and withdrawal-of-consent requests by permanently deleting the records associated with your email address. We respond to rights requests within one calendar month, as UK GDPR requires, and where a request is made about data tied to an email address we will verify the request by corresponding with that address before acting on it.
Complaints
If you have a concern about how we handle your personal data, please contact us first at support@sonardevelopment.com so we can try to resolve it.
You also have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK supervisory authority for data protection, at ico.org.uk.
Cookies
By default, this website sets only one cookie, named sonar_session. It is a strictly necessary authentication cookie used solely for the internal staff admin area. It is set only when a staff member logs in - never for public visitors browsing the site - and only a hashed version of the token is stored on our side. It is HttpOnly, uses SameSite=Lax, is marked Secure in production, and expires after eight hours.
No analytics or marketing cookies are set by default, and no third-party tracking scripts are loaded. For full details, please see our Cookie Policy.
How we protect your personal data
We take the security of your personal data seriously and apply a range of technical measures, including:
- Server-side validation of all form input (required fields, length limits, email format and a strict consent check).
- A hidden anti-spam field and rate limiting to reduce abuse, plus a swappable CAPTCHA verification step where enabled.
- Storing IP addresses only as salted SHA-256 hashes, never in raw form, and truncating browser User-Agent strings.
- Storing staff passwords only as hashes, with account-lockout protections.
- Opaque, hashed session tokens with a short lifetime, and audit logging of administrative actions.
- An append-only record of the exact consent wording you agreed to, with a timestamp.
- Strict security headers, including a nonce-based Content Security Policy, and enforced HTTPS in production.
- Fail-closed configuration checks that refuse to run the production site with unsafe settings.
Changes to this policy
We may update this policy from time to time, for example if we enable new services or change our processors. When we do, we will revise the “Last updated” date at the top of this page. Significant changes will be made clear.
Contact
For any question about this policy or your personal data, email us at support@sonardevelopment.com.