Privacy Policy
Last updated: April 2, 2026
Who we are
Sonar is operated by 0arch (“we,” “us,” “our”), a software studio based in Miami, Florida. Sonar is accessible at sonar.0arch.io. For privacy inquiries, contact us at sonar@0arch.io.
What data we collect
We collect the minimum data necessary to operate the service:
- Account data: Your email address and a hashed password when you create an account. We hash passwords using PBKDF2-SHA256 with 600,000 iterations and a unique salt per user. We never store your plaintext password.
- Subscription data: If you subscribe to Sonar Pro, Stripe processes your payment. We store your Stripe customer ID to manage your subscription. We do not store your credit card number, expiration date, or CVC — that data is held exclusively by Stripe. See Stripe's privacy policy.
- Usage data: Which signals you save (stored as signal IDs linked to your account). We do not track page views, clicks, or browsing behavior. We do not use analytics tools like Google Analytics.
- Authentication cookies: When you sign in, we set a single HTTP-only cookie called sonar_session containing a signed JWT token. This cookie is Secure, SameSite=Strict, and expires after 24 hours. We do not set tracking cookies, advertising cookies, or third-party cookies.
- Rate limiting data: We temporarily store your IP address and request timestamps in our database to enforce rate limits on authentication endpoints. This data is automatically deleted after it expires (typically within minutes).
What data we do NOT collect
- We do not collect your name, phone number, or physical address.
- We do not use cookies for tracking or advertising.
- We do not sell, rent, or share your personal data with third parties for marketing purposes.
- We do not use Google Analytics, Facebook Pixel, or any third-party tracking tools.
- We do not collect device fingerprints or browser metadata beyond what is necessary for rate limiting.
Signal data
The demand signals displayed in Sonar are sourced from publicly available posts on Reddit (via Reddit's public JSON endpoints) and Hacker News (via the Algolia API). We do not scrape private content, direct messages, or any data that requires authentication to access. All signal data consists of post titles, public text content, upvote counts, comment counts, subreddit names, and timestamps — all of which are publicly visible on their respective platforms.
Where data is stored
All data is stored on Cloudflare's infrastructure. Specifically, we use Cloudflare D1 (a serverless SQLite database) for account data, saved signals, and rate limiting records. Our application runs on Cloudflare Workers, which processes requests at edge locations globally. Cloudflare's infrastructure is SOC 2 Type II and ISO 27001 certified. See Cloudflare's privacy policy.
How we use your data
- Your email address is used to identify your account, manage your subscription, and contact you about service issues.
- Your hashed password is used solely for authentication.
- Your Stripe customer ID is used to verify your subscription status and process payments.
- Your saved signal IDs are used to display your saved signals when you log in.
- Rate limiting data is used to prevent abuse of authentication endpoints.
Third-party services
We use the following third-party services:
- Stripe — Payment processing. Stripe receives your payment information directly; it never passes through our servers. Stripe's PCI DSS Level 1 certification covers this.
- Cloudflare — Hosting, DNS, and database infrastructure. Cloudflare may process your IP address for DDoS protection and CDN routing.
- Reddit and Hacker News — We fetch publicly available post data from these platforms to generate signals. No user data is sent to these platforms.
Data retention
- Account data is retained until you delete your account or request deletion.
- Signal data (public Reddit/HN posts) is retained for 90 days, then automatically deleted.
- Rate limiting records are deleted within minutes of expiration.
- Stripe retains payment data according to their own retention policy and legal requirements.
Your rights
You have the right to:
- Request a copy of all personal data we hold about you.
- Request deletion of your account and all associated data.
- Request correction of inaccurate personal data.
- Withdraw consent for data processing at any time by deleting your account.
To exercise any of these rights, email sonar@0arch.io. We will respond within 30 days.
Children
Sonar is not intended for use by anyone under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us at sonar@0arch.io and we will delete it.
Changes to this policy
We may update this privacy policy from time to time. If we make material changes, we will notify you by email or by posting a notice on the site. The “last updated” date at the top of this page reflects the most recent revision.
Contact
For any privacy-related questions or requests, contact us at sonar@0arch.io.