SonorМонгол

Privacy Policy

Effective date: 2 May 2026|Last updated: 2 May 2026

This Privacy Policy describes how Sonor (“we”, “us”, “our”) collects, uses, shares, and protects personal information from visitors to rune.mn and from customers who sign up to use the Sonor platform. It is written in plain language. If you have questions, email us at info@rune.mn.

1. Who We Are

Sonor is a conversational commerce platform for Mongolian businesses, operated by Sonor LLC, registered in Mongolia. Our primary contact for privacy matters is info@rune.mn.

2. Data We Collect

2.1 Information you provide directly: When you create an account we collect your name, email address, business name, phone number (optional), and a hashed copy of your password. When you contact us via form or email we collect the information you submit.

2.2 Usage and technical data: When you visit rune.mn we collect server log data — IP address, browser user-agent, referring URL, and timestamp — for security and operational purposes.

2.3 Data received from Meta Platforms (Facebook & Instagram): If you connect a Facebook Page or Instagram Business Account to Sonor, we receive the following data from Meta via the Messenger API and Instagram Messaging API:

  • Page ID and Page access tokens
  • Instagram Business Account ID
  • End-user's Facebook user ID (PSID) or Instagram-scoped user ID
  • End-user's public display name and, where available, profile picture URL
  • Message content (text, images, attachments) sent by end-users to your Page or Instagram account
  • Message timestamps and delivery/read receipts
  • Webhook event metadata (entry IDs, messaging type)

We receive this data solely because you (the Sonor merchant) authorised our app to manage your Page's or Instagram account's messages on your behalf.

2.4 Order, payment, and conversation data: When you use Sonor to operate your business, we process customer conversations, orders, product catalog entries, knowledge-base documents, and payment metadata that you and your customers generate through the platform.

2.5 Payment data: Payments made by your customers are processed by QPay. We receive a confirmation webhook from QPay containing the order amount, currency, and a transaction reference. We do not see, store, or process card numbers, bank account numbers, or other sensitive financial credentials.

3. How We Use the Data

We use the information we collect for the following purposes:

  • To provide, operate, and improve the Sonor service
  • To authenticate accounts and enforce security
  • To process orders and integrate with QPay
  • To power the Sonor AI agent (routing conversation content to the underlying language model to generate replies on your behalf)
  • To send you transactional and operational emails (you can opt out of non-essential communications at any time)
  • To comply with legal obligations applicable in Mongolia

Meta Platform Data use restriction: Data received from Meta APIs (Facebook, Messenger, Instagram) is used ONLY to provide and improve the Sonor messaging service on your behalf. We do not use Meta Platform Data to target advertising, build user profiles for advertising purposes, sell data, or any other purpose beyond delivering the features you have enabled. This is a hard contractual restriction in our agreement with Meta.

4. AI Processing of Conversations

When the Sonor AI agent handles a customer message, the conversation content is sent to the underlying language-model provider (currently Google Gemini) so the model can generate a contextually appropriate reply. We select providers that:

  • Do not use customer conversation content to train future models
  • Process data under commercially appropriate data protection agreements

All conversations are logged within Sonor's database so you can audit what the AI said and why. You control retention duration in your account settings.

5. Sharing and Disclosure

We do not sell personal information. We share data only in the following limited circumstances:

  • Service providers: We share data with trusted sub-processors (cloud hosting, email delivery, language model APIs) strictly to deliver the Sonor service. All sub-processors are bound by data protection agreements.
  • Channel APIs: Sending a reply through a Meta channel (Messenger, Instagram) necessarily involves transmitting data through Meta's APIs. This is integral to the service you have configured.
  • Legal obligations: We may disclose data if required by Mongolian law, regulation, or valid legal process.
  • Business transfers: In the event of a merger or acquisition, user data may be transferred to the acquiring entity under confidentiality obligations.

We never share Meta Platform Data with third parties except (a) as required by law, (b) as necessary to deliver the messaging integration you configured, or (c) with your express written consent. We never share such data with data brokers or advertising networks.

6. Data Retention

We retain data for as long as your account is active plus a reasonable period thereafter to resolve disputes and comply with legal obligations. Specifically:

  • Conversation and order history: retained for the duration of your subscription plus 90 days after account closure.
  • Meta Platform Data (messages, user IDs): retained for the same period unless you request earlier deletion.
  • Server logs: retained for up to 12 months for security purposes.
  • Financial transaction records: retained for 7 years to comply with Mongolian accounting law.

You may request earlier deletion of your account and associated data at any time (see Section 8).

7. Data Security

We implement technical and organisational measures to protect personal information, including:

  • Encryption in transit (HTTPS/TLS) and at rest for sensitive fields
  • Role-based access controls limiting data access to authorised personnel
  • Regular security reviews of our infrastructure and third-party providers
  • Immediate notification procedures in case of a data breach affecting users

8. Your Rights

You have the right to:

  • Access the personal data we hold about you
  • Correct inaccurate or incomplete data
  • Export your data in a portable format
  • Delete your account and associated personal data
  • Withdraw consent for non-essential data processing at any time
  • Revoke Sonor's access to your Facebook Page or Instagram account at any time via your Facebook Business Settings

To exercise any of these rights, email info@rune.mn or use the account dashboard. We will respond within 5 working days. If we materially change this policy, we will notify you by email at least 14 days before the change takes effect.

9. Children's Data

Sonor is a business-to-business platform. We do not knowingly collect personal data from individuals under the age of 13. If we become aware that we have inadvertently collected data from a child under 13, we will delete it promptly. If you believe we hold such data, contact info@rune.mn.

10. Cookies and Tracking Technologies

rune.mn uses only essential cookies: session cookies, anti-CSRF tokens, and a language preference cookie. We do not use third-party advertising cookies, Google Analytics, or Meta Pixel on this website.

11. International Data Transfers

Sonor's primary servers are located in Mongolia. Certain service providers we use — including our language-model provider and outbound email provider — process data outside Mongolia. We ensure adequate contractual protections are in place for all international transfers. A current list of sub-processors is available on request at info@rune.mn.

12. Third-Party Platforms

This policy covers Sonor's handling of your data. The Meta platforms (Facebook, Instagram, Messenger) have their own privacy policies that govern how Meta processes data. By connecting a Facebook Page or Instagram account to Sonor, you acknowledge that Meta's terms and privacy policy also apply to your use of those platforms.

Relevant Meta policies:

13. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated to registered users via email at least 14 days before they take effect. The effective date at the top of this document will always reflect the current version. Continued use of Sonor after the effective date constitutes acceptance of the revised policy.

14. Contact

For any privacy-related questions, requests, or complaints: