Privacy Policy

Effective Date: April 24, 2026

This Privacy Policy describes how Soli ("we," "us," or "our") collects, uses, and safeguards information when you use our products and services, including Soli Forms and Soli Line (collectively, the "Services"). By accessing or using the Services, you acknowledge that you have read and understood this Privacy Policy.

Information We Collect

We collect the following categories of information in connection with your use of the Services:

  • Account Information. When you register for an account, we collect your name, email address, professional credentials, and practice name.
  • Practice Information. We collect information about your practice, including practice type, number of clinicians, and billing address, to configure and deliver the Services.
  • Usage Data. We automatically collect technical information such as device type, browser version, IP address, pages viewed, and feature usage patterns. This data is used to maintain and improve the Services.

Important: We do not collect or have access to your clients' Protected Health Information (PHI). Client data processed through the Services is encrypted end-to-end on your device before transmission. We cannot read, access, or decrypt this information.

How We Use Your Information

We use the information we collect for the following purposes:

  • To provide, operate, and maintain the Services
  • To improve and develop new product features
  • To provide technical support and respond to your inquiries
  • To process billing transactions and manage your subscription
  • To send service-related communications, including updates and security alerts
  • To comply with legal obligations and enforce our Terms of Service

Data Encryption & Client Information

Soli employs a zero-knowledge encryption architecture. All client data — including intake forms, clinical notes, and communications — is encrypted on your device using keys that only you control. This means:

  • We cannot access, view, or decrypt your client data at any time
  • Our servers store only encrypted data that is unreadable without your encryption keys
  • Even in the event of a data breach, encrypted client data remains protected
  • You retain sole control over who can access your client information

This architecture is fundamental to our HIPAA compliance strategy and ensures that your clients' Protected Health Information remains confidential by design.

Third-Party Services

We engage the following third-party service providers to operate the Services. Each provider processes only the minimum data necessary to perform its designated function:

  • Stripe — Payment processing and subscription management. Stripe receives your billing information (payment method, billing address) but does not have access to your client data.
  • Telnyx — Telecommunications infrastructure for Soli Line. Telnyx provides phone number provisioning, call routing, and SMS delivery. Call content processed through Soli Line is encrypted.
  • Firebase — Real-time data synchronization and push notifications. Firebase receives only encrypted data payloads and authentication tokens.

We require all third-party service providers to maintain appropriate security measures and to process your information only as necessary to provide their respective services.

Data Retention

We retain your account information and usage data for as long as your account remains active. Upon cancellation of your subscription:

  • You will have a 30-day grace period to export your data
  • After the grace period, your encrypted data will be permanently deleted from our servers
  • Account information (name, email, billing history) may be retained for up to 12 months to comply with legal and accounting obligations
  • Anonymized, aggregated usage data that cannot be linked to your identity may be retained indefinitely for product improvement

Your Rights

You have the following rights regarding your personal information:

  • Access. You may request a copy of the personal information we hold about you.
  • Correction. You may request correction of any inaccurate or incomplete personal information.
  • Deletion. You may request deletion of your personal information, subject to legal retention requirements.
  • Data Portability. You may request an export of your data in a commonly used, machine-readable format.

To exercise any of these rights, please contact us at support@meetsoli.com. We will respond to your request within 30 days.

HIPAA Compliance

Soli is designed to support your compliance with the Health Insurance Portability and Accountability Act (HIPAA). Our compliance measures include:

  • Business Associate Agreement (BAA). We execute a BAA with each subscriber, as required by HIPAA, prior to processing any Protected Health Information.
  • End-to-End Encryption. All client data is encrypted using AES-256 encryption at rest and TLS 1.2+ in transit. Encryption keys are managed exclusively by you.
  • Audit Logs. The Services maintain comprehensive audit logs of access and modifications to support your compliance and record-keeping obligations.

Children's Privacy

The Services are not directed to individuals under the age of 13. We do not knowingly collect personal information from children under 13. If you become aware that a child under 13 has provided us with personal information, please contact us at support@meetsoli.com, and we will take steps to delete such information promptly.

Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or applicable law. When we make material changes, we will notify you by email at least 30 days before the changes take effect and update the "Effective Date" at the top of this page. Your continued use of the Services after the effective date of any revised Privacy Policy constitutes acceptance of the updated terms.

Contact Us

If you have questions about this Privacy Policy or our data practices, please contact us: