Effective April 2026Privacy Policy
Version 1.2 · Last updated May 2026
1. Introduction
Sol Foundry, Inc. (“Sol Foundry,” “we,” “us,” or “our”) operates the Sol platform, accessible at hellosol.app and solfoundry.app (the “Service”). This Privacy Policy describes how we collect, use, store, protect, and share your personal information when you use our Service.
By using Sol, you agree to the collection and use of information as described in this policy. If you do not agree with this policy, please do not use the Service.
2. Information We Collect
2.1 Information You Provide
| Data Type | Description | Purpose |
|---|---|---|
| Name | Your display name from Google account | Account identification, in-app display |
| Email address | Your Google account email | Account identification, communication |
| Profile image URL | Your Google profile photo URL | In-app display |
2.2 Information Collected Automatically
| Data Type | Description | Purpose |
|---|---|---|
| Usage data | Features used, actions taken within the platform | Service delivery, product improvement |
| Device and browser information | Browser type, operating system (via standard HTTP headers) | Service compatibility, troubleshooting |
| Error and performance data | Application errors, stack traces (PII collection disabled) | Service reliability, bug fixing |
| Application telemetry | Request traces, response times, system metrics (PII collection disabled) | Performance monitoring, service optimization |
2.3 Information Created Through Your Use of the Service
| Data Type | Description | Purpose |
|---|---|---|
| Callouts (tasks) | Tasks and action items you create or are assigned | Core service functionality |
| Loops | Recurring items you configure | Core service functionality |
| Topics | Conversation topics and threads | Core service functionality |
| Contacts | Contact information you add to the platform | Core service functionality |
| File attachments | Files you upload to the platform | Core service functionality |
2.4 Integration Data
If you connect third-party services (Gmail, Slack) through the platform:
| Data Type | Description | Purpose |
|---|---|---|
| OAuth tokens | Authentication tokens for connected services | Enabling integrations |
| Message references | References to Slack messages or Gmail threads (not message content) | Linking callouts to source conversations |
OAuth tokens for connected services are managed by our integration partner, Composio, and are not stored directly by Sol Foundry.
3. How We Use Your Information
We use the information we collect to:
- Provide the Service: Deliver core Sol functionality including task management, topic identification, and integrations
- Improve the Service: Analyze usage patterns and error data to fix bugs and improve features
- Communicate with you: Send service-related notifications and respond to support requests
- Ensure security: Detect and prevent unauthorized access, fraud, and abuse
- Comply with legal obligations: Meet applicable legal and regulatory requirements
We do not use your personal information for advertising, sell it to third parties, or share it for purposes unrelated to providing and improving the Service.
3.1 Data Controller and Processor Roles
For individual accounts, Sol Foundry acts as the data controller with respect to personal information collected and processed through the Service.
For organizational or workspace accounts, the customer organization acts as the data controller/business, and Sol Foundry acts as a service provider/data processor with respect to end-user content processed on behalf of the customer. In such cases, the customer organization determines the purposes and means of processing, and Sol Foundry processes data only in accordance with the customer’s instructions and applicable agreements.
3.2 Law Enforcement and Legal Disclosure
We may disclose personal information where required to comply with applicable law, regulation, legal process, or enforceable governmental request. Where permitted by law, we will make reasonable efforts to notify you before such disclosure.
4. Legal Basis for Processing (GDPR)
If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, we process your personal data under the following legal bases:
| Purpose | Legal Basis |
|---|---|
| Providing the Service (account, data storage, integrations) | Performance of contract (Article 6(1)(b) GDPR) |
| Security monitoring, fraud prevention | Legitimate interest (Article 6(1)(f) GDPR) |
| Service improvement, usage analytics | Legitimate interest (Article 6(1)(f) GDPR) |
| Service-related communications | Performance of contract (Article 6(1)(b) GDPR) |
| Compliance with legal obligations | Legal obligation (Article 6(1)(c) GDPR) |
Where we rely on legitimate interest, we have conducted a balancing test to ensure our interests do not override your fundamental rights and freedoms. You may object to processing based on legitimate interest at any time by contacting us.
5. How We Store and Protect Your Information
5.1 Data Storage
Our primary infrastructure is hosted in the United States (AWS us-east-1 region). Some third-party service providers listed in Section 6 may process limited data in other regions as part of their service delivery. We require all providers to maintain appropriate security safeguards regardless of processing location.
| Storage System | Data Stored | Encryption |
|---|---|---|
| Amazon Aurora PostgreSQL | User accounts, callouts, loops, topics, contacts | AWS KMS encryption at rest |
| Amazon S3 | File attachments | AWS KMS encryption at rest |
| Amazon DynamoDB | LLM response metadata (no PII) | AWS-managed encryption at rest |
5.2 Encryption
- At rest: All databases and storage systems use AWS KMS or AES-256 encryption
- In transit: All data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher. Database connections require SSL.
5.3 Access Controls
- Access controls are designed to ensure users can only access data associated with their authorized account context
- Three-layer authorization is designed to protect every API request: API Gateway verification, application-level authorization, and database-level user scoping
- Administrative access to infrastructure requires VPN and multi-factor authentication
- Access to production systems is reviewed quarterly
5.4 Security Monitoring
- AWS WAF protects against common web attacks and rate-limits abusive traffic
- AWS GuardDuty provides continuous threat detection
- AWS CloudTrail logs all infrastructure API activity
- Application errors are tracked via Sentry with PII collection disabled
6. Third-Party Services
We share data with the following third-party service providers, solely for the purpose of delivering and operating the Service:
| Provider | Data Shared | Purpose | Compliance |
|---|---|---|---|
| Amazon Web Services (AWS) | All application data (encrypted) | Cloud infrastructure hosting | SOC 2 Type II, ISO/IEC 27001:2022 |
| Google / Firebase | Email, name, profile image (via Google OAuth) | User authentication | SOC 2 Type II, ISO/IEC 27001:2022 |
| Composio | OAuth tokens for Gmail/Slack integrations | Integration token management | Vendor security reviewed annually |
| OpenAI / LLM Providers | Conversation context for AI processing (see Section 6.2) | AI-powered features | SOC 2 Type II (OpenAI) |
| Sentry | Application errors and stack traces (no PII) | Error tracking and monitoring | SOC 2 Type II, ISO/IEC 27001:2022 |
| SigNoz | Application telemetry data (no PII) | Performance monitoring | Vendor security reviewed annually |
| HetrixTools | Health check endpoint URL and response status | Uptime monitoring | N/A (no user data shared) |
We do not sell, rent, or trade your personal information to any third party.
We may update or replace subprocessors from time to time based on operational needs. We maintain appropriate contractual and security safeguards with all subprocessors. A current list of subprocessors may be requested by contacting us at the email below.
6.1 Authentication Data
Sol Foundry does not store Google account passwords. Authentication is handled entirely through Google OAuth, and only the information described in Section 2.1 is retained by Sol Foundry.
6.2 AI Data Minimization
Before sending data to LLM providers (e.g., OpenAI), we apply the following minimization measures:
- Only conversation context relevant to the specific AI feature is transmitted (not your entire account data)
- We make commercially reasonable efforts to minimize or redact direct identifiers (such as email addresses and phone numbers) before transmitting prompts to LLM providers where technically feasible
- We do not send file attachments to LLM providers
- We use API configurations that disable training on customer data (e.g., OpenAI’s data usage opt-out)
- LLM responses are cached locally to minimize repeated data transmission
7. International Data Transfers
Our Service is hosted in the United States. If you access the Service from outside the United States, your personal data will be transferred to and processed in the United States.
For transfers of personal data from the EEA, UK, or Switzerland to the United States, we rely on:
- EU-U.S. Data Privacy Framework: where applicable, for providers certified under the framework
- Standard Contractual Clauses (SCCs): as approved by the European Commission, incorporated into our agreements with sub-processors that process EEA personal data
- Supplementary measures: including encryption in transit and at rest, access controls, and contractual obligations on sub-processors
You may request a copy of the applicable transfer safeguards by contacting us at the email below.
8. Cookies and Tracking
Sol uses only essential cookies required for authentication (Firebase Authentication session). We do not use:
- Advertising or marketing cookies
- Third-party tracking cookies
- Analytics cookies
- Social media tracking pixels
Do Not Track
We do not respond to “Do Not Track” (DNT) browser signals, as there is no industry-standard protocol for compliance. However, since we do not use tracking cookies or third-party analytics, our data collection practices are the same regardless of DNT settings.
9. Data Retention
| Data Type | Retention Period | Deletion Method |
|---|---|---|
| User account data | Duration of account | Deleted from active systems on account deletion |
| Callouts, loops, topics, contacts | Duration of account | Deleted from active systems on account deletion |
| File attachments | Duration of account | Deleted from S3 on account deletion |
| Application logs | 14 days (staging), 365 days (production) | Automatic expiration |
| Error tracking data | 90 days | Automatic expiration (Sentry retention) |
Account Deletion
When you delete your account, we initiate deletion of all your personal data from our active systems within 7 days. This includes:
- User profile information
- All callouts, loops, topics, and contacts
- All file attachments
- All integration connections (OAuth tokens disconnected from Composio)
- All cached data
Residual copies in encrypted backups are subsequently removed in accordance with backup retention schedules (within 30 days). Data already transmitted to third-party services (e.g., error logs in Sentry) will be deleted according to the retention schedules listed above.
Account deletion is permanent and is not intended to be reversible.
10. Your Rights
You have the following rights regarding your personal data:
| Right | Description | How to Exercise |
|---|---|---|
| Access | Request a copy of the personal data we hold about you | Contact us at the email below |
| Correction | Request correction of inaccurate personal data | Update your profile in the app, or contact us |
| Deletion | Request deletion of all your personal data | Use the account deletion feature in the app, or contact us |
| Data portability | Request your data in a machine-readable format | Contact us at the email below |
| Objection | Object to processing based on legitimate interest | Contact us at the email below |
| Restriction | Request restriction of processing while a dispute is resolved | Contact us at the email below |
| Withdraw consent | Withdraw consent where processing is based on consent | Contact us at the email below |
We may verify your identity before processing certain privacy requests to protect against unauthorized access to your data.
We will respond to all data rights requests within 30 days. If we need additional time (up to 60 additional days for complex requests), we will notify you within the initial 30-day period.
Account Deletion (Self-Service)
You can delete your account and all associated data through:
- Self-service: Use the delete account feature within the Sol application
- Request: Email us at the address below
11. Your Rights Under Applicable Law
California Residents (CCPA/CPRA)
If you are a California resident, you have the following additional rights:
- Right to know what personal information we collect, use, and disclose
- Right to delete your personal information
- Right to opt out of sale — we do not sell personal information
- Right to non-discrimination for exercising your privacy rights
- Right to correct inaccurate personal information
- Right to limit use of sensitive personal information — we do not use sensitive personal information for purposes beyond providing the Service
In the preceding 12 months, we have not sold personal information and do not share personal information for cross-context behavioral advertising.
EU/EEA/UK Residents (GDPR/UK GDPR)
If you are located in the EEA or UK, you have the additional rights described in Section 4 (Legal Basis) and Section 10 (Your Rights), including:
- Right to lodge a complaint with your local supervisory authority
- Right to withdraw consent at any time (without affecting the lawfulness of processing before withdrawal)
12. Data Breach Notification
In the event of a data breach that affects your personal information, we will notify affected users and applicable regulatory authorities as required by law. We aim to provide notification within 72 hours of becoming aware of a qualifying breach, including:
- A description of the nature of the breach
- The categories and approximate number of individuals affected
- The types of personal data affected
- The likely consequences of the breach
- The measures taken or proposed to address the breach
13. Children’s Privacy
Sol is not directed at children under the age of 18. We do not knowingly collect personal information from anyone under 18. If we become aware that we have collected personal information from a person under 18, we will take steps to delete that information within 7 days.
14. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will:
- Update the “Last Updated” date at the top of this policy
- Notify users via email or in-app notification at least 30 days before material changes take effect
Your continued use of the Service after changes are posted constitutes acceptance of the updated policy. If you do not agree with the updated policy, you may delete your account.
15. Business Transfers
Personal information may be transferred as part of a merger, acquisition, financing, or sale of company assets, subject to applicable confidentiality obligations. In such an event, we will notify affected users before personal information is transferred and becomes subject to a different privacy policy.
16. Governing Law
This Policy shall be governed in accordance with applicable U.S. privacy and consumer protection laws, including the California Consumer Privacy Act (CCPA/CPRA) and, where applicable, the General Data Protection Regulation (GDPR).
17. Contact Us
If you have questions about this Privacy Policy, wish to exercise your data rights, or have a complaint about our data practices, contact us at:
Sol Foundry, Inc.Address: United States (Delaware-incorporated)
For EU/EEA residents: Sol Foundry does not currently have a physical establishment in the EU. If EU data protection regulations require appointment of an EU representative in the future, we will update this section accordingly.
Revision History
| Version | Version Date | Changes |
|---|---|---|
| 1.0 | 01/04/2026 | Initial version |
| 1.1 | 01/05/2026 | Added GDPR legal basis (Section 4), international data transfer mechanisms (Section 7), AI data minimization details (Section 6.1), DNT disclosure (Section 8), concrete deletion timeline (Section 9), CCPA/CPRA details (Section 11) |
| 1.2 | 14/05/2026 | Softened absolute security claims (Section 5.3), added data controller/processor roles (Section 3.1), added law enforcement disclosure (Section 3.2), added subprocessor change language (Section 6), tightened AI/LLM language (Section 6.2), added authentication data handling (Section 6.1), added privacy rights verification (Section 10), added business transfer clause (Section 15), added governing law (Section 16), corrected ISO/IEC 27001:2022 reference, updated date format in revision history |