1. Introduction
Solum Health Technologies, Inc. ("Solum Health," "we," "us," or "our") operates the website getsolum.com and the Solum Health platform, a healthcare AI software-as-a-service ("SaaS") solution that provides front-office automation tools for healthcare providers. Our principal place of business is located at 989 Market Street, 2nd Floor, San Francisco, California 94103.
This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website, access our platform, or otherwise interact with our services. It applies to all visitors, users, and others who access or use our website and platform (collectively, "you" or "your").
Based on its current operations, Solum Health functions as a Business Associate under HIPAA, not as a Covered Entity or healthcare clearinghouse. Solum Health is not an electronic health record (EHR) system or a healthcare provider. We are a healthcare AI SaaS company that connects to third-party EHR systems, insurance payor portals, and other healthcare information systems on behalf of our customers. When we process Protected Health Information ("PHI"), we do so solely as a Business Associate under HIPAA.
By accessing or using our Services, you acknowledge that you have read this Privacy Policy. Certain uses of your information require your affirmative consent, which will be obtained separately where required by applicable law. If you do not agree with this Privacy Policy, please do not access or use our services.
2. Definitions
For the purposes of this Privacy Policy, the following terms have the meanings set forth below:
- "Platform" means the Solum Health web-based software application, including all features, modules, dashboards, APIs, and integrations provided by Solum Health to its Customers.
- "Services" means the Platform, the website at getsolum.com, and any related tools, support, documentation, professional services, and other offerings provided by Solum Health.
- "Annie" means Solum Health's AI-powered virtual assistant that performs front-office automation tasks such as prior authorization, insurance verification, patient intake, claims management, and other administrative functions on behalf of Customers.
- "Personal Information" means any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with an identified or identifiable natural person or household. This includes, but is not limited to, name, email address, phone number, IP address, and professional credentials.
- "Protected Health Information" or "PHI" means individually identifiable health information that is created, received, maintained, or transmitted by a covered entity or business associate, as defined under the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") and its implementing regulations.
- "Customer" means a healthcare provider, practice, organization, billing company, management services organization ("MSO"), or other entity that has entered into a services agreement with Solum Health to use the Platform.
- "End User" means any individual who is authorized by a Customer to access and use the Platform, including but not limited to physicians, nurses, office managers, billing staff, and other authorized personnel.
- "De-Identified Data" means information that has been stripped of all identifiers such that it cannot reasonably be used to identify an individual, in accordance with the de-identification standards set forth in 45 C.F.R. § 164.514(b) (the HIPAA Safe Harbor method) or 45 C.F.R. § 164.514(a) (the Expert Determination method).
3. Information We Collect
We collect different types of information depending on how you interact with our website and platform. The categories of information we collect are described below.
3a. Information You Provide Directly
When you create an account, request a demo, fill out a form, contact us, or otherwise interact with our Services, you may provide us with the following types of information:
- Full name and professional title
- Email address
- Phone number
- Practice or organization name and address
- National Provider Identifier (NPI) number
- Professional credentials, licensure information, and specialty
- Billing and payment information (processed through our third-party payment processor)
- Login credentials (username and password)
- Communications you send to us, including support requests, feedback, survey responses, and correspondence
- Any other information you choose to provide in connection with your use of our Services
3b. Information Collected Automatically
When you visit our website or use our platform, we automatically collect certain information about your device and usage, including:
- IP address and approximate geolocation
- Device type, operating system, and hardware identifiers
- Browser type, version, and language preferences
- Pages visited, features used, and content viewed
- Referral source (the URL that directed you to our website)
- Session duration, click patterns, and navigation paths
- Date and time of access
- Cookies, pixel tags, and similar tracking technologies (see Section 9)
3c. Information from Third Parties
We may receive information about you from third-party sources, including:
- Referral partners, resellers, or channel partners who refer you to our Services
- Third-party data providers that help us supplement and verify business contact information
- Integration sources, such as EHR systems, practice management systems, and insurance payor portals, from which we receive data necessary to perform our Services on behalf of our Customers
- Publicly available sources, including professional directories, public registries, and social media profiles
3d. Patient Data and Protected Health Information (PHI)
In the course of providing our Services to Customers, our platform may process patient data, including Protected Health Information (PHI), on behalf of healthcare providers. It is important to understand the following:
- Solum Health processes PHI solely as a Business Associate under HIPAA, acting on behalf of and under the direction of our Customers (who are the Covered Entities).
- All PHI processing is governed by a Business Associate Agreement ("BAA") executed between Solum Health and each Customer prior to any PHI being transmitted to or processed by our platform.
- Solum Health does not have a direct relationship with patients whose data is processed through the platform. Patients are End Users of our Customers, not of Solum Health.
- This Privacy Policy does not grant patients any direct rights against Solum Health with respect to their PHI. Patients seeking to exercise their rights regarding their health information should contact their healthcare provider directly.
- The types of patient data processed may include, but are not limited to: patient demographics, insurance information, diagnosis codes, procedure codes, authorization details, appointment information, and other clinical and administrative data necessary to perform front-office automation tasks.
4. How We Use Your Information
We use the information we collect for the following purposes:
- To provide, operate, maintain, and improve our website, platform, and Services
- To create and manage your account, authenticate your identity, and process transactions
- To perform front-office automation tasks through Annie, including prior authorization submissions, insurance verification, patient intake processing, and claims management, on behalf of our Customers
- To communicate with you, including responding to inquiries, providing customer support, and sending service-related notifications
- To send marketing and promotional communications, such as newsletters, product updates, and event invitations (with your consent, where required by applicable law)
- To personalize your experience and deliver content, features, and recommendations relevant to your interests and role
- To conduct analytics, research, and reporting to understand usage patterns, measure performance, and improve our Services
- To detect, prevent, and respond to fraud, security incidents, unauthorized access, and other harmful or illegal activity
- To comply with applicable laws, regulations, legal processes, and governmental requests, including HIPAA, CCPA, and state privacy laws
- To enforce our Terms of Service, this Privacy Policy, and other agreements
- To facilitate a merger, acquisition, reorganization, or sale of assets, as described in Section 7
- To create De-Identified Data or aggregated data sets that do not identify any individual, which we may use for purposes consistent with applicable law, including product development, benchmarking, and industry research
5. Legal Bases for Processing
We process your Personal Information based on one or more of the following legal bases:
- Consent: Where you have given us explicit, informed consent to process your Personal Information for a specific purpose, such as receiving marketing communications. You may withdraw your consent at any time by contacting us or using the unsubscribe mechanism provided in our communications.
- Contract Performance: Where processing is necessary to perform our obligations under a contract with you or your organization, including providing access to the platform, processing transactions, and delivering the Services you have requested.
- Legitimate Interests: Where processing is necessary for our legitimate business interests, provided those interests are not overridden by your rights and freedoms. Our legitimate interests include operating and improving our Services, ensuring platform security, preventing fraud, conducting analytics, and marketing our Services to relevant audiences.
- Legal Obligation: Where processing is necessary to comply with a legal obligation to which we are subject, including HIPAA requirements, tax and accounting obligations, and responses to valid legal process such as subpoenas or court orders.
6. HIPAA Compliance
Solum Health takes its obligations under the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") seriously. The following describes our HIPAA compliance posture:
- Business Associate Status: Solum Health operates as a Business Associate, as defined under 45 C.F.R. § 160.103. We are not a Covered Entity. We process PHI solely on behalf of our Customers, who are the Covered Entities responsible for obtaining any required patient authorizations and consents.
- Business Associate Agreements: We require a fully executed Business Associate Agreement (BAA) with every Customer before any PHI is transmitted to or processed by our platform. The BAA defines the permitted uses and disclosures of PHI, our security obligations, and breach notification responsibilities.
- HIPAA Privacy Rule: We use and disclose PHI only as permitted or required by the BAA and applicable law. We do not use PHI for marketing, fundraising, or any purpose not authorized by the BAA.
- HIPAA Security Rule: We maintain administrative, physical, and technical safeguards designed to protect the confidentiality, integrity, and availability of electronic PHI (ePHI). These safeguards are detailed in Section 11 of this Privacy Policy.
- Breach Notification Rule: In the event of a breach of unsecured PHI, we will notify the affected Customer without unreasonable delay and no later than 60 days after discovery of the breach, in accordance with 45 C.F.R. § 164.410. We will cooperate with the Customer in fulfilling their notification obligations to affected individuals and the U.S. Department of Health and Human Services (HHS).
- Workforce Training: Solum Health provides HIPAA training to workforce members who access or handle PHI as part of onboarding and on a recurring basis thereafter. Training covers the HIPAA Privacy Rule, Security Rule, Breach Notification Rule, and our internal policies and procedures.
- Risk Assessments: We conduct periodic risk assessments in accordance with 45 C.F.R. § 164.308(a)(1)(ii)(A) to identify potential threats and vulnerabilities to ePHI and to implement appropriate security measures to mitigate identified risks.
- AI and PHI: PHI processed by Solum Health is not used to train, fine-tune, or improve artificial intelligence or machine learning models, whether general-purpose or specialized. AI model inference on PHI is performed solely to deliver the specific Services contracted by the Customer under the applicable BAA.
7. Data Sharing and Disclosure
Solum Health does not sell your Personal Information as that term is defined under the CCPA/CPRA. We do not exchange Personal Information for monetary consideration. For information about how we share data with analytics providers, see Section 9 (Cookies and Tracking Technologies). We may share or disclose your information only in the following circumstances:
- Service Providers: We share information with trusted third-party service providers who perform services on our behalf, such as cloud hosting, payment processing, email delivery, analytics, customer support, and security monitoring. These providers are contractually obligated to use your information solely for the purposes of providing services to us and are required to maintain appropriate confidentiality and security measures. Where service providers may access PHI, they are bound by BAAs or equivalent data protection agreements.
- Legal Requirements: We may disclose your information if required to do so by law, regulation, legal process, or governmental request, including in response to subpoenas, court orders, or requests from law enforcement or regulatory agencies. We will attempt to notify you of such requests to the extent permitted by law.
- Business Transfers: In the event of a merger, acquisition, reorganization, bankruptcy, dissolution, or other sale or transfer of some or all of our assets, your information may be transferred as part of the transaction. We will provide notice before your Personal Information is transferred and becomes subject to a different privacy policy. Any successor entity will be bound by the terms of existing BAAs with respect to PHI.
- De-Identified Data: We may share De-Identified Data that has been stripped of all identifiers in accordance with the HIPAA Safe Harbor standard (45 C.F.R. § 164.514(b)). De-Identified Data cannot reasonably be used to identify any individual and is not subject to the restrictions of this Privacy Policy or HIPAA.
- With Your Consent: We may share your information with third parties when you have given us explicit, informed consent to do so.
- Protection of Rights: We may disclose your information where we believe it is necessary to investigate, prevent, or take action regarding potential violations of our Terms of Service, this Privacy Policy, suspected fraud, situations involving potential threats to the physical safety of any person, or as evidence in litigation in which we are involved.
8. Third-Party Integrations Disclaimer
The Solum Health platform connects to third-party systems, including but not limited to electronic health record (EHR) systems, practice management systems, insurance payor portals, clearinghouses, and other healthcare information technology systems. These connections are made solely for the purpose of performing the Services contracted by our Customers.
Any reference to or connection with a third-party system, product, or service on our website or within our platform is made solely for identification purposes and does not constitute or imply:
- A partnership, sponsorship, or endorsement by the third party
- An affiliation with or certification by the third party
- An exclusive relationship or preferred vendor status with the third party
- A joint venture or co-development arrangement with the third party
- Any guarantee of continued availability, compatibility, or support from the third party
Third-party systems are governed by their own terms of service, privacy policies, and data handling practices. Solum Health is not responsible for the privacy practices, security measures, or content of any third-party system. We encourage you to review the privacy policies of any third-party systems that you or your organization use in conjunction with our platform.
9. Cookies and Tracking Technologies
We use cookies and similar tracking technologies on our Website. Cookies are small text files stored on your device when you visit a website. They can be "persistent" (remaining on your device until they expire or you delete them) or "session-based" (deleted when you close your browser).
Types of Cookies We Use
- Essential / Strictly Necessary: These cookies are required for basic site functionality, including session management, CSRF protection, and storing your consent preferences. These cookies cannot be disabled without impairing the functionality of our Services.
- Analytics / Performance: These cookies help us understand how visitors interact with our website, including page views, navigation patterns, and error reporting. Analytics cookies do not directly identify individual visitors.
- Functional: These cookies remember your choices, such as display preferences, to provide a more personalized experience. Disabling functional cookies may reduce certain features of the website.
- Marketing / Targeting: Solum Health does not currently use marketing or targeting cookies. If this changes in the future, we will update this policy and obtain consent where required by law.
Specific Cookies
| Cookie Name | Provider | Purpose | Duration | Type |
| --- | --- | --- | --- | --- |
| __sh_session | Solum Health | Session management and authentication | Session | Essential |
| __sh_csrf | Solum Health | Cross-site request forgery protection | Session | Essential |
| __sh_consent | Solum Health | Stores your cookie consent preferences | 1 year | Essential |
| _ga | Google Analytics | Distinguishes unique visitors to our site | 2 years | Analytics |
| _ga_* | Google Analytics | Maintains session state for analytics | 2 years | Analytics |
| __sh_preferences | Solum Health | Stores display and language preferences | 1 year | Functional |
Third-Party Cookies
- Google Analytics: We use Google Analytics, which sets _ga and _ga_* cookies to collect usage statistics about how visitors interact with our website. Google Analytics data is used in aggregate form and does not directly identify individual visitors.
- HubSpot: Embedded meeting scheduling widgets on our website may set cookies from HubSpot to facilitate appointment booking and track form submissions.
- Social Media Embeds: LinkedIn and other social media platforms may set their own cookies when embedded content or sharing buttons are present on our pages. These cookies are governed by the respective platform's privacy policy.
How to Manage Cookies
You can control and manage cookies through your browser settings. Most modern browsers, including Chrome, Firefox, Safari, and Edge, allow you to view, block, and delete cookies. You can also configure your browser to notify you when a cookie is being set, so you can decide whether to accept it.
Please note that blocking or deleting essential cookies may impair the functionality of our website and prevent you from accessing certain features of our Services.
Global Privacy Control (GPC)
Our website recognizes and responds to the Global Privacy Control (GPC) signal. When we detect a GPC signal from your browser, we treat it as a valid opt-out request for non-essential cookies and as a request to opt out of the sale or sharing of your personal information, as applicable under state privacy laws.
Do Not Track
There is currently no uniform standard for how websites should respond to "Do Not Track" (DNT) browser signals. Our website does not respond to DNT signals at this time. However, we do honor the Global Privacy Control (GPC) signal as described above.
Cookie Consent
When you first visit our website, a cookie consent banner will be displayed, allowing you to accept or decline non-essential cookies. Essential cookies do not require your consent and are set automatically, as they are necessary for the website to function properly.
Analytics and functional cookies are set only after you provide your consent through the cookie banner. You may withdraw your consent at any time by clearing your browser's cookie data for our website. Your cookie preferences are stored locally on your device for up to one year.
10. Data Retention
We retain your Personal Information only for as long as necessary to fulfill the purposes for which it was collected, as described in this Privacy Policy, unless a longer retention period is required or permitted by law. The specific retention period depends on the nature of the information and the purpose for which it was collected:
- Account Information: Retained for the duration of your account or your organization's services agreement with us, and for a reasonable period thereafter to fulfill legal, accounting, and reporting obligations.
- Transaction Records: Retained for the period required by applicable tax and accounting laws.
- Marketing Data: Retained until you opt out of marketing communications, after which we will remove your information from our active marketing lists within 10 business days.
- Usage and Analytics Data: Retained in identifiable form for up to 24 months, after which it is aggregated or de-identified.
- PHI: Retained in accordance with the terms of the applicable BAA. PHI is not retained longer than necessary to perform the Services and fulfill our legal obligations.
Post-Termination Data Export: Upon termination or expiration of a Customer's services agreement, data export and deletion will be handled in accordance with the terms of that agreement. Generally, Customers will have a reasonable period to export their data, after which Solum Health will de-identify or securely delete Customer data in accordance with its retention schedule and applicable legal requirements.
Legal Hold: Notwithstanding the foregoing, we may retain information for longer periods if required by applicable law, regulation, legal process, litigation hold, or governmental investigation.
11. Data Security
Solum Health implements comprehensive administrative, physical, and technical safeguards designed to protect the confidentiality, integrity, and availability of your information. Our security measures include:
- SOC 2 Type II Certification: Our platform and infrastructure undergo independent third-party examinations against the SOC 2 Type II trust services criteria (Security, Availability, Confidentiality). Information about our current compliance posture is available upon request under NDA.
- Encryption at Rest: Data stored in our production systems, including PHI, is encrypted at rest using industry-standard encryption methods (currently AES-256 or equivalent).
- Encryption in Transit: Data transmitted between your device and our servers is encrypted using Transport Layer Security (TLS), with TLS 1.2 as the minimum supported version and TLS 1.3 preferred where available. We enforce HTTPS on all public-facing endpoints.
- Penetration Testing: We engage independent security firms to conduct periodic penetration testing of our platform and infrastructure. Identified vulnerabilities are remediated according to their severity.
- Role-Based Access Controls (RBAC): Access to data within our platform is governed by role-based access controls, ensuring that users can only access the information necessary to perform their job functions, in accordance with the principle of least privilege.
- Multi-Factor Authentication (MFA): We require multi-factor authentication for all administrative access to our platform and infrastructure. MFA is available and recommended for all End Users.
- Audit Logging: We maintain comprehensive audit logs of all access to and actions performed on data within our platform. Audit logs are retained and monitored for security and compliance purposes.
- Incident Response: We maintain a documented incident response plan that is tested and updated regularly. We maintain incident response procedures designed to enable timely detection, investigation, containment, and remediation of security incidents.
- Uptime: We maintain infrastructure designed for high availability, supported by redundant systems, automated failover, and continuous monitoring. Specific uptime commitments are described in applicable Service Agreements.
While we implement commercially reasonable measures to protect your information, no method of transmission over the Internet or electronic storage is completely secure. We cannot guarantee absolute security, but we are committed to promptly addressing any security incident and notifying affected parties in accordance with applicable law and our contractual obligations.
12. Sub-processors and Data Processing
Solum Health engages categories of sub-processors to support service delivery. All sub-processors accessing PHI are required to execute a Business Associate Agreement (BAA). This section supplements and is subject to any executed Service Agreement or BAA.
Sub-processor Categories
| Category | Purpose | Data Accessed |
| --- | --- | --- |
| Cloud Infrastructure | Primary hosting, storage, compute, and disaster recovery | All data categories |
| AI / Machine Learning | AI model inference and natural language processing for platform features | PHI (under BAA), PII, Usage Data |
| Communication Services | Email delivery, SMS, and notification services | PII, limited PHI (under BAA) |
| Payment Processing | Subscription billing and payment management | PII (billing information only) |
| Analytics | Product usage analytics and performance monitoring | Usage Data, de-identified data only |
| Security | Threat detection, vulnerability scanning, and security monitoring | Usage Data, system logs |
| Customer Support | Ticketing and customer communication management | PII, Usage Data |
Specific vendor names are available upon request. Contact hello@getsolum.com for our current sub-processor list.
Data Location
All data is processed and stored exclusively within the United States. Primary cloud infrastructure operates from U.S.-based data centers that undergo SOC 2 Type II examinations. No data is transferred to or stored in locations outside the United States. Backup and disaster recovery infrastructure is also located within the United States.
Changes to Sub-processors
Solum Health will provide at least thirty (30) days advance written notice before engaging a new category of sub-processor that will access PHI or PII, except where emergency engagement is necessary to protect the security or availability of the Services, in which case notice will be provided as soon as reasonably practicable. Notice will be provided to the primary contact on the customer account. Customers may object by contacting hello@getsolum.com within the notice period. Changes in specific vendors within existing sub-processor categories do not require advance notice.
13. Your Privacy Rights
Depending on your location and applicable law, you may have certain rights regarding your Personal Information. This section describes the rights available to different categories of individuals.
13a. Rights Available to All Users
Regardless of your location, Solum Health provides the following rights to all users of our Services:
- Access: You have the right to request a copy of the Personal Information we hold about you.
- Correction: You have the right to request that we correct any inaccurate, incomplete, or outdated Personal Information we hold about you.
- Deletion: You have the right to request that we delete your Personal Information, subject to certain exceptions (such as information we are required to retain by law).
- Opt-Out of Marketing: You may opt out of receiving marketing communications from us at any time by clicking the "unsubscribe" link in any marketing email, by updating your communication preferences in your account settings, or by contacting us directly at hello@getsolum.com.
- Data Portability: You have the right to request your Personal Information in a structured, commonly used, and machine-readable format (such as CSV or JSON).
To exercise any of these rights, please contact us at hello@getsolum.com. We will verify your identity before processing your request and will respond within the timeframe required by applicable law (typically 45 days, with extensions as permitted). If we need additional time, we will notify you of the reason and expected response date.
13b. California Residents (CCPA/CPRA)
If you are a California resident, you have the following additional rights under the California Consumer Privacy Act ("CCPA"), as amended by the California Privacy Rights Act ("CPRA"):
- Right to Know: You have the right to request that we disclose the categories and specific pieces of Personal Information we have collected about you, the categories of sources from which your Personal Information was collected, the business or commercial purpose for collecting your Personal Information, and the categories of third parties with whom we share your Personal Information. This right covers the 12-month period preceding your request.
- Right to Correct: You have the right to request that we correct any inaccurate Personal Information we maintain about you, taking into account the nature of the Personal Information and the purposes of processing.
- Right to Delete: You have the right to request that we delete the Personal Information we have collected from you, subject to certain exceptions provided by law.
- Right to Opt-Out of Sale or Sharing: You have the right to opt out of the "sale" or "sharing" of your Personal Information, as those terms are defined under the CCPA/CPRA. Solum Health does not sell your Personal Information. We do not share your Personal Information for cross-context behavioral advertising purposes.
- Right to Limit Use of Sensitive Personal Information: You have the right to direct us to limit our use and disclosure of your Sensitive Personal Information to only those uses necessary to perform the Services or as otherwise permitted by the CPRA. To exercise this right, contact us at legal@getsolum.com.
- Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA/CPRA rights. We will not deny you goods or services, charge you different prices, provide you a different quality of service, or suggest that you will receive a different level of service for exercising your rights.
HIPAA Exemption: Pursuant to Cal. Civ. Code 1798.145(c)(1)(A), Personal Information collected and maintained in compliance with HIPAA is exempt from the CCPA/CPRA. Patient data processed by Solum Health as a Business Associate is governed by the applicable BAA and HIPAA. Patients seeking to exercise rights regarding their health information should contact their healthcare provider directly.
Categories of Personal Information Collected: In the preceding 12 months, we have collected the following categories of Personal Information: identifiers (name, email, phone, IP address), professional or employment-related information (title, credentials, NPI), commercial information (transaction records, account activity), internet or electronic network activity (browsing history, usage data), and geolocation data (approximate location based on IP address).
Categories of Personal Information Disclosed for a Business Purpose: In the preceding 12 months, we have disclosed the following categories of Personal Information to our service providers for a business purpose: identifiers, professional information, commercial information, and internet or electronic network activity.
To exercise your rights, you or your authorized agent may submit a request by contacting us at hello@getsolum.com. You may also reference our "Do Not Sell or Share My Personal Information" commitment above.
13c. Other State Privacy Laws
Residents of the following states have additional rights under their respective state privacy laws. If you are a resident of one of these states, you may exercise the rights described below by contacting us at hello@getsolum.com.
- Virginia (VCDPA): Virginia residents have the right to access, correct, delete, and obtain a portable copy of their Personal Information. You also have the right to opt out of the processing of your Personal Information for purposes of targeted advertising, the sale of Personal Information, and profiling in furtherance of decisions that produce legal or similarly significant effects.
- Colorado (CPA): Colorado residents have the right to access, correct, delete, and obtain a portable copy of their Personal Information, and the right to opt out of targeted advertising, the sale of Personal Information, and certain profiling activities.
- Connecticut (CTDPA): Connecticut residents have the right to access, correct, delete, and obtain a portable copy of their Personal Information, and the right to opt out of the sale of Personal Information, targeted advertising, and profiling.
- Utah (UCPA): Utah residents have the right to access and delete their Personal Information, and the right to opt out of the sale of Personal Information and targeted advertising.
- Texas (TDPSA): Texas residents have the right to access, correct, delete, and obtain a portable copy of their Personal Information, and the right to opt out of the sale of Personal Information, targeted advertising, and profiling.
- Oregon (OCPA): Oregon residents have the right to access, correct, delete, and obtain a portable copy of their Personal Information, and the right to opt out of the sale of Personal Information, targeted advertising, and profiling.
- Additional States: Residents of states with applicable comprehensive privacy laws, including Montana, Iowa, Indiana, Tennessee, Delaware, New Hampshire, New Jersey, Nebraska, Maryland, Minnesota, Kentucky, and Rhode Island, may have similar rights to access, correct, delete, and port their Personal Information, and to opt out of targeted advertising. To exercise your rights under any applicable state law, contact us at legal@getsolum.com.
Appeal Process: If we decline your privacy request, you have the right to appeal our decision. To appeal, please contact us at hello@getsolum.com with the subject line "Privacy Rights Appeal." We will respond to your appeal within the timeframe required by your state's applicable law. If your appeal is denied, you may contact your state's attorney general to file a complaint.
13d. HIPAA Rights (Patient Data)
If you are a patient whose data has been processed through the Solum Health platform, it is important to understand the following:
- Solum Health processes patient data, including PHI, solely as a Business Associate on behalf of healthcare providers (Covered Entities). Solum Health does not have a direct relationship with patients.
- Your rights under HIPAA, including the right to access, amend, and receive an accounting of disclosures of your PHI, must be exercised by contacting your healthcare provider directly. Your healthcare provider is the Covered Entity responsible for responding to your HIPAA rights requests.
- Solum Health will cooperate with its Customers (your healthcare provider) in fulfilling their obligations to respond to your HIPAA rights requests in accordance with the terms of the applicable BAA.
- If you have questions about how your healthcare provider uses Solum Health's platform to process your information, please contact your healthcare provider directly.
14. Children's Privacy
Our website and Services are not directed to children under the age of 13. We do not knowingly collect Personal Information from children under 13. If you are under 13, please do not use our website or Services or provide any Personal Information to us.
In compliance with the Children's Online Privacy Protection Act ("COPPA"), if we become aware that we have collected Personal Information from a child under 13 without verifiable parental consent, we will take steps to promptly delete that information from our systems.
In compliance with the California Consumer Privacy Act ("CCPA"), we do not sell the Personal Information of consumers under the age of 16. We do not have actual knowledge that we sell or share the Personal Information of consumers under the age of 16.
If you are a parent or guardian and believe that your child has provided us with Personal Information, please contact us immediately at hello@getsolum.com, and we will take steps to delete that information promptly.
Note: This section applies to Personal Information collected directly by Solum Health through its website and Services. Patient data, including data relating to minors, that is processed through the platform on behalf of healthcare providers is governed by the applicable BAA and HIPAA, not this section.
15. International Data Transfers
Solum Health is headquartered in San Francisco, California, United States. Our platform, servers, and data processing infrastructure are located in the United States. All data collected through our website and platform is stored and processed in the United States.
We do not currently participate in any international data transfer framework, including the EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. Data Privacy Framework, or the Swiss-U.S. Data Privacy Framework. Our Services are intended for use by healthcare providers and organizations located in the United States.
If you access our website or Services from outside the United States, please be aware that your information will be transferred to, stored, and processed in the United States, where data protection laws may differ from those in your jurisdiction. By accessing or using our Services from outside the United States, you consent to the transfer, storage, and processing of your information in the United States. You do so at your own risk, and you are solely responsible for compliance with any applicable local laws.
16. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make changes, we will update the "Effective Date" at the top of this Privacy Policy.
Material Changes: For material changes to this Privacy Policy, we will provide at least 30 days' advance notice before the changes take effect. Notice will be provided by one or more of the following methods:
- Sending an email notification to the email address associated with your account
- Posting a prominent notice on our website
- Displaying a notification within the platform upon your next login
Where changes are required by law or regulation, we may implement changes on a shorter timeline as necessary for compliance.
Non-Material Changes: For non-material changes, such as formatting, typographical corrections, or clarifications that do not alter the substance of the policy, we will update the policy without prior notice.
Your continued use of our Services after any changes to this Privacy Policy become effective constitutes your acceptance of the revised Privacy Policy. If you do not agree with the revised Privacy Policy, you must stop using our Services and contact us to close your account.
17. Dispute Resolution
Any disputes arising under or related to this Privacy Policy are subject to the dispute resolution provisions of our Terms of Service, including the arbitration agreement and class action waiver contained therein. By using our Services, you agree to resolve disputes in accordance with those provisions.
18. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy, our data practices, or your privacy rights, please contact us using the information below:
- General Inquiries: hello@getsolum.com
- Legal and Privacy Requests: hello@getsolum.com
- Mailing Address: Solum Health Technologies, Inc., 989 Market Street, 2nd Floor, San Francisco, California 94103
We are committed to addressing your inquiries and resolving any complaints about our collection or use of your Personal Information. We aim to respond to privacy-related requests within the timeframe required by applicable law. If additional time is required, we will notify you of the reason and the expected response date.
If you are not satisfied with our response, you may file a complaint with the appropriate regulatory authority in your jurisdiction, including your state's attorney general or the U.S. Department of Health and Human Services (HHS) Office for Civil Rights for HIPAA-related matters.