Privacy Policy

Last Updated: January 10, 2025

Our Privacy Commitment

At Solari Health, your privacy is our top priority. We believe health data is deeply personal and should be protected with the highest security standards. This policy explains how we collect, use, protect, and handle your information.

Our Promise: We will NEVER sell your health data to third parties. Your information exists solely to help you manage your health.

1. Information We Collect

Account Information

  • Email address: For account creation and communication
  • Password: Securely hashed and stored via AWS Cognito
  • Account metadata: Creation date, last login

Health Information (Encrypted)

  • Symptom entries: Names, severity, dates, and detailed notes (encrypted)
  • Doctor visits: Doctor names, contact information, diagnoses, and treatments (encrypted)
  • Medications: Names, dosages, and effectiveness (encrypted)
  • Timeline metadata: Dates and entry timestamps

Optional Demographics (Not Encrypted)

  • Age range: For personalized AI insights
  • Sex/Gender: For relevant health recommendations
  • Medical conditions: To improve AI analysis accuracy
  • Note: All demographics are optional and can improve AI recommendations but are not required

Technical Information

  • IP address: For security and fraud prevention
  • Browser/device info: To optimize your experience
  • Session data: To keep you securely logged in
  • Error logs: To improve platform reliability (PII redacted)

2. How We Use Your Information

Primary Uses

  • Secure Storage: Organize and protect your health timeline with end-to-end encryption
  • AI Analysis: Generate personalized health insights and pattern recognition
  • Service Delivery: Provide core platform functionality
  • Account Management: Authentication and security

AI-Powered Features

When you use AI insights, we:

  • Decrypt your data temporarily in your browser to prepare it for analysis
  • Send decrypted data securely via HTTPS to our AI partners (Anthropic Claude, DeepSeek)
  • Generate insights including symptom patterns, correlations, and potential specialist recommendations
  • Return results to you - AI providers do not store your health data

🔒 Why decryption is necessary for AI: AI cannot analyze encrypted data. Your data is decrypted in your browser, sent over encrypted HTTPS connections, analyzed in real-time, and immediately discarded by AI providers. Neither Anthropic nor DeepSeek store your health information.

AI Disclaimer: All AI-generated insights are for informational and educational purposes only. They are not medical advice and should never replace professional medical consultation. Always consult qualified healthcare providers for diagnosis and treatment.

3. Data Security & Encryption

End-to-End Encryption

What we encrypt (AES-256-GCM):

  • All symptom names and descriptions
  • Doctor names, phone numbers, and addresses
  • Medical diagnoses and treatment plans
  • Medication names and dosages
  • All notes and detailed observations

How encryption works:

  1. Each user has a unique encryption key stored securely
  2. Data is encrypted in your browser before transmission
  3. Encrypted data is stored in our database
  4. Only you can decrypt your data with your encryption key
  5. Even Solari Health staff cannot read your encrypted health data

Additional Security Measures

  • TLS/HTTPS: All data transmission uses 256-bit SSL encryption
  • AWS Cognito: Enterprise-grade authentication with MFA support
  • PostgreSQL: Industry-standard database with encrypted storage
  • Regular security audits: Continuous monitoring and updates
  • Rate limiting: Protection against brute force attacks
  • Session management: Automatic logout on inactivity

Your Security Controls

  • Strong password requirements enforced
  • Secure password reset via email verification
  • Activity monitoring and suspicious login alerts
  • Complete account deletion with permanent data purging

4. Data Sharing & Third Parties

We Share Data ONLY With:

  • AI Analysis Providers (Optional):
    • Anthropic (Claude AI) - when you request insights
    • DeepSeek - for second opinion analysis when available
    • Data sent: Decrypted symptoms, visits, medications, demographics
    • Data retention: Zero - providers do not store your health data
    • Purpose: Real-time analysis to generate health insights
  • Infrastructure Providers:
    • AWS (database hosting and authentication) - encrypted data only
    • Vercel (hosting) - no access to user data
    • Upstash (Redis caching) - session data only, no health data
  • Error Monitoring:
    • Sentry - error logs with all PII automatically redacted

We NEVER:

  • Sell your data to advertisers, marketers, or data brokers
  • Share your data with insurance companies
  • Use your data for purposes other than providing the service
  • Train AI models on your personal health data

5. Your Rights & Controls

You Can Always:

  • Access: View all your encrypted and decrypted health data
  • Export: Download your complete health timeline in standard formats
  • Edit: Modify or update any entry at any time
  • Delete: Remove individual entries or your entire account
  • Opt-out: Choose not to use AI analysis features
  • Request information: Ask what data we have about you

Data Portability

Export your data anytime in standard formats (JSON, CSV) for:

  • Personal records and backups
  • Sharing with healthcare providers
  • Transferring to other health platforms
  • Offline analysis

Account Deletion

When you delete your account:

  • All personal data is immediately removed from our active databases
  • Encrypted health data is permanently deleted
  • Deletion is permanent and irreversible - no recovery possible
  • You receive email confirmation of deletion
  • Anonymized aggregate statistics may be retained for service improvement (no personal identifiers)

6. Data Retention

Active Accounts

  • Health data retained as long as your account is active
  • You control what to keep or delete at any time
  • Encryption keys stored securely for the life of your account

Deleted Accounts

  • Immediate deletion upon account termination
  • No grace period or data recovery option
  • Encryption keys permanently destroyed
  • Anonymized aggregate statistics may be retained (no PII)

Security Logs

  • Login and security logs retained for 90 days
  • Used only for security, fraud prevention, and service improvement
  • Automatically purged after retention period

7. HIPAA Compliance Status

Solari Health implements HIPAA-grade security measures including:

  • End-to-end encryption of Protected Health Information (PHI)
  • Secure authentication and access controls
  • Audit logs and activity monitoring
  • Data breach notification procedures
  • Regular security assessments and updates

Note: Solari Health is a personal health tracking tool and is not currently a HIPAA-covered entity or business associate. We are not a healthcare provider, health plan, or healthcare clearinghouse. However, we implement security measures that meet or exceed HIPAA standards to protect your data.

8. International Users

Solari Health is operated from the United States. By using our service:

  • You consent to data processing and storage in the United States
  • All data is encrypted regardless of location
  • We use standard contractual clauses for international data transfers
  • You may have additional rights under local laws (GDPR, CCPA, etc.)

9. California Privacy Rights (CCPA)

California residents have these rights:

  • Right to know: What personal information we collect and how we use it
  • Right to delete: Request deletion of your personal information
  • Right to opt-out: We don't sell data, so no opt-out needed
  • Right to non-discrimination: Same service regardless of privacy choices

To exercise these rights, contact: privacy@solarihealth.ai

10. European Users (GDPR)

Under GDPR, you have the right to:

  • Access your personal data
  • Rectify inaccurate data
  • Erase your data ("right to be forgotten")
  • Restrict or object to processing
  • Data portability
  • Lodge a complaint with supervisory authorities

Legal basis for processing: Consent (you provide data voluntarily) and Legitimate Interests (providing health tracking services).

11. Children's Privacy

Solari Health is intended for users 18 years and older. We do not knowingly collect information from anyone under 18. If we learn we have collected data from a minor, we will delete it immediately.

12. Changes to This Policy

We may update this Privacy Policy to reflect changes in our practices or legal requirements. When we make significant changes:

  • We'll update the "Last Updated" date at the top
  • We'll notify you via email for material changes
  • You'll see a notification in the app
  • Continued use after changes constitutes acceptance

13. Contact Us

Questions about privacy or data protection? We're here to help:

Your Privacy, Your Control

Solari Health exists to help you understand your health journey. We believe in transparency, security, and putting you in control of your data. If you have any concerns or questions, please don't hesitate to reach out.

Back to Dashboard