Soma Client Privacy Policy
Effective Date: August 10, 2025
Introduction
Soma Health Solutions Inc. (“Soma”, “we”, “us”, “our”) is committed to protecting your privacy. This Privacy Policy explains how we collect, use, and protect information in the Soma client app (the “App”). We follow Canadian privacy law (PIPEDA).
Key Principles (Plain Language)
- Anonymous by default: we do not collect your name, email, or direct identifiers. In this policy, “anonymous” means Soma does not store or link personal identifiers to your app data.
- Off by default: any feature that shares or collects sensitive data is opt-in. You control what is enabled and can turn it off at any time.
- Device-first: the free app stores your journal and activity content encrypted on your device. Optional encrypted cloud backup for the same device is available.
- AI privacy: AI processing runs on private servers with immediate deletion (“zero-day retention”). No prompts are logged.
- No sales or advertising use: we do not sell your data or use it for ads.
- Canada data residency: data is stored on secure servers located in Canada.
What We Collect (Depending on Features You Enable)
- Journal entries (encrypted): text or content you create. Remains encrypted and unreadable to Soma unless you explicitly opt in for anonymized improvement use.
- Activity details (encrypted): tasks/activities you log, including completion state, timestamps, and durations. Text/details remain encrypted unless you opt in for improvement use.
- Ratings & metadata (anonymous): mood/stress ratings, time/date/duration, and completion status used to power in-app features.
- Audio recordings (provider feature only): if a connected provider enables recording and you agree, recordings are used only to create transcripts for clinical note drafts and are deleted within 25 days.
- Wearable summaries (provider feature only): if enabled by your provider and you connect a device, we may collect anonymous summaries (e.g., heart rate, oxygen saturation, breathing rate, sleep, temperature, activity levels). Your wearable credentials are encrypted and not decrypted.
- Technical logs: standard server logs may include IP addresses. Soma does not access or use IP logs to identify you; any infrastructure logging is used only for security and reliability.
How We Use Information
- Provide and maintain the App (e.g., store your encrypted entries on your device, process anonymous ratings and timestamps).
- Optional encrypted cloud backup for the same device (if you request it via support@soma-health.ca).
- If connected to a provider and you choose to share, securely transmit summaries or selected data to your provider.
- If you opt in, use anonymous and/or encrypted-then-consented data to improve the App and platform functionality.
- Protect the App, detect abuse, and ensure reliability (e.g., security monitoring).
AI Processing Privacy
- AI processing occurs on private servers with immediate deletion (“zero-day retention”).
- Prompts and outputs are not logged, and there is no exchange of personal identifiers.
- Sensitive data is encrypted; we do not decrypt it unless you explicitly opt in for improvement use. Wearable credentials are never decrypted.
Audio Recording & Transcription (Provider Feature)
- Only available if you are connected to a provider and recording is enabled.
- Your acceptance of the Terms of Service acts as explicit consent to record sessions for transcription purposes when the feature is used.
- Recordings are used solely to create transcripts for clinical note drafts and are deleted within 25 days.
- Recordings and transcripts are not used for any other purpose without your further consent.
Wearable Device Data (Provider Feature)
- Not available in the free app; only available if a connected provider enables it and you choose to connect a device.
- Data collected (if connected) may include anonymous summaries such as heart rate, oxygen saturation, breathing rate, sleep, temperature, and activity levels.
- Wearable account credentials are encrypted and will not be decrypted by Soma, even if you opt in to product improvement.
- We summarize and share wearable data with your provider only if you consent to connect a wearable.
Your Choices & Controls
- Enable/disable features: all sensitive features are off by default. You choose what to enable and can turn them off any time.
- Connect/disconnect a provider: optional; disconnecting stops future sharing (it does not delete data already in your provider’s records).
- Cloud backup (same device): optional encrypted backup is available on request.
- Product improvement opt-in: optional; encrypted journal/activity text is not used unless you explicitly consent. You can withdraw consent at any time.
Data Security & Location
- Data is stored on secure servers located in Canada.
- We use encryption at rest and in transit, least-privilege access controls, and security monitoring.
- Sensitive data (journal text, activity details, transcripts, wearable credentials) is encrypted; credentials are never decrypted.
Data Retention
- Audio recordings (if used) are deleted within 25 days of recording.
- Encrypted cloud backups (if requested) are retained while the feature is active or until you ask us to delete them.
- Technical logs are retained only as necessary for security and operations and are not used to identify you.
No Sale; Service Providers
- We do not sell your data and do not use it for advertising.
- We may use vetted subprocessors (e.g., secure hosting) bound by confidentiality and data protection obligations consistent with this policy.
Your Rights (PIPEDA)
Subject to applicable law, you may request access to your personal information, ask for corrections, withdraw consent for optional uses, or ask questions about our privacy practices. Contact support@soma-health.ca.
Children
The App is intended for individuals who can legally consent or who have consent from a parent/guardian. Providers are responsible for obtaining any required consents in clinical contexts.
Changes to This Policy
We may update this Privacy Policy from time to time. We will post the updated version with a new effective date in the App. If changes materially affect your rights, we will provide additional notice in the App.
Contact Us
Questions or requests? Email support@soma-health.ca.
By using the Soma client app, you agree to this Privacy Policy.