Soma Professional Privacy Policy

Effective Date: March 25, 2026  |  Version: 2.0

1. Introduction and Scope

Soma Health Solutions Inc. ("Soma," "we," "us," or "our") provides a documentation and workflow platform designed for therapists, counselors, and other licensed practitioners. This Privacy Policy describes how we collect, use, disclose, retain, and protect personal information in connection with our products and services.

This policy applies to:

• The Soma web application (soma-health.ca and associated domains)
• The Soma mobile application for practitioners
• The Soma client-facing mobile application
• All related APIs, integrations, and services
• Our public website and marketing pages

Soma is a B2B software-as-a-service (SaaS) platform. We are not a clinical practice, and we do not provide clinical services. We build documentation and workflow tools that help licensed practitioners work more efficiently.

We are committed to complying with the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy legislation. This policy addresses all ten fair information principles set out in Schedule 1 of PIPEDA.

2. Definitions

Throughout this policy, the following terms have specific meanings:

• Personal Information means information about an identifiable individual, as defined under PIPEDA. This includes name, email address, professional credentials, and any data that can identify a specific person.
• Customer means a therapist, counselor, or other licensed practitioner who creates an account and subscribes to Soma's services.
• End User means any individual (including a Customer's client) who interacts with Soma's services, such as through the client-facing mobile application.
• Clinical Data means information relating to a practitioner's professional practice, including session transcripts, AI-generated note drafts, and documentation created through the platform.
• Client Data means any data that an End User submits through the client-facing application, including journal entries, mood ratings, activity responses, and wearable data summaries.
• Alias means the pseudonymous identifier that a Customer assigns to each of their clients within the platform. Soma does not require or request client real names.
• Wearable Data means biometric and activity data collected from connected devices such as Fitbit or Apple HealthKit, shared by End Users with their practitioner's consent.
• Sub-processor means a third-party service provider engaged by Soma to process data on our behalf in the delivery of our services.

3. Privacy Officer

Soma has designated a Privacy Officer who is accountable for our compliance with this policy and with PIPEDA. Our Privacy Officer is responsible for receiving and responding to all privacy-related inquiries, access requests, and complaints.

4. Information We Collect

We collect different categories of information depending on how you interact with our platform. We limit our collection to what is necessary for the identified purposes described in Section 6.

4.1 Customer Account Information

When a practitioner creates a Soma account, we collect:

• Full name and professional credentials
• Email address
• Practice name and address (if provided)
• Professional license or registration information (if provided)
• Billing and payment information (processed by our payment processor; we do not store full payment card numbers)
• Account preferences and settings

4.2 Clinical Data (Processed on Behalf of Customers)

When Customers use our documentation and workflow tools, the following data is created and stored within their account:

• Client aliases (pseudonymous identifiers created by the Customer)
• Session transcripts generated from real-time audio processing
• AI-generated note drafts (SOAP, DAP, BIRP, and other formats)
• Notes and documentation created or edited by the Customer

4.3 End User (Client) Data

When an End User interacts with the Soma client-facing mobile application, the following data may be collected and shared with their designated practitioner:

• Journal entries
• Mood ratings and self-assessments
• Activity responses (assigned by their practitioner)
• Wearable data summaries (if the End User connects a device and consents to sharing)

End User data is associated with the alias assigned by the Customer, not with personally identifiable information held by Soma.

4.4 Website Visitor Data

When you visit our website (soma-health.ca), we may collect:

• IP address and approximate geographic location
• Browser type, operating system, and device information
• Pages visited, referral source, and time spent on each page
• Information submitted through contact forms or demo requests

5. How We Collect Information

We collect information through three channels:

5.1 Directly from You

Information you provide when creating an account, configuring settings, entering data into the platform, or contacting us for support.

5.2 Automatically

Technical and usage data collected through server logs, cookies, and analytics tools when you interact with our platform and website. See Section 18 for details on cookies and tracking technologies.

5.3 Through Integrations

Data received from connected third-party services, including wearable device platforms (Fitbit, Apple HealthKit) when an End User authorizes a connection. We only receive data that the End User has explicitly chosen to share, and only for the duration of the active connection.

6. Purposes for Collection, Use, and Disclosure

We identify the purpose for collecting personal information at or before the time of collection. We use and disclose personal information only for the purposes identified below, or for purposes that a reasonable person would consider appropriate in the circumstances.

6.1 Customer Account Information

• To create, manage, and authenticate your account
• To process billing and payments
• To communicate about your subscription, platform updates, and service-related matters
• To provide technical support
• To verify professional credentials when required

6.2 Clinical Data

• To provide real-time transcription services
• To generate AI-assisted note drafts at the Customer's request
• To store and organize documentation within the Customer's account
• To enable data export and portability

6.3 End User (Client) Data

• To facilitate between-session engagement features (journaling, mood tracking, activities)
• To share End User-submitted data with their designated practitioner
• To display wearable data summaries to the practitioner (with End User consent)

6.4 Website Visitor Data

• To analyze website traffic and improve our website content
• To measure the effectiveness of advertising campaigns
• To respond to inquiries submitted through contact forms

6.5 All Data Categories

• To maintain platform security, detect fraud, and prevent unauthorized access
• To improve our products and services using aggregated, de-identified data
• To comply with legal obligations, respond to lawful requests, and enforce our agreements

7. Consent

We rely on meaningful consent as the basis for collecting, using, and disclosing personal information. The form of consent depends on the sensitivity of the information and the reasonable expectations of the individual.

7.1 Express Consent

We obtain express, affirmative consent before:

• Processing audio during a session (Customers must confirm client consent before initiating recording)
• Connecting wearable devices and sharing biometric data
• Using clinical data for any purpose beyond providing the requested services
• Sharing any personal information with third parties beyond our sub-processors

7.2 Implied Consent

By creating an account and using the platform, you consent to the collection and use of account information and usage data as described in this policy, and to our use of essential cookies necessary for the platform to function.

7.3 Withdrawing Consent

You may withdraw consent at any time, subject to legal or contractual restrictions, by:

• Adjusting your account settings within the platform
• Disconnecting integrations (e.g., wearable devices) through the application
• Contacting our Privacy Officer at support@soma-health.ca

We will inform you of the implications of withdrawing consent. In some cases, withdrawing consent may limit or prevent our ability to provide certain features of the platform.

8. How We Use Information

We use personal information only for the purposes identified in Section 6, or for purposes that are directly related and that you would reasonably expect. Specifically:

• Service Delivery: Operating the platform, processing transcriptions, generating note drafts, and facilitating between-session engagement features
• Communication: Sending service-related notifications, responding to support inquiries, and providing account updates
• Platform Improvement: Analyzing aggregated, de-identified usage patterns to improve features and user experience
• Security: Monitoring for unauthorized access, detecting anomalies, and maintaining the integrity of our systems
• Legal Compliance: Fulfilling our obligations under applicable laws and regulations

9. AI-Assisted Features and Transparency

Soma uses artificial intelligence to assist with note generation and documentation workflows. We believe in full transparency about how AI is used within our platform.

9.1 AI Infrastructure

Soma's AI-assisted features are powered by enterprise-grade large language models hosted within our managed cloud infrastructure. When a Customer requests an AI-generated note draft, relevant session data is processed through our AI pipeline under strict access controls. Our AI providers operate under data processing agreements with Soma and are bound by confidentiality obligations.

9.2 Zero-Day AI Data Retention

9.3 Human Review Required

All AI-generated note drafts are clearly labeled as drafts. They are presented to the Customer for review, editing, and approval before being finalized. Soma does not make autonomous decisions about clinical documentation. The licensed practitioner retains full responsibility for reviewing, editing, and approving any AI-generated content before incorporating it into their professional records.

9.4 Real-Time Audio Processing

10. Data Custodianship and Processing Roles

Understanding the respective roles of Soma and our Customers is important for clarity about data responsibilities.

10.1 The Customer as Custodian

The licensed practitioner (Customer) is the custodian of all clinical data and client data entered into or generated through the platform. The Customer determines what data to enter, how to use the platform's features, and how the resulting documentation is incorporated into their professional practice. Customers are responsible for obtaining all necessary consents from their clients, complying with their professional regulatory obligations, and managing their clinical records in accordance with applicable law.

10.2 Soma as Processor

Soma processes clinical data and client data on behalf of and under the instructions of the Customer. We do not independently determine the purposes of processing clinical data. We access clinical data only as necessary to provide the services, to maintain and improve the platform, and to comply with legal requirements. Our role is analogous to that of a data processor: we provide the tools, and the practitioner directs how they are used.

11. Information Sharing and Disclosure

We limit the disclosure of personal information to circumstances that are necessary for delivering our services or required by law.

11.1 Sub-processors

We engage trusted third-party sub-processors to support our operations, including:

• Cloud infrastructure: For secure hosting and data storage
• AI services: Enterprise-grade language model providers for AI-assisted note generation, operating under zero-day data retention agreements
• Payment processing: For billing and subscription management
• Analytics: For aggregated usage analysis (website only; de-identified)

All sub-processors are bound by written agreements that require them to protect personal information to a standard comparable to this policy. Sub-processors may only process data for the specific purposes we define.

11.2 Legal Requirements

We may disclose personal information when required by law, regulation, court order, or other lawful process. Where legally permitted, we will notify the affected individual before making such a disclosure. We will challenge any request that we believe to be overbroad, vague, or otherwise improper.

11.3 Business Transfers

In the event of a merger, acquisition, or sale of substantially all of our assets, personal information may be transferred to the successor organization. We will provide notice of any such transfer and ensure that the successor is bound by commitments consistent with this policy.

11.4 Practitioner-Client Sharing

When an End User shares data through the client-facing application (journal entries, mood ratings, activities, wearable summaries), that data becomes accessible to their designated practitioner. Once a practitioner receives data from their client, the practitioner is responsible for managing that data in accordance with their professional and legal obligations.

12. International Data Transfers and Data Residency

Soma Health Solutions Inc. is incorporated and headquartered in St. John's, Newfoundland and Labrador, Canada. Our primary data storage and processing infrastructure is located in Canadian data centers.

Certain sub-processors (such as our AI infrastructure providers) may process data in the United States or other jurisdictions. When data is transferred outside Canada, we ensure that:

• The transfer is necessary to provide the requested services
• The sub-processor is bound by contractual obligations to protect the data
• The level of protection is comparable to that required under Canadian privacy law

If you are located outside of Canada and use our platform, your data will be transferred to and processed in Canada, which is subject to Canadian privacy laws.

13. Data Retention

We retain personal information only for as long as necessary to fulfill the purposes for which it was collected, or as required by law. The following retention periods apply:

Upon account termination, Customers have 60 days to export their data. After the 60-day period, all account data, clinical data, and associated records are permanently deleted from our production systems. Backup copies are purged within 30 days of primary deletion.

14. Security Safeguards

We protect personal information with technical, organizational, and physical safeguards appropriate to the sensitivity of the information. Our security measures include:

14.1 Technical Safeguards

• Encryption at rest: All stored data is encrypted using AES-256 encryption
• Encryption in transit: All data transmitted between your device and our servers is protected by TLS 1.2 or higher
• Application-level encryption: Sensitive fields (journal entries, activity details, wearable credentials) are encrypted at the application layer in addition to storage-level encryption
• Wearable credential isolation: Wearable device credentials are permanently encrypted and are never decrypted, even by Soma personnel
• Secure authentication: Support for multi-factor authentication and secure session management
• Audit logging: Comprehensive logging of data access and administrative actions

14.2 Organizational Safeguards

• Role-based access control (RBAC): Access to personal information is restricted to authorized personnel on a need-to-know basis
• Confidentiality agreements: All employees and contractors are bound by confidentiality obligations
• Security training: Team members receive training on data protection and secure handling practices
• Vendor management: Sub-processors are evaluated for security practices before engagement and are bound by contractual data protection requirements

14.3 Infrastructure Safeguards

• Canadian data center hosting with physical access controls
• Redundant backups with encrypted storage
• Regular security monitoring and vulnerability assessments
• Incident detection and response procedures

15. Data Breach Notification

In the event of a breach of security safeguards involving personal information, Soma will take the following steps in accordance with PIPEDA's mandatory breach reporting requirements:

15.1 Assessment

We will promptly assess the breach to determine whether it creates a real risk of significant harm to any individual. Factors considered include the sensitivity of the information involved, the probability that the information has been or will be misused, and the potential consequences for affected individuals.

15.2 Notification

If a breach creates a real risk of significant harm:

• Affected individuals: We will notify you as soon as feasible, and in any event within 72 hours of confirming the breach
• Office of the Privacy Commissioner of Canada (OPC): We will report the breach to the OPC as required under PIPEDA
• Other organizations: We will notify any other organization or government institution that may be able to reduce the risk of harm

15.3 Notification Contents

Breach notifications will include:

• A description of the circumstances of the breach
• The date or time period during which the breach occurred
• A description of the personal information involved
• Steps we have taken and are taking to reduce the risk of harm
• Steps you can take to mitigate potential harm
• Contact information for our Privacy Officer

15.4 Record Keeping

We maintain records of all breaches of security safeguards, regardless of whether they meet the threshold for reporting. These records are retained for a minimum of 24 months and are available to the OPC upon request.

16. Your Rights

Under PIPEDA and applicable provincial legislation, you have the following rights regarding your personal information:

16.1 Right of Access

You have the right to request access to the personal information we hold about you. Upon receiving a written request and verifying your identity, we will provide you with an account of the information in our possession, how it has been used, and to whom it has been disclosed. We will respond to access requests within 30 calendar days of receipt.

16.2 Right of Correction

If any personal information we hold about you is inaccurate or incomplete, you have the right to request a correction. You can update most account information directly through the platform. For corrections that cannot be made through the platform, contact our Privacy Officer.

16.3 Right of Deletion

You may request the deletion of your personal information. We will delete or de-identify the information, except where retention is required by law or is necessary for the completion of a transaction or the fulfillment of a legal obligation. Deletion requests are processed within 30 calendar days.

16.4 Right of Data Portability and Export

You have the right to receive a copy of your personal information in a structured, commonly used, and machine-readable format. This includes session transcripts, note drafts, client records, and account data. Export functionality is available through the platform, and additional formats can be requested from our Privacy Officer.

16.5 How to Make a Request

To exercise any of these rights, contact our Privacy Officer:

• Email: support@soma-health.ca
• Mail: Soma Health Solutions Inc., 100 Signal Hill Road, St. John's, NL, A1A 1B3, Canada

We will acknowledge receipt of your request within 5 business days and provide a substantive response within 30 calendar days. If we require additional time, we will notify you of the reason for the delay. There is no fee for making a request, except in cases where requests are manifestly unfounded or excessive, in which case we may charge a reasonable administrative fee.

17. Automated Decision-Making and AI

Soma uses AI to generate draft documentation based on session transcripts and practitioner input. This section explains how automated processing works within our platform.

17.1 What AI Does

AI-assisted features generate structured note drafts (in formats such as SOAP, DAP, and BIRP) from session transcripts and practitioner inputs. These drafts are intended to reduce documentation burden by providing a starting point that the practitioner can review, edit, and finalize.

17.2 What AI Does Not Do

• AI does not make clinical decisions or recommendations
• AI does not autonomously finalize or submit documentation
• AI does not profile individuals or make predictions about them
• AI-generated content is never treated as a final record without human review

17.3 Human Oversight

Every AI-generated note draft requires review and explicit approval by the licensed practitioner before it is saved as a completed record. The practitioner has full control to edit, reject, or regenerate any draft. This ensures that professional judgment remains the final authority over all documentation.

18. Cookies and Tracking Technologies

We use cookies and similar technologies on our website and platform for the following purposes:

18.1 Essential Cookies

Required for the platform to function properly. These handle authentication, session management, and security. They cannot be disabled without impairing platform functionality.

18.2 Analytics Cookies

We use analytics tools on our public website to understand how visitors find and use our site. This data is aggregated and does not identify individuals. Analytics cookies are not used within the authenticated platform application.

18.3 Advertising Measurement

Our public website may use the Meta Pixel and similar tools to measure the effectiveness of advertising campaigns. These tools track conversions (such as sign-ups) from advertisements. They are used only on our marketing website, not within the platform where clinical or client data is accessed. You can opt out of advertising tracking through your browser settings or through the advertising platform's opt-out mechanisms.

18.4 Managing Cookies

You can control cookies through your browser settings. Most browsers allow you to block or delete cookies. Please note that blocking essential cookies will prevent you from using certain features of the platform.

19. Children's Privacy

Soma's platform is designed for use by licensed practitioners. We do not knowingly collect personal information directly from children under the age of 13.

If a practitioner works with minor clients, the practitioner is responsible for:

• Obtaining appropriate parental or guardian consent as required by law and professional standards
• Using non-identifying aliases for minor clients within the platform
• Complying with all applicable laws regarding the privacy of minors

If we become aware that we have inadvertently collected personal information from a child under 13 without appropriate consent, we will take prompt steps to delete that information.

20. Wearable Device Data

Soma supports optional integration with wearable devices (currently Fitbit and Apple HealthKit). This section explains how wearable data is handled.

20.1 Connection and Consent

• Connecting a wearable device is entirely voluntary
• End Users must explicitly authorize the connection and the sharing of specific data categories
• End Users can disconnect their device at any time through the application

20.2 What We Collect

We receive data summaries from connected wearable platforms, not raw sensor data. The specific data types depend on the device and the End User's sharing preferences (e.g., step counts, sleep summaries, heart rate averages).

20.3 How Wearable Data Is Protected

• Wearable data summaries are associated with the client's alias, not their real identity
• Data summaries are encrypted at rest and in transit
• Wearable connection credentials (OAuth tokens) are permanently encrypted and are never decrypted by Soma or its personnel, under any circumstances
• Upon disconnection, wearable credentials are immediately and permanently deleted

20.4 Practitioner Access

Wearable data summaries are shared with the designated practitioner only when the End User has given explicit consent. The practitioner can view these summaries within the platform to support their professional work.

21. Changes to This Policy

We may update this privacy policy from time to time to reflect changes in our practices, our products, or applicable law.

• Material changes (changes that reduce your privacy protections or introduce new categories of data collection) will be communicated via email at least 30 days before they take effect. You will have the opportunity to review the changes and, if you disagree, to close your account before the changes become effective.
• Non-material changes (clarifications, formatting updates, or changes that do not reduce your rights) will be posted on this page with an updated effective date.

We encourage you to review this policy periodically. The effective date at the top of this page indicates when the policy was last revised.

22. Complaint Process

If you believe that Soma has not handled your personal information appropriately or has not complied with this policy, you have the right to challenge our compliance.

22.1 Internal Complaint Process

Please direct your complaint to our Privacy Officer:

• Email: support@soma-health.ca
• Mail: Soma Health Solutions Inc., 100 Signal Hill Road, St. John's, NL, A1A 1B3, Canada

We will acknowledge receipt of your complaint within 5 business days. Our Privacy Officer will investigate the matter and provide a written response within 30 calendar days. If additional time is needed, we will inform you of the reason and the expected timeline.

22.2 Office of the Privacy Commissioner of Canada

If you are not satisfied with our response, or if you wish to file a complaint directly, you have the right to contact the Office of the Privacy Commissioner of Canada:

• Website: www.priv.gc.ca
• Toll-free: 1-800-282-1376
• Address: 30 Victoria Street, Gatineau, Quebec, K1A 1H3, Canada

23. Contact Information

For any questions, concerns, or requests related to this privacy policy or our handling of your personal information, please contact us:

24. Legal Relationship

This Privacy Policy forms part of our Terms of Service. By creating an account or using the Soma platform, you acknowledge that you have read, understood, and agree to the collection, use, and disclosure of your personal information as described in this policy.

In the event of a conflict between this Privacy Policy and the Terms of Service, the Terms of Service shall prevail, except where doing so would result in a reduction of the privacy protections described herein.

25. Customer Responsibilities

As a licensed practitioner using the Soma platform, you hold certain responsibilities with respect to data privacy:

• Client consent: You are responsible for obtaining informed consent from your clients before using any recording or transcription features, and before connecting wearable devices
• Professional review: You must review all AI-generated content before incorporating it into your professional records
• Alias management: You should use non-identifying aliases for clients. If you choose an alias that could identify a client, that risk is your responsibility
• Regulatory compliance: You are responsible for complying with the regulatory requirements of your profession and jurisdiction, including record retention obligations that may extend beyond the periods described in this policy
• Data received from clients: Once client data (journal entries, mood ratings, wearable summaries) is shared with you through the platform, your management and use of that data is governed by your professional obligations

26. Accuracy of Personal Information

We take reasonable steps to ensure that personal information in our possession is accurate, complete, and up to date for the purposes for which it is used.

• Customers can update their account information (name, email, credentials, practice details) directly through the platform at any time
• If you identify an inaccuracy in information that cannot be corrected through the platform, contact our Privacy Officer and we will make the correction promptly
• Where we are unable to make a requested correction (for example, where the information is accurate as recorded), we will note the disagreement on file

Soma Health Solutions Inc.

100 Signal Hill Road, St. John's, NL, A1A 1B3, Canada

This policy is effective as of March 25, 2026.

This policy addresses all ten fair information principles under Schedule 1 of PIPEDA: Accountability (Section 3), Identifying Purposes (Section 6), Consent (Section 7), Limiting Collection (Section 4), Limiting Use, Disclosure, and Retention (Sections 8, 11, 13), Accuracy (Section 26), Safeguards (Section 14), Openness (this policy in its entirety), Individual Access (Section 16), and Challenging Compliance (Section 22).