Privacy Policy

To the extent Track processes personal information of California residents, Solentis complies with the CCPA as amended by the CPRA. As a service provider operating under written contract with its Clients, Solentis:

• Does not sell or share personal information for cross-context behavioral advertising.
• Does not retain, use, or disclose personal information outside the scope of the service provider relationship.
• Honors instructions from Clients to delete or restrict processing of personal information consistent with CCPA obligations.

California residents who are users of Track may exercise their rights by contacting the Client organization that deployed Track, or by contacting Solentis directly at marcomendoza@avilapeakpartners.com. See Section 9 for the full list of rights available.

Track sends transactional and operational emails including task assignment notifications, completion confirmations, daily digest summaries, and authentication codes. These emails are sent via Resend, a third-party email delivery provider, on behalf of the Client organization.

• All commercial email includes a physical mailing address and a functional opt-out mechanism.
• Transactional emails (account security, two-factor authentication) are sent only when triggered by a user action and are not subject to commercial opt-out requirements.
• Users may update their notification preferences within Track's settings at any time.

Track integrates with WhatsApp via Meta's Cloud API to deliver task notifications and to support Sofia, an AI-powered conversational agent. WhatsApp messages sent through the platform are organizational communications between users and the Service — they are not unsolicited marketing messages to consumers.

• WhatsApp notifications are sent only to users whose phone numbers have been registered in Track by an authorized administrator of the Client organization.
• Users may disable WhatsApp notifications at any time in their Track notification preferences.
• Solentis does not initiate unsolicited commercial text or voice communications to consumers.

Where Track is deployed by a financial institution (including registered investment advisers, broker-dealers, or wealth management firms), Solentis operates as a nonaffiliated third-party service provider under GLBA. In this capacity:

• Solentis does not sell, share, or use nonpublic personal information (NPI) of financial institution customers for any purpose other than providing the contracted Service.
• Solentis maintains a written information security program consistent with the FTC Safeguards Rule (16 C.F.R. Part 314).
• Access to NPI within Track is scoped by role-based access controls and organization-level data isolation.
• Solentis does not use NPI received from financial institution Clients to market other products or services.

Track maintains immutable audit logs of all task-related actions. These logs are designed to support Client compliance with applicable recordkeeping obligations, including SEC Rule 17a-4, SEC Rule 204-2, and FINRA Rule 4511 for financial services Clients, as well as equivalent obligations in other regulated industries. Audit log records are retained for a minimum of six (6) years and cannot be modified or deleted by users or administrators. Clients are solely responsible for ensuring their use of Track satisfies their specific regulatory requirements.

Solentis's privacy and data practices are consistent with the FTC's guidance on fair information practices. This policy accurately describes our data practices. We do not engage in practices that misrepresent how we handle data or that cause substantial harm to individuals that they cannot reasonably avoid.

• Full name and email address (required for account creation and authentication)
• Password, stored as a one-way bcrypt hash (Solentis cannot recover your password)
• Role within your organization (admin, manager, or user)
• WhatsApp phone number (optional; required only to use WhatsApp notifications or the Sofia AI agent)

• Task titles, descriptions, priorities, due dates, statuses, and assignees
• Subtasks and task dependencies
• Comments and activity associated with tasks
• Recurring task templates
• Client records and interaction logs, if the Client organization has enabled the CRM feature

• WhatsApp conversation history between users and the Sofia AI agent, stored per organization and retained for context and compliance review
• Email notification delivery logs (delivery status only; not the full body of emails beyond the notification itself)

When a user sends a WhatsApp voice note to Sofia, the audio is transmitted to Groq (a third-party provider) for transcription using the Whisper speech-to-text model. The transcribed text is then processed by Sofia as though it were a typed message.

• Audio is not stored by Solentis after transcription is complete.
• Transcription is performed by Groq under their applicable terms of service and privacy policy.
• Users who do not wish to use voice transcription may communicate with Sofia via text only.

• Immutable records of all task mutations (create, update, complete, delete, assign) with timestamps, actor identity, and organization context
• Authentication events (logins, two-factor authentication attempts, password resets)
• WhatsApp webhook events (retained for debugging and security purposes)

Audit logs are retained for a minimum of six (6) years and cannot be modified or deleted by users or administrators.

• IP addresses and user agent strings, captured at authentication and webhook events
• Error and exception data collected by Sentry, our application monitoring provider
• Infrastructure metadata from Vercel, our hosting provider

Track does not use cookies for tracking, advertising, or analytics. Session management is handled server-side with a 24-hour hard session expiry.

• Authenticating users and maintaining secure sessions
• Displaying task assignments, priorities, and deadlines to authorized team members
• Sending email and WhatsApp notifications triggered by task events
• Enabling Sofia to respond to task queries and perform task operations via WhatsApp
• Generating daily digest emails summarizing team task status

• Maintaining immutable audit logs for regulatory recordkeeping purposes
• Detecting and preventing unauthorized access, abuse, or fraud
• Responding to security incidents
• Verifying webhook authenticity

• Identifying and fixing application errors via Sentry
• Analyzing aggregate, anonymized usage patterns to improve platform performance

Solentis does not use personal information to train AI or machine learning models. Personal information is not shared with AI providers beyond the transactional API calls required to deliver the Service (see Section 5).

• We do not sell personal information to third parties.
• We do not share personal information for cross-context behavioral advertising.
• We do not use personal information to build consumer profiles for parties other than the Client that owns the data.
• We do not use NPI received from financial institution Clients for any purpose outside the contracted Service.

Solentis engages the following third-party service providers who process data on our behalf under contractual data protection obligations:

Because Track is a B2B platform, the Client organization that deployed Track has administrative visibility into task data, team activity, audit logs, and (for administrators) WhatsApp conversation logs within their organization. Your use of Track is subject to your organization's own policies in addition to this one.

Solentis may disclose information when required to do so by law, regulation, court order, or valid legal process. Where permitted by law, we will notify the affected Client before disclosing their data in response to a legal demand.

In the event of a merger, acquisition, or sale of all or substantially all of Solentis's assets, personal information may be transferred to the successor entity. Users will be notified via email and/or a prominent notice on the Service before information becomes subject to a materially different privacy policy.