Privacy Policy
Solin · Last updated: May 23, 2026 · Effective Date: May 21, 2026 · Version 2.1
1. Introduction and Scope
This Privacy Policy ("Policy") governs the collection, use, disclosure, retention, and protection of personal information by Solin ("Solin," "we," "us," or "our") in connection with our website at solinapp.com and our mobile and desktop applications (collectively, the "Services").
Solin operates from the Province of Quebec, Canada. This Policy is designed to comply with:
- the Act respecting the protection of personal information in the private sector, CQLR c P-39.1, as amended by An Act to modernize legislative provisions as regards the protection of personal information (Quebec Law 25 / Bill 64, in force September 22, 2023);
- the Personal Information Protection and Electronic Documents Act, SC 2000, c 5 (PIPEDA);
- Canada's Anti-Spam Legislation, SC 2010, c 23 (CASL); and
- all other applicable Canadian federal and provincial privacy and electronic communications legislation.
By accessing or using the Services, you acknowledge that you have read, understood, and agree to the terms of this Policy. If you do not agree, you must immediately discontinue use of the Services.
2. Definitions
"Confidentiality Incident" means any unauthorized access to, use, communication, publication, or loss of Personal Information, as defined under Quebec Law 25.
"Personal Information" means any information about an identifiable individual, including name, email address, usage data, and any other data that can be used, alone or in combination, to identify a person.
"Processing" means any operation performed on Personal Information, including collection, storage, use, disclosure, transmission, deletion, or destruction.
"Sensitive Personal Information" means Personal Information that, due to its nature or the context of its use, requires heightened protection, including health information, financial information, biometric data, and information that may be used for identity theft.
"Services" means all products, applications, websites, APIs, and related services offered by Solin.
"User" means any individual who accesses or uses the Services.
3. Personal Information We Collect
3.1 Information You Provide Directly
- Account information: Email address, display name, and authentication credentials provided through sign-in with Google, sign-in with Apple, or magic link authentication.
- User-generated content: Tasks, notes, calendar entries, schedules, goals, habits, and any other content you create or input within the Services.
- Calendar integration data: When you connect Google Calendar or Apple Calendar, we access calendar event metadata (titles, dates, times, attendees) solely to provide scheduling features. We do not access the body or attachments of calendar events unless you explicitly share them through the Services. Calendar data is never sold, shared with advertisers, or used to build profiles for third-party purposes. See Section 10 for full calendar data provisions.
- Communications: Messages, feedback, support requests, and other communications you send to us.
3.2 Information Collected Automatically
- Usage data: Pages visited, features accessed, buttons clicked, session duration, frequency of use, and interaction patterns within the Services.
- Device and technical data: Browser type and version, operating system, device identifiers, IP address, time zone, and language preferences.
- Log data: Server logs, error reports, crash data, and diagnostic information generated by your use of the Services.
- Cookies and similar technologies: We use strictly necessary session cookies and functional cookies. Analytics cookies require your prior consent under Quebec Law 25. See Section 9 for full details.
3.3 AI Interaction Data
When you use AI-powered features (such as natural language task entry, scheduling suggestions, or DraftMyDay), the text you input is transmitted to our AI processing provider to generate responses. This data is:
- processed solely to provide the requested functionality;
- not used to train AI models without your explicit, separate consent;
- subject to our AI provider's data processing terms, which we have contractually reviewed for compliance with our privacy obligations;
- retained by our AI provider only for the minimum period required for safety and abuse monitoring (typically 30 days), after which it is deleted.
You must not input into AI features: (a) sensitive personal information of third parties; (b) confidential business information you are not authorized to disclose; (c) government-classified information; or (d) any information whose disclosure would violate applicable law.
3.4 Third-Party Authentication Data
If you sign in using Google or Apple, we receive only the information necessary to create and authenticate your account (typically your email address and a unique identifier). We do not receive your passwords or payment credentials from those providers.
3.5 Granular Data Retention Schedule
| Data Category | Retention Period | Legal Basis |
|---|---|---|
| Account information (email, name) | Duration of account + 30 days post-deletion | Contract performance |
| User-generated content (tasks, notes) | Duration of account + 30 days post-deletion | Contract performance |
| Calendar integration data | Duration of active integration; deleted within 30 days of revocation | Consent |
| AI interaction inputs | 30 days (AI provider); not retained by Solin beyond session | Legitimate interest (safety) |
| Usage analytics (PostHog) | 24 months rolling | Consent / Legitimate interest |
| Error and crash logs (Sentry) | 90 days | Legitimate interest |
| Billing and transaction records | 7 years | Legal obligation (Canadian tax law) |
| Security and access logs | 12 months | Legitimate interest (security) |
| Backup copies | Up to 90 days post-deletion | Operational necessity |
| Communications with support | 3 years | Legitimate interest (dispute resolution) |
| Behavioral event log (behavioral_events) | Up to 12 months, then archived; deleted with account | Contract performance (personalization) |
| Derived behavioral patterns (behavioral_patterns) | Duration of account + 30 days post-deletion | Contract performance (personalization) |
| Onboarding questionnaire responses | Duration of account + 30 days post-deletion | Consent |
| Notification preferences | Duration of account + 30 days post-deletion | Contract performance |
| Push notification tokens / web push subscriptions | Until the device unregisters, the OS reports the token invalid, or you delete your account (whichever is sooner) | Consent |
| Confidentiality Incident Register | 5 years minimum | Legal obligation (Quebec Law 25) |
3.6 Behavioral Telemetry and Performance Data
To personalize scheduling suggestions and improve plan quality, the Services record anonymized behavioral signals derived from how you use the planner. This data is stored on our servers in two database tables (behavioral_events and behavioral_patterns) and is used solely to tailor the Services to you.
- What we store: timestamps, durations, hour-of-day integers, day-of-week, anonymous category slugs (such as "deep-work" or "admin"), the UUIDs of the records each event refers to, and your user ID. Schema-level validation prevents task titles, note content, calendar event titles, habit names, intention text, or any other free-text content from entering these payloads.
- Derived patterns: on a weekly schedule, we compute aggregate snapshots (peak focus window, capacity trend, day-of-week completion factor, category avoidance, habit timing) from the raw event log and store them in behavioral_patterns. Snapshots hold one row per user per pattern; raw events older than 12 months may be archived.
- How it is used: solely to personalize plans for you within the Services — feeding the DraftMyDay AI prompt, the sidebar voice, the weekly review email, and proactive notifications. We do not use behavioral data for advertising, do not sell it to data brokers, and do not share it with third parties for any purpose other than the AI sub-processor processing the prompt that requested it.
- Cascade and export: all rows are FK-cascade on user deletion. Both tables are included in the data export endpoint described in Section 8.
3.7 Onboarding Personalization Questionnaire
During onboarding, we may offer a short five-question questionnaire about your typical peak energy window, daily capacity, planning tendency, hard days of the week, and biggest planning challenge. Answering is optional; the questionnaire can be skipped, and you may decline any individual question.
- What we store: if you complete or skip the questionnaire, your answers are persisted in a single JSON column on your user record (users.onboarding_intelligence) as enum slugs only. No free-text input is collected.
- How it is used: to seed your personalized scheduling model with reasonable defaults during the first three weeks of use. The seeded values are progressively replaced by your observed behavior as data accumulates.
- Cascade and export: the column is included in your data export and is deleted along with your account.
3.8 Information We Do Not Collect
We do not collect:
- Government-issued identification numbers (SIN, passport, driver's license)
- Financial account numbers or credit card data (handled entirely by Stripe)
- Biometric data
- Health or medical information
- Precise geolocation data
- Information about minors under 13 years of age
4. Purposes and Legal Bases for Processing
| Purpose | Description | Legal Basis |
|---|---|---|
| Service delivery | Account creation, feature access, data sync, fulfilling requests | Contract performance |
| Behavioral personalization | Recording usage signals (durations, completion times, anonymous category slugs) to tailor scheduling suggestions, the sidebar voice, weekly insights, and proactive notifications | Contract performance |
| Push notifications | Sending proactive in-app, mobile push, and browser push notifications you have opted in to receive | Consent |
| Calendar integration | Accessing and displaying your calendar data to provide scheduling features | Consent |
| AI features | Processing natural language inputs to generate scheduling and productivity suggestions | Contract performance / Consent |
| Transactional communications | Sending magic links, account notifications, receipts | Contract performance; CASL s.6(6) implied consent |
| Analytics and improvement | Understanding feature usage, identifying bugs, improving the Services | Consent (analytics cookies); Legitimate interest (aggregated server analytics) |
| Security and fraud prevention | Detecting, preventing, and responding to unauthorized access and abuse | Legitimate interest |
| Legal compliance | Complying with applicable laws, regulations, and governmental orders | Legal obligation |
| Business operations | Managing subscriptions, processing payments, enforcing Terms of Service | Contract performance; Legitimate interest |
5. Electronic Communications and CASL Compliance
5.1 Types of Electronic Messages We Send
We send the following categories of electronic messages:
- Transactional messages: Magic link sign-in emails, account verification, billing receipts, and service-critical notifications. These are sent pursuant to CASL Section 6(6) (implied consent for existing business relationship) and do not require express opt-in consent.
- Service update messages: Notices of material changes to these Terms, the Privacy Policy, or the Services. These are sent on the basis of legal obligation and are not commercial in nature.
- Product updates (optional): Feature announcements and newsletters. We will only send these if you have provided express consent. You may withdraw consent at any time.
5.2 Unsubscribe Mechanism
Every commercial electronic message we send includes a clear and functional unsubscribe mechanism. You may opt out at any time by:
- clicking the "Unsubscribe" link in any email we send; or
- contacting us at support@solinapp.com.
We will process unsubscribe requests within 10 business days, as required by CASL. Withdrawal of consent does not affect the lawfulness of prior communications.
5.3 No Harvesting or Purchased Lists
We do not harvest email addresses from third-party sources, purchase email lists, or send electronic messages to addresses obtained without appropriate consent.
6. Disclosure of Personal Information
We do not sell, rent, or trade your Personal Information. We disclose Personal Information only as follows:
6.1 Service Providers and Sub-Processors
| Provider | Purpose | Data Shared | Location |
|---|---|---|---|
| OpenAI | AI language model processing | AI input text, session metadata | United States |
| PostHog | Product analytics and usage tracking | Anonymized usage events, IP address | United States / EU |
| Sentry | Error monitoring and crash reporting | Error logs, device info, stack traces | United States |
| Resend | Transactional email delivery | Email address, email content | United States |
| Stripe | Payment processing and subscription management | Email address, billing metadata | United States |
| RevenueCat | Mobile subscription management | User ID, subscription status | United States |
| Google | OAuth authentication; optional Calendar integration | Email address, calendar metadata (if connected) | United States |
| Apple | OAuth authentication | Email address or relay address | United States |
We maintain written data processing agreements with each sub-processor and conduct due diligence to ensure they provide comparable protection for Personal Information.
6.2 Cross-Border Transfers and Privacy Impact Assessments
All sub-processors listed above are located outside Quebec. As required by Quebec Law 25, Section 17, prior to transferring Personal Information outside Quebec, we conduct a Privacy Impact Assessment (PIA) to evaluate whether the Personal Information will receive protection comparable to that provided by Quebec law.
Factors we assess include: (a) the sensitivity of the information; (b) the legal framework of the destination jurisdiction; (c) the contractual safeguards in place with the receiving party; and (d) the purposes for which the information is communicated.
By using the Services, you acknowledge that your Personal Information will be transferred to and processed in the United States and potentially other jurisdictions. We implement appropriate contractual safeguards, including data processing agreements and standard contractual clauses where applicable.
6.3 Legal Requirements
We may disclose Personal Information if required by applicable law, regulation, court order, or governmental authority. Where legally permitted, we will notify you of any such compelled disclosure before complying.
6.4 Business Transfers
In the event of a merger, acquisition, reorganization, bankruptcy, or sale of all or substantially all of our assets, your Personal Information may be transferred to a successor entity. We will provide you with at least 30 days' prior notice by email, and the acquiring entity will be required to handle your Personal Information in accordance with this Policy or provide you with a new privacy notice and an opportunity to opt out.
6.5 Aggregated and De-identified Data
We may share aggregated, anonymized, or de-identified data that cannot reasonably be used to identify you, without restriction.
7. Security and Confidentiality Incident Response
7.1 Security Measures
We implement and maintain commercially reasonable technical, administrative, and organizational safeguards, including:
- Encryption of data in transit using TLS 1.2 or higher
- Encryption of sensitive credentials at rest using AES-256-GCM
- Least-privilege access controls limiting data access to authorized personnel on a strict need-to-know basis
- Continuous security monitoring via Sentry
- Regular review of our security practices and sub-processor arrangements
No method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security of your Personal Information.
7.2 Confidentiality Incident Response — Quebec Law 25
In the event of a Confidentiality Incident that presents a risk of serious injury to any affected person, Solin will:
Step 1 — Regulatory Notification: Notify the Commission d'accès à l'information du Québec (CAI) as soon as reasonably possible, and no later than 72 hours after becoming aware of the incident, in accordance with the Regulation respecting Confidentiality Incidents (CQLR c r 3.1). The notification will include: (a) the nature of the incident; (b) the Personal Information affected; (c) the approximate number of persons affected; (d) the measures taken or planned to mitigate harm; and (e) our contact information.
Step 2 — Individual Notification: Notify affected individuals as soon as reasonably possible after notifying the CAI, providing: (a) a description of the incident and Personal Information affected; (b) steps taken to reduce the risk of injury; (c) steps affected individuals can take to reduce harm or protect themselves; and (d) our contact information.
Step 3 — Incident Register: Maintain a confidential Confidentiality Incident Register recording all incidents (including those below the notification threshold) for a minimum period of five (5) years, as required by Quebec Law 25.
Notification to affected individuals will be by email to the address on file, or by another method reasonably likely to reach you (e.g., in-app notification, postal mail).
8. Your Rights
8.1 Rights Under Quebec Law 25 and PIPEDA
| Right | Description | Response Time |
|---|---|---|
| Access | Request a copy of the Personal Information we hold about you | 30 days |
| Rectification | Request correction of inaccurate or incomplete Personal Information | 30 days |
| Erasure | Request deletion of your Personal Information, subject to legal retention obligations | 30 days |
| Withdraw Consent | Withdraw consent to processing based on consent, without affecting prior processing | Immediate (unsubscribe); 30 days (other) |
| Data Portability | Receive your Personal Information in a structured, machine-readable format (JSON or CSV) | 30 days |
| Object to Processing | Object to processing based on legitimate interests or for direct marketing | 30 days |
| Complaint | Lodge a complaint with the CAI or OPC | N/A |
8.2 How to Exercise Your Rights
Submit requests to: support@solinapp.com with the subject line "Privacy Rights Request." We will acknowledge receipt within 5 business days and respond substantively within 30 days. We may extend this period by an additional 30 days where necessary, with prior notice to you. We may require verification of your identity before processing your request. We will not discriminate against you for exercising your privacy rights.
8.3 Right to Lodge a Complaint
- Commission d'accès à l'information du Québec (CAI): www.cai.quebec.ca | 1-888-528-7741
- Office of the Privacy Commissioner of Canada (OPC): www.priv.gc.ca | 1-800-282-1376
We encourage you to contact us first so we may attempt to resolve your concern directly.
9. Cookies, Consent, and Tracking Technologies
9.1 Cookie Categories and Consent Requirements
Under Quebec Law 25, non-essential cookies require your prior, informed, and freely given consent.
| Category | Purpose | Consent Required | How to Opt Out |
|---|---|---|---|
| Strictly necessary | Authentication, session management, security | No — essential to the Services | Cannot be disabled |
| Functional | Saving preferences, language, settings | No — directly requested functionality | Account settings |
| Analytics (PostHog) | Collecting usage data to improve the Services | Yes — opt-in required | Withdraw via settings or support@solinapp.com |
9.2 Obtaining and Managing Consent
When you first use the Services, we present a consent notice for analytics cookies. Your consent is freely given, specific, informed, and unambiguous, as required by Quebec Law 25. You may withdraw consent at any time without penalty or degradation of core Services functionality.
9.3 No Advertising or Cross-Site Tracking
We do not use advertising cookies, cross-site tracking pixels, social media pixels, or any technology designed to track you across third-party websites. We do not sell data to data brokers or advertising networks.
10. Calendar Integration — Special Provisions
10.1 Scope of Access
When you connect Google Calendar or Apple Calendar, we request only the minimum permissions necessary:
- We access event titles, dates, times, and attendee names to display and sync your schedule within the Services.
- We do not access the body text, notes, or attachments of calendar events unless you explicitly paste them into the Services.
- We do not access your contacts list beyond attendee display.
10.2 Use Restrictions on Calendar Data
Calendar data is used exclusively to provide the scheduling and productivity features of the Services. We do not:
- use calendar data to serve advertising;
- share calendar data with any third party except our sub-processors listed in Section 6.1, and only to the extent strictly necessary to provide the Services;
- use calendar data to build profiles about you for any purpose other than providing the Services;
- disclose calendar data to AI providers except when you explicitly use an AI feature that processes calendar content, in which case you will be informed.
These restrictions apply even if third parties offer us value in exchange for calendar data. We will never monetize your calendar data.
10.3 Revocation
You may revoke calendar access at any time through your account settings or through your Google or Apple account settings. Upon revocation, we will delete all synced calendar data within 30 days.
11. Push Notifications
11.1 Channels and Consent
The Services may send proactive notifications via two channels, each requiring its own consent:
- Mobile push (iOS / Android): sent through Apple Push Notification service or Firebase Cloud Messaging via the Expo Push API. Requires you to grant notification permission to the Solin mobile app on your device. A push token issued by your operating system is stored in expo_push_tokens so we can address messages to your devices.
- Browser push (web): sent through the W3C Push API and your browser's push service (e.g. Mozilla autopush, Apple Push Notification service, Google FCM). Requires you to grant notification permission to the Solin website in your browser. A subscription record (endpoint URL + cryptographic keys) is stored in web_push_subscriptions.
You may revoke either consent at any time through your device or browser settings. Tokens and subscription records are also cleared from our database whenever the upstream platform reports them invalid (for example, after you uninstall the mobile app or revoke browser permission).
11.2 What Notification Content May Include
Notification bodies are generated by the Services and contain a short generic message (for example, "Your day is waiting") together with at most one referenced data point about your own activity (such as a streak length, a deferral count, or a capacity percentage). No content from your tasks, calendar events, notes, intentions, or other user-generated content is included verbatim in notifications, with one exception: a single notification type ("Task deferred alert") includes the title of a task that you have explicitly marked priority and that the system has detected you are repeatedly avoiding. The title is information you already have on screen; surfacing it is the entire point of that notification, and you can opt out of that notification type individually.
11.3 Frequency Caps
Solin caps proactive notification volume to limit interruption:
- No more than two proactive notifications per 24-hour period;
- No more than one proactive notification per hour;
- A 72-hour cooldown between two notifications of the same type;
- Quiet hours: by default 22:00–07:00 in your local timezone. You may adjust the start and end times in Settings → Notifications.
11.4 Per-Type Opt-Out and Global Off Switch
You may toggle individual notification categories on or off, or silence all proactive notifications entirely, in Settings → Notifications. Your preferences are persisted in your account record (users.notification_prefs) and apply across every device on which you use the Services. Transactional messages (Section 5.1) are not affected by these toggles.
11.5 No Marketing or Third-Party Use
Push notifications are used exclusively for the productivity and planning purposes of the Services. We do not use push channels to deliver advertising, do not share push tokens or subscription records with third parties, and do not enrich notifications with data obtained from outside the Services.
12. Privacy by Design
Consistent with Quebec Law 25, Solin incorporates privacy by design and by default into the development and operation of the Services, including:
- minimizing collection of Personal Information to what is strictly necessary for identified purposes;
- implementing privacy-protective default settings;
- conducting Privacy Impact Assessments before implementing new features or sub-processors that involve Personal Information; and
- reviewing and updating our privacy practices as technology and law evolve.
13. Automated Decision-Making and AI
We do not make decisions that produce legal or similarly significant effects on you solely by automated means without human review. AI-generated scheduling suggestions and task recommendations within the Services are advisory only and do not constitute automated decisions under Quebec Law 25 or PIPEDA. You retain full control over your data and all decisions made through the Services.
14. Children's Privacy
The Services are not directed to individuals under 13 years of age. We do not knowingly collect Personal Information from children under 13. If you are a parent or guardian and believe your child has provided us with Personal Information without your consent, please contact support@solinapp.com and we will delete such information within 30 days.
15. Third-Party Links and Integrations
The Services may contain links to third-party websites or integrate with third-party services. This Policy does not apply to those services. We are not responsible for the privacy practices of third-party services. We encourage you to review their privacy policies before use.
16. Changes to This Policy
We reserve the right to update this Policy at any time. For material changes, we will: (a) post the updated Policy at solinapp.com/privacy with a new effective date; and (b) send email notice to the address associated with your account at least 14 days before the changes take effect. Your continued use of the Services after the effective date constitutes acceptance of the revised Policy. If you do not accept the changes, you must delete your account before the effective date.
17. Contact and Privacy Officer
Solin has designated a Privacy Officer responsible for overseeing compliance with this Policy and applicable privacy legislation, as required under Quebec Law 25.
Privacy Officer — Solin
Email: support@solinapp.com
Website: solinapp.com/privacy
We will acknowledge privacy inquiries within 5 business days and respond substantively within 30 days.
18. Governing Law
This Policy is governed by the laws of the Province of Quebec and the federal laws of Canada applicable therein.
This Privacy Policy was last updated on May 23, 2026. Version 2.1. Changes since Version 2.0: added Section 3.6 (Behavioral Telemetry and Performance Data), Section 3.7 (Onboarding Personalization Questionnaire), and Section 11 (Push Notifications); extended retention table (Section 3.5) with behavioral, onboarding, notification preference, and push-token rows; extended purposes table (Section 4) with behavioral personalization and push notification rows.