Privacy Policy
Effective date: March 1, 2026
1. Introduction
Solace is operated by Aevum AI Inc. ("we," "us," or "our"), a company incorporated in Canada. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use the Solace meditation application and related services (the "Service"). Aevum AI Inc. is the data controller responsible for your personal data. We are committed to protecting your privacy and handling your data transparently. If you have any questions or concerns, please contact us at hello@solace.you.
2. Information We Collect
We collect the following categories of information:
(a) Account information - your name and email address, collected via Google OAuth when you sign in.
(b) Meditation preferences - how you feel, your chosen goal, preferred session duration, and optional custom text you enter.
(c) Session metadata and content - timestamps, duration, cost data, and the full text of your generated meditation script, associated with each session.
(d) Generated audio - MP3 files produced by our text-to-speech provider. Audio is stored in two locations: on our servers (in an encrypted storage bucket for session replay and cross-device access) and cached locally on your device (in IndexedDB for offline playback).
(e) Payment data - payment processing is handled entirely by Stripe, Inc. We never see or store your full card numbers. Stripe may collect your email address and billing details in accordance with its own privacy policy.
(f) Device-local data - user display name and consent preferences stored in your browser's localStorage. This data remains on your device and is not transmitted to our servers unless you update your display name.
(g) Crisis event data - when our automated safety classifier is triggered by your input, we record: the event category (such as "crisis" or "blocked content"), the detection method, and the text you entered that triggered the classifier. This data is stored for duty-of-care and safety-improvement purposes. Crisis event data is removed when your account is deleted.
(h) Analytics data (consent-gated) - if you consent via our cookie banner, we collect: page views, feature usage events (including meditation preferences such as feeling and goal), browser metadata, and session duration. When you are signed in, your anonymous user identifier and subscription plan are shared with our analytics provider (PostHog) to associate usage data with your account. We do not share your email address with analytics providers. We do not collect analytics data without your consent.
3. Legal Basis for Processing (GDPR Article 6)
We process your personal data under the following legal bases:
Contract performance - processing necessary to provide the Service you have requested, including generating meditation sessions, managing your account, and processing payments.
Legitimate interest - processing necessary for security, abuse prevention, safety classification, and service improvement, where our interests do not override your fundamental rights. We have conducted a balancing test and determined that our safety classifier (which stores crisis-triggering inputs) serves a legitimate interest in protecting user welfare.
Consent - analytics scripts are loaded only after you provide consent via our cookie banner. You may withdraw consent at any time by clearing your browser's localStorage or by using the "Cookies" link in the page footer. Withdrawal of consent does not affect the lawfulness of processing performed before withdrawal.
4. How We Use Your Information
We use the information we collect to:
Generate personalised meditation scripts and audio narration.
Store your session history for replay and cross-device access.
Process payments and manage your subscription.
Detect and respond to crisis-related inputs via our safety classifier.
Improve the Service through aggregate, consent-gated analytics.
Protect the Service against abuse, fraud, and misuse.
Solace collects only the information reasonably necessary to provide the Service. We do not collect unrelated personal data. We do not use your meditation preferences or generated content to train AI models. We do not sell your personal data to any third party.
5. AI Processing Disclosure
Meditation scripts are generated by a large language model provided by a third-party AI service. Voice narration is produced by an AI text-to-speech provider. Your display name (if provided) and meditation preferences (feeling, goal, duration, and optional custom text) are sent to the large language model provider to generate your personalised script. No other personal data (such as your email or payment information) is included in the AI prompt.
The generated script text is then sent to the text-to-speech provider to produce audio narration. No user-identifying information is sent to the text-to-speech provider. No human employed by Aevum AI Inc. or its sub-processors reviews your inputs or generated outputs as part of normal service operation.
Generated audio files are stored on our servers in an encrypted storage bucket. Audio is also cached on your device for offline playback. Server-stored audio is deleted when you delete a session or your account.
6. Third-Party Sub-Processors
We use the following service providers to operate the Service: Supabase (database, authentication & file storage, US), Stripe (payment processing, US), a text-to-speech provider (voice narration, US/EU), an AI model provider via OpenRouter (script generation, US), PostHog (product analytics, consent-gated, US), Vercel (hosting, web analytics, observability, US/global), and BetterStack (uptime monitoring, log analytics & alerting, EU).
7. Cross-Border Data Transfers
Aevum AI Inc. is based in Canada. Your data may be transferred to and processed in the United States by our sub-processors. For users in the European Economic Area, transfers to the United States rely on Standard Contractual Clauses (SCCs) as approved by the European Commission, or on the recipient's participation in an adequate transfer framework. For users in Japan, we provide notice per APPI Article 28 regarding cross-border transfers to countries that may not have equivalent data protection standards. For users in South Korea, we provide notice per PIPA regarding overseas transfer of personal information.
9. Data Retention
Account data: retained while your account is active. Following verification of a deletion request, account data is removed within a reasonable timeframe. Encrypted platform backups may retain copies for a short period (typically up to 7 days) before automatic purging.
Session metadata and scripts: retained while your account is active and removed when your account is deleted.
Server-stored audio: retained while the associated session exists. Removed when you delete a session or your account.
Device-cached audio: stored on your device only and cleared when you sign out or clear your browser data.
Payment records: retained by Stripe per its policies and applicable tax law requirements (up to 7 years). We retain Stripe customer and subscription identifiers in our database until account deletion.
Crisis events: retained while your account is active and removed when your account is deleted.
Analytics data: retained by PostHog and Vercel according to contractual terms and their published retention policies. We configure analytics settings to minimise data retention where possible.
10. Your Rights (GDPR)
If you are located in the European Economic Area, you have the following rights under the General Data Protection Regulation:
Access your personal data.
Rectify inaccurate data.
Erase your data ("right to be forgotten").
Restrict processing.
Data portability (receive your data in a structured, machine-readable format).
Object to processing based on legitimate interests.
You may exercise these rights via the self-service tools on your account page (data export and account deletion), or by emailing hello@solace.you. You may also designate an authorised agent to submit a request on your behalf; the agent must provide written proof of authorisation. We will respond to verified requests within 30 days. If we deny a request, we will explain our reasons and inform you of your right to lodge a complaint with your supervisory authority.
11. Your Rights (CCPA/CPRA)
If you are a California resident, the California Consumer Privacy Act and California Privacy Rights Act provide you with the following rights:
Right to know what personal information we collect, use, and disclose.
Right to delete your personal information.
Right to correct inaccurate personal information.
Right to opt-out of the sale or sharing of your personal information.
Right to non-discrimination for exercising your privacy rights.
We do not sell or share your personal information as defined by the CCPA. We honour Global Privacy Control (GPC) browser signals as a valid opt-out request. You may also visit our opt-out page. You may designate an authorised agent to submit requests on your behalf with written proof of authorisation. If we deny a request, you may appeal by emailing hello@solace.you.
12. Your Rights (PIPEDA)
If you are located in Canada, the Personal Information Protection and Electronic Documents Act provides you with the right to:
Access your personal information held by us.
Request correction of inaccurate information.
Challenge our compliance with these privacy principles.
To exercise these rights, contact us at hello@solace.you. You may also file a complaint with the Office of the Privacy Commissioner of Canada.
13. Your Rights (LGPD)
If you are located in Brazil, you have rights under the Lei Geral de Proteção de Dados including:
Confirmation of the existence of processing.
Access to your data.
Correction of incomplete or inaccurate data.
Anonymisation, blocking, or deletion of unnecessary data.
Data portability.
Deletion of data processed with your consent.
Information about public and private entities with which we have shared your data.
A formal Data Protection Officer (DPO) will be appointed if required by an ANPD resolution.
14. Your Rights (APPI / Japan)
If you are located in Japan, we disclose the purpose of use of your personal information at the time of collection as required by the Act on the Protection of Personal Information. Cross-border transfer consent is provided via this policy per Article 28. You have the right to request disclosure of your personal data, correction of inaccurate data, or cessation of use of your data.
15. Your Rights (PIPA / South Korea)
If you are located in South Korea, the Personal Information Protection Act provides you with the right to access your personal data, correct inaccuracies, suspend processing, and request deletion. We collect consent for analytics via our cookie banner. A domestic representative will be designated if required by applicable regulations.
16. Your Rights (Australia Privacy Act)
If you are located in Australia, you have the right to access and correct your personal information under the Privacy Act 1988. We do not use automated decision-making that produces legal or similarly significant effects on individuals. Complaints regarding our handling of your personal information may be directed to the Office of the Australian Information Commissioner (OAIC).
17. Children's Privacy
Solace is not intended for persons under 16 years of age. We do not knowingly collect personal information from anyone under 16. If we learn that we have collected data from a person under 16, we will delete the account and associated data promptly.
18. Automated Decision-Making
Our AI systems generate meditation content (scripts and voice narration) based on your preferences. This content generation is the core function of the Service and does not constitute automated decision-making that produces legal or similarly significant effects on you.
Our safety classifier automatically screens user inputs for crisis-related content. When triggered, it displays crisis resources and records the event. This classifier is a protective measure and does not restrict your access to the Service beyond that individual request.
Neither system constitutes automated decision-making under GDPR Article 22, CCPA automated decision-making technology (ADMT) provisions, or Australian ADM rules.
19. Do Not Track / Global Privacy Control
We honour Do Not Track (DNT) and Global Privacy Control (GPC) browser signals. When either signal is detected, analytics are automatically declined and analytics scripts are not loaded. No additional action is required on your part.
20. Data Security
We implement the following security measures: all connections to the Service are encrypted via HTTPS/TLS. Data is encrypted at rest in our database and file storage. Row-level security (RLS) policies are enforced on all database tables to ensure users can only access their own data. Audio files are accessible only via time-limited signed URLs. All API endpoints are protected by rate limiting and input validation. We employ a Content Security Policy to restrict browser-side network requests. We review our dependencies for known vulnerabilities.
No system is perfectly secure. We cannot guarantee absolute security but we take reasonable and appropriate measures to protect your data.
21. Data Protection Assessment
Solace processes general wellness information such as meditation preferences (feeling, goal, and duration). Users may voluntarily include information about their emotional or mental state when describing how they feel. Such information is processed solely to provide the Service and is not used for profiling, advertising, or automated decisions with legal or similarly significant effects. We do not conduct large-scale systematic monitoring of individuals. Based on this assessment, a formal Data Protection Officer (DPO) is not currently required. Privacy inquiries may be directed to hello@solace.you.
23. Changes to This Policy
We may update this Privacy Policy from time to time. If we make material changes, we will update the effective date at the top of this page and, where practicable, provide notice through the Service. Your continued use of the Service after changes are posted constitutes acceptance of the updated policy.
24. Contact
If you have questions about this Privacy Policy or your data, please contact Aevum AI Inc. at hello@solace.you.