Privacy Policy
Last updated: April 18, 2026
Sollos 3 (“we”, “us”, “our”) provides operations software for cleaning companies. This privacy policy describes what personal information we collect, how we use it, and the choices you have. We treat customer data as a liability — we collect the minimum needed to run the product and nothing more.
1. What we collect
- Account data — your name, email address, password hash, and the organization name you choose during sign-up.
- Operational data — clients, bookings, invoices, estimates, employees, freelancer contacts, chat messages, timesheets, and other records you enter into the product.
- Field data — clock-in / clock-out timestamps and, with your consent, the GPS coordinates captured at clock-in for verification purposes.
- Payment data — when billing is enabled, payment information is collected and processed directly by Stripe. We do not store credit card numbers on our servers.
- Usage and diagnostic data — error reports and basic application performance metrics collected via Sentry. We do not use third-party analytics, advertising trackers, or cookies for profiling.
2. How we use your data
We use the information we collect to:
- Provide, maintain, and improve the Sollos 3 service.
- Authenticate your identity and enforce access controls within your organization.
- Send transactional emails (password resets, booking confirmations, invoice delivery).
- Send SMS notifications to freelancer contacts when a shift offer is broadcast (via Twilio, when enabled by the organization admin).
- Diagnose and fix bugs, outages, and performance issues.
- Comply with legal obligations and respond to lawful requests.
We do not sell your data, share it with advertisers, or use it to train any machine learning model.
3. Google user data disclosure
Sollos 3 offers an optional Google Calendar integration. When you choose to connect your Google account, we request access to the following scopes:
calendar.events— to read your existing Google Calendar events and display them alongside your Sollos 3 bookings, and to create calendar events for confirmed bookings.
How we use Google Calendar data:
- We read your calendar events to display them as an overlay in the Sollos 3 calendar view, so you can see personal and work events in one place.
- We create events in your Google Calendar when bookings are confirmed, so your schedule stays in sync.
- We store your Google OAuth refresh token (encrypted) in our database so the integration stays connected between sessions.
What we do NOT do with Google data:
- We do not share your Google Calendar data with any third party.
- We do not use your Google Calendar data for advertising, profiling, or any purpose other than the calendar sync feature described above.
- We do not store the contents of your Google Calendar events in our database — they are fetched in real time and displayed only during your active session.
- We do not transfer your Google data to any AI or machine learning model.
You can disconnect Google Calendar at any time from Settings → Integrationsin Sollos 3. When you disconnect, we immediately delete your stored OAuth tokens. Sollos 3’s use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
4. Data isolation
Sollos 3 is a multi-tenant application. Each customer’s data is logically isolated using Postgres row-level security (RLS) policies. Every database query is automatically scoped to your organization — it is not possible for one customer to access another customer’s data through the application.
5. Sub-processors
We use the following third-party services to operate Sollos 3:
| Provider | Purpose | Data processed |
|---|---|---|
| Supabase | Database, auth, file storage, realtime | All operational data |
| Vercel | Application hosting, edge network | HTTP requests, server logs |
| Sentry | Error tracking | Stack traces, browser metadata |
| Resend | Transactional email | Recipient email, message content |
| Stripe | Payment processing | Payment details (PCI-compliant) |
| Twilio | SMS delivery (freelancer bench) | Phone numbers, message content |
| Calendar sync (optional) | OAuth tokens, calendar event data |
6. Cookies
Sollos 3 uses only essential cookies required for authentication and session management. We do not use tracking cookies, advertising cookies, or any third-party cookie-based analytics.
7. Security safeguards
We protect your data with defenses at the database, network, and application layers:
- Tenant isolation enforced by Postgres row-level security — one customer’s data cannot be read by another, even in the event of an application-layer bug.
- TLS 1.2+ in transit; AES-256 encryption at rest for database and file storage.
- Third-party OAuth tokens (Stripe, Google Calendar, Sage) are additionally encrypted with AES-256-GCM before storage using a platform-held key.
- Every Stripe webhook is cryptographically signature-verified and idempotently deduplicated.
- Rate limiting on every public token URL and auth endpoint to prevent brute-force enumeration and credential stuffing.
- Payment card data never touches our servers — Stripe Checkout handles all card processing.
- Append-only audit log of sensitive mutations (payroll, invoice voids, role changes, deletions).
The full list of safeguards, including what we don’t yet claim (e.g. SOC 2 certification), is maintained on our Security page.
8. Data retention
Customer data is retained for the life of the account. When an organization owner schedules deletion from Settings → Your data, the account enters a 30-day grace window during which the owner can cancel with zero data loss. After the window elapses, every row and file is permanently wiped and the organization record becomes a tombstone (retained only to prevent id reuse). Daily database backups rotate on a 7-day cycle.
9. Your rights
Depending on your jurisdiction, you may have the right to:
- Access a copy of the personal data we hold about you.
- Correct inaccurate personal data.
- Request deletion of your data (subject to legal retention requirements).
- Object to or restrict certain processing activities.
- Export your data in a structured, machine-readable format.
Organization owners can self-serve both export and deletion from Settings → Your data in the Sollos app — no email required. The export produces a single JSON bundle containing every row your organization owns. Deletion uses the 30-day grace window described above. For any right not covered by the self-serve UI, or if you are a client or employee contacting us about data held by a Sollos customer, email privacy@sollos3.com. We will respond within 30 days.
10. Children’s privacy
Sollos 3 is a business-to-business product. We do not knowingly collect personal information from anyone under the age of 16. If we learn that we have collected data from a child, we will delete it promptly.
11. Changes to this policy
We may update this privacy policy from time to time. Material changes will be announced by email and inside the product at least 30 days before they take effect. The “last updated” date at the top of this page reflects the most recent revision.
12. Contact us
If you have questions about this privacy policy or our data practices, contact us at:
- Email: privacy@sollos3.com
- Website: sollos3.com