SOLAI FINANCIAL GROUP

Privacy Policy

Effective Date: March 16, 2026  |  Last Updated: March 16, 2026

Table of Contents

  1. Introduction
  2. Scope of This Policy
  3. Information We Collect
  4. How We Use Your Information
  5. How We Share Your Information
  6. HIPAA Compliance & Protected Health Information
  7. Data Security
  8. Data Retention
  9. Your California Privacy Rights (CCPA/CPRA)
  10. Financial Privacy (GLBA & CFIPA)
  11. Cookies & Tracking Technologies
  12. Third-Party Links & Services
  13. Children's Privacy
  14. Changes to This Policy
  15. Contact Us

1. Introduction

Solai Financial Group ("Solai," "we," "us," or "our") is a healthcare financial consulting firm based in San Diego, California, serving dental and healthcare practices. We provide bookkeeping, financial consulting, process automation, Power BI reporting, advanced Excel modeling, and QuickBooks optimization services.

We are committed to protecting the privacy and security of all personal information and protected health information ("PHI") entrusted to us. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website, use our Client Portal, or engage our professional services.

By accessing our website or engaging our services, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with the practices described herein, please do not use our website or services.

2. Scope of This Policy

This Privacy Policy applies to:

  • Our website at solaifinancial.com and all associated web pages
  • Our SharePoint-based Client Portal
  • All professional services we provide, including bookkeeping, financial consulting, automation, and reporting
  • All communications between you and Solai Financial Group, including email, phone, and portal-based messaging

Important Distinction: This Privacy Policy governs how we handle information collected through our website and professional services. Where we act as a Business Associate under HIPAA, your rights regarding Protected Health Information are additionally governed by the Business Associate Agreement ("BAA") executed between Solai Financial Group and your covered entity. In the event of a conflict between this Privacy Policy and a BAA, the BAA shall control with respect to PHI.

3. Information We Collect

3.1 Information You Provide Directly

  • Contact information: Name, email address, phone number, mailing address, and practice name when you contact us, request a consultation, or engage our services
  • Business and financial information: Financial statements, bank and credit card transaction data, payroll records, accounts payable/receivable data, tax documents, insurance reimbursement records, vendor invoices, and other financial data necessary to perform our services
  • Practice management data: Production reports, collection reports, scheduling data, payer mix data, and other operational data from your practice management software (e.g., Eaglesoft, Dentrix, Open Dental)
  • Client Portal information: Documents, messages, task requests, and other information you submit through our SharePoint Client Portal
  • Communication records: Emails, phone call notes, meeting notes, and other correspondence related to our services

3.2 Information Collected Automatically

When you visit our website, we may automatically collect:

  • Device and browser information: IP address, browser type and version, operating system, device type, and screen resolution
  • Usage data: Pages visited, time spent on pages, referring URL, and navigation paths
  • Cookies and similar technologies: As described in Section 11 below

3.3 Information from Third Parties

We may receive information about you from:

  • Your accounting software providers (e.g., QuickBooks, Xero) when you authorize integrations
  • Your practice management software when you provide data exports or authorize access
  • Your banking institutions when you authorize bank feed connections
  • Your payroll providers (e.g., Gusto, ADP) when you authorize data sharing
  • Referring professionals, such as your CPA, attorney, or practice management consultant

4. How We Use Your Information

We use the information we collect for the following business purposes:

  • Service delivery: Performing bookkeeping, financial consulting, reporting, and automation services as described in your engagement agreement
  • Financial analysis and reporting: Preparing financial statements, KPI dashboards, Power BI reports, cash flow forecasts, insurance reimbursement analyses, and other financial deliverables
  • Communication: Responding to your inquiries, providing service updates, delivering monthly summaries, and conducting review calls
  • Client Portal operations: Facilitating document sharing, task management, and secure communication through our SharePoint Client Portal
  • Compliance: Meeting our legal, regulatory, and professional obligations, including HIPAA, tax reporting, and anti-fraud requirements
  • Service improvement: Analyzing how our website and services are used to improve our offerings, optimize workflows, and develop new service features
  • Business operations: Managing our engagement relationships, billing, collections, and internal administrative functions

We will not use your information for purposes materially different from those described above without providing you with notice and, where required by law, obtaining your consent.

5. How We Share Your Information

We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising. We may disclose your information in the following limited circumstances:

5.1 Service Providers

We may share information with trusted third-party service providers who assist us in delivering our services, including:

  • Microsoft Corporation: Cloud hosting, SharePoint Client Portal, Microsoft 365 applications, and Power BI services (governed by the Microsoft Data Processing Agreement)
  • Intuit Inc.: QuickBooks Online accounting software for clients using our bookkeeping services
  • Payment processors: For billing and fee collection purposes

All service providers are contractually obligated to use your information only to perform services on our behalf and to maintain appropriate confidentiality and security measures.

5.2 Professional Advisors

We may share information with your other professional advisors (e.g., CPA, tax attorney, practice management consultant) only when you authorize us to do so or when collaboration is necessary to perform the services described in your engagement agreement.

5.3 Legal Requirements

We may disclose your information when required by law, regulation, legal process, or governmental request, including:

  • Court orders or subpoenas
  • Tax authority inquiries (IRS, California FTB, EDD)
  • Regulatory examinations or audits
  • To protect the rights, property, or safety of Solai Financial Group, our clients, or others

5.4 Business Transfers

In the event of a merger, acquisition, or sale of all or a portion of our assets, your information may be transferred as part of that transaction. We will notify you via email and/or a prominent notice on our website of any such change in ownership or control of your personal information.

6. HIPAA Compliance & Protected Health Information

Solai Financial Group acts as a Business Associate under the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") and the Health Information Technology for Economic and Clinical Health Act ("HITECH"). We understand the sensitive nature of healthcare financial data and maintain rigorous safeguards to protect Protected Health Information.

6.1 Business Associate Obligations

When we provide services to covered entities (dental practices, healthcare providers, health plans), we execute a Business Associate Agreement ("BAA") that governs our permitted uses and disclosures of PHI. We use and disclose PHI only as permitted or required by our BAAs and applicable law.

6.2 PHI Safeguards

We implement and maintain administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of electronic PHI ("ePHI"), including:

  • Administrative safeguards: Written HIPAA policies and procedures, workforce training on PHI handling, designated privacy and security officer, sanctions policy for violations, and regular risk assessments
  • Physical safeguards: Controlled access to workstations and devices that process ePHI, secure disposal of physical media, and facility access controls
  • Technical safeguards: Encryption of ePHI at rest and in transit, multi-factor authentication for systems containing PHI, access controls limiting PHI access to authorized personnel, audit logging and monitoring, and automatic session timeouts

6.3 Minimum Necessary Standard

We apply the minimum necessary standard to all uses and disclosures of PHI. We access, use, and disclose only the minimum amount of PHI necessary to accomplish the intended purpose of the use or disclosure.

6.4 De-Identification Practices

Where financial analysis and reporting do not require individually identifiable health information, we implement de-identification protocols. For example, during QuickBooks migrations and ongoing bookkeeping, we structure charts of accounts and transaction records so that financial reporting remains accurate without storing PHI in accounting systems that are not HIPAA-compliant (such as QuickBooks Online, which does not execute BAAs).

6.5 Subcontractors

Any subcontractors who may access PHI on our behalf are required to execute Business Associate Agreements with us and to implement safeguards that are no less rigorous than our own.

6.6 Breach Notification

In the event of a breach of unsecured PHI, we will notify the affected covered entity without unreasonable delay and no later than the timeframe specified in the applicable BAA (and in no event later than 60 calendar days from discovery of the breach), in accordance with 45 CFR §§ 164.400–414. Our notification will include the identification of each individual whose unsecured PHI has been, or is reasonably believed to have been, breached, as well as any other information required by HIPAA and HITECH.

6.7 Individual Rights

To the extent that we maintain PHI on behalf of a covered entity, we will cooperate with the covered entity to facilitate the exercise of individuals' rights under HIPAA, including rights of access, amendment, accounting of disclosures, and restrictions on use and disclosure, as required by our BAAs.

7. Data Security

We implement and maintain a comprehensive information security program designed to protect the confidentiality, integrity, and availability of all client information. Our security measures include:

  • Encryption of data in transit (TLS 1.2+) and at rest (AES-256 or equivalent)
  • Multi-factor authentication for all systems containing client data
  • Role-based access controls limiting data access to authorized personnel on a need-to-know basis
  • Regular security assessments and vulnerability scanning
  • Endpoint protection including antivirus, anti-malware, and device encryption
  • Secure cloud infrastructure through Microsoft 365 and Azure (SOC 2 Type II, ISO 27001, HITRUST CSF certified)
  • Employee security awareness training
  • Incident response plan with defined procedures for identifying, containing, and remediating security incidents
  • Secure disposal of data and media when no longer needed

While we implement rigorous safeguards, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security, but we are committed to maintaining industry-leading protections appropriate to the sensitivity of the information we handle.

8. Data Retention

We retain personal information and client data for as long as necessary to fulfill the purposes for which it was collected and to comply with our legal, regulatory, and professional obligations:

  • Active engagement records: Retained for the duration of our professional relationship plus seven (7) years following the termination of services, consistent with IRS record retention requirements and California professional standards
  • Financial records and work papers: Retained for a minimum of seven (7) years from the date of the applicable tax year or service period
  • Protected Health Information: Retained as required by the applicable BAA and HIPAA regulations, typically six (6) years from the date of creation or last effective date of the BAA, whichever is later
  • Website analytics data: Retained for up to twenty-four (24) months
  • Communication records: Retained for the duration of our engagement plus seven (7) years

Upon expiration of the applicable retention period, data is securely destroyed using methods appropriate to the data type and sensitivity, including secure deletion of electronic records and shredding of physical documents.

9. Your California Privacy Rights (CCPA/CPRA)

If you are a California resident, the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 ("CCPA/CPRA"), provides you with specific rights regarding your personal information.

Note: The CCPA/CPRA contains exemptions for personal information collected, processed, sold, or disclosed pursuant to the Gramm-Leach-Bliley Act (GLBA) and for certain information collected in business-to-business transactions. Some of the information we collect may fall under these exemptions. Nevertheless, Solai Financial Group voluntarily extends the following rights to all California residents with respect to non-exempt personal information.

9.1 Your Rights

Subject to applicable exemptions, California residents have the right to:

  • Right to Know: Request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources, the business purposes for collection, and the categories of third parties with whom we share your information
  • Right to Delete: Request that we delete personal information we have collected from you, subject to certain exceptions (e.g., legal and regulatory retention obligations)
  • Right to Correct: Request that we correct inaccurate personal information we maintain about you
  • Right to Opt Out of Sale/Sharing: We do not sell your personal information or share it for cross-context behavioral advertising. Therefore, there is no need to opt out
  • Right to Limit Use of Sensitive Personal Information: Where we collect sensitive personal information (such as financial account information), we use it only for purposes authorized by the CCPA/CPRA
  • Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA/CPRA rights

9.2 Exercising Your Rights

To exercise your California privacy rights, you may contact us by:

  • Email: adamatmar@solaifinancial.com
  • Phone: (619) 768-2216

We will verify your identity before processing your request. We will respond to verifiable consumer requests within forty-five (45) calendar days of receipt. If we require additional time, we will notify you of the extension and the reason for it (up to an additional 45 days).

9.3 Authorized Agents

You may designate an authorized agent to submit a request on your behalf. We may require the authorized agent to provide proof of written authorization and may independently verify your identity before processing the request.

9.4 Categories of Personal Information Collected

In the preceding twelve (12) months, we have collected the following categories of personal information as defined by the CCPA/CPRA:

  • Identifiers: Name, email address, phone number, mailing address, IP address
  • Financial information: Bank account details, credit card numbers, financial statements, tax identification numbers (collected only in the course of providing professional services)
  • Commercial information: Records of services engaged, invoicing history
  • Internet activity: Website browsing history, search history on our site, interactions with our website
  • Professional or employment-related information: Practice name, professional role, business structure
  • Sensitive personal information: Financial account information, tax identification numbers (used only for the purpose of providing professional services)

10. Financial Privacy (GLBA & CFIPA)

As a provider of financial services, Solai Financial Group complies with the Gramm-Leach-Bliley Act ("GLBA"), the FTC Safeguards Rule, and the California Financial Information Privacy Act ("CFIPA").

  • We maintain a written information security plan appropriate to the size and complexity of our firm and the sensitivity of the client data we handle
  • We do not disclose nonpublic personal financial information to non-affiliated third parties except as permitted by law (e.g., to service providers performing services on our behalf, or as required by legal process)
  • Under CFIPA, we will not share your financial information with non-affiliated third parties for their own marketing purposes without your prior explicit opt-in consent
  • You have the right to opt out of any permissible sharing of your nonpublic personal financial information with non-affiliated third parties by contacting us at the address below

11. Cookies & Tracking Technologies

Our website may use cookies and similar technologies to enhance your browsing experience:

  • Essential cookies: Required for basic website functionality, such as navigation and security. These cannot be disabled
  • Analytics cookies: Help us understand how visitors interact with our website by collecting information such as pages visited and time on site. This data is aggregated and anonymized

We do not use advertising cookies or tracking pixels for behavioral advertising purposes. We do not sell data collected through cookies. Most web browsers allow you to control cookies through browser settings. You may disable non-essential cookies at any time through your browser preferences.

12. Third-Party Links & Services

Our website and services may contain links to third-party websites or services that are not owned or controlled by Solai Financial Group, including links to Microsoft SharePoint, QuickBooks Online, and other platforms. This Privacy Policy does not apply to third-party websites or services. We encourage you to review the privacy policies of any third-party sites you visit. We are not responsible for the privacy practices of third parties.

13. Children's Privacy

Our website and services are not directed to individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have inadvertently collected personal information from a child under 18, we will promptly delete that information. If you believe we may have collected information from a child, please contact us immediately.

14. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make material changes, we will update the "Last Updated" date at the top of this page and, where appropriate, provide additional notice (such as a notice on our website or an email notification to active clients). We encourage you to review this Privacy Policy periodically.

15. Contact Us

If you have questions or concerns about this Privacy Policy or our privacy practices, or wish to exercise any of your privacy rights, please contact us:

Solai Financial Group
San Diego, California
Email: adamatmar@solaifinancial.com
Phone: (619) 768-2216

For HIPAA-related inquiries or to report a potential privacy or security concern involving Protected Health Information, please contact us at the email or phone number above with the subject line "HIPAA Privacy Inquiry."

© 2026 Solai Financial Group. All rights reserved.