Privacy Policy

Detailed In Design LLC ("Company," "we," "us," or "our"), an Indiana Limited Liability Company, operates the SolaceSentry platform, an AI-powered violation detection service for safety-critical systems. This Privacy Policy describes how we collect, use, disclose, and protect your personal data when you visit our websites at solacesentry.com and api.solacesentry.com, use our API services, or otherwise interact with our platform (collectively, the "Service").

This Privacy Policy is designed to comply with the Indiana Consumer Data Protection Act (Indiana Code 24-15, "ICDPA"), which took effect on January 1, 2026, as well as other applicable privacy laws. Regardless of whether the ICDPA thresholds apply to our current operations, we proactively comply with its requirements as a demonstration of our commitment to data privacy and consumer protection.

By accessing or using the Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our practices, please do not use the Service.

• "Personal Data" means any information that is linked or reasonably linkable to an identified or identifiable individual, as defined by the ICDPA.
• "Consumer" means an individual who is an Indiana resident acting in an individual or household context. It does not include an individual acting in a commercial or employment context.
• "Sensitive Data" means personal data that includes data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, citizenship or immigration status; genetic or biometric data processed to identify a specific individual; personal data collected from a known child; or precise geolocation data.
• "Observation Data" means the structured data payloads that customers submit to our API for violation detection analysis. This data is defined and controlled entirely by the customer and may include data from healthcare, financial, autonomous, or other safety-critical domains.
• "Controller" means the entity that determines the purposes and means of processing personal data. For personal data of our customers and website visitors, Detailed In Design LLC is the controller.
• "Processor" means an entity that processes personal data on behalf of a controller. For customer Observation Data, Detailed In Design LLC acts as a processor on behalf of the customer (the controller).

We collect the following categories of personal data:

We process personal data for the following purposes:

• Service Delivery: To provide, maintain, and operate the SolaceSentry violation detection service, including processing Observation Data through our AI models and returning analysis results.
• Account Management: To create and manage your account, authenticate your identity, and manage your subscription and billing.
• Payment Processing: To process payments, manage subscriptions, and handle billing inquiries through our payment processor, Stripe.
• Customer Support: To respond to support requests, troubleshoot issues, and provide technical assistance.
• Security and Fraud Prevention: To detect, prevent, and respond to security incidents, fraud, and abuse. This includes monitoring API usage patterns, rate limiting, and maintaining audit logs.
• Service Improvement: To analyze aggregated, de-identified usage data to improve the performance, reliability, and accuracy of our violation detection models.
• Legal Compliance: To comply with applicable laws, regulations, legal processes, or enforceable governmental requests.
• Communications: To send transactional messages related to your account (e.g., billing receipts, security alerts, service updates). We do not send marketing emails without your explicit consent.

Under the ICDPA, processing of Sensitive Data requires opt-in consent from the consumer.

SolaceSentry does not intentionally collect Sensitive Data (as defined under the ICDPA) for our own purposes. We do not collect racial or ethnic origin, religious beliefs, sexual orientation, citizenship status, genetic data, biometric data, or precise geolocation data from our customers or website visitors.

However, our customers may submit Observation Data through the API that contains health-related information, financial data, or other sensitive information depending on their use case and domain. In these scenarios:

• The customer acts as the Controller of that Observation Data and is responsible for obtaining any required consent from their own end users.
• Detailed In Design LLC acts as a Processor on behalf of the customer, processing Observation Data solely for the purpose of providing the contracted violation detection service.
• We process customer Observation Data only as directed by the customer and do not use it for any other purpose, including model training, advertising, or sale to third parties.
• Enterprise tier customers handling protected health information (PHI) may enter into a Business Associate Agreement (BAA) with us. See Section 16 for details.

We use the following cookies, all of which are strictly necessary for the operation of the Service:

We do not use analytics cookies, advertising cookies, tracking pixels, or any third-party tracking technologies. We do not participate in cross-site tracking or behavioral advertising.

We share personal data with the following categories of third-party service providers, solely to the extent necessary to operate the Service:

We require all third-party service providers to protect personal data in accordance with applicable law and our contractual requirements. We do not authorize these providers to use personal data for their own purposes.

Customer Observation Data is processed exclusively for the contracted violation detection service. It is not used for model training on other customers' data, not shared with other customers, and not monetized in any way.

We retain personal data only for as long as necessary to fulfill the purposes described in this policy, or as required by law.

When data reaches the end of its retention period, it is securely deleted or irreversibly de-identified. Upon account deletion, we initiate a 30-day grace period during which you may request account restoration. After 30 days, all personal data associated with your account is permanently deleted.

We implement technical and organizational measures designed to protect personal data against unauthorized access, alteration, disclosure, or destruction. These measures include:

• Encryption in Transit: All data transmitted between your systems and ours is encrypted using TLS 1.2 or higher.
• Encryption at Rest: All data stored on our servers is encrypted at rest using industry-standard encryption algorithms.
• API Key Security: API keys are hashed using SHA-256 before storage. We never store plaintext API keys after initial issuance.
• Sensitive Field Encryption: Sensitive database fields are encrypted using Fernet symmetric encryption (AES-128-CBC with HMAC-SHA256).
• Authentication: JWT-based authentication with HttpOnly, Secure cookies. Passwords are hashed using bcrypt.
• Rate Limiting: Per-tenant token bucket rate limiting to prevent abuse and ensure service availability.
• Access Controls: Role-based access controls and the principle of least privilege for internal access to systems and data.
• Audit Logging: Comprehensive audit logging of all administrative actions and data access.

While we implement strong security measures, no method of electronic storage or transmission is 100% secure. We cannot guarantee absolute security, but we are committed to protecting your data to the best of our ability and promptly addressing any security incidents.

All personal data is stored and processed in the United States, specifically in the Hetzner Falkenstein (Germany) and Helsinki (Finland) data center regions within the European Union. We do not transfer personal data outside of the EU/EEA unless required to do so by a third-party service provider (e.g., Stripe may process payment data in data centers located in other jurisdictions in accordance with their privacy policy).

If you are accessing the Service from outside the United States, please be aware that your data will be transferred to and processed in the United States. By using the Service, you consent to this transfer.

Under the Indiana Consumer Data Protection Act (ICDPA), Indiana consumers have the following rights with respect to their personal data. We extend these rights to all of our users, regardless of their state of residence.

To exercise any of your consumer rights, you may submit a request through any of the following methods:

• Email: Send a request to support@solacesentry.com with the subject line "Privacy Rights Request."
• Portal: Log in to your account and navigate to Profile settings, where you can update, export, or request deletion of your data.
• Support Ticket: Submit a support ticket through the portal with the category "Privacy."

Verification: To protect your privacy, we will verify your identity before fulfilling any request. We may ask you to confirm information associated with your account (e.g., your email address). If we cannot verify your identity, we may deny the request and explain why.

Authorized Agents: You may designate an authorized agent to submit a request on your behalf. The agent must provide written proof of authorization, and we may still require you to verify your identity directly.

Response Time: We will respond to verified requests within 45 calendar days of receipt. If we require additional time due to the complexity of the request or volume of requests, we will notify you of the extension within the initial 45-day period. The total response period will not exceed 90 calendar days from the date of receipt.

Cost: We will not charge a fee to process or respond to your request unless the request is manifestly unfounded or excessive. If we determine that a request is manifestly unfounded or excessive, we may charge a reasonable fee or decline to act on the request, and will explain our reasoning.

If we decline to take action on your consumer rights request, you have the right to appeal our decision. To appeal:

1. Send an email to support@solacesentry.com with the subject line "Privacy Rights Appeal" within 30 days of receiving our decision.
2. Include your original request, the date of our response, and the reason you believe our decision was incorrect.
3. We will review your appeal and respond within 60 days of receipt.
4. Our response will include a written explanation of our decision, including the reasons for our determination.

If your appeal is denied and you believe we have violated the ICDPA, you may file a complaint with the Indiana Attorney General:

The ICDPA provides consumers with the right to opt out of three specific types of data processing. We provide the following information about each:

Despite the above, if you wish to submit a formal opt-out request for any of these categories, you may do so by emailing support@solacesentry.com with the subject line "Opt-Out Request." We will acknowledge your request and confirm that the specified processing activity is not being conducted.

We also recognize and will honor universal opt-out mechanisms, including the Global Privacy Control (GPC) signal, as required by applicable law.

SolaceSentry is designed to serve safety-critical domains, including healthcare. If your use of the Service involves Protected Health Information (PHI) as defined by the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the following applies:

• SolaceSentry is built to HIPAA-compliant standards, including encryption at rest and in transit, access controls, audit logging, and secure data handling procedures.
• A Business Associate Agreement (BAA) is available for customers on the Enterprise tier. The BAA defines our obligations as a Business Associate under HIPAA and HITECH.
• Customers on the Shared and Dedicated tiers should not submit PHI unless they upgrade to Enterprise and execute a BAA.
• It is the customer's responsibility to determine whether their data constitutes PHI and to enter into a BAA before transmitting PHI to our Service.

To request a BAA, contact support@solacesentry.com.

The Service is a business-to-business platform designed for use by organizations and their authorized personnel. It is not directed at individuals under the age of 16.

We do not knowingly collect personal data from children under 16. If we become aware that we have collected personal data from a child under 16, we will promptly delete such data. If you believe we have inadvertently collected data from a child under 16, please contact us immediately at support@solacesentry.com.

This is consistent with our obligations under the Children's Online Privacy Protection Act (COPPA) and the ICDPA's heightened protections for data collected from known children.

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors.

Material Changes: For any material changes to this Privacy Policy, we will provide notice at least 30 days before the changes take effect. Notice will be provided via:

• Email notification to the address associated with your account
• A prominent notice on our website and within the portal dashboard

Non-Material Changes: For non-material changes (e.g., formatting, clarifications that do not alter the substance), we will update the "Last Updated" date at the top of this page.

Your continued use of the Service after the effective date of any changes constitutes your acceptance of the updated Privacy Policy. If you do not agree with the changes, you should discontinue use of the Service and request deletion of your account.

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

For privacy-specific requests, please use the subject line "Privacy Inquiry" in your email to ensure prompt routing to the appropriate team.