Privacy policy

Last updated: April 26, 2026

Your patients confide in you what is most intimate. Solva protects that silence the way you do: never transmitted, never reused, no exceptions. No call, no message ever feeds a public AI model.

1. Data controller

Solva — sole proprietorship (auto-entrepreneur regime) operated by Théo Sanz.
Registered address: 253 rue Hippolyte Fizeau, 34000 Montpellier, France.
SIREN: 944 511 930 · SIRET: 944 511 930 00017.
For data collected through this website (contact form, analytical cookies), Solva acts as data controller.

For health data processed within the Solva service (calls, transcripts, appointments), Solva acts as processor on behalf of the customer practice, which remains data controller under article 28 of the GDPR.

2. Data protection contact

Solva is not required to appoint a Data Protection Officer (DPO) given its current structure, but remains fully committed to GDPR compliance. For any question regarding your personal data or to exercise your rights:

Email: contact@getsolva.fr
Reply within 30 days maximum.

3. Data collected

Through getsolva.fr:

  • Contact data you provide voluntarily: name, email, phone, practice name, team size, free-text message.
  • Browsing data collected via cookies (with consent): IP address, browser type, pages visited, traffic source, session duration.

Through the Solva service (on the customer practice side):

  • Recordings and transcripts of inbound and outbound patient calls.
  • Patient data: first name, last name, date of birth, phone number, reason for visit, medical history voluntarily shared by the patient.
  • Appointment data: date, time, practitioner, status, reminders sent.
  • Technical metadata: caller number, call duration, audio quality.

4. Legal bases for processing

In accordance with article 6 of the GDPR:

  • Contractual performance (art. 6.1.b): for delivery of the Solva service subscribed to by the practice.
  • Legitimate interest (art. 6.1.f): for B2B prospecting toward practices, service improvement, and system security.
  • Consent (art. 6.1.a): for analytical cookies and marketing communications.
  • Legal obligation (art. 6.1.c): for invoice retention, accounting, and tax compliance.

For health data specifically, processing is based on article 9.2.h of the GDPR (administrative management of healthcare by a professional bound by patient confidentiality).

5. Purposes

  • Respond to contact requests, organize demonstrations.
  • Deliver the Solva service: pick up calls, book appointments, send reminders.
  • Improve the service through aggregated and anonymized analytics.
  • Ensure system security and prevent fraud.
  • Comply with our legal, accounting, and tax obligations.

6. Hosting and data location

Health data processed by Solva (transcripts, patient records, appointment history) is hosted in France on Scalingo, a HDS-certified (Health Data Hosting) and GDPR-compliant cloud provider. Databases are encrypted at rest (AES-256) and communications encrypted in transit (TLS 1.3).

The getsolva.fr website is served by Vercel Inc. (USA); no patient data ever transits through this infrastructure. Contact data submitted via the form is encrypted in transit (TLS 1.3).

7. Processors and recipients

Solva relies on a limited set of technical processors, all contractually bound to comply with GDPR and patient confidentiality through a Data Processing Agreement (DPA):

  • Scalingo (France) — HDS hosting of health data, database, application service execution.
  • Twilio Inc. (USA / telecom operator) — routing of inbound and outbound phone calls. Transfer governed by the European Commission's Standard Contractual Clauses.
  • Deepgram Inc. (USA) — speech-to-text recognition, real-time audio stream processing. No data reuse for model training, per DPA.
  • Soniox Inc. (USA) — complementary speech recognition, same no-reuse commitments.
  • ElevenLabs Inc. (USA / United Kingdom) — text-to-speech synthesis for agent responses. Voice data not retained beyond generation time.
  • OpenAI (USA / Ireland) — language models accessed via Enterprise API with contractual zero-data-retention and no training on customer data.
  • Vercel Inc. (USA) — hosting of the getsolva.fr marketing site only (never patient data).

Transfers to processors located outside the European Union (Twilio, Deepgram, Soniox, ElevenLabs, OpenAI) are governed by the Standard Contractual Clauses (SCCs) adopted by the European Commission, complemented by technical safeguards (end-to-end encryption, data minimization, zero data retention) and organizational measures (audits, healthcare-specific DPAs).

A detailed and continuously updated list of processors is shared with the customer practice at contract signature and remains available on request at contact@getsolva.fr.

8. Retention period

  • Prospect contact data: 3 years from last contact.
  • Call recordings: 6 months maximum, unless a shorter duration is explicitly requested by the practice.
  • Transcripts and patient records: in line with medical record retention requirements (duration set with the customer practice, typically 20 years after the last consultation).
  • Billing data: 10 years (accounting and tax obligation).
  • Analytical cookies: 13 months maximum.

9. Technical and organizational security

  • Encryption in transit (TLS 1.3) and at rest (AES-256).
  • Access restricted to strictly necessary staff, with strong authentication (SSO + MFA).
  • Logging and monitoring of all access to patient data.
  • Regular security testing (annual pentests, continuous dependency scanning).
  • Daily encrypted backups, business continuity plan.
  • Continuous staff training on patient confidentiality and GDPR.

10. Your rights

Under articles 15 to 22 of the GDPR, you may at any time exercise the following rights:

  • Right of access: obtain confirmation and a copy of the data we process about you.
  • Right of rectification: have any inaccurate or incomplete data corrected.
  • Right to erasure ("right to be forgotten"): request deletion of your data, subject to legal retention obligations.
  • Right to restriction of processing.
  • Right to portability: receive your data in a structured, machine-readable format.
  • Right to object to processing, particularly for prospecting purposes.
  • Right to set post-mortem instructions regarding your data.

To exercise these rights, contact contact@getsolva.fr. Reply within 30 days maximum.

11. Complaint to the CNIL

If you believe your rights have not been respected, you may at any time file a complaint with the French Data Protection Authority (CNIL):

CNIL · 3 Place de Fontenoy · TSA 80715 · 75334 Paris Cedex 07, France
www.cnil.fr/en/plaintes

12. Cookies

The website uses two categories of cookies:

  • Strictly necessary cookies for the website to function (language preference, security). No consent required.
  • Analytical cookies (anonymized audience measurement), set only after explicit consent via the cookie banner. You may withdraw consent at any time from the footer.

No advertising cookie or marketing profiling cookie is set.

13. Minors

The Solva service is not directly intended for minors. Data of minor patients processed within the service is handled exclusively under the responsibility of the customer practice and the authority of legal representatives.

14. Changes to this policy

This policy may evolve. Any substantial change is notified by email to Solva customers at least 30 days before it takes effect, and signaled on getsolva.fr.

15. Contact

For any question regarding your data or this policy:
Email: contact@getsolva.fr
Mail: Solva, 253 rue Hippolyte Fizeau, 34000 Montpellier, France.