Privacy Policy

Effective Date: 2026-03-15

San Justo Research Corporation, operating as "soso" ("we," "us," or "our"), provides business-to-business AI automation software-as-a-service ("Services"). Our customers include healthcare organizations, for whom we process protected health information under signed agreements.

This Privacy Policy describes how we collect, use, disclose, and protect information when you use our Services or otherwise interact with us.

When we serve healthcare clients, our roles under applicable law are as follows:

Our Commitments to You

  1. Your information is kept confidential and shared only with service providers who offer equivalent security protections, and only to the extent necessary for our Services to operate.
  2. We will never sell your information or exchange it with a third party for anything of value.
  3. We use your information solely to provide our Services unless you consent otherwise.
  4. Our AI and language model providers operate under zero data retention agreements — input data is never stored after processing and is never used for model training.

1. Information We Collect

Your Information

We collect information that you provide directly to us or that is generated through your use of our Services:

Patient Information

When providing Services to healthcare clients, we process protected health information ("PHI") and personal health information on their behalf. This may include:

All patient information is processed exclusively pursuant to signed Business Associate Agreements or equivalent data processing agreements. We are not the source of truth for patient records — our customers' systems of record are authoritative.

Automatically Collected Information

Our application platform collects IP address, approximate geolocation (via ipinfo.io), browser type, and device identifiers for security purposes — including session tracking, new-device login alerts, and audit logging.

Our marketing website additionally uses PostHog (analytics and session recordings), Google Analytics, Google Tag Manager, and Mux (video analytics). These marketing analytics tools are not used on the application platform.

2. How We Use Your Information

Your Information

We use the information we collect to:

Patient Information

We use patient information solely to perform the Services on behalf of our healthcare clients, as permitted under our BAAs and applicable law. We apply the minimum necessary standard, accessing only the information reasonably necessary to accomplish the intended purpose.

Log Sanitization

Application logs and operational data pass through a Data Loss Prevention (DLP) pipeline that strips personally identifiable information before the data is stored.

3. How We Share Your Information

We share information only in the following circumstances:

We do not sell personal data as defined under the CCPA/CPRA. We do not share personal data for cross-context behavioral advertising.

4. Healthcare Privacy Compliance

HIPAA (United States)

We operate as a Business Associate under HIPAA and the HITECH Act, processing PHI solely on behalf of Covered Entity clients pursuant to signed BAAs. We maintain the administrative, physical, and technical safeguards required by the HIPAA Security Rule, including encryption, access controls, audit logging, and workforce training, and apply the minimum necessary standard to all uses and disclosures of PHI.

Breach notification. In the event of a breach of unsecured PHI, we will notify the applicable Covered Entity without unreasonable delay and no later than 60 days after discovery. PHI encrypted in accordance with HHS guidance (NIST standards) is not "unsecured PHI", so its loss or exposure qualifies for the breach notification safe harbor under HITECH, provided the decryption key was not also compromised.

Individual rights. HIPAA provides individuals with rights to access, amend, and receive an accounting of disclosures of their PHI. Because we process PHI as a Business Associate, these requests should be directed to the applicable Covered Entity; we support our clients in fulfilling them. PHI retention and disposal are governed by the applicable BAA and the Covered Entity's instructions.

PHIPA (Ontario, Canada)

Under PHIPA, we act as an Agent of Health Information Custodians (s. 17), processing personal health information only as directed by our clients. Canadian personal health information is stored within Canadian infrastructure (Google Cloud northamerica-northeast) unless the customer provides written instructions otherwise.

We maintain electronic audit logs per PHIPA s. 10.1, available to customers on request and retained for six years. In the event of a privacy breach, we will notify the applicable Health Information Custodian at the first reasonable opportunity and in any event within 48 hours of becoming aware of any theft, loss, or unauthorized use or disclosure.

PIPEDA (Canada)

Under PIPEDA, we act as a service provider processing personal information on behalf of our customers for identified purposes with meaningful consent. Our designated Privacy Officer can be reached at privacy@soso.sh.

We maintain a breach register for all incidents (minimum 24 months per the Breach of Security Safeguards Regulations, SOR/2018-64), and breaches posing a real risk of significant harm are reported to the OPC and affected individuals as soon as feasible. Where personal information is transferred across borders, we remain accountable under PIPEDA Principle 4.1.3, and service providers in other jurisdictions are bound by contractual obligations providing comparable protection.

5. Cookies and Tracking Technologies

Our marketing website uses cookies and similar technologies including PostHog (analytics and session recordings), Google Tag Manager, and Google Analytics. You can manage cookies through your browser settings; disabling them may affect site functionality.

Do-Not-Track. No uniform standard for DNT signals has been finalized. We do not currently respond to DNT browser signals.

6. Data Retention

We retain information only as necessary for our business operations, the provision of Services, and to satisfy legal requirements. At the end of the applicable retention period, information is securely deleted or de-identified.

  Data Type                               Retention Period
  Protected Health Information (PHI)      Per BAA and customer configuration
  Customer account data                   Duration of contract + 90 days
  Trial and demo data                     30 days after trial ends
  Marketing contacts                      Until opt-out or 2 years of inactivity
  Application and access logs             1 year
  Automation logs                         14 days
  Security incident records               6 years
  Financial records                       7 years
  De-identified / aggregated data         Retained indefinitely

7. Data Security

We maintain physical, technical, and administrative safeguards to protect your information, including encryption at rest and in transit, multi-factor authentication, role-based access controls, and audit logging. We are pursuing a SOC 2 Type II attestation and conduct regular security assessments.

While we employ reasonable security measures, no method of transmission over the internet or electronic storage is completely secure. We cannot guarantee absolute security of information transmitted to or stored by our Services. You are responsible for protecting your account credentials and limiting access to your devices.

8. Your Privacy Rights

You may exercise the following rights by contacting us at privacy@soso.sh:

California (CCPA/CPRA)

California residents have additional rights to know, delete, and correct their personal information, to limit the use of sensitive personal information, and to receive a disclosure of the categories of personal information we collect. We do not sell personal information, so no opt-out is necessary. You may designate an authorized agent to submit requests on your behalf. We will not discriminate against you for exercising your rights.

Canada (PIPEDA / PHIPA)

Canadian residents may access and correct personal information per PIPEDA Schedule 1, Principle 4.9 and PHIPA ss. 52–55, and may withdraw consent subject to legal or contractual restrictions. Complaints may be filed with the Office of the Privacy Commissioner of Canada or, for Ontario health data, the Information and Privacy Commissioner of Ontario.

9. General

Children's privacy. Our Services are not directed to individuals under 13, and we do not knowingly collect personal information from children under 13. If you believe a child has provided personal information to us, please contact us at privacy@soso.sh.

Third-party links. Our Services may contain links to third-party websites or services not operated by us. This Privacy Policy does not apply to those services, and we are not responsible for their privacy practices.

Changes to this policy. We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or through in-app notification.

Contact us. If you have questions or concerns, please contact us: