Privacy Policy
solaerp collects only the staff and scheduling information needed to run schedules and send email and SMS notifications, isolates each business's data with database-level Row-Level Security, never sells personal information, and processes staff data on behalf of the employing business.
Last updated June 5, 2026
In Short
solaerp is a self-hosted staff-scheduling tool for small service businesses. Each business (the "Customer") uses solaerp to build schedules and notify its staff by email and SMS. We collect the information needed to run scheduling and notifications, and nothing more.
- We do NOT sell your personal information.
- We do NOT run advertising networks or use advertising or third-party tracking cookies.
- Sign-in is passwordless — we email a magic link and store no passwords.
- Each business's data is strictly isolated in the database using Row-Level Security.
- SMS messages are sent and received through Twilio, our SMS subprocessor; email is sent through the operator's own mail server.
- Data is hosted on the operator's own servers in the United States.
- There is a 14-day free trial with no credit card required, and we do not process online payments or store payment card data.
Who This Policy Covers
This Privacy Policy explains how Solaerp LLC ("we," "us," or "solaerp") handles personal information in connection with the solaerp service and the solaerp.com site. It applies to the businesses that use solaerp (each a "Customer"), to the staff members those Customers add to the service, and to visitors of our website.
Because solaerp is a tool that businesses use to manage their own staff, much of the personal data in the service belongs to a Customer's employees and is handled on that Customer's behalf and instructions. The "Controller and Processor Roles" section explains this relationship in detail.
Information We Collect
We collect only the categories of information needed to operate scheduling, send notifications, secure the service, and provide support. These categories are:
Business and account information
Details about the Customer business and its account, such as business name and the account-level contact information used to set up and administer the service.
Staff records
Information about a Customer's employees that the Customer adds to the service: name, work email address, mobile phone number, and job role.
Schedules and work assignments
Published and draft schedules, recurring shift rules, shift swaps, open-shift offers and claims, shift confirmations, and the work assignments connecting staff to shifts. For dental Customers this includes operatory/chair coverage and dentist-assistant pairing information.
Dental credentials and expiry dates
For dental Customers, credential and license records and their expiry dates, used to track credentials and send expiry reminders.
SMS and email message content and delivery logs
The content of notifications we send — schedule-published alerts, shift reminders, two-way shift-confirmation requests and the replies that confirm them, open-shift offers and claims, and time-sensitive coverage or call-out alerts — together with delivery-status logs for those messages.
Authentication and session data
Information used to sign you in and keep you signed in. Sign-in is passwordless: we email a magic link, and we do not collect or store passwords. Sessions are stored server-side in our database.
Server and usage logs
Minimal technical logs kept for security and reliability, such as IP addresses and timestamps.
How We Use Information
We use the information described above to:
- Operate the scheduling service — build, publish, and manage schedules, recurring shift rules, shift swaps, the open-shift marketplace, and dental coverage and pairing features.
- Send notifications by email and SMS, including schedule-published alerts, shift reminders, two-way shift-confirmation requests, open-shift offers and claims, and time-sensitive coverage or call-out alerts.
- Provide labor-law warning hints (such as overtime or break flags). These hints are informational only and are not legal advice.
- Track dental credentials and licenses and send expiry reminders.
- Authenticate users through passwordless magic-link sign-in and maintain server-side sessions.
- Keep the service secure and maintain an append-only audit and version history of changes.
- Provide customer support and respond to requests.
- Maintain reliability, including database backups and troubleshooting.
Why We Process Information (Legal Bases)
Where a legal basis is required, we rely on the following grounds for processing personal data:
- To perform the service for the Customer under our agreement with that Customer.
- On the instructions of the business, where we process staff personal data on the Customer's behalf as its processor.
- With consent, for SMS messaging — recipients consent to receive text messages, and may opt out as described in the SMS Messaging Policy.
- Legitimate interests, for keeping the service secure, preventing abuse, maintaining audit history, and operating reliably.
Controller and Processor Roles
When a business uses solaerp to manage its staff, that business is the controller of its employees' personal data — it decides what staff data to enter and how it is used. solaerp acts as a processor: we handle that data on the business's behalf and on its instructions, to provide the service.
Because of this relationship, staff members typically exercise their data rights — such as access, correction, and deletion — through their employing business. If you are a staff member, contact your employer first. If we receive a request directly from a staff member, we may refer it to, or coordinate with, the employing Customer.
We act as a controller for the limited information we manage in our own right, such as account administration with the Customer, security and server logs, and communications with the Customer about the service.
SMS Messaging
solaerp uses two-way SMS to send schedule-published alerts, shift reminders, shift-confirmation requests (which staff reply to in order to confirm), open-shift offers and claims, and time-sensitive coverage or call-out alerts. Text messages are sent and received through Twilio, our SMS subprocessor.
Details about how SMS works, consent, opt-out, message frequency, and carrier disclosures are described in our SMS Messaging Policy.
- SMS Messaging Policy
- /legal/sms
Security
We design solaerp to protect Customer data. Our security measures include:
- Per-tenant isolation using PostgreSQL Row-Level Security, so each Customer's data is strictly separated at the database level.
- A database role that cannot bypass Row-Level Security, so the application cannot read across tenants.
- Encryption in transit using TLS / HTTPS.
- An append-only audit and version history, recorded by database triggers, so changes are tracked.
- Nightly database backups (pg_dump).
- Access controls limiting who can access systems and data.
Data Retention
We keep personal information while the account is active and for as long as needed to provide the service. We may also retain information as needed for legal or operational reasons, such as to comply with legal obligations, resolve disputes, maintain security, and preserve audit history.
We delete or return personal data on request or upon account termination, subject to those legal and operational needs. Backups are rotated as part of our normal backup process, and data in backups is removed as backups age out of rotation.
Your Choices and Rights
Depending on where you live and your relationship to solaerp, you may have rights to access, correct, delete, or export your personal information.
- Access — request a copy of the personal information we hold about you.
- Correction — request that inaccurate information be corrected.
- Deletion — request deletion of your personal information.
- Export — request a portable copy of your information.
If you are a staff member, your employer is the controller of your data, so these rights are generally exercised through your employer — contact your employer first to make a request. Where we receive a request directly, we will assist the employing Customer in responding to it.
We do not sell personal information. Consistent with the California Consumer Privacy Act and similar United States privacy laws, we have not sold and do not sell personal information, and we do not share it for cross-context behavioral advertising.
To make a privacy request or ask a question about this policy, contact us at privacy@solaerp.com.
Children and Age Restrictions
solaerp is a workplace tool intended for businesses and their staff. It is not directed to children, and we do not knowingly collect personal information from children. If you believe a child's information has been provided to us, please contact privacy@solaerp.com so we can address it and delete it where appropriate.
International Users and United States Hosting
solaerp is self-hosted on the operator's own servers located in the United States. If you access the service from outside the United States, your information will be processed and stored in the United States, where data-protection laws may differ from those in your location. By using the service, you understand that your information will be handled as described in this policy.
Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will update the policy on solaerp.com. This policy is governed by the laws of the State of Florida, without regard to its conflict-of-laws rules.
Contact Us
If you have questions about this Privacy Policy or how we handle personal information, contact us:
- Privacy inquiries
- privacy@solaerp.com
- Support
- support@solaerp.com
- Mailing address
- Hialeah, Florida, United States