// Legal

  • Privacy Policy
  • Terms of Service
  • DPA template
  • Sub-processors
§ 01

Privacy Policy

Effective April 18, 2026 · Version 2.1

Sorena Health, Inc. ("Sorena", "we") provides field sales intelligence software to pharmaceutical companies. This policy describes how we handle information about visitors to our website and representatives of our customers. Customer data (prescribing records, physician lists, territory plans) is governed by our Data Processing Agreement, summarized below.

Information we collect

From the website

  • Contact details you submit through demo requests (name, email, company, role, priority markets).
  • Basic request metadata (timestamp, IP address, user agent) for security and rate limiting.
  • No advertising cookies. No third-party trackers. Analytics are self-hosted and IP-truncated.

From customer deployments

All customer data is processed under our DPA. We do not collect it for our own purposes. See DPA and Sub-processors for details.

How we use information

  • To respond to your request and schedule a demo.
  • To send a single follow-up if we haven't heard back. No drip campaigns.
  • To operate the service under our customer agreements.

Retention

Demo-request information is retained for 18 months, then deleted or anonymized. Customer data retention is specified in the applicable Master Services Agreement and DPA, typically the contract term plus 30 days for export.

Your rights

You may access, correct, delete, or port your personal data at any time. Write to privacy@sorenahealth.com. We respond within 30 days. Brazilian residents: we designate a DPO for every Brazilian deployment under LGPD Article 41, named in the country addendum to your DPA.

Changes

We post changes here with an updated effective date. Material changes are communicated to active customers in writing 30 days before they take effect.

§ 02

Terms of Service

Effective April 18, 2026 · Version 1.4

Plain language: These terms govern access to sorenahealth.com. Commercial use of the Sorena platform is governed by a separately signed Master Services Agreement (MSA) and Data Processing Agreement (DPA), not this page.

1. Acceptable use

You agree not to reverse-engineer the site, scrape content programmatically without written permission, or attempt to probe the site for vulnerabilities outside of our coordinated disclosure process at security@sorenahealth.com.

2. Intellectual property

Site content, brand marks, and product screenshots are the property of Sorena Health, Inc. You may reproduce short excerpts for analyst, press, or internal buyer-committee use with attribution.

3. No warranty (for the site)

The website is provided "as is." Product-level warranties and SLAs are contained in the MSA signed with your organization.

4. Governing law

These website terms are governed by the laws of the State of Michigan, United States. Product contracts specify their own governing law and forum, typically aligned with the customer's country of operation.

5. Contact

Questions about these terms: legal@sorenahealth.com.

§ 03

Data Processing Agreement Template

Template v3.0 · Country-specific addenda drafted during scoping

This is the summary of the DPA we execute with every customer before any production data flows. The full executable document is provided under NDA during procurement. Country-specific addenda are attached automatically based on deployment geography.

Structure at a glance

Section | Summary
Roles | Customer is Controller. Sorena is Processor. Scope of processing is limited to generating pre-visit briefings for Customer's field representatives.
Legal basis | Mapped to GDPR Art. 28 and LGPD Art. 37. Country addenda extend to LFPDPPP (MX), Ley 1581 (CO), and Ley 25.326 (AR).
Sub-processors | Listed publicly and in Schedule B. 30 days' notice before any addition or material change. Customer right to object with alternative pathway.
Security measures | Schedule C: TLS 1.3, AES-256, AWS Secrets Manager with 90d rotation, annual pen test, SOC 2 Type II on roadmap.
Training exclusion | Customer data is never used to train shared or foundation models. Provider-level clauses reinforced with Sorena's own contractual prohibition.
Breach notification | Within 24 hours of confirmation. Post-mortem within 5 business days. Regulator notifications at Customer's direction.
Termination | Customer receives CSV export of all generated briefings within 30 days. Full tenant deletion with signed certificate from Sorena's CISO.
Audit rights | Annual customer audit or reliance on Sorena's independent attestation. Reasonable-notice access to logs and environment metadata.

Request the full template: To receive the executable DPA, redline-ready in Word format, email legal@sorenahealth.com or request the security pack.

§ 04

Sub-processors

Last updated April 18, 2026 · Reviewed quarterly

These are the third parties we rely on to deliver Sorena Health. We add to this list only when a sub-processor is demonstrably required, and we give customers 30 days' written notice before any addition takes effect.

Provider | Purpose · region
AWS | Infrastructure, storage, KMS, sa-east-1 (São Paulo) default.
Amazon Bedrock | Claude (Anthropic) model hosting via AWS Bedrock. Zero retention.
Cloudflare | DDoS protection, edge TLS termination. No application data processed.
ElevenLabs | Voice synthesis for PT, ES, EN. Text-only input.
PagerDuty | On-call alerting. No customer data.
1Password | Secrets management for internal team. No customer data.