SolBeat — Privacy Policy

Effective date: May 22, 2026
Last updated: June 12, 2026
Version: 1.1 (Pilot)


1. Who We Are

SolBeat ("SolBeat", "we", "us", or "our") is a residency program management platform built for anesthesia residency programs and the residents, attending physicians, and program administrators who use them.

The service is operated by SolBeat (the "Operator"), based in Israel, reachable at info@solbeat.icu.

For the purposes of the Israeli Privacy Protection Law, 5741-1981 (the "PPL"), and where applicable Regulation (EU) 2016/679 (the "GDPR"), the Operator is the data controller of personal data processed through SolBeat.

This policy explains what personal data we collect through https://solbeat.icu (and its associated domains), how we use it, who we share it with, how long we keep it, and what rights you have. It applies to anyone who uses SolBeat in any role: program administrators, attending physicians (including those who serve as educational supervisors), and residents.


2. The Personal Data We Collect

We collect personal data in three ways: (1) data you give us directly, (2) data the program administrator enters about you (for example, when you are invited as a resident), and (3) data we collect automatically as you use the service.

2.1 Account and profile data

  • Full name, name prefix (Dr./Prof./etc.), email address, phone number
  • Encrypted password hash (only if you sign in with email/password)
  • Role in the program — Administrator, Attending, or Resident
  • For attendings: capability flags assigned by your program administrator (whether you can manage exams, evaluate simulations, evaluate rotations, and whether you serve as an educational supervisor); the specific rotation types you are permitted to evaluate
  • If you are assigned as an educational supervisor: the list of residents currently assigned to you for educational supervision
  • For residents: residency start date, program assignment, graduation status, the identity of your assigned educational supervisor (if any)
  • Personalization preferences such as the order in which sidebar navigation items appear

2.2 Authentication and security data

  • Sign-in method (email/password or Google OAuth)
  • For OAuth sign-ins: the basic profile information (name, email) returned by the identity provider
  • Failed login attempt records (email, IP address, and timestamp), used to enforce rate limiting and prevent brute-force attacks; these records are deleted automatically after 24 hours

2.3 Educational and performance data

  • Rotation assignments, schedules, and progress
  • Rotation exchange requests — when a resident asks to swap one of their assigned rotations, we record the open request, any offers received, the accepting resident, the program administrator's decision (approved or denied), and the date of the decision. Rotation exchanges are visible to other residents in the same program who hold a matching rotation for the same period (so that a possible swap partner can see and accept the offer) and to program administrators (who approve or deny the swap)
  • Rotation change requests — when a resident asks the program administrator to change one of their assigned rotations, we record the request message written by the resident, the request status, the administrator's decision and any decision notes, and the date of the decision
  • Procedure-skill evaluations (DOPS — Direct Observation of Procedural Skills), including the supervision level recorded by the evaluator
  • Clinical evaluation exercises (CEX), including the clinical context entered by the resident: patient age (numeric), sex, past medical history (free text), surgery type, case type, ASA score, case date, and the supervision level
  • Case logbook entries — the resident's own log of cases performed, including: patient age, ASA score, anesthesia type, surgical discipline, surgery type, case urgency, airway device, regional/neuraxial details, hemodynamic monitoring flags, optional reflection notes, optional link to the resident's rotation, and any custom fields configured by your program administrator
  • Simulation evaluations — scenarios completed, evaluator, scores, dates, and progress against the program's annual simulation requirement
  • Rotation evaluations — at the end of a rotation, structured feedback from one or more permitted attendings, including ratings on configurable scale fields, free-text answers, and an outcome (Passed / Repeat Required) with optional reason
  • Educational supervisor meetings — date, agenda or topic, summary notes, and any associated period report attached by the supervisor
  • Admin review meetings — date, attendees, summary, goals, and any associated period report attached by the program administrator
  • Quiz, exam, and board exam results — the numeric scores, dates, and notes entered by an administrator. SolBeat does not currently store uploaded files or attachments for exam results.
  • Multiple-choice exam (MCQ) responses, scores, time-of-first-access for timed exams, score-correction history, and per-question answer history
  • Evaluation comments and free-text feedback written by attendings or supervisors

2.4 Communications and feedback data

  • Email we send you — invitations, password reset links, evaluation requests and reminders, rotation evaluation requests, supervisor and admin meeting notifications, MCQ publication and result-release notifications, rotation exchange decisions, and program announcements
  • Web push notifications you opt into through Account Settings — we store the browser-issued push subscription endpoint (an opaque URL specific to your device and browser) and the encryption keys needed to send messages to it. Push notifications are off by default and you can unsubscribe entirely at any time from Account Settings
  • Notification preferences — per-category switches recording which types of events you want to be notified about, separately for email and for push. All categories are enabled by default; you can disable any email category or any push category at any time from Account Settings, and we store your choices so we know what not to send you
  • Announcements delivered to you in the application — content, sender, and delivery records (which users an announcement was sent to and whether each has dismissed it)
  • Password reset tokens — when you request a password reset we issue an opaque token and store only its SHA-256 hash together with the IP address the request came from (for abuse prevention), with a 1-hour expiry; records are removed by a daily cleanup job 7 days after expiry
  • Notification and reminder records — which reminders or emails were sent, when, and to whom
  • Feedback submissions you make through the in-app Help & Feedback form — category, subject, description, and optional priority
  • Contact form submissions you make from the public login page — name, email (used as the reply-to address), subject, and message; the originating IP address is processed for anti-abuse rate-limiting
  • Any other messages you send to our support contact

2.5 Technical and usage data

  • IP address (collected by our hosting providers as part of standard server logs)
  • Browser type, operating system, approximate device information
  • Pages visited, actions taken, and timestamps within the application
  • Cookies strictly necessary for authentication (see Section 11)
  • Audit log entries — when an administrator or super-administrator performs a consequential action (creating, changing, deactivating, or deleting an account; sending an announcement; approving a rotation exchange; clearing a lockout; and similar actions), we record who performed the action, what the action was, when it happened, and which user it affected. Audit log entries support security investigations and accountability, are accessible only to super-administrators, and are deleted automatically after 12 months.

2.6 What we do not collect

  • We do not collect or store identifiable patient information. Residents, attendings, and administrators entering any case-related content (CEX requests, case logbook entries, evaluation comments, simulation evaluations, meeting notes, or feedback) are instructed to use only de-identified clinical context (no patient name, no patient ID/MRN, no date of birth, no contact details, no images that contain patient identifiers). See Section 5.
  • We do not knowingly collect personal data from children under 18.
  • We do not collect biometric identifiers (fingerprints, facial recognition, voice prints).

3. How We Use Your Personal Data (Purposes & Legal Basis)

We process your personal data for the following purposes:

# | Purpose | Legal basis (PPL / GDPR)
1 | Provide the SolBeat service to your residency program (assigning you to rotations, recording evaluations, hosting exams, generating reports) | Performance of contract / consent given on registration
2 | Authenticate you and protect your account (login, rate limiting, security headers) | Legitimate interest in account security
3 | Send you transactional emails — invitations, password resets, evaluation requests, evaluation reminders | Performance of contract / legitimate interest
4 | Generate compliance reports and quarterly performance reports for your program administrator | Performance of contract
5 | Maintain platform security, prevent abuse, investigate incidents | Legitimate interest
6 | Comply with our legal obligations (responding to lawful requests, tax/accounting records) | Legal obligation
7 | Improve SolBeat — analyze how the product is used to improve features and reliability (uses de-identified / aggregated data — see Section 4) | Legitimate interest
8 | Promote SolBeat — publish aggregate statistics ("X programs use SolBeat", "Y evaluations completed") in marketing materials (uses de-identified / aggregated data only — see Section 4) | Legitimate interest
9 | Conduct medical education research and publish academic findings (uses de-identified / aggregated data only — see Section 4) | Legitimate interest, subject to your right to object

We will not use your personal data for new, materially different purposes without first updating this policy and, where the law requires, obtaining your consent.


4. Use of De-Identified and Aggregated Data

This section is important and we want it to be plainly understood.

SolBeat may transform personal data collected through the platform into de-identified data (data from which direct identifiers — name, email, phone, user IDs — have been irreversibly removed) and aggregated data (statistics computed across many users such that no individual can be re-identified, e.g. "the average DOPS score across the platform was X").

We may use this de-identified and aggregated data for the following purposes, indefinitely and after your account is deleted:

  • Internal product analytics — understanding how SolBeat is used so we can improve features, detect bugs, and prioritize the roadmap.
  • Marketing and pitches — sharing aggregate statistics with prospective customers, in presentations, on our website, and in investor materials. Examples: total number of evaluations recorded, average quarterly compliance rate across programs, distribution of rotation types.
  • Academic research and publication — including in peer-reviewed journals, conference posters, and educational presentations, on topics such as resident performance trends, evaluation patterns, the relationship between rotation structure and competency development, and similar medical-education research questions.

What this means in practice:

  • We will not publish or share your name, email, identifying photos, individual evaluation scores tagged to you, or any other data that can reasonably be linked back to you as an individual.
  • We will not sell or license raw personal data, or de-identified data sets, to third parties for their own commercial use. Aggregated statistics may appear in our own marketing materials and academic outputs.
  • You may object to your data being included in research outputs at any time by contacting us — see Section 9. Once data has been published in an aggregated form in a journal article or external presentation, it cannot practically be retracted, but we will exclude your data from any future research datasets.

By using SolBeat, you acknowledge that data you contribute may, in this de-identified and aggregated form, be used for the purposes described above.


5. Patient Case Information

Two SolBeat surfaces capture clinical context relating to patients:

  1. Clinical Evaluation Exercise (CEX) requests — where a resident describes a case for an attending to evaluate; and
  2. The Case Logbook — where a resident logs cases they have personally performed, for their own training record and for review by their educational supervisor and program administrator.

Both surfaces are intended to capture only generic, non-identifying clinical context: patient age, sex, ASA score, anesthesia type, surgical discipline, surgery type, airway device, regional/neuraxial details, hemodynamic monitoring, relevant medical history described in general terms, and the resident's own reflection.

It is the responsibility of the resident, attending, supervisor, and program administrator to ensure that no patient identifiers are entered into SolBeat. This includes (without limitation) patient names, national ID numbers, medical record numbers, dates of birth, contact details, photographs that contain patient features, or any combination of details that would allow a patient to be identified.

To support this, SolBeat displays an amber patient privacy reminder banner at the top of every form that captures patient-related context, including: the case logbook (new and edit), the shared DOPS/CEX evaluation form (used by attendings and administrators and on the public token-based evaluation page), the rotation evaluation form, the simulation evaluation form, the educational supervisor meeting form, the admin review meeting form, and the resident-side request evaluation form. This reminder is a help, not a guarantee — the responsibility ultimately rests with the user entering the data.

SolBeat is not a clinical record system, is not designed to store Protected Health Information, and is not certified as such. If you discover that identifying patient data has been entered into the system, please contact us immediately at info@solbeat.icu so we can remove it.


6. Who We Share Your Data With

We share personal data only with the following categories of recipients:

6.1 Other users of your residency program

SolBeat is a program-management tool. By the nature of the service, your data is visible to other people inside your residency program. It is important that you understand this before you create an account.

SolBeat uses three roles — Administrator, Attending, and Resident — and a set of capability flags that your program administrator assigns to individual attendings. The flags are: can manage exams, can evaluate simulations, can evaluate rotations (granted per rotation type), and is educational supervisor. These flags determine what an attending can see and do beyond the baseline.

If you are a resident, the following people in your program can see your data:

  • Program administrators (e.g. the program director and academic coordinators) can see everything about you stored in SolBeat — your account profile, your full rotation history, every evaluation submitted about you (DOPS, CEX, simulation, rotation), every exam and quiz result, your case logbook entries, your educational supervisor meeting notes, your admin review meeting notes, and your residency progress and compliance reports. They can also generate printable period reports of your records. This is necessary so they can run the program, monitor your training, and prepare your reviews.
  • Your assigned educational supervisor (an attending whom your program administrator has flagged as an educational supervisor and assigned to you) has read-only access to your full record — your rotation history, all your evaluations, your exam results, your case logbook, your meetings with them, and your admin review meetings. They can also create, edit, and delete supervisor meeting notes about you, and generate interval period reports. You are told who your supervisor is on your dashboard. Your program administrator can reassign your supervisor at any time; historical meetings remain attached to the supervisor who created them.
  • Attending physicians who have evaluated you can see your name, account profile (name, prefix, contact details), rotation history, and the evaluations they themselves have submitted about you. By default they cannot see evaluations submitted by other attendings, and cannot see your exam results, your case logbook, or your meetings — unless they hold one of the capability flags below.
  • Attendings flagged "can manage exams" can see all exam-related data for residents in your program, including your MCQ exam answers and scores after results are released.
  • Attendings flagged "can evaluate simulations" can see your simulation evaluations and scenario completion progress.
  • Attendings flagged "can evaluate rotations" for a specific rotation type can see and submit rotation evaluations for residents who completed that rotation type.
  • Other residents in your program can see the rotation capacity grid, which shows which rotation each resident is assigned to in a given month. They cannot see your evaluations, exam results, case logbook, meetings, or quarterly reports.

If you are an attending, your name, prefix, contact details, and the capability flags assigned to you are visible to your program administrator and to any other attending who needs to know (for example, to select you as an evaluator). The evaluations and meeting notes you have submitted are visible to program administrators, to the resident the evaluation or meeting concerns, and to the resident's assigned educational supervisor.

If you are a program administrator, your name, prefix, and contact details are visible to other administrators and to attendings and residents in your program (for example, on shared admin meeting records and as the issuer of invitations).

Across all roles, certain operational data (login activity, account changes, error logs without personal content) is accessible to the SolBeat operator strictly for security, debugging, and support purposes (see Section 6.2).

If you have questions about who specifically in your program holds which capability flags or who your educational supervisor is, contact your program administrator directly.

6.2 Service providers (sub-processors)

We use the following third-party service providers to operate SolBeat. They process personal data on our behalf and only for the purposes we instruct:

Provider | Purpose | Where data is processed
Vercel Inc. | Hosting the application and running scheduled cron jobs | United States
Neon Inc. | PostgreSQL database hosting | United States (region-dependent)
Resend Inc. | Transactional email delivery (account, evaluation, reminder, announcement, and password-reset emails) | United States
Google LLC | Optional sign-in via Google OAuth | United States / global
Browser push services — Google Firebase Cloud Messaging, Apple Push Notification Service, Mozilla Push Service, Microsoft Windows Push Notification Services | Delivery of web push notifications you have opted into. These services operate at the browser level and receive only the encrypted notification payload and your browser-issued subscription endpoint. They are reached only if and when you enable push notifications in your Account Settings. | Global (United States / EU / device-dependent)

Each of these providers is contractually obligated to maintain appropriate security and confidentiality measures.

A small number of named individuals on the SolBeat operator team (the "super-administrators") have operator-level access to SolBeat for the limited purposes of incident response, account recovery, security investigation, policy enforcement, and platform support. Super-administrator access is granted through a hard-coded allowlist of email addresses set in a server-side configuration; it is not a role you can be promoted to from within the application. All consequential super-administrator actions are recorded in the audit log described in Section 2.5.

6.3 Legal recipients

We may disclose personal data when we are legally required to do so — for example, in response to a court order or lawful request from a regulator — or when necessary to protect the rights, property, or safety of SolBeat, our users, or others.

We do not sell your personal data to advertisers, data brokers, or any other third party.


7. International Data Transfers

Because our hosting and infrastructure providers (Vercel, Neon, Resend) operate primarily from the United States, your personal data is transferred outside of Israel and outside the European Economic Area in the course of normal operation. If you opt into push notifications, encrypted notification payloads also pass through the browser push service operated by the maker of your browser or operating system (Google, Apple, Mozilla, or Microsoft), which may route them globally.

For Israeli residents: this transfer is conducted in reliance on the Privacy Protection Regulations (Transfer of Data to Databases Abroad), 5761-2001, on the basis that the receiving providers are bound by contractual data-protection terms equivalent to Israeli law, and that the data subject has consented to the transfer by using the service.

For users in the EU/EEA: where applicable, transfers are conducted under the European Commission's Standard Contractual Clauses or equivalent safeguards entered into with each provider.


8. How We Protect Your Data

We take reasonable technical and organizational measures to protect personal data, including:

  • TLS/HTTPS encryption for all data in transit
  • Encrypted storage at rest by our hosting providers
  • Bcrypt password hashing — we never store your password in readable form
  • Strict role-based access control inside the application (a resident cannot access another resident's evaluations; an attending cannot access an unrelated program)
  • Login rate-limiting and lockout after repeated failed attempts to defend against brute-force attacks (and a separate rate-limit on password-reset requests)
  • Security HTTP headers (HSTS, X-Frame-Options, Content-Type protection, Referrer-Policy, Permissions-Policy)
  • Self-service password reset using single-use, time-limited (1-hour) opaque tokens, stored only as a SHA-256 hash; a successful password change automatically signs out other sessions
  • Audit logging of consequential mutations performed by administrators and super-administrators
  • Routine application updates, dependency patching, and automated secret scanning on commits

No system can be guaranteed perfectly secure. If a personal data breach occurs that is likely to cause a meaningful risk to you, we will notify you and the relevant regulator within the timelines required by law.


9. Your Rights

Under the PPL and, where applicable, the GDPR, you have the following rights with respect to your personal data:

  • Right of access — to request a copy of the personal data we hold about you.
  • Right of rectification — to request that inaccurate or incomplete data be corrected. You can update most account fields yourself in Account → Settings.
  • Right of deletion — to request that we delete your personal data, subject to lawful exceptions (for example, where we must keep records to comply with our legal obligations, or where the data is needed to maintain the integrity of historical academic records of your residency).
  • Right to object — to object to processing of your personal data based on our legitimate interests, including its inclusion in research datasets going forward.
  • Right to restrict processing — in certain circumstances.
  • Right to data portability — to receive your personal data in a structured, machine-readable format, where technically feasible. Note that you can already export much of your own data through the application — see Section 10.
  • Right to withdraw consent — where processing is based on consent, you may withdraw it at any time. In particular, you may unsubscribe from web push notifications, change which notification categories you receive, or revoke your acceptance of optional flows at any time from Account → Settings.
  • Right to lodge a complaint — with the Israeli Privacy Protection Authority (https://www.gov.il/he/departments/the_privacy_protection_authority) or, if you are in the EU, with your local supervisory authority.

To exercise any of these rights, contact us at info@solbeat.icu. We will respond within 30 days, or sooner where the law requires.


10. Data Retention, Backups, and Your Responsibility to Export

10.1 How long we keep your data

We keep personal data for as long as your account is active and for as long as needed to provide the service to your residency program. Specifically:

  • Active resident records are retained for the full duration of the residency.
  • Graduated resident records are retained in a read-only state by the program administrator after graduation, as part of the program's permanent academic archive. Graduation is a one-way action; this is by design, because residency records form part of a physician's permanent training history.
  • Account profile data (name, email, phone) is retained as long as your account exists.
  • Security and housekeeping records are deleted on automated daily schedules: failed login attempt records after 24 hours, password reset token records 7 days after they expire, dismissed in-app announcement delivery records after 90 days, and audit log entries after 12 months.
  • De-identified and aggregated data derived from your usage may be retained indefinitely (see Section 4).

When you stop using the service or your account is deleted at your request, we will delete or anonymize personal data within a reasonable period, subject to lawful retention obligations.

10.2 Backups

We maintain continual backups of the SolBeat database and storage in cooperation with our hosting providers. These backups exist to protect against data loss caused by infrastructure failure, software bugs, or operational error. Backup retention windows are determined by our infrastructure providers and are typically rolling (older backups are routinely overwritten).

Backups are operational safeguards. They are not an end-user data archive and are not intended to provide on-demand restoration of arbitrary historical states for individual users.

10.3 Your responsibility to export your own data

This is important. You are responsible for exporting and keeping your own copies of any data that is important to you, such as evaluation records, rotation history, exam results, and quarterly reports.

SolBeat provides built-in export tools for this purpose, including:

  • Excel exports of resident lists, attending lists, rotation plans, capacity grids, and MCQ exam results
  • Printable / downloadable PDF reports for individual residents (quarterly reports)
  • Per-resident detail views from which information can be saved or printed

We strongly recommend that residents export their full rotation plan, evaluation history, and exam results at meaningful milestones — for example at the end of each year of residency, and at the end of residency. We strongly recommend that program administrators export records on a regular schedule (for example, quarterly or annually).

While we make commercially reasonable efforts to preserve your data and to maintain the platform's availability, SolBeat does not guarantee permanent or perpetual retention of any specific record and does not accept liability for data loss arising from circumstances including (without limitation): infrastructure failures beyond our reasonable control, account termination, retention-policy lapses with our sub-processors, or your failure to make and keep your own export copies. To the maximum extent permitted by applicable law, our liability in respect of data loss is limited as set out in our Terms of Service.


11. Cookies and Similar Technologies

SolBeat uses a small number of cookies and similar local-storage mechanisms strictly necessary to operate the service:

  • Authentication session cookies (set by NextAuth) to keep you signed in.
  • A CSRF protection cookie used to secure sign-in forms.
  • A short-lived invite cookie (pending_invite) used during the invite-based registration flow.
  • A cookie acknowledgement cookie (solbeat-cookie-consent) that remembers you have seen the cookie banner so we don't show it on every page.
  • Local browser storage and service worker caches used by the Progressive Web App (PWA) to cache assets for offline use.

We do not use third-party advertising cookies, advertising trackers, or cross-site analytics cookies.

For the full list — including each cookie's name, purpose, and lifetime — see our separate Cookie Notice.


12. Children

SolBeat is not intended for use by anyone under the age of 18. We do not knowingly collect personal data from children. If you believe a child has provided personal data to us, please contact us so we can delete it.


13. Changes to This Policy

We may update this policy from time to time — for example, to reflect new features, new sub-processors, or changes in the law. When we make material changes, we will:

  • Update the "Last updated" date at the top of this page;
  • Notify users by email or by a prominent in-app notice; and
  • Where the law requires it, request renewed consent.

The current version of this policy is always available at https://solbeat.icu/privacy (or wherever this page is published).


14. Contact

For questions, requests, or complaints, or to exercise any of the rights described in Section 9, contact:

SolBeat
Israel
Email: info@solbeat.icu

For complaints in Israel, you may also contact the Privacy Protection Authority (Ministry of Justice): https://www.gov.il/he/departments/the_privacy_protection_authority.


This policy is provided in English. If a translation is provided in another language and there is a conflict between versions, the English version prevails.