Privacy Policy

What we collect

When you use the Site to request information, begin plan setup, or contact us, you may provide:

• Full name, email address, phone number (which may be used to receive calls, SMS, and MMS messages subject to the consents you provide), and mailing address
• Date of birth and Social Security Number (SSN), collected for identity verification purposes during plan setup intake
• Business information, including your Employer Identification Number (EIN)
• Payment information, processed through our secure payment provider (Stripe)
• Health questionnaire responses submitted during the plan setup process
• Messages submitted through contact forms, the AI assistant, or email

If you set up coverage for dependents - such as a spouse or children - we collect the same categories of identifying information for each covered individual during plan setup intake, including full name, date of birth, Social Security Number, and their relationship to you. Dependent health questionnaire responses are subject to the same pass/fail handling described below.

When you visit the Site, we also collect certain information automatically through cookies and similar technologies: IP address, browser type, device type and operating system, pages visited, time on site, referring URLs, click behavior, and cookie identifiers.

A note on health questionnaire responses: Health questionnaire responses submitted during plan setup — for you and any dependents — are used solely to determine eligibility. We do not store individual question responses after the eligibility determination is complete. We record only the outcome — approved or not approved — for administrative purposes.

How we use your information

We use the information collected through the Site for the following purposes:

• To process plan setup intake and connect you with plan administration
• To communicate with you about your plan setup status and next steps
• To improve our products and services.
• To send relevant information about the plan, renewals, and updates
• To send transactional SMS or MMS messages related to your inquiry, plan setup, account activity, and plan administration, where you have provided your phone number
• To send promotional SMS or MMS messages about Solo Health Collective products and services, where you have provided express written consent
• To suppress communications to individuals who did not qualify for plan setup, using only outcome data — not the content of their questionnaire responses
• To operate and improve the Site and the visitor experience
• To comply with legal, regulatory, and administrative obligations

We do not sell your personal information to third parties. We do not use your information for unrelated advertising or share it with advertisers.

Mobile information and SMS opt-in data

No mobile information, including phone numbers and SMS opt-in or consent data, will be shared with third parties or affiliates for marketing or promotional purposes. Information sharing with subcontractors that support our operations — such as customer service platforms, CRM providers, and SMS service providers — is permitted as necessary to deliver the messages you have consented to receive. All other categories of mobile data, including text messaging originator opt-in data and consent, will not be shared with any third parties for any other purpose.

How we share your information

We share information collected through the Site only as necessary to provide our services and comply with applicable law.

When you complete or begin plan setup through the Site, we share the information you submit with our plan administration partners as needed to process your application and establish your coverage. Those parties receive only the information necessary to perform their functions and are contractually required to protect it.

We use the following third-party platforms to operate the Site and our marketing and support functions: HubSpot (CRM, marketing automation, SMS messaging, and customer support), Stripe (payment processing), Google Analytics (site analytics and traffic measurement), Meta/Facebook (marketing campaign measurement), Vovance Inc. (Solo AI Assistant platform), and OpenAI, L.L.C. (the AI model powering the Solo AI Assistant). These providers operate under their own privacy policies and data processing agreements.

We may also disclose information when required by law, regulation, legal process, or government request, or when we believe disclosure is necessary to protect the rights, safety, or property of Solo, our members, or others.

Solo AI Assistant

The Solo AI Assistant is the chat-based help feature available on hbgsolo.com and within partner subdomains. This section explains what information we collect through the Assistant, how we protect it, and your rights and controls.

What information we collect

When you use the Solo AI Assistant, we collect:

• Conversation content — the questions you ask and the responses provided
• Session metadata — anonymous session identifiers, timestamps, and basic technical information needed to maintain your chat session
• Account context — if you are signed in, the Assistant has access to information needed to provide a relevant response, such as your member status

You do not need to be signed in to use the Solo AI Assistant. Conversations from anonymous sessions are not linked to any identifying information.

How we protect your information

The Solo AI Assistant is built on a HIPAA-aware platform with multiple layers of protection:

• Encryption — All conversation content is encrypted at rest using industry-standard AES-256-GCM encryption with unique encryption parameters per record. Information in transit between your device, the Assistant, and our service providers is protected by TLS encryption.
• Identity protection — For signed-in members, conversation content is encrypted in a way that limits internal access. Solo administrators cannot view the content of signed-in member conversations directly. Your conversation history is available to you through your account.
• PII handling — Personal information such as names, email addresses, and identifiers are classified as high-sensitivity and handled with elevated protection. Email addresses are indexed using cryptographic blinding so we can look up accounts without exposing email content in our systems.
• PHI access auditing — Any internal access to information classified as Protected Health Information (PHI) is recorded in a dedicated audit log capturing who accessed it, what was accessed, and the reason.
• AI integrity auditing — Every request sent to our AI service providers is cryptographically hashed (SHA-256) and recorded in a separate integrity log. This creates a tamper-evident audit trail of what was processed by AI without duplicating sensitive content.
• Tenant isolation — Solo's data is logically and cryptographically isolated from other organizations using the platform. No other organization can access Solo's data.
• Secrets protection — API credentials used to connect to AI service providers are encrypted at rest using a dedicated encryption key separated from database credentials.

Service providers we work with

The Solo AI Assistant is delivered through partnerships with:

• Vovance Inc. — the platform provider that hosts and operates the AI Assistant infrastructure. We have a Business Associate Agreement (BAA) with Vovance covering the handling of any Protected Health Information that flows through the platform.
• OpenAI, L.L.C. — the AI provider whose language models generate the Assistant's responses. We have a Business Associate Agreement (BAA) with OpenAI covering AI processing of any Protected Health Information.

These providers process data on our behalf under the terms of our BAAs. They are not permitted to use Solo conversation data for their own purposes, including model training.

How long we keep your data

Conversation data is retained for 18 months from the date of last activity. Anonymous session data is retained for 90 days and then deleted. You can request earlier deletion of your conversation history at any time by contacting Solo Concierge.

Your rights and controls

You have the right to:

• Access — Signed-in members can view their own conversation history through their account at any time.
• Deletion — You can request deletion of your conversation history by contacting Solo Concierge. We implement deletion across all systems that store the data, including our service providers, in accordance with the timelines required by applicable law.
• Erasure (GDPR) — Where the General Data Protection Regulation (GDPR) applies to you, you have the right to request erasure of your personal data. Our systems support this through soft-deletion patterns that propagate across PII-bearing records.
• Object or restrict processing — You can ask us to limit how we use your data, subject to applicable law.

To exercise any of these rights, contact Solo Concierge at concierge@hbgnow.com or 646-328-6968.

HIPAA compliance

Solo is a self-funded health plan and treats member health information in accordance with the Health Insurance Portability and Accountability Act (HIPAA). The Solo AI Assistant is operated as part of this compliance framework. Solo has designated a HIPAA Security Officer responsible for the policies and procedures governing PHI handling. To request information about HIPAA practices or to report a concern, contact Solo Concierge.

Outbound communications and AI-assisted outreach

We may communicate with you by phone, SMS, or email to support your inquiry, help with plan setup, follow up on your saved pricing, and provide information about Solo Health Collective products and services. These communications may be conducted by human representatives — including our sales, support, and member care teams — or by AI-assisted technology, including artificial voice agents and automated messaging systems.

When AI-assisted voice technology is used, you will be informed at the start of the interaction. You may request to speak with a human representative at any time. AI-generated voice communications are considered artificial voice under the Telephone Consumer Protection Act (TCPA) and are made only with your express written consent.

Calls may be recorded for quality, training, and compliance purposes.

How we use cookies

We use cookies and similar tracking technologies to operate the Site, understand how it is used, and support our marketing activities. The following types of cookies may be present on the Site:

• Essential cookies -- required for the Site to function, including session management and the plan setup process
• Analytics cookies -- used to understand traffic patterns and user behavior (Google Analytics, HubSpot)
• Marketing cookies -- used to measure the effectiveness of advertising campaigns (Meta/Facebook pixel, HubSpot)
• Payment processing cookies -- used by Stripe to support secure transactions
• Chat and support cookies -- used by our AI assistant and customer support tools

You can manage cookie preferences through your browser settings. Disabling certain cookies may affect Site functionality, including the plan setup process.

Security

We take reasonable technical and organizational measures to protect the information collected through the Site against unauthorized access, disclosure, alteration, or destruction. All sensitive data transmitted through the Site is encrypted in transit using industry-standard protocols. Social Security Numbers and payment information are handled in accordance with applicable security requirements and processed only through secure, access-controlled systems.

Our SaaS and platform vendors maintain their own security controls, which we rely on as part of our overall security posture. No method of transmission or storage is completely secure. If you believe your information has been compromised, please contact us immediately at support@hbgnow.com.

Data retention

We retain information collected through the Site for as long as necessary to fulfill the purposes described in this policy, comply with legal obligations, and resolve disputes. Health questionnaire responses are not retained after the eligibility determination is complete. Suppression records - indicating a non-qualifying outcome, without the content of responses - may be retained to prevent future misdirected communications. Analytics and behavioral data is retained in accordance with the data retention policies of our analytics providers.

Email communications

By providing your email address through the Site, you may receive communications related to your inquiry, plan setup, and relevant plan updates. All marketing emails include an unsubscribe option in accordance with the CAN-SPAM Act. You may opt out of marketing communications at any time by clicking the unsubscribe link in any email or by contacting us at support@hbgnow.com.

Transactional communications related to your active plan - such as plan setup confirmations and billing notices - may continue regardless of marketing preferences, as they are necessary to administer your coverage.

SMS and MMS communications

If you provide your phone number and consent to SMS/MMS communications, we may send text messages from Healthy Business Group and Solo Health Collective related to your inquiry, plan setup, account, and plan administration, as well as promotional messages about Solo Health Collective products and services.

Message frequency varies. Message and data rates may apply. You may opt out of marketing texts at any time by replying STOP. Reply HELP for help, or contact support@hbgnow.com or 646-328-6968.

Opting out of marketing texts does not affect transactional messages necessary to administer your coverage. Carriers (including AT&T, T-Mobile, Verizon, Sprint, and others) are not liable for delayed or undelivered messages.

California residents

If you are a California resident, you may have additional rights under the California Consumer Privacy Act (CCPA), including the right to know what personal information we collect and how it is used, the right to request deletion of your personal information, and the right to opt out of the sale of personal information.

You may also have specific rights related to mobile data, including the right to opt out of SMS and MMS communications and the right to request information about how your mobile data is collected, used, and shared.

We do not sell personal information. To exercise your California privacy rights or submit a request, please contact us at support@hbgnow.com. We will respond to verified requests within the timeframes required by applicable law.

Children's privacy

The Site is intended for use by adults and is not directed at children under the age of 13. Dependent coverage for minors is administered through the enrolling plan member. We do not knowingly collect personal information directly from children under 13 as independent users of the Site. If you believe a child has independently provided us with personal information, please contact us at support@hbgnow.com and we will take steps to remove it.

Links to other websites

The Site may contain links to third-party websites, including vendor portals and partner sites. We are not responsible for the privacy practices of those sites. We encourage you to review the privacy policies of any third-party site you visit.

Changes to this policy

We may update this Privacy Policy from time to time. When we do, we will update the Effective Date at the top of this page. Continued use of the Site after changes are posted constitutes your acceptance of the updated policy.

Contact us

If you have questions about this Privacy Policy or how we handle information collected through the Site, please contact us:

Healthy Business Group / Solo Health Collective
Email: support@hbgnow.com
Phone: 646-328-6968
Website: hbgsolo.com