Who is the data controller?

Solsta is the data controller. You can contact us at privacy@solsta.io

What information does Solsta collect?

We collect information you provide (such as through Early Access forms) and information collected automatically (such as internet/network activity). This includes identifiers, professional information, and operational context.

What are the purposes and legal bases for data processing?

We process data to respond to Early Access requests, for email marketing via Customer.io (with consent), for lead qualification (with consent), for analytics and service improvement (legitimate interest), and for compliance and protection (legal obligation).

How can I unsubscribe from email marketing?

You can withdraw consent and unsubscribe by using the unsubscribe link in emails, contacting us at privacy@solsta.io, or using the physical mailing address provided.

Who does Solsta share information with?

We share information with service providers including Customer.io (Peaberry Software Inc., USA), Attio (Attio Ltd., UK), and Google Analytics. We may also share with authorities when required.

How long does Solsta retain personal information?

We retain information only as long as necessary. Marketing data is kept for 12 months after unsubscribe/consent withdrawal, lead data for 12 months, operational records for 3 years, and analytics data for 2 months.

What rights do I have regarding my personal information?

You have the right to access, correct, delete, restrict, object, port your data, and withdraw consent. Contact privacy@solsta.io to exercise these rights.

Does Solsta sell or share personal information?

We do not sell personal information and do not share it for cross-context behavioral advertising.

What are my CCPA/CPRA rights?

California residents have the right to know, access, delete, correct, limit use of sensitive information, and opt out of selling/sharing. Contact privacy@solsta.io to exercise these rights.

Privacy Notice

Solsta Privacy Notice (Global)
Effective date: March 30, 2026

Who we are: Solsta Inc. (“Solsta”, “we”, “us”, “our”)

1) Scope
This Privacy Notice explains how we collect, use, disclose, and protect personal information specifically in connection with our Early Access form, related marketing communications, and any downstream processing such as lead qualification and CRM transfer. It does not cover general website browsing or cookie use — for those activities, please see our Privacy Policy. We provide this information at or before the point of collection to meet applicable transparency requirements.

2) Controller Contact
Controller: Solsta Inc.,
1 N. 1st Street, Suite 654
Phoenix, AZ 85004
Phone: (602) 889-3074
Privacy contact: privacy@solsta.io

3) What we collect
Information you provide:
• Identifiers (first name, last name, email) submitted via the Early Access form.
• Professional information (company name, job role/title) submitted via the Early Access form.
• Operational context (whether you are currently running AI agents in production or staging environments) submitted via the Early Access form.
• Any information included in free-text fields.

Information collected automatically:
• Device/usage data (IP address, browser type/version, pages viewed, timestamps) collected via Google Analytics (Google LLC, USA). Google Analytics uses cookies to help us understand how visitors interact with our site. Depending on your cookie preferences, this data may be shared with Google. See our Cookie Notice for details and to manage your preferences.

4) Purposes and Legal Bases
We process your information only for specific, explicit purposes and rely on a lawful basis for each processing activity.
• Respond to your Early Access request and related operational communications (e.g., scheduling a call or provisioning access).
Legal basis: Legitimate interests (to answer your request) or Contract (to take steps at your request before entering a contract).
• Email marketing & automated nurturing sequences via Customer.io (e.g., product updates, launch announcements, onboarding tips), including segmentation and tags to improve relevance.
Legal basis: (opt‑in). Consent must be freely given, specific, informed, unambiguous, and is separate from other terms. You can withdraw consent at any time.
• Lead qualification and pipeline movement (e.g., segmenting contacts by engagement level and transferring qualified leads from Customer.io to our CRM, Attio, for sales follow-up and direct outreach.)
Legal basis: Consent— this transfer is covered by your opt-in at the point of collection. You may withdraw consent at any time by contacting privacy@solsta.io, which will stop further processing for this purpose.
• Analytics and service improvement (e.g., understanding page performance, measuring campaign effectiveness).
Legal Basis: Legitimate interests; where non‑essential cookies/trackers are used, we obtain consent first.
• Compliance and protection (e.g., complying with legal obligations, enforcing terms, protecting security).
Legal basis: Legal obligation / Legitimate interests.

5) Email marketing, unsubscribe, and your choices
• We send marketing emails only if you opt in on the form (checkbox not pre-ticked). You may withdraw consent at any time by clicking Unsubscribe in our emails or by contacting us. We keep records showing what you consented toand when.
• If you have also consented to CRM transfer, withdrawing your marketing consentwill also stop your data from being moved to our sales CRM. If your data has already been transferred to our CRM prior to withdrawal, please contact privacy@solsta.io to request deletion of that record.
• Our marketing emails include an unsubscribe link and our physical mailing address (CAN-SPAM). We honor opt-out requests promptly.

(If you are an existing customer in the UK, PECR’s “soft opt-in” may apply to similarproducts/services if you were given a clear opt-out at collection and in every message;otherwise we rely on consent.)

6) Profiling, segmentation, and automation
We use Customer.io (Peaberry Software Inc., USA) to run automated onboarding and nurture email sequences and to segment contacts based on the information you provide and your engagement with our communications. This section explains how that works and what it means for you.

What we automate: Once you submit the Early Access form and opt in, you will be enrolled in a pre-defined sequence of emails. The timing, content, and continuation of those emails may be influenced by your engagement behavior — for example, whether you open emails or click links.

How we segment: We use engagement signals (such as email opens, link clicks, andinactivity) alongside the information you submitted in the form — including your job role,company, and current AI deployment status — to assign you to segments. These segmentsdetermine which messages you receive and how frequently.

What this means for you: Based on your engagement level and form responses — including whether you are actively running AI agents in production or staging — you may be identified as a qualified lead. If so, your contact information and engagement data may be transferred from Customer.io (Peaberry Software Inc., USA) to our CRM (Attio Ltd., UK) for direct sales follow-up. This is the primary practical consequence of the segmentation process.
‍
What we do not do: We do not make decisions that produce legal or similarly significant effects solely by automated means. A member of our team reviews leads before any transfer to our sales CRM occurs.

Your choices: You can opt out of automated communications at any time by clicking Unsubscribe in any of our emails or by contacting privacy@solsta.io. If you wish to object to being profiled for lead qualification purposes, you may also contact us at that address and we will assess your request.

7) Who we share information with (recipients)

We share personal information only with:
Service providers acting on our instructions:
‍
• Customer.io (Peaberry Software Inc., USA) — email delivery, contact management, and automated nurture sequences. Customer.io Privacy Policy /Data Processing Addendum
• Attio (Attio Ltd., UK) CRM for qualified leads and sales pipelinemanagement. Attio Privacy Policy
• Google Analytics (Google LLC, USA) — website analytics to understand visitor behavior and site performance. Data sharing with Google's other products and services is disabled. Data is retained for 2 months. Google Privacy Policy
• Authorities when legally required.

‍
We do not sell personal information. We do not share personal information with any thirdparties other than the service providers listed above and authorities where legally required,and only for the purposes described in this Notice.

8) International Transfers
f your information is transferred from the UK/EEA to countries without an adequacydecision — for example, to Peaberry Software Inc. (Customer.io) in the USA — we useappropriate safeguards such as Standard Contractual Clauses (SCCs).

Attio (Attio Ltd.) is based in the United Kingdom. The UK maintains an adequacy decisionfor data transfers from the EEA. For transfers of personal data from Solsta (USA) to Attio (UK), appropriate contractual safeguards are in place.

9) Retention
We retain personal information only as long as necessary for the purposes described above:
• Early-Access inquiries: 12 months after last interaction.
• Marketing contacts: until you unsubscribe/withdraw consent or after 12 months of no engagement (then delete or anonymize).
• CRM lead records: per our sales operations schedule 3 years or as required bylaw.
• Analytics: 2 months We disclose retention periods/criteria to satisfy transparency requirements.

10) Your Rights
Depending on where you live, you may have rights to access, correct, delete, restrict, object (including to direct marketing), port your data, and withdraw consent at any time without affecting prior lawful processing. You also have the right to lodge a complaint with a supervisory authority (EEA/UK).
• To exercise rights or preferences, contact: privacy@solsta.io
• For California rights, see California Notice at Collection below.

11) Security
We use administrative, technical, and organizational measures (e.g., encryption in transit, access controls, least-privilege, vendor due diligence) to protect personal information. No system is 100% secure, but we continually improve protections.

12) Children
Our site and services are not directed to children. Do not submit personal information ifyou are under the age where consent requires parental authorization under applicablelaws.

13) Changes
We will update this Notice when needed and indicate the effective date above. If changes materially affect you, we will notify you by reasonable means (e.g., email or website notice).

California Notice at Collection (CCPA/CPRA)
This Notice at Collection applies to California residents and describes what we collect at or before the time of collection, why, how long we keep it, and whether we sell or share it.

1) Categories of personal information we collect

From the Early Access form and your use of our site, we may collect:
• Identifiers: first name, last name, email address.
• Internet / network activity: page views, clicks, IP address, device/browser info.
• Professional information: company or organization name, where provided voluntarily via the Early Access form.
• Operational context: Current AI deployment status (whether you are running AIagents in production or staging), collected via the Early Access form. Thisinformation is used as a lead qualification signal and may influence whether yourcontact record is transferred to our sales CRM.
• Inferences we derive (e.g., product interest segments or engagement levels from email opens/clicks) to tailor communications. We do not intentionally collect sensitive personal information via this form. (If this changes, we will update this Notice and provide appropriate choices.)

We do not intentionally collect sensitive personal information via this form. (If this changes, we will update this Notice and provide appropriate choices.)

2) Purposes for collection and use
We use these categories for:
• Responding to your Early Access request and related operational communications.
• Email marketing and automated lead-nurture sequences (with your opt-in), including segmentation and measuring engagement.
• Analytics and service improvement.
• Security and fraud prevention; compliance with law.

3) Retention periods
• Early-Access inquiries: 12 months from last interaction.
• Marketing contacts: until you unsubscribe or 12 months of no engagement.
• Logs/analytics: 2 months

4) Selling or sharing personal information
• We do not sell personal information.
• We do not share personal information for cross-context behavioral advertising.

5) Disclosure to service providers
We disclose personal information to service providers that support our operations, such as Customer.io (Peaberry Software Inc., USA) and Attio (Attio Ltd., UK). These providers mayonly use personal information to provide services to us and not for their own purposes.
• Customer.io (Peaberry Software Inc., USA) - email delivery, contactmanagement, and automated nurture sequences Customer.io Privacy Policy / Data Processing Addendum ‍
• Attio (Attio Ltd., UK) CRM for qualified leads and sales pipeline management. Attio Privacy Policy

6) Your CCPA/CPRA rights
California residents have the right to know, access, delete, correct, and limit the use of sensitive personal information (if collected), and the right to opt out of sale or sharing of personal information. We will not discriminate against you for exercising your rights.
How to exercise your rights:
• Email: privacy@solsta.io