© 2026 Souverain Spine

    Privacy Policy

    Effective 2026-05-01

    This Privacy Policy explains how Souverain Spine, LLC ("Souverain", "we") collects, uses, and protects information when you use the application at https://souverain-spine.vercel.app (the "Service"). The Service is operated from and intended for the United States only.

    1. Information we collect

    Information you give us

    • Account information: name, work email, password (hashed), distributorship name, role.
    • Operational data you enter: sales records, commission rules, surgeon names and NPIs, hospital and facility details, inventory, schedules, notes, and signatures. You decide what to enter; we securely store it on your behalf.
    • Billing information: handled directly by Stripe. We receive only the fields needed to manage your subscription (customer id, subscription id, status, period end, last four digits of card). We never see your full card number.

    Information collected automatically

    • Usage and device data: IP address, user agent, referring page, and timestamps used for security, abuse prevention, and basic performance metrics.
    • Cookies and similar technologies: only those needed to keep you signed in (Supabase session) and to remember workspace settings. We do not use advertising or cross-site tracking cookies.

    Information from third parties

    • Public reference data such as the NPPES NPI registry, Open Payments, and FDA device databases is loaded into the Service to enrich your records.
    • Stripe sends webhook events about your subscription. Sentry reports application errors that may include request metadata.

    2. How we use information

    • provide, secure, and improve the Service;
    • process subscriptions and prevent fraud;
    • send transactional email (account, billing, weekly digests, alerts) — we do not send emails without your prior consent;
    • respond to support requests;
    • comply with legal obligations and enforce our Terms.

    We do not sell or rent personal information, and we do not plan to.

    3. Sub-processors

    We share personal information only with vendors that help us run the Service. They are contractually bound to handle data securely and only on our instructions. Current sub-processors:

    • Vercel (US) — application hosting and edge runtime.
    • Supabase (US) — Postgres database, authentication, storage.
    • Stripe (US) — payments and subscription management.
    • Resend (US) — transactional email delivery.
    • Sentry (US) — error monitoring and performance traces.
    • Upstash (US) — rate limiting (only IP and bucket counters, no content).

    We update this list when sub-processors change. If you need a specific sub-processor list as of a certain date, contact privacy@souverain-spine.com.

    4. How long we keep information

    • Account and operational data: while the account is active. When you request deletion, we disable login immediately and erase data permanently after a 30-day grace window.
    • Billing records: retained by Stripe and by us as required for tax and accounting (typically seven years).
    • Logs and error traces: typically 30 to 90 days, then rotated.
    • Backups: encrypted point-in-time backups expire on the provider's schedule (currently 7 to 14 days). Deletion in production propagates to backups as those rotate.

    5. Your rights

    Subject to verification, all users in the United States can exercise the following rights regardless of state. Some are guaranteed by law in California (CCPA/CPRA), Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), Oregon (OCPA), Montana (MCDPA), Tennessee (TIPA), Florida (FDBR), Iowa (ICDPA), Delaware (DPDPA), and elsewhere. Souverain extends them to all customers as a baseline:

    • Access and portability: download a complete copy of your data anytime from Settings → Danger zone → Download my data (or call GET /api/account/export).
    • Correction: edit your profile and workspace data directly in the Service. Contact us if you cannot reach a field.
    • Deletion: request permanent erasure from Settings → Danger zone → Schedule deletion (or call POST /api/account/delete). We complete the erasure 30 days after the request.
    • Opt out of sale or targeted advertising: not applicable. We do not sell personal information and do not run targeted advertising.
    • Appeal: if we deny a request, you may appeal by writing to privacy@souverain-spine.com.

    We do not discriminate against users who exercise these rights. We may verify your identity by requiring you to be authenticated as a distributor admin before processing access or deletion requests.

    6. Notice for California residents

    In the previous 12 months we collected the categories of personal information described in Section 1 (identifiers, professional information, commercial information about your business, internet/network activity, inferences from those). The business or commercial purposes are those in Section 2. We disclose those categories to the sub-processors in Section 3 for those purposes only. We do not sell or share personal information for cross-context behavioral advertising. We do not use or disclose "sensitive personal information" for purposes outside the limited business purposes permitted by Cal. Civ. Code §1798.121.

    7. Surgeons, hospitals, and other third parties referenced in Customer Data

    The Service references publicly available information about surgeons and hospitals (such as NPI, name, and Open Payments figures) and operational notes you create about your relationship with them. Surgeons and other third parties referenced in your records are not customers of Souverain. You are responsible for the lawfulness of recording such information, including notice and consent obligations under your state's laws and any professional or contractual obligations. Souverain provides export and deletion tools so you can respond to requests directed at you.

    8. HIPAA

    The Service is designed for protected health information ("PHI") and we do currently sign Business Associate Agreements. Our customers agree in the Terms not to upload PHI without a written agreement with us. If you must process PHI through the Service, contact privacy@souverain-spine.com first.

    9. Security

    We use industry-standard practices: TLS for data in transit, encryption at rest at the database and storage layer, row-level isolation between distributorships, principle-of-least-privilege secrets, and structured audit logging. No system is perfectly secure; report suspected vulnerabilities using the contact published in /.well-known/security.txt.

    10. International users

    The Service is hosted in the United States and intended for United States customers. If you access the Service from outside the United States, you consent to the transfer and processing of your information in the United States.

    11. Changes to this policy

    We may update this Privacy Policy from time to time. The "Effective" date above reflects the most recent revision. If a change is material we will give reasonable advance notice (for example, by email or in-app notice).

    12. Contact

    Souverain Spine, LLC
    1421 Spectrum, Irvine, CA 92618
    Privacy: privacy@souverain-spine.com
    Support: help@souverain-spine.com