What this Policy Covers
This Privacy Policy pertains to the use of the Sundial Product website at www.sundial.ai. It covers how Sundial Product Inc. ("Sundial") treats personal information that Sundial collects and receives through the website or other means. It also describes the choices available to you regarding our use of personal information and how you can access and update this information. Personal information is information about you that is personally identifiable, like your name, address, email address, or phone number. Children under 13 are not permitted to use the services provided by Sundial, so this Privacy Policy makes no provision for children's use of this website or the use of services of Sundial. However, if you learn that your child has provided us with personal information, you may contact us as set forth below, and we will take steps to delete such personal information.
Information Collected and How It Is Used
You do not have to give us any personal information, such as name, email address, phone number, or Social Security number, to visit the Sundial website. Primarily, Sundial provides data analytics software services to our clients through software solutions and platforms that are designed in accordance with our clients' instructions ("Services"). If you are a customer of a client of Sundial, then personal information may have been given to our client (i.e., business using Sundial's data analytics software platform), and the privacy policy of our client shall apply to the collection of that personal information. Personal information given to Sundial's client is used solely by Sundial to set up Sundial's data analytics software platform for and provide technical support to our client. Depending on our client's business, the information collected may include personal information, account information, marketing information, billing information, or other forms of information.
If you request information or support from Sundial, then personal information (e.g., name, address, phone number, email address) may be requested so that Sundial can provide the support requested. This personal information is used to provide corresponding technical and operational support and information about the services provided by Sundial.
If you use the "Careers" or "Open Roles" portion of the Sundial website, then personal information (e.g., name, address, phone number, email address) may be requested to enable Sundial to make informed hiring decisions. However, Sundial uses this personal information solely to make hiring decisions.
If you visit the Sundial website, internet or network activity information (e.g., browsing history, IP address, geolocation information) may be automatically collected from your browser. As further discussed below, this information may be used by third parties, such as marketing partners, data service partners, and analytics services, to provide services to Sundial.
Our clients may choose to use our Services and software to process their data, which may contain personal information. The data that we process through our Services and software is processed by us purely as a data processor, on behalf of our client, and in accordance with our client's instructions. Our privacy practices governing the processing of such data will be in accordance with contracts that we have in place with our clients.
Sundial does not sell personal information. Sundial's clients may sell personal information for various reasons or purposes, but Sundial does not participate in or control the sale of personal information by its clients. Please contact the corresponding Sundial client if you have any questions about the sale of your personal information by that client.
We will retain personal information that we process on behalf of our clients for as long as needed to provide services to our clients, comply with legal obligations, resolve disputes, and enforce our agreements.
Information Sharing and Disclosure
Except to provide services you have requested, or when we have your permission, personal information is not rented, sold, or shared with other people or non-affiliated companies for Sundial's promotional purposes. We may share your name and email address with certain of our working partners. If you would not like your personal information shared with these partners, please notify us at support@sundial.so.
Third-party vendors, including Google, show our ads on sites on the Internet and use cookies to serve ads based on a user's prior visits to our website. Users may opt-out of this third party's use of cookies by visiting the applicable third-party advertising opt-out page.
Information about you may be transferred to another company if Sundial is acquired by or merges with said company. In this event, Sundial will notify you by email or by putting a prominent notice on the Sundial website before information about you is transferred and becomes subject to a different policy.
Personally identifiable information or other information may be disclosed under special circumstances, such as to comply with a subpoena or when your actions violate the legal rights or policies of Sundial. It may be necessary to share this information to investigate, prevent, or take action regarding illegal activities, suspected fraud, situations involving potential threats to physical safety, violations of Sundial's legal rights, policies, or otherwise as required by law.
We use third-party services, such as career placement services, client relations management services, advertising, and marketing services, and billing and payment services, to provide services to our clients. Personal information may be shared with these third parties to provide corresponding services to you.
Cookies and Other Tracking Technologies
This Privacy Policy pertains to the use of the Sundial Product website at www.sundial.ai. It covers how Sundial Product Inc. ("Sundial") treats personal information that Sundial collects and receives through the website or other means. It also describes the choices available to you regarding our use of personal information and how you can access and update this information. Personal information is information about you that is personally identifiable, like your name, address, email address, or phone number. Children under 13 are not permitted to use the services provided by Sundial, so this Privacy Policy makes no provision for children's use of this website or the use of services of Sundial. However, if you learn that your child has provided us with personal information, you may contact us as set forth below, and we will take steps to delete such personal information.
Web Beacons / Tags
Software technology called web beacons or tags may be used in combination with cookies to better manage the content on the Sundial website by informing Sundial what content is effective. Through third-party services, we may link the information we store in web beacons or tags to personal information you may submit while on the Sundial website. Third-party services may also use web beacons and tags and other tracking technologies to track personal and non-personal information about visitors to the Sundial website. This Privacy Policy does not cover the use of web beacons or tags by any third-party tracking utility.
HIPAA Compliance
Sundial may process data on behalf of clients that is subject to the Health Insurance Portability and Accountability Act ("HIPAA"). In such cases, Sundial acts as a Business Associate and enters into Business Associate Agreements (BAAs) with applicable clients.
When handling Protected Health Information (PHI) on behalf of a client, Sundial:
Processes PHI solely as directed by the client and in accordance with the executed BAA
Implements administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of PHI
Does not use or disclose PHI other than as permitted or required by the BAA or as required by law
Reports any Security Incident or Breach of Unsecured PHI to the client without unreasonable delay, and in no case later than 60 calendar days from discovery
Ensures that any subcontractors with access to PHI agree to the same restrictions and conditions
Sundial does not store health data directly. Client data processed through Sundial's platform is handled in accordance with the client's instructions and the terms of the applicable BAA.
Session Management
To protect against unauthorized access, Sundial enforces automatic session termination for all users after a defined period of inactivity. Users will be required to re-authenticate after their session expires. This measure is in place to help prevent unauthorized access to the platform and to comply with applicable security requirements.
Security
The security of your personal information is important to us. Sundial is SOC 2 Type II certified, having undergone independent audits of its security controls, availability, and confidentiality practices. Key security measures include:
Encryption at rest: All data stored in Sundial's managed storage (including Delta Lake files on S3/GCS and metadata in databases) is encrypted using AES-256 encryption, managed by cloud-native encryption services such as AWS KMS. Client data can be encrypted with a client-specific key for additional segregation.
Encryption in transit: All data communications are protected via TLS/SSL encryption, whether data is in motion from a client's warehouse to Sundial's processing cluster or from the Sundial API to a user's web browser.
Access controls: Sundial enforces strict role-based access controls. Authentication supports integration with single sign-on (SSO) via SAML, and SCIM for automated account provisioning.
Temporary credentials: When accessing client data sources, Sundial uses temporary, scoped credentials (e.g., AWS STS assume-role) rather than stored long-term credentials.
Infrastructure security: All servers and containers are hardened with restricted permissions. The environment is regularly penetration-tested and vulnerability-scanned.
While we follow industry best practices to protect the personally identifiable information submitted to us, both during transmission and once we receive it, no transmission method over the Internet, or method of electronic storage is 100% secure. Therefore, while we strive to use commercially acceptable means to protect your personal information, we cannot guarantee its absolute security.
Breach Notification
In the event of a data breach involving personal information or Protected Health Information, Sundial will:
Investigate the incident promptly upon discovery
Notify affected clients without unreasonable delay, and in no case later than 60 calendar days from discovery of a breach involving unsecured PHI
Cooperate with clients and regulatory authorities as required
Take reasonable steps to mitigate any harmful effects of the breach
Accessing, Updating, or Correcting
Your Personal Information
According to California law, California residents may request and obtain a list of third parties to whom Sundial has disclosed their personal information (if any), as well as the type of personal information disclosed to those parties. California residents may also request deletion of certain collected personal information and may opt-out of the collection of personal information. Except as otherwise provided in this Privacy Policy, Sundial does not share personal information with third parties for its own marketing purposes. If your personally identifiable information changes, or if you would like to access the personally identifiable information that has been collected and stored by Sundial, or if you would like to request deletion of the personally identifiable information that has been collected and stored, please contact us at support@sundial.so. We will respond to your request to change, access, or delete this personally identifiable information within a reasonable timeframe. We will not discriminate against you for exercising your right to change, access, or delete your personally identifiable information.
Information Related to Data
Collected For Our Clients
Sundial may collect information under the direction of our clients, and therefore, Sundial may have no direct relationship with the individuals whose personal information it processes. The collection of this information may be subject to the privacy policy of our client. If you are a customer of one of our clients and no longer wish to be contacted by that client, please contact the client you interact with directly. We may transfer this personal information to companies that help us provide services. The service agreements with our clients cover subsequent transfers to third parties.
Access and Retention to Data
Controlled by Our Clients
Since there may be no direct relationship between Sundial and customers of our clients, an individual who seeks to access, correct, or delete this personal information should direct their inquiry to the Sundial client (the data controller).
Changes to This Privacy Policy
We may update this Privacy Policy at any time for any reason. We encourage you to periodically review this page for the latest information on our privacy practices.
Questions
If you have any questions about this Privacy Policy, please contact us at support@sundial.so
Effective Date
This Privacy Policy is effective on March 24, 2026.
