This Privacy Policy explains how AI VOX, operated by Sujal Samadhiya (sole proprietor d/b/a AI VOX), handles information in the course of providing its AI voice receptionist service to healthcare clinics. AI VOX acts as a Business Associate to the clinics it serves (each a "Covered Entity") under the HIPAA Rules.
Our role
When a patient calls a clinic that uses AI VOX, any health information handled during that call belongs to the clinic, not to AI VOX. We process it solely on the clinic's behalf, under a signed Business Associate Agreement, and only to deliver the service. We never sell patient information, and we never use it for advertising.
Information we process
- On behalf of clinics (PHI): caller name, phone, email, stated reason for the call, appointment details, call audio, transcripts, and AI-derived metadata such as sentiment and summary.
- For clinic accounts: the names, emails, and hashed passwords of clinic owners and staff who log into the dashboard.
- For our website: standard technical data such as IP address and browser type, used only to operate and secure the site.
AI VOX does not request or store payment card numbers, full dates of birth, government identifiers, insurance member numbers, or clinical diagnoses. The AI agent is configured to decline collecting payment card information.
How we use it
We use information only to answer and place calls, book and manage appointments, send confirmations, surface calls to clinic staff through the dashboard, and operate and secure the service. We do not use patient information for any purpose beyond delivering the service to the clinic.
How we protect it
All data is encrypted at rest (AES-256) and in transit (TLS 1.2+). Tenant isolation is enforced at the database level so no clinic can access another's data. Access to production systems is restricted to the founder, protected by multi-factor authentication, and audit-logged. Full detail is in our Security & HIPAA overview.
Who we share it with
We share PHI only with the subprocessors required to run the service, each under a Business Associate Agreement. The complete list is published in our Subprocessor List. We do not sell data and do not share it with advertisers.
Retention and deletion
We retain data according to our Data Retention & Deletion Policy — generally six years for clinical records, in line with HIPAA. Clinics may request export or deletion of their data at any time.
Patient rights
Patients who wish to access, amend, or delete their information should contact the clinic they called — the clinic is the Covered Entity that controls the record. AI VOX will support the clinic in fulfilling any such request.
Contact
Questions about this policy can be directed to work@theaivox.com.