Effective Date: October 4, 2025
1) Who We Are & Scope
This Privacy Policy describes how Applied AI – Healthcare (“Applied AI – Healthcare,” the “Healthcare arm,” “we,” “our,” or “us”) collects, uses, discloses, and safeguards personal information in connection with our U.S. healthcare-focused website and services, including https://appliedaihealth.org (the “Site”) and our AI agents and automations (voice, chat, SMS, call handling, scheduling, reminders, review workflows, social posting, and related integrations) (collectively, the “Services”).
Applied AI – Healthcare is a business unit of Applied AI and is not a separate legal entity. This Policy applies to the Healthcare arm only. Other Applied AI verticals (e.g., solar, dispensaries, door-to-door) may be served under other brand sites and may have separate notices.
We operate in the United States and target U.S. users. This Policy applies when we act as a business/controller (e.g., Site visitors or our direct marketing). When we provide Services to a healthcare customer and process personal information strictly on that customer’s documented instructions, we act as a service provider/processor; in those cases, the customer’s privacy notice governs, and this Policy applies only in a supplementary manner.
We provide operational AI solutions. We do not provide medical advice, diagnosis, or treatment. Do not use the Services for emergencies. Call 911 or contact a medical professional.
2) Contact Information
Business Name: Applied AI – Healthcare (a business unit of Applied AI)
Website: https://appliedaihealth.org
Email (privacy): [email protected]
Business Location: Massachusetts, United States
Jurisdiction: United States (serving all U.S. states; based in Massachusetts)
3) Audience & Minimum Age
The Services are intended for adults (18+). We do not knowingly collect personal information from children under 18. If you believe a minor has provided personal information, contact [email protected] and we will take appropriate steps to delete it.
4) HIPAA/PHI Clarification
Unless expressly agreed in a separate, signed Business Associate Agreement (“BAA”) with a healthcare customer, we do not intend to collect, receive, store, or otherwise process Protected Health Information (“PHI”) as defined by HIPAA and its implementing regulations.
No PHI without a BAA. If a healthcare customer requires PHI handling, it must be governed by a separate BAA and supported by appropriately configured Services and vendors.
Absent a BAA, do not submit PHI. If you disclose PHI to us without an executed BAA, that disclosure is unauthorized and at your sole risk to the maximum extent permitted by law. We reserve all rights and defenses.
5) Information We Collect
We follow a data-minimization approach and collect only what is reasonably necessary to deliver and support the Services.
Categories of information we may collect:
a. Identifiers & contact information – name, email address, phone number, organization, role/title.
b. Operational scheduling details – basic information needed to schedule or reschedule appointments (e.g., preferred date/time, clinician/practice name). We design flows to avoid PHI.
c. Communications & content – messages or inquiries you send us; operational voice/SMS/chat interactions with our agents; related transcripts; and call metadata (e.g., timestamps, call status).
d. Technical/usage information – IP address, device and browser information, pages viewed, time on page, and basic diagnostic logs necessary for security and operations.
e. Billing & payments – billing contact details, invoices, payment confirmations. Card payments are processed by Stripe; we do not store full payment card numbers.
f. Lead/interest (non-clinical) data – information you provide to request demos, book consultations, or receive reminders or marketing communications.
g. Uploads/configuration – content, prompts, or parameters you supply to configure AI agents and workflows.
We do not seek sensitive categories such as PHI, biometrics/voiceprints used for identification, government IDs, or precise geolocation. Do not submit such data unless a separate BAA specifically permits and governs it.
6) Sources of Information
a. Directly from you (forms, calls, SMS, chat, emails, configuration inputs).
b. Automatically from your device (limited technical logs and cookies—see Section 15).
c. From our customers/partners where needed to integrate operational calendars or similar non-sensitive resources.
d. From service providers (e.g., telephony carriers, security/CDN providers) in the ordinary course of delivering the Services.
7) How We Use Information
We use personal information to:
a. Provide and operate the Services – voice/SMS/chat handling, scheduling, reminders, review workflows, social posting, and support.
b. Communicate with you – confirmations, service notices, administrative messages, and relevant marketing (you may opt out at any time).
c. Improve and maintain quality – service monitoring, debugging, analytics, safety evaluations, and performance optimization (without PHI).
d. Security and fraud prevention – protect the Services, investigate abuse, and ensure availability.
e. Compliance and enforcement – comply with legal obligations, enforce agreements, and protect rights and safety.
f. Automated decision-making: Our AI agents assist with operational tasks (e.g., capturing information, routing, scheduling). Outputs are non-determinative and typically escalate or hand off to a human for the final step. We do not make “final” decisions about individuals solely by automated means.
8) AI & Model-Improvement Practices
We may use de-identified, aggregated, or minimal operational interaction data to enhance service quality and safety (e.g., reduce errors, improve prompt routing).
We integrate with third-party AI providers via API (e.g., OpenAI, Google Gemini, xAI Grok, Perplexity) and strive, where available, to disable provider training and minimize retention. However, each provider’s own terms and retention practices apply; some may retain content for fraud/security or model improvement.
If you require stricter controls (e.g., no training or shorter retention), contact us before onboarding. We will assess feasibility within the selected stack and document configuration choices with you.
PHI prohibition reminder: We do not accept PHI without a signed BAA. Do not submit PHI otherwise.
9) Legal Bases / U.S. Focus
We target the United States. Where a legal basis is required (e.g., if non-U.S. users interact with the Site), we generally rely on: Contract (to provide Services), Legitimate Interests (operations, improvement, security), Consent (marketing; non-essential cookies), and Legal Obligation (compliance).
10) Sharing & Disclosures
We do not sell or share personal information for cross-context behavioral advertising. We disclose personal information only to:
a. Service providers / processors acting on our behalf under written agreements, including:
i. Hosting/Infrastructure: Microsoft Azure (primary U.S. hosting), Cloudflare (security/CDN), Namecheap (domain/DNS).
ii. AI/LLM Providers (via API): OpenAI, Anthropic, Google (Gemini), xAI (Grok), Perplexity (model inference).
iii. Telephony/Voice/SMS: Twilio (and, where applicable, Vonage).
iv. Transcription/ASR: vendor ASR services selected for a given deployment.
v. CRM/Automation: GoHighLevel (GHL).
vi. Payments: Stripe (we do not store full card data).
These providers may only process personal information consistent with our instructions and this Policy.
b. Business transfers – in connection with a merger, acquisition, or asset sale, subject to this Policy’s protections.
c. Legal or safety reasons – to comply with law or lawful requests, or to protect rights, property, or safety.
Third-party responsibilities: Each third party’s independent privacy and security commitments apply to its services. To the maximum extent permitted by law, we are not responsible for a third party’s acts or omissions.
11) International Transfers
We host and process primarily in the United States and aim to avoid cross-border transfers. Some providers use distributed infrastructure; if limited processing occurs outside the U.S., we contractually require appropriate safeguards and will endeavor to minimize such transfers and/or configure U.S. region processing where feasible.
12) Data Retention
We retain personal information only as long as necessary for the purposes described in this Policy or as required by law, then delete or de-identify it. Unless otherwise agreed in writing with a customer and supported by the vendor stack, our default targets are:
a. Account & profile data: for the life of the account, then deletion upon closure (subject to legal holds).
b. Operational transcripts (voice/SMS/chat) & call recordings: up to 90 days.
c. System/security logs: up to 12 months.
d. Marketing/contact records: until you opt out or request deletion.
e. Billing/invoices & tax records: as required by law (typically 3–7 years).
If you require stricter retention, contact us before onboarding so we can assess feasibility.
13) Security
We implement commercially reasonable administrative, technical, and physical safeguards, including encryption in transit and at rest, access controls/RBAC, MFA/SSO where available, network security, audit/logging, vendor due diligence, and employee awareness. We periodically review risks and update controls.
Important healthcare notice: The Healthcare arm is not designed to store or process PHI without a signed BAA and additional controls. Do not submit PHI absent a BAA. To the fullest extent permitted by law, we disclaim liability for unauthorized PHI disclosures caused by submissions that violate this Policy, and reserve all defenses. No security program is perfect; we cannot guarantee absolute security.
14) Your Privacy Choices & Rights
a. Marketing opt-out: You may opt out of marketing emails by using the unsubscribe link, and out of SMS by replying STOP.
b. Access/Deletion/Correction: You may request access to, correction of, or deletion of your personal information.
c. U.S. state law rights: Depending on your state, you may have additional rights (e.g., to know, delete, correct, limit use of sensitive personal information). We do not sell or share personal information for targeted advertising.
d. Appeals: We do not offer a general appeal process. If applicable law provides a right to appeal in your jurisdiction, we will inform you how to exercise it in our response.
Submit requests at [email protected]. We may need to verify your identity before fulfilling a request.
15) Cookies & Similar Technologies
We use cookies and similar technologies to operate, secure, and measure the Services. A cookie consent banner and “Cookie Settings” preference manager are available on the Site.
Categories we use:
a. Essential (Strictly Necessary): required for core functionality and security. These are always active.
b. Analytics/Performance: help us understand usage to improve reliability and user experience.
c. Functional (optional): remember choices or enable enhanced features (used sparingly on the Healthcare site).
d. Advertising/Targeting: not used on the Healthcare site; we do not engage in cross-site behavioral advertising here.
Your choices:
a. On first visit (and periodically thereafter), the banner will request your consent for non-essential cookies. You can accept, reject, or customize categories.
b. You may withdraw or change your consent at any time by clicking the on-site “Cookie Settings” button (typically found in the footer or via the banner).
c. Browser settings may also control cookies; however, some features may not function without essential or permitted cookies.
Global Privacy Control (GPC) / Do Not Track (DNT):
a. Where our consent tool supports GPC (and where required by law), we treat an active GPC signal as an opt-out of sale/share and disable non-essential cookies in applicable regions.
b. Because we do not sell/share personal information for targeted advertising on the Healthcare site, DNT/GPC may have limited additional effect on data practices beyond cookie preferences.
Retention: Cookie lifetimes vary by category and provider (typically session-based up to 13 months). Specific tags/cookies and their lifetimes may be listed within the “Cookie Settings” manager.
16) Voice, Calls & SMS (Consent; Recording; Transcription)
By providing a phone number and interacting with our AI agents or requesting communications, you consent to receive calls and texts related to the Services (e.g., scheduling, reminders, confirmations). Message and data rates may apply.
We may record and/or transcribe calls and messages for service delivery, quality assurance, troubleshooting, and improvement. If you do not consent to recording or transcription, do not use voice features. You may opt out of SMS at any time by replying STOP.
17) No Medical Advice; Emergency Disclaimer
The Services are operational (e.g., intake, scheduling, reminders, billing support, reviews). We do not provide medical advice, diagnosis, or treatment. If you have a medical emergency, call 911 or contact a qualified clinician.
18) Service Provider / Processor Role
For many customer deployments, we act as a service provider/processor processing personal information on the customer’s behalf and instructions. In those cases, the customer’s privacy notice applies to processing performed for that customer. This Policy governs our role as a business/controller (e.g., Site visitors; our direct marketing).
19) International Users
The Services are intended for U.S. users. If you access the Services from outside the United States, you understand your information may be processed in the U.S., which may have different data protection laws than your jurisdiction.
20) State-Specific Disclosures
a. California (CPRA): We do not “sell” or “share” personal information for cross-context behavioral advertising. You may request access, deletion, or correction, and to limit use of sensitive personal information (which we do not seek on the Healthcare arm). Authorized agents may submit verified requests on your behalf.
b. Colorado / Connecticut / Virginia / Utah, etc.: You may have rights to access, delete, or correct data and opt out of targeted advertising and “sales.” We do not engage in those activities on the Healthcare arm. Where an appeal right exists, we will inform you of the process in our response as required by law.
21) Changes to this Policy
We may update this Policy from time to time. The “Effective Date” above reflects the latest version. If we make material changes, we will post the updated Policy on the Site. Your continued use after an update constitutes acceptance of the revised Policy.
22) Liability-Sensitive Healthcare Statement
To the maximum extent permitted by applicable law:
a. We disclaim liability for user-initiated disclosures of PHI or other sensitive information made contrary to this Policy or without a signed BAA.
b. We are not responsible for third-party platforms’ independent acts, omissions, or their separate privacy/security practices.
c. We reserve all defenses and limitations available under law and contract.
Nothing in this Policy limits any non-waivable consumer rights under applicable law.
23) How to Contact Us
For questions, privacy requests, or complaints, contact:
a. Applied AI – Healthcare
b. Email: [email protected]
c. Location: Massachusetts, United States
Summary (Not a substitute for the Policy)
Applied AI – Healthcare collects minimal, non-PHI data to run operational AI for healthcare businesses (voice/chat/SMS, scheduling, reminders, reviews). We host primarily in the U.S., use vetted providers (Azure, Cloudflare, Twilio, Stripe, selected LLMs), and do not sell/share personal information for targeted advertising. A cookie consent banner and “Cookie Settings” manager let you control non-essential cookies and withdraw consent at any time. We do not accept PHI without a signed BAA. You can opt out of marketing and request access or deletion at [email protected].