Privacy Policy

A. Patient Information

When you call a healthcare practice using Xophie, we may collect and process:

• Name and contact information (phone number, email address)
• Appointment details, preferences, and scheduling requests
• Call recordings and audio data
• Call transcripts and AI-generated summaries
• Messages sent via SMS or email
• Interaction history with our AI receptionist
• Insurance information (when provided)
• Reason for visit and healthcare-related inquiry details

The information collected depends on what you choose to provide and what the healthcare practice configures in their system.

B. Practice and Business Information

For healthcare practices using Xophie, we collect:

• Organization name and practice details
• Staff account information and credentials
• Provider scheduling data and availability
• Practice configuration and preferences
• Analytics and usage data
• Billing and payment information

C. Automatically Collected Data

We automatically collect certain technical information:

• Device information and operating system
• IP address and general location data
• Browser type and language preferences
• Log files and system events
• Usage analytics and performance metrics
• Session data and interaction patterns

Xophie uses collected data to:

• Answer patient calls using AI-powered voice assistance
• Schedule, manage, and confirm appointments in real-time
• Send appointment confirmations, reminders, and follow-up communications
• Generate call summaries and transcripts for healthcare providers
• Improve service quality, system performance, and AI accuracy
• Provide analytics and insights to participating healthcare practices
• Maintain system security, prevent fraud, and detect abuse
• Comply with legal obligations and healthcare regulations
• Process billing and manage customer accounts
• Respond to customer support inquiries and provide technical assistance

Xophie does not sell, rent, or share personal data with third parties for marketing or advertising purposes.

Information may be shared only with:

• Your Healthcare Practice: The dental or medical practice you are contacting or working with receives all relevant patient communication data.
• Service Providers: Trusted infrastructure and technology partners required to deliver our services, including:
  • Cloud hosting and storage providers (secure, encrypted infrastructure)
  • Telephony and communication platforms (LiveKit, Twilio)
  • AI processing and natural language services
  • Analytics and monitoring tools (PostHog)
  • Payment processors and billing services
• Legal and Regulatory Authorities: When required by law, court order, subpoena, or to protect our legal rights and comply with healthcare regulations.
• Business Transfers: In connection with a merger, acquisition, or sale of assets, with notice provided in advance.

We require service providers to protect information through contractual and security obligations appropriate to their role.

We implement administrative, technical, and physical safeguards designed to protect your information:

• Encryption: Data is encrypted in transit using industry-standard TLS protocols and at rest through secure cloud infrastructure provided by our infrastructure partners.
• Access Controls: Role-based access controls (RBAC) ensure only authorized personnel can access sensitive information.
• Authentication: Multi-factor authentication (MFA) and strong password requirements for user accounts.
• Secure Infrastructure: Built on infrastructure providers that maintain SOC 2 Type II compliance, including LiveKit, Supabase, Twilio, and AWS.
• Audit Logging: System activity and data access are logged and protected using access controls and retention policies.
• Monitoring: Automated monitoring and alerting tools help detect and respond to potential security issues.

While we implement industry-standard security measures, no method of transmission or storage is 100% secure. We cannot guarantee absolute security but continuously work to protect your information.

Xophie is designed with healthcare privacy best practices and supports HIPAA-aligned workflows. For healthcare practices that are HIPAA covered entities:

• Xophie operates on HIPAA-eligible infrastructure and plans to execute Business Associate Agreements (BAAs) with covered entities where required.
• We implement appropriate safeguards aligned with HIPAA requirements for protecting Protected Health Information (PHI).
• Xophie uses HIPAA-eligible subprocessors and will maintain Business Associate Agreements where required for customers handling PHI.
• System activity and access to sensitive data are logged for compliance and security monitoring.

If you are a patient, your healthcare provider remains the covered entity responsible for your protected health information. Xophie is designed to process this information on behalf of your provider in accordance with healthcare privacy standards.

We retain personal information only as long as necessary to fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required or permitted by law.

• Patient Data: Retained based on the healthcare practice's configuration and applicable legal requirements.
• Call Recordings and Transcripts: Retained for the period set by the healthcare practice (with deletion options available).
• Account and Billing Data: Retained as required for business, tax, and legal purposes.
• Analytics Data: Aggregated and anonymized analytics may be retained indefinitely for service improvement.

Upon termination of service, practice data will be securely deleted or returned in accordance with the service agreement.

Depending on your location, you may have certain rights regarding your personal information:

• Access: Request a copy of the personal information we hold about you.
• Correction: Request correction of inaccurate or incomplete information.
• Deletion: Request deletion of your personal information, subject to legal retention requirements.
• Opt-Out: Opt out of SMS communications by replying STOP or contacting us directly.
• Data Portability: Request transfer of your data to another service provider where technically feasible.
• Objection: Object to certain processing of your information.

To exercise these rights, please contact [email protected]. If you are a patient, you may also contact your healthcare provider directly. We will respond to verified requests within 30 days.

Xophie does not knowingly collect personal information from children under 13 years of age without parental consent. Our services are designed for use by healthcare practices and their adult patients or legal guardians acting on behalf of minors.

Our services may contain links to third-party websites or services. We are not responsible for the privacy practices of these external sites. We encourage you to review the privacy policies of any third-party sites you visit.

Xophie is based in the United States. If you access our services from outside the United States, your information may be transferred to, stored, and processed in the United States or other countries where our service providers operate. By using our services, you consent to such transfers.

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. We will notify you of material changes by:

• Posting the updated policy on our website with a new “Last Updated” date
• Sending email notifications to registered healthcare practices
• Displaying a prominent notice on our platform

Your continued use of Xophie after changes are posted constitutes acceptance of the updated Privacy Policy.

If you have questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact us: