Xolvion Front Desk

Experience the AI
Book a Discovery Call

Privacy Policy

Xolvion Health Privacy Policy

  • Effective date: September 19, 2025
  • Legal entity: Xolvion LLC (“Xolvion Health,” “we,” “our,” “us”)
  •  Website: xolvionhealth.com (the “Site”)
  •  Services: AI front-desk tools for healthcare practices, including voice handling, messaging, intake, scheduling, reminders, and review outreach (the “Services”).

 

This Privacy Policy explains how we collect, use, disclose, and protect information in connection with the Site and Services.

1) Scope & Roles

  • We act as a Business Associate when we provide Services to a covered entity/healthcare provider under a Business Associate Agreement (“BAA”). In that case, our processing of Protected Health Information (“PHI”) is governed by the BAA and HIPAA.

  • We act as a Controller/Business for our own Site analytics, marketing, account administration, and customer relationship data.

2) Information We Collect

A. From Clinics and Staff (B2B):

  • Contact details (name, work email, phone), role/title, practice details (clinic name, address, specialty, locations).

  • Account and billing info (plan tier, payment status), support tickets, configuration settings (routing, scripts, schedules).

  • Usage data (feature usage, logs, device/browser metadata, IP, timestamps).

 

B. From Patients (on behalf of Clinics):

  • Scheduling-only information via SMS/WhatsApp/web chat (e.g., appointment request, service interest, basic eligibility questions, preferred times). We do not request or accept PHI over SMS/WhatsApp, and our flows include clear disclaimers.

  • Voice call audio and call events (answer, duration, routing); if the clinic enables call recording, audio may be processed with consent and according to clinic policy and law.

  • Appointment confirmations, reminders, rescheduling preferences, simple post-visit feedback and review links.

C. Cookies & Similar Technologies (Site only):

  • Essential cookies (security, session), functional analytics (page views, referral, device/browser type, approximate region).

  • You can control cookies via your browser; blocking essential cookies may break functionality.

3) How We Use Information

  • Provide, secure, and improve the Services (set up locations, routing, quiet hours; deliver calls/messages; send confirmations/reminders; log events; troubleshoot).

  • Speed-to-lead responses, intake questionnaires (scheduling-only over messaging), waitlist/back-fill, review outreach.

  • Compliance operations: consent capture, audit trails, rate-limiting, STOP/HELP handling, quiet hours.

  • Business operations: account management, billing, detecting misuse/fraud, legal/regulatory compliance.

  • Site analytics and product improvement (aggregated, de-identified where possible).

4) Messaging & Call Disclosures

  • A2P 10DLC: We use registered messaging with required brand/use-case vetting.

  • Consent: By providing a phone number and opting in, clinics/patients agree to receive automated messages/calls related to scheduling, reminders, and support.

  • Frequency: Varies by workflow (e.g., booking confirmations, 72/24/3-hour reminders).

  • Opt-out: Text STOP to end, HELP for help. Message & data rates may apply. Carriers are not liable for delayed or undelivered messages.

  • Quiet Hours: We honor configured quiet-hour windows where applicable.

  • Call Recording: If enabled by the clinic, we announce recording where required and honor consent requirements.

5) PHI & HIPAA Posture

  • Scheduling-only over SMS/WhatsApp. We design messaging flows to avoid collecting PHI in text.

  • Where Services involve PHI (e.g., via voice intake, or integrations), we process PHI under a signed BAA with the covered entity and follow minimum necessary principles.

  • We implement administrative, physical, and technical safeguards aligned with HIPAA requirements.

6) Sharing & Disclosures

We do not sell personal information. We may share as follows:

  • Service Providers/Subprocessors: Communications carriers and APIs (e.g., telephony/SMS), hosting and cloud infrastructure, analytics (minimized), error monitoring, authentication, and support tools—bound by contract and confidentiality, used only to perform Services.

  • Clinic & Authorized Staff: Patient communications and scheduling context are made available to the clinic that controls the relationship.

  • Legal/Compliance: To comply with law, enforce terms, protect rights, safety, and security, or in response to valid legal requests.

  • Business Transfers: In a merger, acquisition, or asset sale, subject to continued protection consistent with this Policy.

We maintain a current list of critical subprocessors upon request and in our BAA materials.

7) Retention

  • We retain B2B account/admin data for as long as the account is active and as needed for business/legal purposes.

  • Patient interaction data is retained per the clinic’s configuration, applicable law, and our BAA; clinics may request deletion or export where permitted.

8) Security

We use industry-standard safeguards: encryption in transit, scoped encryption at rest, network isolation, access controls (least privilege, MFA for admin), audit logging, and vulnerability management. No system is 100% secure; we promptly investigate and notify as required by law and BAA.

9) Your Privacy Choices & Rights

Clinics & Staff: You may access, correct, or delete account information and manage preferences through admin settings or by contacting us.

Patients: For information collected on behalf of a clinic, please contact your healthcare provider directly. We will support the clinic in responding to rights requests as required by law and the BAA.

California (CCPA/CPRA): California residents have rights to know, access, correct, delete, and opt out of certain data sharing; we do not “sell” personal information. Submit requests via the Contact section below.

10) International Transfers

We may process data in the United States or other countries. Where required, we use appropriate safeguards (e.g., SCCs) and implement additional measures consistent with regulatory guidance.

11) Children’s Privacy

Our Site and Services are not directed to children under 13. We do not knowingly collect personal information from children without appropriate consent and healthcare supervision.

12) Third-Party Links & Sites

Our Site may link to third-party websites. Their privacy practices and content are governed by their own policies.

13) Changes to This Policy

We may update this Policy from time to time. The “Effective date” indicates the latest revision. Material changes will be posted on the Site and, where appropriate, notified to account owners.

14) Contact Us

  • Email: info@xolvionhealth.com