Privacy Policy
Last Updated: November 6, 2025
Effective Date: November 6, 2025
1. Introduction
Invox AI ("we," "our," or "us") is committed to protecting your privacy and the privacy of your patients. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our AI-powered dental practice voice assistant service.
This policy applies to dental practices ("you," "your practice") and their patients who interact with our voice AI system. By using Invox AI, you agree to the collection and use of information in accordance with this policy.
2. Information We Collect
2.1 Practice Information
When you sign up for Invox AI, we collect:
- Practice name and address
- Contact information (email, phone number)
- Business hours and appointment availability
- Services offered and pricing
- Staff information (names, roles)
- Payment information (processed securely via Stripe)
2.2 Patient Information (Call Recordings)
When patients call your practice, we may collect:
- Voice recordings of phone conversations (with explicit consent)
- Personal details: Name, phone number, email address, date of birth
- Health information: Reason for visit, symptoms, dental concerns, treatment history
- Appointment details: Preferred dates/times, service type, urgency
- Call metadata: Date, time, duration, call outcome
2.3 Technical Information
- IP addresses and device information
- Browser type and version
- Usage analytics and performance data
- Error logs and debugging information
3. How We Use Your Information
3.1 Service Delivery
- Answer patient inquiries about services, pricing, and availability
- Book, reschedule, and manage appointments
- Handle emergency dental requests
- Send appointment confirmations and reminders
- Integrate with your Google Calendar and practice management systems
3.2 Quality Improvement
- Train and improve our AI models
- Monitor call quality and agent performance
- Identify and fix technical issues
- Analyze usage patterns to enhance features
3.3 Legal Compliance
- Comply with UK GDPR and dental practice regulations
- Respond to legal requests and prevent fraud
- Maintain audit trails for compliance purposes
4. Legal Basis for Processing (GDPR)
Under UK GDPR, we process personal data based on:
- Consent (Article 6(1)(a)): We obtain explicit consent from callers before recording
- Contract (Article 6(1)(b)): Processing is necessary to provide our services to your practice
- Legitimate Interest (Article 6(1)(f)): Improving our AI, preventing fraud, and ensuring service quality
- Legal Obligation (Article 6(1)(c)): Complying with data protection laws and medical record retention requirements
5. Call Recording Consent
Recording Disclosure
At the start of every call, our AI agent informs callers: "This call may be recorded for quality, training, and appointment booking purposes. The recording is stored securely and you can request deletion at any time. Are you okay with that?"
- Callers can decline consent and still receive full service
- Consent is documented in our database for every call
- Callers can withdraw consent at any time by requesting data deletion
6. Data Sharing and Third Parties
6.1 Service Providers
We share data with trusted third-party processors:
- Supabase (Database) - Stores call logs, appointments, and practice data (GDPR-compliant, EU servers)
- Retell AI (Voice AI Platform) - Processes voice calls and transcriptions
- Anthropic (AI Provider) - Powers our Claude-based conversational AI
- Google (Calendar & Sheets Integration) - Syncs appointments and patient data (with your authorization)
- Stripe (Payments) - Processes subscription payments (PCI-DSS compliant)
- Vercel (Hosting) - Hosts our application infrastructure
All service providers are required to maintain GDPR-compliant data processing agreements (DPAs) and implement appropriate security measures.
6.2 We Do NOT Sell Your Data
We will never sell, rent, or trade patient data or practice information to third parties for marketing purposes.
6.3 Legal Disclosures
We may disclose information if required by law, court order, or to protect our legal rights.
7. Data Retention
7.1 UK Dental Records Requirements
In compliance with General Dental Council (GDC) guidance, we retain call recordings and patient data:
- Adult patients: 11 years from the date of last contact
- Child patients: Until the patient reaches age 25, or 11 years from last contact (whichever is longer)
7.2 Practice Account Data
- Active account data is retained while your subscription is active
- After account cancellation, data is retained for 30 days, then permanently deleted
- Billing records are retained for 7 years for tax purposes (UK law)
8. Your Rights Under GDPR
Both dental practices and their patients have the following rights:
Right of Access (Article 15)
Request a copy of all your personal data we hold
Right to Rectification (Article 16)
Correct inaccurate or incomplete data
Right to Erasure (Article 17)
Request deletion of your data ("Right to be Forgotten")
Right to Data Portability (Article 20)
Receive your data in a machine-readable format
Right to Object (Article 21)
Object to processing of your data for specific purposes
Right to Restrict Processing (Article 18)
Limit how we use your data
How to Exercise Your Rights
For Practices: Log in to your dashboard and use the GDPR tools, or contact support@invoxai.com
For Patients: Contact the dental practice directly, or email support@invoxai.com with your request
We will respond to all requests within 30 days as required by GDPR.
9. Data Security
We implement industry-standard security measures:
- Encryption: All data is encrypted in transit (TLS/SSL) and at rest (AES-256)
- Row-Level Security (RLS): Database-level isolation prevents cross-practice data access
- Access Controls: Role-based permissions and multi-factor authentication
- Regular Audits: Security assessments and penetration testing
- Data Backups: Automated backups with encryption
- Incident Response: 72-hour breach notification to ICO as required by GDPR
10. International Data Transfers
Your data is primarily stored in UK/EU data centers. If data is transferred outside the UK/EU, we ensure:
- Transfers comply with GDPR Article 44 (International Transfers)
- Adequate safeguards are in place (Standard Contractual Clauses)
- Service providers maintain equivalent data protection standards
11. Children's Privacy
Our service is designed for dental practices, not for direct use by children under 16. When children's data is collected through phone calls:
- We require parental consent before recording calls from minors
- Children's records are retained until age 25 (GDC requirement)
- Enhanced data protection measures apply to children's information
12. Cookies and Tracking
We use cookies and similar technologies for:
- Essential Cookies: Authentication, session management, security
- Analytics Cookies: Usage statistics, performance monitoring (anonymized)
- Preference Cookies: Remember your settings and preferences
You can control cookies through your browser settings. Disabling cookies may affect service functionality.
13. Changes to This Policy
We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated "Last Updated" date.
For material changes, we will notify you via email at least 30 days before the changes take effect.
14. Contact Us
For questions about this Privacy Policy or to exercise your GDPR rights:
Email: support@invoxai.com
Data Protection Officer: dpo@invoxai.com
Response Time: Within 30 days (GDPR requirement)
15. Supervisory Authority
If you believe we have not handled your data appropriately, you have the right to lodge a complaint with the UK supervisory authority:
Information Commissioner's Office (ICO)
Website: https://ico.org.uk/
Phone: 0303 123 1113
Email: casework@ico.org.uk
By using Invox AI, you acknowledge that you have read and understood this Privacy Policy.