Privacy Policy

Last Updated: February 25, 2026

INTRODUCTION

Tavali, Inc., a Delaware corporation ("Tavali," "we," "us," or "our"), is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our revenue-intelligent clinical AI platform and related services (the "Services").

This Privacy Policy applies to information we collect through:
• Our website at www.tavali.ai (the "Website")
• Our cloud-based SaaS platform and mobile applications
• Email, text, and other electronic communications
• Interactions with our sales, support, and customer success teams
• Interactions in the ordinary course of business, such as at conferences, webinars, or training sessions

Please read this Privacy Policy carefully. By accessing or using our Services, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree with our policies and practices, do not access or use our Services.

This Privacy Policy is incorporated into and forms part of our Terms of Service available at www.tavali.ai/terms-of-service.

1. DEFINITIONS

For purposes of this Privacy Policy:

"Clinical Data" means protected health information (PHI) as defined by HIPAA and other patient health information processed through the Services, including clinical notes, perio charts, audio recordings of patient encounters, treatment plans, eligibility information, and claims data.

"Customer" means the dental practice, organization, or entity that subscribes to our Services.

"Derived Data" means de-identified, anonymized, or aggregated data derived from Personal Information or Clinical Data that does not identify any individual patient or Customer.

"Personal Information" means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular individual or household. This includes but is not limited to names, email addresses, phone numbers, IP addresses, and account credentials.

"User" means any individual authorized by Customer to access the Services, including dentists, hygienists, dental assistants, office managers, and administrative staff.

2. INFORMATION WE COLLECT

2.1 Information You Provide Directly

We collect information that you provide directly to us, including:

Account Registration Information:
• Name, email address, phone number
• Job title, role, and credentials (e.g., dental license number)
• Practice name and location(s)
• Business address and billing information
• Username and password

Clinical Data (Processed as Business Associate):
• Audio recordings of patient-clinician conversations
• Transcripts and clinical notes generated through our AI scribe
• Perio examination data (probing depths, bleeding points, recession, mobility)
• Patient demographics (name, date of birth, contact information, insurance information)
• Insurance eligibility and benefits information
• Treatment plans and clinical recommendations
• Dental procedure codes (CDT codes) and diagnosis codes (ICD-10)
• Radiographic images and intraoral photographs (if uploaded)
• Claims data and remittance information
• Medical history and clinical findings

Practice Management Data:
• Appointment schedules and provider calendars
• Patient lists and census information
• Fee schedules and financial arrangements
• Insurance carrier information

Communications:
• Information you provide when you contact customer support
• Feedback, survey responses, and testimonials
• Messages sent through the Services
• Information provided during training or onboarding sessions

2.2 Information Collected Automatically

When you access or use our Services, we automatically collect certain information:

Device and Usage Information:
• IP address, browser type and version, and device identifiers
• Operating system, screen resolution, and device settings
• Pages visited, features used, and time spent on the Services
• Search queries and actions taken within the Services
• Date and time of access and session duration
• Referring and exit pages and URLs

Location Information:
• General geographic location based on IP address
• Practice location information provided during registration

Log Data:
• System activity logs, error reports, and diagnostic data
• API calls and integration events
• Performance metrics and system health data

2.3 Information from Third Parties

We may receive information about you from third parties, including:

Practice Management Systems (PMS):
• Patient demographics and insurance information
• Appointment data and provider schedules
• Existing clinical notes and treatment history
• Fee schedules and financial data

Clearinghouses and Payers:
• Eligibility verification responses (EDI 271)
• Claim acknowledgments and status updates (EDI 277, 997, 999)
• Remittance advice (EDI 835)
• Denial reason codes and payer-specific rules

Business Partners:
• Contact information for leads and prospects
• Referral information from dental associations or consulting firms

2.4 Cookies and Tracking Technologies

We use cookies, web beacons, pixels, and similar tracking technologies to collect information about your browsing activities. For detailed information about our use of cookies, please see our Cookie Policy at www.tavali.ai/cookies.

Types of cookies we use:
• Essential cookies: Required for the Services to function
• Performance cookies: Help us understand how visitors use the Services
• Functionality cookies: Remember your preferences and settings
• Analytics cookies: Collect information about Service usage and performance

You can control cookies through your browser settings, but disabling certain cookies may limit your ability to use some features of the Services.

3. HOW WE USE YOUR INFORMATION

3.1 Legal Bases for Processing (GDPR)

For users in the European Economic Area (EEA), United Kingdom, or Switzerland, we process your Personal Information based on the following legal grounds:

• Contract Performance: Processing necessary to provide the Services you've requested
• Legitimate Interests: Processing necessary for our legitimate business interests, provided these interests don't override your rights
• Legal Obligation: Processing required to comply with applicable laws and regulations
• Consent: Processing based on your explicit consent, which you may withdraw at any time
• Vital Interests: Processing necessary to protect health and safety

3.2 Purposes of Processing

We use the information we collect for the following purposes:

Service Provision and Performance:
• Provide, maintain, and improve the Services
• Process insurance eligibility verification requests
• Generate AI-assisted clinical documentation and perio charts
• Create coverage-aware treatment options and patient education materials
• Assemble, validate, and submit insurance claims
• Track claim status and manage denial workflows
• Integrate with PMS systems and clearinghouses
• Provide customer support and technical assistance

AI Model Training and Improvement:
• Train and improve our speech recognition models
• Enhance natural language processing algorithms
• Improve clinical entity extraction and CDT code mapping
• Develop predictive models for denial risk scoring
• Create benchmarking and analytics capabilities
• Generate Derived Data for research and development

Note: We use only de-identified, anonymized, or aggregated data (Derived Data) for AI model training. Identifiable patient information is never used for model training purposes.

Account and Relationship Management:
• Create and manage your account
• Authenticate users and prevent unauthorized access
• Process payments and manage billing
• Send transactional emails (account notifications, password resets, receipts)
• Provide onboarding, training, and implementation services
• Respond to your inquiries and support requests

Analytics and Business Operations:
• Analyze usage patterns and Service performance
• Generate aggregate statistics and benchmarking reports
• Conduct internal research and development
• Improve our algorithms, workflows, and user experience
• Develop new features and products
• Ensure system security and prevent fraud

Legal and Compliance:
• Comply with HIPAA and other healthcare privacy laws
• Respond to legal process (subpoenas, court orders)
• Enforce our Terms of Service and other agreements
• Protect our rights, property, and safety and those of our users
• Conduct audits and maintain business records

Marketing and Communications (with your consent):
• Send newsletters, product updates, and educational content
• Provide information about new features and services
• Invite you to webinars, conferences, or events
• Request feedback and conduct surveys
• Display your practice name and logo as a customer (with permission)

You may opt out of marketing communications at any time by following the unsubscribe instructions in our emails or contacting us at contact@tavali.ai.

4. HOW WE SHARE YOUR INFORMATION

We do not sell, rent, or trade your Personal Information or Clinical Data. We share information only in the limited circumstances described below:

4.1 Service Providers and Subprocessors

We engage third-party service providers to help us deliver the Services. These providers have access to your information only to perform specific tasks on our behalf and are contractually obligated to protect your information:

• Cloud Infrastructure: Amazon Web Services (AWS) for hosting and data storage
• Speech Recognition: AI/ML service providers for transcription and language processing
• Clearinghouses: EDI clearinghouses for eligibility verification and claims submission
• Payment Processing: Stripe or similar PCI-compliant payment processors
• Customer Support: Zendesk, Intercom, or similar support platforms
• Analytics: Google Analytics, Mixpanel, Datadog for usage analytics and monitoring
• Email Services: SendGrid, Mailchimp, Mailgun or similar for transactional and marketing emails
• CRM and Sales: Salesforce, HubSpot, or similar for customer relationship management

All service providers processing Clinical Data sign Business Associate Agreements (BAAs) as required by HIPAA.

4.2 PMS Vendors and Integration Partners

We share data with your practice management system and other integrated applications as necessary to provide the Services. This includes bi-directional exchange of patient demographics, appointment data, clinical notes, and treatment plans.

4.3 Payers and Clearinghouses

We transmit eligibility requests and insurance claims to clearinghouses and payers on your behalf. This is necessary to verify insurance coverage and process claims for reimbursement.

4.4 Business Transfers

If Tavali is involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of assets, your information may be transferred as part of that transaction. We will provide notice before your information is transferred and becomes subject to a different privacy policy.

4.5 Legal Requirements and Protection of Rights

We may disclose your information if required to do so by law or in response to:
• Subpoenas, court orders, or other legal process
• Government or regulatory requests
• Requests from law enforcement or public authorities
• Protection of Tavali's rights, property, or safety
• Prevention of fraud, security threats, or illegal activity
• Enforcement of our Terms of Service or other agreements

Where permitted by law, we will notify you before disclosing your information in response to legal requests.

4.6 With Your Consent

We may share your information with third parties when you provide explicit consent, such as:
• Displaying your practice as a customer in our marketing materials
• Publishing testimonials or case studies
• Integrating with third-party applications you authorize

4.7 Aggregated and De-Identified Data

We may share Derived Data that has been aggregated or de-identified so that it cannot reasonably be used to identify any individual or specific practice. This includes:
• Industry benchmarking reports
• Usage statistics and trends
• Research publications and presentations
• Insights shared with dental associations or research institutions

5. HIPAA COMPLIANCE AND CLINICAL DATA

5.1 Business Associate Relationship

Tavali acts as a Business Associate to Customers who are Covered Entities under the Health Insurance Portability and Accountability Act (HIPAA). We enter into a separate Business Associate Agreement (BAA) with each Customer that governs our handling of protected health information (PHI).

5.2 Permitted Uses and Disclosures of PHI

We use and disclose PHI only as permitted or required by:
• The Business Associate Agreement with Customer
• HIPAA Privacy and Security Rules
• Other applicable healthcare privacy laws

5.3 Safeguards for Clinical Data

We implement comprehensive administrative, physical, and technical safeguards to protect Clinical Data:

Administrative Safeguards:
• HIPAA training for all employees
• Background checks for employees with access to PHI
• Policies and procedures for data handling and incident response
• Designated Privacy and Security Officers
• Regular risk assessments and audits

Physical Safeguards:
• Hosting in secure data centers (operated by our cloud infrastructure provider) with access controls and surveillance
• Secure disposal of hardware and media containing PHI
• Facility access logs and badge systems

Technical Safeguards:
• Encryption of data at rest (AES-256) and in transit (TLS 1.3)
• Multi-factor authentication (MFA)
• Role-based access controls (RBAC)
• Audit logging of all PHI access and modifications
• Network firewalls and intrusion detection systems
• Regular security testing and vulnerability assessments
• Secure backup and disaster recovery procedures

5.4 Breach Notification

In the event of a breach of unsecured PHI, we will notify affected Customers without unreasonable delay and in no case later than 60 calendar days after discovery, as required by the HIPAA Breach Notification Rule, or within any shorter period specified in the applicable BAA. We will provide the information available to us about the breach, the PHI involved, and the steps being taken to contain the incident and mitigate harm.

5.5 Individual Rights Under HIPAA

Individuals have rights with respect to their PHI, including rights to access, amend, and request accounting of disclosures. As a Business Associate, we assist Customers in fulfilling these rights. Requests should be directed to the Customer (the Covered Entity), not to Tavali directly.

5.6 Minimum Necessary Standard

We limit access to PHI to the minimum necessary to accomplish the intended purpose, consistent with HIPAA requirements and best practices.

6. DATA RETENTION

6.1 Retention Periods

We retain your information for as long as necessary to fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required or permitted by law.

Account Information: Retained for the duration of your subscription and for a reasonable period thereafter to manage the business relationship and comply with legal obligations.

Clinical Data: Retained according to the terms of the Business Associate Agreement and applicable healthcare record retention laws. Audio recordings of clinical encounters are retained for a minimum of seven (7) years to support medico-legal defensibility and comply with state dental record retention requirements.

Transaction Data: Eligibility requests, claims data, and remittance information are retained for at least seven (7) years to comply with healthcare billing and audit requirements.

Usage Data and Logs: Generally retained for 12-24 months for security, troubleshooting, and analytics purposes.

Marketing Data: Retained until you opt out of marketing communications or request deletion, or for a reasonable period if you are no longer an active customer.

Derived Data: May be retained indefinitely as it does not identify specific individuals or practices.

6.2 Deletion Requests

Upon termination of your subscription, we will:
• Provide you with an export of your Clinical Data within 30 days if requested
• Delete or de-identify your Clinical Data within 60 days, except where retention is required by the BAA, legal obligations, or legitimate business purposes
• Retain backup copies for disaster recovery for an additional 90 days, after which they are securely deleted

You may request earlier deletion of specific data by contacting contact@tavali.ai, subject to our retention obligations.

7. DATA SECURITY

7.1 Security Measures

We implement industry-standard security measures to protect your information from unauthorized access, alteration, disclosure, or destruction:

• Encryption in transit (TLS 1.3) and at rest (AES-256)
• Multi-tenant data isolation with per-tenant encryption contexts
• Multi-factor authentication (MFA) for user accounts
• Role-based access controls (RBAC) with principle of least privilege
• Regular security audits, penetration testing, and vulnerability assessments
• 24/7 security monitoring and intrusion detection
• Incident response and disaster recovery plans
• Secure software development lifecycle (SDLC)
• Employee security training and awareness programs
• SOC 2 Type II attestation (audit in progress)

7.2 No Absolute Security

While we use commercially reasonable efforts to protect your information, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security, and you transmit information to us at your own risk.

7.3 Your Responsibilities

You are responsible for:
• Maintaining the confidentiality of your account credentials
• Using strong, unique passwords
• Enabling multi-factor authentication
• Promptly reporting any suspected security breaches or unauthorized access
• Ensuring your devices and networks are secure
• Training your staff on security best practices

7.4 Security Incidents

If we become aware of a security incident that compromises your information, we will:
• Notify you promptly in accordance with applicable laws and the BAA
• Investigate the incident and take steps to contain and remediate it
• Provide you with information about the incident and affected data
• Cooperate with your incident response efforts
• Implement additional safeguards to prevent future incidents

8. YOUR PRIVACY RIGHTS

8.1 Rights Applicable to All Users

Regardless of your location, you have the following rights:

Access: Request access to the Personal Information we hold about you.

Correction: Request correction of inaccurate or incomplete information.

Deletion: Request deletion of your Personal Information, subject to legal and contractual retention obligations.

Opt-Out of Marketing: Unsubscribe from marketing communications at any time.

Account Closure: Close your account and request deletion of your data.

To exercise these rights, contact us at contact@tavali.ai.

8.2 California Privacy Rights (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

Right to Know: Request information about the categories and specific pieces of Personal Information we collect, use, and disclose.

Right to Delete: Request deletion of your Personal Information, subject to certain exceptions.

Right to Opt-Out of Sale/Sharing: We do not sell or share Personal Information as defined by CCPA. If this changes, we will update this Privacy Policy and provide an opt-out mechanism.

Right to Correct: Request correction of inaccurate Personal Information.

Right to Limit Use of Sensitive Personal Information: We do not use or disclose sensitive Personal Information beyond what is necessary to provide the Services.

Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights.

To exercise your CCPA rights:
• Email: contact@tavali.ai
• Online form: www.tavali.ai/privacy-request

We will verify your identity before responding to your request. For requests involving Clinical Data, we may need to verify your identity through your healthcare provider.

CCPA Categories of Personal Information Collected:
Over the past 12 months, we have collected the following categories:
• Identifiers (names, email, IP addresses)
• Commercial information (transaction history, purchase records)
• Internet activity (browsing history, usage data)
• Geolocation data (general location from IP address)
• Professional information (job title, credentials, employer)
• Audio recordings (clinical encounter recordings)
• Health information (Clinical Data as described in Section 2)

8.3 European Privacy Rights (GDPR/UK GDPR)

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have the following rights under the General Data Protection Regulation (GDPR) or UK GDPR:

Right of Access (Article 15): Obtain confirmation of whether we process your Personal Information and access to that information.

Right to Rectification (Article 16): Request correction of inaccurate Personal Information.

Right to Erasure (Article 17): Request deletion of your Personal Information in certain circumstances.

Right to Restriction (Article 18): Request restriction of processing in certain circumstances.

Right to Data Portability (Article 20): Receive your Personal Information in a structured, commonly used, machine-readable format and transmit it to another controller.

Right to Object (Article 21): Object to processing based on legitimate interests or for direct marketing purposes.

Right to Withdraw Consent (Article 7): Withdraw consent at any time where processing is based on consent.

Right to Lodge a Complaint: File a complaint with your local data protection authority.

To exercise your GDPR rights, contact us at contact@tavali.ai or our EU representative at [To be inserted if applicable].

8.4 Canadian Privacy Rights (PIPEDA)

If you are a Canadian resident, you have rights under the Personal Information Protection and Electronic Documents Act (PIPEDA):

• Right to access your Personal Information
• Right to correct inaccuracies
• Right to withdraw consent for certain uses
• Right to file a complaint with the Privacy Commissioner of Canada

Contact our Privacy Officer at contact@tavali.ai for assistance.

8.5 Response Timeline

We will respond to verified requests within:
• 45 days for CCPA requests (with possible 45-day extension)
• One month for GDPR requests (extendable by up to two further months for complex or numerous requests)
• 30 days for PIPEDA requests

We will notify you if we need additional time and explain the reason for the delay.

9. INTERNATIONAL DATA TRANSFERS

9.1 Data Storage Locations

Your information is processed and stored primarily in the United States on servers provided by Amazon Web Services (AWS). We may also use service providers located in other countries.

9.2 Transfers from the EEA, UK, or Switzerland

If you are located in the EEA, UK, or Switzerland, we transfer your Personal Information to the United States and other countries using the following safeguards:

• Standard Contractual Clauses (SCCs): We use European Commission-approved Standard Contractual Clauses for transfers to countries without adequacy decisions.

• Data Processing Agreements: Our service providers sign Data Processing Agreements incorporating appropriate transfer mechanisms.

• Supplementary Measures: We implement additional technical and organizational measures to ensure adequate protection, including encryption and access controls.

You may request a copy of the safeguards we use for international transfers by contacting contact@tavali.ai.

9.3 Privacy Shield

Although the EU-U.S. and Swiss-U.S. Privacy Shield frameworks have been invalidated, we continue to honor the Privacy Shield Principles with respect to data transferred under those frameworks.

10. CHILDREN'S PRIVACY

The Services are not intended for use by individuals under the age of 18, and we do not knowingly collect Personal Information from children under 18.

Patient data processed through the Services may include information about minor patients, but such information is collected and provided by healthcare providers (Customers), not directly from the minors themselves. Customers are responsible for obtaining appropriate parental consent where required.

If we learn that we have collected Personal Information from a child under 18 without appropriate parental consent, we will delete that information promptly. If you believe we have collected information from a child, please contact us at privacy@tavali.ai.

11. THIRD-PARTY LINKS AND SERVICES

Our Services may contain links to third-party websites, applications, or services that are not owned or controlled by Tavali. We are not responsible for the privacy practices of these third parties.

We encourage you to review the privacy policies of any third-party services before providing them with your information. This Privacy Policy applies only to information collected by Tavali.

Examples of third-party services you may encounter:
• Payment processors (e.g., Stripe)
• Practice management systems
• Clearinghouses
• Payer portals
• Educational content providers
• Third-party integrations you choose to enable

12. DO NOT TRACK SIGNALS

Some web browsers have "Do Not Track" (DNT) features that signal websites not to track users. Currently, there is no industry standard for how to respond to DNT signals. We do not currently respond to DNT signals, but we will update this Privacy Policy if industry standards emerge.

13. CHANGES TO THIS PRIVACY POLICY

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.

We will notify you of material changes by:
• Posting the updated Privacy Policy on our Website with a new "Last Updated" date
• Sending an email to the address associated with your account
• Displaying a prominent notice within the Services

Your continued use of the Services after the effective date of the updated Privacy Policy constitutes acceptance of the changes. If you do not agree to the updated Privacy Policy, you must stop using the Services and close your account.

We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information.

14. CONTACT INFORMATION

If you have questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact us:

Tavali, Inc.
Attn: Privacy Officer
3186 Wildflower summit, Encinitas, CA 92024
Email: contact@tavali.ai

For HIPAA-related inquiries or to report a suspected breach of PHI:
Email: contact@tavali.ai

For GDPR-related inquiries (EEA, UK, Switzerland):
Email: privacy@tavali.ai
EU Representative: [To be inserted if applicable]

For CCPA-related requests (California residents):
Email: contact@tavali.ai
Online form: www.tavali.ai/privacy-request

For general customer support:
Email: contact@tavali.ai

We will respond to your inquiry within a reasonable timeframe, typically within 30 days.

15. ADDITIONAL INFORMATION FOR SPECIFIC JURISDICTIONS

15.1 Nevada Residents

Nevada residents may opt out of the sale of certain covered information. We do not sell covered information as defined by Nevada law. If this changes, we will update this Privacy Policy and provide an opt-out mechanism.

15.2 Virginia, Colorado, Connecticut, and Utah Residents

If you are a resident of Virginia, Colorado, Connecticut, or Utah, you may have additional privacy rights under your state's consumer privacy law, including rights to access, correct, delete, and opt out of targeted advertising and profiling. To exercise these rights, contact contact@tavali.ai.

ACKNOWLEDGMENT

BY USING OUR SERVICES, YOU ACKNOWLEDGE THAT YOU HAVE READ AND UNDERSTOOD THIS PRIVACY POLICY AND AGREE TO THE COLLECTION, USE, AND DISCLOSURE OF YOUR INFORMATION AS DESCRIBED HEREIN.