1. Introduction
Apex Clinic Admin is committed to protecting your privacy. This Privacy Policy explains how we collect, use, and safeguard information when you use our website at apexadmin.ai and our AI healthcare administration services.
2. Our Role Under HIPAA
We are a HIPAA Business Associate. We provide technology services to healthcare providers and process Protected Health Information (PHI) on their behalf.
We maintain comprehensive HIPAA compliance including:
Administrative, physical, and technical safeguards
Business Associate Agreements with all clients
Regular security assessments
Workforce training on privacy and security
3. Information We Collect
From Healthcare Providers (Clients):
Business name and contact information
User names and email addresses
Billing and payment information
IP addresses and usage data
Login activity and system access logs
Protected Health Information (PHI) - Processed on Behalf of Clients:
Patient names, dates of birth, contact information
Medical history and treatment information
Appointment schedules and clinical notes
Insurance and billing data
SMS, voice call, and email communications
Automatically Collected:
Cookies and tracking technologies
Website analytics and usage patterns
System performance data
4. How We Use Information
Client Business Information:
Provide and improve our services
Process payments and manage accounts
Send service updates and support communications
Comply with legal obligations
Detect fraud and security threats
Protected Health Information:
We use PHI only as directed by healthcare providers for:
Operating CRM and patient management systems
Facilitating AI voice agent communications
Sending appointment reminders via SMS and email
Supporting patient onboarding and treatment tracking
Compliance with legal requirements
We do NOT:
Use PHI for our own marketing
Sell or rent PHI to third parties
Make medical decisions
De-Identified Data:
We may create de-identified data (with all identifying information removed) for analytics, service improvements, and research.
5. How We Share Information
Service Providers (Sub-Processors):
We share data only with approved partners who help us deliver services:
AWS: Cloud infrastructure and data storage
Twilio: Voice and SMS communications
OpenAI: AI language processing (de-identified data only)
Vapi: Voice AI technology
N8N: Workflow automation
All partners are bound by data protection agreements and prohibited from using data for their own purposes.
Legal Requirements:
We may disclose information when required by:
Court orders or legal process
HIPAA regulations
Public health authorities
Law enforcement agencies
We do not sell personal information or PHI.
6. Data Security
We implement comprehensive security measures:
Technical Safeguards:
End-to-end encryption (TLS 1.2+)
Encryption at rest (AES-256)
Multi-factor authentication
Role-based access controls
Intrusion detection systems
Physical Safeguards:
AWS data centers with 24/7 security
Redundant infrastructure
Environmental controls
Administrative Safeguards:
Security policies and procedures
Employee background checks
Regular training and risk assessments
Incident response procedures
7. Data Retention & Deletion
Client Business Information: Retained during the business relationship and for up to 7 years after closure for legal purposes.
Protected Health Information:
Retained during active subscription
30 days to retrieve data after termination
Permanently deleted within 90 days from all systems
8. Your Rights
For Patients:
Patient rights under HIPAA must be exercised through your healthcare provider, not directly with us:
Access your medical records
Request corrections to information
Receive accounting of disclosures
Request restrictions on use
Opt out of SMS/email communications
For Healthcare Providers (Clients):
Access all information we maintain about your organization
Request correction of inaccurate data
Request deletion (subject to legal retention)
Receive data in portable format
Opt out of marketing communications
Cookie Choices:
Control cookies through browser settings. Note: Disabling cookies may limit functionality.
9. Children's Privacy
Our services are not intended for individuals under 18. While healthcare providers may treat minors, we process such information only as directed and in accordance with applicable laws.
10. State Privacy Rights
California (CCPA/CPRA):
California residents have the right to know, delete, correct, and opt out of the sale of personal information. We do not sell information.
Other States:
Residents of Virginia, Colorado, Connecticut, Utah, and other states with privacy laws have similar rights.
Note: PHI is exempt from state privacy laws when covered by HIPAA.
11. International Data Transfers
Our services operate in the United States. If you access from outside the U.S.:
Your information will be transferred and processed in the U.S.
U.S. privacy laws may differ from your jurisdiction
By using our services, you consent to U.S. processing
12. Breach Notification
In the event of a PHI breach:
We notify affected clients within 60 days
Clients are responsible for notifying patients per HIPAA
We cooperate with all breach investigation and reporting requirements
Report suspected incidents immediately to: [email protected] or (480) 332-8832
13. Changes to This Policy
We may update this Privacy Policy periodically. We will notify you of material changes by:
Posting the updated policy with a new "Last Updated" date
Sending an email notification
Displaying a platform notice
Continued use after changes constitutes acceptance.
14. Contact Us
For privacy questions or to exercise your rights:
Apex Clinic Admin
Scottsdale, Arizona, United States
Email: [email protected]
Phone: (480) 332-8832
Website: https://apexadmin.ai
HIPAA Privacy Officer
Email: [email protected]
Phone: (480) 332-8832
Filing Complaints:
Patients: Contact your healthcare provider or file with:
U.S. Department of Health and Human Services
Office for Civil Rights
Website: https://www.hhs.gov/ocr/complaints
Phone: 1-800-368-1019
Clients: Contact us immediately at [email protected]