- We handle two very different kinds of data: protected health information (PHI) we process on behalf of dental practices under HIPAA and a Business Associate Agreement, and general website and account data from visitors and prospects. [verify]
- For PHI, the dental practice is responsible as the covered entity; Tavali acts as its business associate. Patients exercising health-record rights should contact their dental provider. [verify]
- We use general data to run our website, respond to demo requests, provide and improve the Service, and meet legal obligations. [verify]
- Whether and how customer data or PHI is used to improve AI models is a sensitive question we flag explicitly below. [verify]
This summary is provided for convenience only. The full policy below governs, and is itself a draft pending legal review.
This Privacy Policy explains how Tavali, Inc. handles information in connection with our website and our AI-native dental platform. It is a working template and contains bracketed placeholders, shown like [verify] and [detail], wherever a statement about our actual practices or a company- or jurisdiction-specific detail must be confirmed before publication.
Introduction & scope
Tavali, Inc. (“Tavali,” “we,” “us,” or “our”) provides an AI-native software platform for dental practices, together with our public website. This Privacy Policy describes how we collect, use, share, and protect information in connection with the website and the platform (together, the “Services”).
We intend to apply this policy consistently with our actual data practices. Where this draft describes a practice that has not yet been confirmed, it is flagged with [verify] and must be reconciled with our real practices before this policy takes effect.
This policy does not modify or replace any agreement between Tavali and a customer, including any Order Form, Terms of Service, or Business Associate Agreement, which control where applicable.
How we handle different types of data
Tavali handles two categories of data that are governed differently. Keeping them distinct is important.
(a) Protected Health Information (PHI). When we process patient information on behalf of a dental-practice customer, that information is PHI under HIPAA. In that relationship, the dental practice is the covered entity and acts as the controller of the PHI, and Tavali acts as a business associate (processor) under the Business Associate Agreement (BAA) between Tavali and that practice. The BAA governs our handling of PHI. [verify roles]
(b) General and website data. Information about website visitors, prospects, and account or marketing contacts is handled by Tavali under general privacy law as described in this policy. [verify]
Where a conflict exists between this policy and the applicable BAA with respect to PHI, the BAA controls. [verify]
Information we collect
Subject to verification against our actual practices, we may collect the following categories of information:
Information you provide
- Contact and demo-request details submitted through our forms, such as name, work email, organization, and message content. [verify]
- Account information for Authorized Users of the platform. [verify]
- Communications you send to us (support, sales, or general inquiries). [verify]
Information collected automatically
- Device and technical data, such as IP address, browser type, and operating system. [verify]
- Usage data about how the website and platform are accessed and used. [verify]
- Cookies and similar technologies, as described in Section 6. [verify]
Information from third parties
- Information from service providers, analytics tools, or business partners, where permitted. [verify]
This section describes general and website data. PHI processed on behalf of customers is handled under the BAA as described in Sections 2 and 10, not collected by Tavali for its own purposes. [verify]
How we use information
Subject to verification, we may use general and website data to:
- Provide, operate, maintain, and secure the Services. [verify]
- Respond to demo requests, inquiries, and support requests. [verify]
- Process billing and manage subscriptions. [verify]
- Send service and, where permitted, marketing communications (with opt-out). [verify]
- Improve and develop our products and features. [verify]
- Detect, prevent, and address security, fraud, or technical issues. [verify]
- Comply with legal obligations and enforce our agreements. [verify]
Because Tavali is an AI product operating in healthcare, the use of data to train or improve AI models is a high-sensitivity question. This draft makes no representation on the point until confirmed.
[verify — confirm whether and how customer data or PHI is or is not used to train or improve AI/ML models, including any de-identification, customer controls or opt-outs, and any restrictions required under the BAA. State the confirmed practice clearly here.]
How we share information
Subject to verification, we may share general and website data with the following categories of recipients:
- Service providers and subprocessors who perform services on our behalf (such as hosting, analytics, payment processing, or communications), under appropriate contractual obligations. [verify — maintain a current subprocessor list]
- As required by law, such as to comply with a legal obligation, regulation, or valid legal process, or to protect rights, safety, and security. [verify]
- Business transfers, in connection with a merger, acquisition, financing, or sale of assets, subject to this policy. [verify]
[verify — typically: “We do not sell your personal information.” Confirm this is accurate, including under the CCPA/CPRA definitions of “sell” and “share,” before publishing.]
PHI is shared only as permitted by the applicable BAA and HIPAA. [verify]
Cookies & tracking technologies
We and our providers may use cookies and similar technologies on our website to enable functionality, remember preferences, and understand usage. The specific cookies and analytics tools in use must be inventoried and disclosed. [verify — list categories and tools]
You can control cookies through your browser settings and, where provided, through our cookie preferences mechanism. [cookie banner / preferences link] Some features may not function properly if certain cookies are disabled.
Data retention
We retain information for as long as needed to provide the Services, fulfill the purposes described in this policy, comply with our legal obligations, resolve disputes, and enforce our agreements.
Retention periods depend on the type of data and the purpose for which it is held. [verify — specify retention periods, e.g., website/analytics data for [retention period]; account data for the Subscription term plus [retention period]]
Retention and deletion of PHI are governed by the applicable BAA and the customer’s instructions. [verify]
Data security
We maintain administrative, technical, and physical measures designed to protect information against unauthorized access, use, alteration, and disclosure. Each measure below must be confirmed against what is actually in place before publication.
- Encryption of data in transit and, where applicable, at rest. [verify]
- Access controls and role-based permissions. [verify]
- Logging, monitoring, and other operational safeguards. [verify]
No method of transmission or storage is completely secure, and we cannot guarantee absolute security. We do not claim any certification or attestation in this draft; any such claim must be independently verified before it is stated. [verify]
Your privacy rights
Depending on where you live and the applicable law, you may have rights regarding your personal information, such as the rights to access, correct, delete, or port your data, and to object to or restrict certain processing. [verify applicability]
California residents (CCPA/CPRA)
If you are a California resident, you may have rights to know, access, correct, and delete personal information, and to opt out of certain sharing, subject to legal exceptions. We do not discriminate against you for exercising these rights. [verify applicability and details]
Other jurisdictions
Residents of other states or countries may have similar or additional rights under applicable law. [verify — list applicable jurisdictions and rights]
How to exercise your rights
To make a request regarding general or website data, contact us at [privacy contact email]. We will verify your request as required by law. For health-record (HIPAA) rights, see Section 10. [verify process]
HIPAA & PHI
When Tavali processes PHI on behalf of a dental-practice customer, Tavali acts as a business associate under HIPAA, and that PHI is governed by the Business Associate Agreement (BAA) between Tavali and the customer (the covered entity), not by this Privacy Policy. [verify]
If you are a patient seeking to access, amend, or otherwise exercise rights over your health information, please contact your dental provider (the covered entity), who is responsible for those records. [verify]
Tavali will support its customers’ HIPAA obligations as set out in the applicable BAA. [verify]
International data transfers
Tavali is based in the United States, and information may be processed in the United States or other countries where we or our service providers operate. [verify]
Where required, we will use appropriate safeguards for cross-border transfers. [verify — specify mechanisms, e.g., standard contractual clauses, if and when applicable]
Children’s privacy
Our Services are intended for use by dental practices and their personnel and are not directed to children, and we do not knowingly collect personal information from children through our website for our own purposes. [verify]
Patient information, which may include information about minors, may be processed on behalf of a dental practice as PHI under the applicable BAA, where the practice is responsible as the covered entity. [verify]
Third-party links & services
Our website and platform may link to or integrate with third-party websites and services that we do not control. This policy does not apply to those third parties, and we are not responsible for their privacy practices. We encourage you to review the privacy policies of any third party you interact with. [verify]
Changes to this policy
We may update this Privacy Policy from time to time. If we make material changes, we will provide notice through the Services, by updating the “Last updated” date above, or by other means as appropriate. [verify notice method]
Your continued use of the Services after an update takes effect indicates your awareness of the updated policy, to the extent permitted by law.
Contact us
Questions about this policy?
If you have questions or requests regarding this Privacy Policy or our handling of general or website data, please contact us:
Tavali, Inc.
Privacy: privacy@tavali.com [confirm or replace]
Privacy / data-protection contact: [DPO / privacy contact, if applicable]
Mailing address: [Company Address]
For health-record (HIPAA) requests, please contact your dental provider as described in Section 10.