Privacy Policy
How Hello collects, uses, and protects your information with HIPAA infrastructure.
- Introduction
- Information We Collect
- How We Use Your Information
- HIPAA and Protected Health Information
- Data Sharing and Third Parties
- Data Security
- Data Retention
- Your Rights and Choices
- California Privacy Rights (CCPA/CPRA)
- Colorado Privacy Rights (CPA)
- Cookies and Tracking Technologies
- Children's Privacy
- International Data Transfers
- Changes to This Policy
- Contact Information
1. Introduction
Hello, Inc. ("Hello," "we," "our," or "us") operates the website usehello.ai and provides AI-powered voice agent, conversation, scheduling, payment processing, and analytics services (collectively, the "Services") to healthcare practices and their patients.
This Privacy Policy describes how we collect, use, disclose, and protect your personal information when you visit our website, use our Services, or interact with our AI voice agents by telephone. It applies to all users, including:
- Website Visitors who browse usehello.ai
- Healthcare Practice Clients ("Clients") who purchase and use our Services
- Patients and Callers who interact with Hello AI voice agents on behalf of our Clients
By using our website or Services, you agree to the collection and use of information as described in this Privacy Policy. If you do not agree, please discontinue use of our website and Services.
2. Information We Collect
2.1 Information You Provide Directly
We collect information you voluntarily submit through our website forms, including:
- Contact forms and demo requests: First name, last name, email address, phone number, practice name, practice specialty, and message content
- Account registration: Business name, contact information, billing address, and payment details
- Communications: Emails, phone calls, and other correspondence with our team
2.2 Information from Healthcare Practice Clients
When Clients onboard with Hello, we receive information necessary to configure and operate AI voice agents, including:
- Practice name, locations, contact details, and business hours
- Staff names, roles, and routing preferences
- Service offerings, pricing, and scheduling availability
- EHR/PMS system credentials for authorized integrations
- Knowledge base content (FAQs, policies, procedures)
- Custom voice agent configuration preferences
2.3 Information Processed via AI Voice Agents
When patients and callers interact with Hello AI voice agents on behalf of our Clients, we process:
- Call recordings and transcripts: Audio recordings and text transcriptions of AI voice agent conversations
- Caller information: Phone number, name (if provided), and reason for calling
- Appointment data: Requested dates, times, provider preferences, and service types
- Payment information: Deposit amounts and payment confirmations (processed through PCI-compliant third-party processors; Hello does not store full payment card numbers)
- Health-related information: Information voluntarily shared by callers, such as symptoms, conditions, or treatment inquiries
Important: Hello processes patient call data as a Business Associate under HIPAA on behalf of our healthcare practice Clients. See Section 4: HIPAA and Protected Health Information for details.
2.4 Information Collected Automatically
When you visit our website, we automatically collect certain technical information, including:
- Device and browser information: IP address, browser type and version, operating system, device type, and screen resolution
- Usage data: Pages visited, time spent on pages, click patterns, referring URLs, and exit pages
- Location data: Approximate geographic location derived from IP address
- Cookies and similar technologies: See Section 11: Cookies and Tracking Technologies
3. How We Use Your Information
We use the information we collect for the following purposes:
3.1 Service Delivery
- Configure, deploy, and operate AI voice agents for our Clients
- Process appointment bookings, confirmations, and reminders
- Facilitate payment collection on behalf of Clients
- Provide call recordings, transcripts, and analytics to Clients
- Perform AI voice agent optimization during onboarding periods
3.2 Communication
- Respond to inquiries, demo requests, and support tickets
- Send service notifications, system updates, and maintenance alerts
- Provide onboarding communications and training materials
- Conduct monthly review calls and strategy sessions (per tier)
3.3 Improvement and Analytics
- Analyze aggregated, de-identified call data to improve AI voice agent accuracy and performance
- Monitor platform performance, uptime, and reliability
- Identify and fix technical issues and errors
- Develop new features and service enhancements
3.4 Legal and Compliance
- Comply with applicable laws, regulations, and legal processes
- Enforce our Terms of Service and other agreements
- Protect the rights, safety, and property of Hello, our Clients, and the public
- Detect, prevent, and address fraud, security, or technical issues
We do not sell your personal information. Hello does not sell, rent, or trade personal information to third parties for their marketing purposes. We never train AI models on individual patient data.
4. HIPAA and Protected Health Information
4.1 Our Role as a Business Associate
Hello provides AI voice agent services to healthcare practices that are Covered Entities under the Health Insurance Portability and Accountability Act ("HIPAA"). In this capacity, Hello acts as a Business Associate and processes Protected Health Information ("PHI") on behalf of our Clients.
4.2 Business Associate Agreements
Hello enters into a Business Associate Agreement ("BAA") with every healthcare practice Client before processing any PHI. The BAA governs our obligations regarding the use, disclosure, and protection of PHI in accordance with HIPAA regulations.
4.3 PHI Safeguards
We implement the following safeguards to protect PHI:
- Administrative safeguards: Workforce training, access management policies, security incident procedures, and regular risk assessments
- Physical safeguards: Secure data center facilities, workstation security, and device controls
- Technical safeguards: encryption at rest with post-quantum-ready key management, TLS 1.2+ encryption in transit, unique user identification, audit controls, and automatic session termination
4.4 Minimum Necessary Standard
Hello limits access to PHI to the minimum necessary to accomplish the intended purpose. Our AI voice agents are configured to collect only the information required to fulfill the caller's request (e.g., scheduling an appointment, answering a question, or collecting a deposit).
4.5 Breach Notification
In the event of a breach of unsecured PHI, Hello will notify the affected Client without unreasonable delay and no later than 60 calendar days after discovery of the breach, in accordance with HIPAA Breach Notification Rules (45 CFR Part 164, Subpart D).
5. Data Sharing and Third Parties
5.1 Service Providers
We share information with third-party service providers who assist us in operating our Services, including:
| Provider Category | Purpose | Data Shared |
|---|---|---|
| Cloud Infrastructure | Hosting and data storage | All platform data (encrypted) |
| Telephony Providers | Call routing and connectivity | Phone numbers, call metadata |
| AI/LLM Providers | Natural language processing | Conversation context (de-identified where possible) |
| Payment Processors | Deposit and payment collection | Transaction data (PCI-compliant) |
| EHR/PMS Integrations | Appointment syncing | Scheduling data per Client authorization |
| Analytics | Website analytics | Anonymized usage data |
All service providers with access to PHI are bound by Business Associate Agreements or equivalent data protection agreements.
5.2 Healthcare Practice Clients
We share call recordings, transcripts, appointment data, and analytics with the healthcare practice Client on whose behalf the AI voice agent operates. Clients are the data controllers of their patient data and are responsible for their own compliance with HIPAA and applicable privacy laws.
5.3 Legal Requirements
We may disclose information when required by law, regulation, legal process, or governmental request, including:
- Subpoenas, court orders, or other legal process
- Requests from law enforcement or government agencies
- To protect the rights, safety, or property of Hello, our Clients, or others
- In connection with a merger, acquisition, or sale of assets (with notice)
5.4 With Your Consent
We may share your information for purposes not described in this Privacy Policy with your explicit consent.
6. Data Security
Hello implements comprehensive security measures to protect your information:
| Security Measure | Details |
|---|---|
| Encryption in Transit | TLS 1.2+ for all data transmitted between systems |
| Encryption at Rest | strong encryption in transit and at rest, with post-quantum-ready key management for all stored data, including recordings and transcripts |
| Access Controls | Role-based access with multi-factor authentication for administrative access |
| Tenant Isolation | Strict data separation between healthcare practice Clients |
| Audit Trails | Complete logging of all data access and system modifications |
| Infrastructure Security | Multi-provider architecture with automatic failover and 99.5% uptime target |
| Monitoring | Continuous security monitoring and anomaly detection |
For more information about our infrastructure and reliability, see our Business Continuity and SLA page.
While we implement industry-standard safeguards, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security but are committed to protecting your information using commercially reasonable measures.
7. Data Retention
We retain information only for as long as necessary to fulfill the purposes described in this Privacy Policy or as required by law:
- Website visitor data: Analytics data retained for up to 26 months. Form submissions retained for the duration of the business relationship plus 3 years.
- Client account data: Retained for the duration of the service agreement plus 7 years for tax and legal compliance.
- Call recordings and transcripts: Retention periods are configurable per Client requirements. Default retention is 90 days unless the Client specifies a longer or shorter period. Clients may request deletion at any time.
- PHI: Retained in accordance with HIPAA requirements (minimum 6 years from date of creation or last effective date) and Client BAA terms.
- Billing records: Retained for 7 years in accordance with IRS requirements.
Upon termination of a Client agreement, we will return or securely destroy PHI within 60 days, unless retention is required by law. See our Cancellation and Refund Policy for service termination details.
8. Your Rights and Choices
8.1 For Website Visitors
You have the right to:
- Access: Request a copy of the personal information we hold about you
- Correction: Request correction of inaccurate personal information
- Deletion: Request deletion of your personal information, subject to legal retention requirements
- Opt-out: Unsubscribe from marketing communications at any time using the link provided in each email
- Cookie preferences: Manage cookie settings through your browser (see Section 11)
8.2 For Healthcare Practice Clients
Clients may access, export, or request deletion of their account data and associated call data by contacting their account manager or our support team. Data export requests are fulfilled within 30 business days.
8.3 For Patients and Callers
Patients who interact with Hello AI voice agents should direct privacy inquiries to the healthcare practice they called. As a Business Associate, Hello processes patient data on behalf of and under the direction of our Clients. Patients may exercise their HIPAA rights (access, amendment, accounting of disclosures) through their healthcare provider.
If you believe your information has been processed in error, you may contact us directly at the address listed in Section 15.
9. California Privacy Rights (CCPA/CPRA)
If you are a California resident, the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) provide you with additional rights regarding your personal information:
- Right to Know: You may request disclosure of the categories and specific pieces of personal information we have collected about you, the sources, the business purposes, and the categories of third parties with whom we share it.
- Right to Delete: You may request deletion of your personal information, subject to certain exceptions.
- Right to Correct: You may request correction of inaccurate personal information.
- Right to Opt-Out of Sale/Sharing: Hello does not sell personal information. We do not share personal information for cross-context behavioral advertising.
- Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA/CPRA rights.
To exercise these rights, contact us at privacy@usehello.ai or call (314) 972-3674. We will verify your identity before processing your request and respond within 45 days.
Note: PHI processed on behalf of healthcare practice Clients under HIPAA is exempt from CCPA/CPRA. Patient privacy rights for PHI are governed by HIPAA (see Section 4).
10. Colorado Privacy Rights (CPA)
Hello operates from Denver, Colorado, and is subject to the Colorado Privacy Act (CPA). If you are a Colorado resident, the CPA provides you with the following rights regarding your personal data:
- Right to Access: You may confirm whether we are processing your personal data and access that data.
- Right to Correct: You may request correction of inaccurate personal data.
- Right to Delete: You may request deletion of your personal data.
- Right to Data Portability: You may obtain a copy of your personal data in a portable, readily usable format.
- Right to Opt Out: You may opt out of the processing of your personal data for targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects. Hello does not sell personal data or engage in profiling that produces legal effects.
Universal opt-out signals: Hello recognizes and honors universal opt-out mechanisms (such as the Global Privacy Control) as required by the CPA.
To exercise these rights, contact us at privacy@usehello.ai or call (314) 972-3674. We will authenticate your request and respond within 45 days. You may appeal a denied request by contacting us with the subject line "CPA Appeal."
Note: PHI processed on behalf of healthcare practice Clients under HIPAA is exempt from the CPA. Patient privacy rights for PHI are governed by HIPAA (see Section 4).
11. Cookies and Tracking Technologies
Our website uses the following cookies and tracking technologies:
| Technology | Provider | Purpose | Duration |
|---|---|---|---|
| Google Analytics | Google LLC | Website traffic analysis, user behavior, and page performance | Up to 26 months |
| Apollo.io Tracker | Apollo.io | Website visitor identification for business development | Session |
| Google reCAPTCHA | Google LLC | Spam and bot prevention on forms | Session |
| Essential Cookies | Hello | Site functionality (navigation preferences, form state) | Session |
Managing cookies: You can control cookies through your browser settings. Most browsers allow you to block or delete cookies. Note that disabling cookies may affect site functionality. You may also opt out of Google Analytics by installing the Google Analytics Opt-out Browser Add-on.
Do Not Track: Our website does not currently respond to "Do Not Track" browser signals, as there is no industry-standard interpretation of this signal.
12. Children's Privacy
Our website and Services are not directed to individuals under the age of 18. We do not knowingly collect personal information from children. If you are a parent or guardian and believe your child has provided us with personal information, please contact us at privacy@usehello.ai and we will promptly delete such information.
Note: Minors may interact with our AI voice agents when calling a healthcare practice (e.g., a parent calling on behalf of a child). In such cases, the healthcare practice Client is the data controller and responsible for ensuring appropriate consent and HIPAA compliance.
13. International Data Transfers
Hello is based in the United States and processes data within the United States. If you are accessing our website or Services from outside the United States, please be aware that your information will be transferred to, stored, and processed in the United States, where data protection laws may differ from those in your jurisdiction.
By using our website or Services, you consent to the transfer of your information to the United States. We take commercially reasonable measures to protect information transferred internationally in accordance with this Privacy Policy.
14. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, Services, or applicable laws. When we make material changes, we will:
- Update the "Last Updated" date at the top of this page
- Post the revised policy on our website
- Notify active Clients via email for material changes affecting PHI handling
We encourage you to review this Privacy Policy periodically. Your continued use of our website or Services after changes become effective constitutes acceptance of the revised policy.
15. Contact Information
If you have questions about this Privacy Policy, wish to exercise your privacy rights, or need to report a privacy concern, please contact us:
- Privacy inquiries: privacy@usehello.ai
- General inquiries: hello@usehello.ai
- Phone: (314) 972-3674
- Mail: Hello, Inc., Attn: Privacy, Denver, CO, United States
We will respond to privacy inquiries within 30 business days. For HIPAA-related concerns, we will respond within 10 business days.