Privacy Policy
Apex Tools AI (“we,” “us,” “our”), operated by Brown Neyra Sales 85 Corp, a Florida corporation, operates the website apextoolsai.com and provides bilingual AI phone receptionist services to dental practices, medical spas, and other businesses (“Practice,” “Customer”).
This Privacy Policy explains how we collect, use, disclose, and safeguard personal information when individuals visit our website or use our business services. This policy applies strictly to users and operations within the United States, with a primary focus on the State of Florida.
1. Important Notice Regarding Patient Data & HIPAA
Apex Tools AI provides services to healthcare providers, dental practices, and medical spas that are covered by the Health Insurance Portability and Accountability Act (HIPAA).
- Business Associate Status: When providing our AI receptionist services to a healthcare Customer, we act as a “Business Associate” under HIPAA.
- Governing Terms: All patient data, voice recordings, call transcripts, and protected health information (PHI) volunteered by patients during calls are governed strictly by the Business Associate Agreement (BAA) executed between Apex Tools AI and the respective Practice, alongside applicable HIPAA regulations.
- Precedence: In the event of any conflict between this Privacy Policy and the terms of an active BAA, the terms of the BAA will control regarding patient data.
2. Information We Collect
A. From Customers (The Practice)
- Account Information: Name, business name, business address, email address, phone number, login session metadata, and account password (securely hashed using PBKDF2-SHA256).
- AI Configuration Data: Business hours, services offered, treatment FAQs, voice and language preferences, and escalation protocols.
- Billing Information: Stripe customer ID and subscription status. All payment processing is handled directly by Stripe; we do not store or see your credit card or financial account numbers.
- Third-Party Integration Credentials: If explicitly authorized by the Customer, we store OAuth tokens for Google Calendar, API keys for NexHealth (Dentrix, Open Dental, Eaglesoft, Carestack, Curve), and Personal Access Tokens for Calendly. These are encrypted with AES-256-GCM at the application layer and stored securely.
B. From Callers & Patients (On Behalf of the Practice)
- Telephony Metadata: Caller ID phone number, call duration, timestamp, and detected language (English or Spanish).
- Conversation Media: Audio recordings of the call and structured text transcripts.
- Volunteered Information: Any personal or health information provided by the caller to the AI (e.g., name, reason for the call, requested appointment details, or insurance provider details).
C. From Website Visitors
- Technical Server Logs: IP address, browser user agent, device type, and requested URL paths.
- Inquiries & Booking Details: Contact details and notes submitted via Cal.com when scheduling a discovery call.
3. Google User Data — Limited Use Disclosure
When a Customer connects their Google Account to enable the Google Calendar integration, Apex Tools AI requests the following specific scopes:
- https://www.googleapis.com/auth/calendar.events — To view, create, and modify appointment events on your connected calendar, enabling the AI to write scheduled appointments directly into your real-time practice schedule.
- https://www.googleapis.com/auth/userinfo.email — To display the authorized Google identity within your dashboard.
Our use and transfer of information received from Google APIs adheres strictly to the Google API Services User Data Policy, including the Limited Use requirements:
- We use Google user data only to provide and maintain the calendar-syncing features you explicitly authorize.
- We do not transfer Google user data to third parties, except as strictly necessary to host our infrastructure (Cloudflare) or comply with valid federal or Florida state legal mandates.
- We never use Google user data for advertising, marketing, or serving promotional content.
- Human review of Google user data is strictly prohibited unless explicit consent is provided, it is required for critical security investigations, or the data has been fully aggregated and de-identified.
- We do not use Google user data to train generalized machine learning or artificial intelligence models.
How to Revoke: You can instantly disconnect integrations via your customer dashboard (/dashboard/#integrations), which deletes stored tokens immediately, or by removing access via myaccount.google.com/permissions.
4. How We Use and Share Information
We use the collected information exclusively to fulfill our contractual commitments to our Customers and maintain platform operations:
- Operating the real-time AI phone receptionist (routing calls, processing voice metrics, and logging appointments).
- Syncing schedules directly to your Practice Management Systems (PMS) or connected calendars.
- Generating usage reports and analytics for Customer dashboards.
- Processing billing and transactional security notices.
- Investigating, preventing, and mitigating fraudulent or abusive activity.
Data Sharing Disclosures
We do not sell, rent, trade, or monetize personal data or patient information. To deliver our automated services, data subsets are processed by the following specialized third-party sub-processors:
| Provider | What We Share | Core Operational Purpose |
|---|---|---|
| Cloudflare, Inc. | Encrypted account records, call logs, tokens, and system databases. | Secure infrastructure, edge hosting, and encrypted cloud storage. |
| Vapi, Inc. | Caller phone numbers, live audio streams, and conversational text. | Voice AI engine orchestration and real-time processing. |
| OpenAI, L.L.C. | Anonymized text-only conversation transcripts. | LLM inference processing. (OpenAI does not train models on API data.) |
| ElevenLabs, Inc. | AI-generated outbound text strings only (no customer PII or caller audio). | Text-to-speech voice synthesis. |
| Deepgram, Inc. | Live caller audio streams (streamed dynamically; not retained by vendor). | Real-time speech-to-text transcription. |
| Twilio, Inc. | Caller phone numbers, carrier metadata, and urgent SMS alert payloads. | Inbound/outbound telecommunication routing. |
| Stripe, Inc. | Name, business email, and direct credit card inputs. | Compliant payment processing and subscription billing. |
| Resend, Inc. | Recipient email addresses and transactional notification text. | Transactional system email delivery. |
| NexHealth / Cal.com | API tokens, appointment details, and associated patient contact names. | Writing completed appointments into the Customer’s chosen system. |
Other Legal Transfers
We may disclose specific information if required by a valid law enforcement subpoena, Florida court order, or to protect the safety, legal rights, and physical security of Apex Tools AI, our customers, or the public.
5. Data Storage, Retention, and Security
Data Geolocation
All customer account metrics, configuration criteria, transcripts, and integration credentials reside in Cloudflare D1 databases located within North American cloud data regions.
Retention Schedules
- Customer Account Information: Kept for the duration of an active business subscription, plus 90 days following formal account cancellation.
- Call Transcripts and Audio Recordings: Retained automatically for 90 days, unless a shorter custom retention window is dictated by the Practice’s BAA.
- Financial Records: Stripe billing histories are preserved for 7 years to meet federal IRS and Florida Department of Revenue guidelines.
Technical Safeguards
- Transport Security: All data in transit is forced over HTTPS using HTTP Strict Transport Security (HSTS).
- Password Protections: User passwords are hashed (not stored in recoverable form) using PBKDF2-SHA256 with a minimum of 100,000 iterations and a unique salt per user.
- Application Cryptography: Integration tokens and keys are encrypted at the application level with AES-256-GCM before being written to storage, with the encryption keys held separately from the application in isolated Cloudflare secret managers.
6. Call Recording Compliance (Florida Law Notice)
The State of Florida enforces a strict two-party/all-party consent law for wiretapping and recording electronic communications (Fla. Stat. § 934.03).
Important Compliance Duty: It is the sole legal responsibility of the Customer (the Practice) to ensure that their phone configuration includes a proper introductory greeting informing all inbound callers that their call is being recorded and processed by automated artificial intelligence tools prior to routing the stream to Apex Tools AI.
7. Your Rights and Choices
As a business platform operating under United States and Florida commercial guidelines, we provide the following controls to all active accounts:
- Access & Corrections: You can review, update, or correct your registration details inside your client dashboard profile at any time.
- Data Portability & Erasure: You can request a programmatic export of your account data or demand the destruction of non-legally mandated client records by writing to hello@apextoolsai.com. Account closure actions will be finalized within 30 days.
Children’s Privacy (COPPA)
Our platform is built exclusively as a business-to-business platform and does not knowingly solicit or collect data directly from children under the age of 13. If a patient under 13 interacts with our automated phone receptionist service on behalf of a Practice, that data is handled under strict HIPAA privacy protocols as delegated by the healthcare provider.
8. Amendments and Contact
Changes to This Policy
We reserve the right to modify this document. If a change materially relaxes restrictions regarding how we handle your information, we will notify all active account holders via email at least 14 days before those modifications go into effect.
Contact Information
For privacy questions, compliance inquiries, or to execute data requests:
Apex Tools AI
Operated by Brown Neyra Sales 85 Corp
Email: hello@apextoolsai.com