Definitions
Platform: The NOXV AI receptionist system, including all APIs, dashboards, communication channels, and integrations.
Tenant: A clinic or healthcare provider organization that subscribes to the Platform.
Patient / Data Subject: Any individual whose personal data is processed through the Platform, including patients who interact with the AI receptionist and clinic staff.
Personal Data: Any information relating to an identified or identifiable natural person, including name, phone number, email address, and appointment information.
Sensitive Data: Personal data that reveals health-related information, including medical service requests and provider preferences communicated through the Platform.
Processing: Any operation performed on personal data, whether automated or manual, including collection, recording, organization, storage, retrieval, use, disclosure, restriction, erasure, or destruction.
Data We Collect
Patient Data: Full name, phone number (E.164 format), email address (if required by the clinic), service requested, provider preference, conversation history, and call transcripts.
Clinic Staff Data: Display name, email address, hashed password, and audit logs.
What We Do NOT Collect: We do not collect National ID or Iqama numbers, financial or payment card data, biometric data, geolocation data, or social media profiles or identifiers.
How We Use Your Information
We use the information we collect for the following purposes:
Appointment booking, rescheduling, and cancellation management.
Patient identification: patient records are looked up by a SHA-256 hash of the patient's E.164 phone number rather than by the number itself.
Conversation continuity across communication channels.
Quality assurance and service improvement.
Clinic analytics using anonymized and aggregated data.
Audit logging and regulatory compliance.
Email notifications for appointment confirmations and reminders.
Google Calendar synchronization for scheduling.
Data Sharing and Third Parties
NOXV never sells personal data. We never share data across tenants. We share only the minimum data necessary with the following sub-processors to deliver our services:
OpenAI: GPT-4.1 via Enterprise API for AI conversation processing. OpenAI does not use our data for model training.
Google Calendar API: For appointment scheduling and calendar synchronization.
Telegram Bot API: For patient communication via Telegram.
Twilio: For WhatsApp messaging and voice call handling.
ElevenLabs: For AI voice synthesis.
SMTP Provider: For email notifications.
Cross-border data transfers comply with PDPL Article 29, ensuring adequate protection for personal data transferred outside the Kingdom of Saudi Arabia.
Data Retention
We retain data for the following periods:
Active patient records: Duration of subscription plus 12 months.
Appointment records: 3 years.
Conversation logs: 12 months.
Voice recordings: 90 days.
Admin audit logs: 24 months.
LLM call logs: 12 months.
Rate limit logs: 7 days.
Your Rights Under PDPL
Under Saudi Arabia's Personal Data Protection Law (PDPL), you have the following rights:
Right to be informed about how your personal data is collected and used.
Right of access: Request a copy of the personal data we hold about you. Response within 30 days.
Right to rectification: Request correction of inaccurate or incomplete data. Response within 30 days.
Right to erasure: Request deletion of your personal data. Response within 30 days.
Right to restrict processing: Request limitation of how we process your data. Response within 30 days.
Right to data portability: Receive your data in JSON or CSV format. Response within 30 days.
Right to object to processing of your personal data.
Right to withdraw consent: Takes effect immediately upon request.
To exercise any of these rights, please contact us at privacy@noxv.ai.
Data Security
We implement robust technical and organizational measures to protect your data:
TLS 1.2+ encryption for all data in transit.
AES-256 encryption for all data at rest.
AES-256-GCM encryption for OAuth tokens.
scrypt hashing for passwords.
Role-based access control (RBAC) with tenant isolation ensuring complete data separation between clinics.
Comprehensive audit trails for all data access and modifications.
Redis-backed rate limiting to prevent abuse.
Input validation and content filtering on all user-submitted data.
Idempotency controls to prevent duplicate operations.
Continuous monitoring and alerting for security events.
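The phone-number lookup hash listed under How We Use Your Information and the scrypt password hashing listed under Data Security, as an added standard-library example. This is illustration code written for this page, not the Platform's implementation, and it makes assumptions the page does not state: a +966 (Saudi Arabia) default country code for numbers given in national format, a per-tenant HMAC key, and scrypt parameters N=2^14, r=8, p=1 with a 16-byte random salt. The unkeyed SHA-256 variant is the one the page names; the keyed variant is included because a hash over nothing but the E.164 number space can be inverted by enumerating candidate numbers (invert_unkeyed_hash demonstrates this on a 4-digit suffix), and whether the Platform keys or salts its lookup hash is not stated on this page.

```python
"""Lookup-hash and password-hash helpers (hypothetical example, not NOXV code)."""
import hashlib
import hmac
import os
import re
import secrets
from typing import Optional

_NON_DIGITS = re.compile(r"[^\d+]")

# Assumed scrypt parameters: ~16 MiB of memory per hash, single thread.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def normalize_e164(raw: str, default_cc: str = "966") -> str:
    """Canonicalize a dialled number to E.164 ("+" followed by 8-15 digits).

    default_cc="966" is an assumption for this demo (Saudi Arabia); the page
    only says numbers are stored in E.164 format.
    """
    s = _NON_DIGITS.sub("", raw.strip())
    if s.startswith("00"):           # international prefix written as 00
        s = "+" + s[2:]
    elif s.startswith("0"):          # national format: drop trunk 0, add country code
        s = "+" + default_cc + s[1:]
    elif not s.startswith("+"):
        s = "+" + s
    digits = s[1:]
    if "+" in digits or not digits.isdigit() or not 8 <= len(digits) <= 15:
        raise ValueError(f"not a valid E.164 number: {raw!r}")
    return "+" + digits


def lookup_hash(e164: str, key: Optional[bytes] = None) -> str:
    """Record lookup key for a phone number.

    key=None is the plain SHA-256 the page describes. With a key it becomes
    HMAC-SHA256: the same one-way lookup property, but an attacker holding the
    hash table cannot enumerate numbers without also holding the key.
    """
    data = e164.encode("ascii")
    if key is None:
        return hashlib.sha256(data).hexdigest()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def invert_unkeyed_hash(target_hex: str, prefix: str, unknown_digits: int) -> Optional[str]:
    """Recover a number from an unkeyed SHA-256 lookup hash by enumeration.

    Phone numbers are low-entropy: a national numbering plan has roughly
    10**9 to 10**10 candidates, which commodity hardware hashes offline in
    hours at most. The demo fixes a known prefix and enumerates only the
    trailing unknown_digits digits so it runs instantly.
    """
    for n in range(10 ** unknown_digits):
        cand = f"{prefix}{n:0{unknown_digits}d}"
        if hashlib.sha256(cand.encode("ascii")).hexdigest() == target_hex:
            return cand
    return None


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'scrypt$N$r$p$salt_hex$dk_hex'; a fresh 16-byte salt per user."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    dk = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute scrypt with the stored parameters and compare in constant time."""
    try:
        alg, n, r, p, salt_hex, dk_hex = stored.split("$")
        if alg != "scrypt":
            return False
        dk = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                            n=int(n), r=int(r), p=int(p), dklen=len(dk_hex) // 2)
    except (ValueError, TypeError):
        return False                 # malformed record: never match
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    tenant_key = os.urandom(32)                  # constructed per-tenant HMAC key
    number = normalize_e164("0512 345 678")      # constructed sample number
    plain, keyed = lookup_hash(number), lookup_hash(number, tenant_key)
    print(number, plain[:16], keyed[:16])
    print("recovered from unkeyed hash:", invert_unkeyed_hash(plain, "+96651234", 4))
    record = hash_password("correct horse battery")
    print(verify_password("correct horse battery", record),
          verify_password("wrong password", record))
```

The keyed lookup only helps if the HMAC key lives outside the database that holds the hashes (a secrets manager or KMS, one key per tenant), so that a dump of the patient table alone yields nothing enumerable; the scrypt record stores its own parameters so they can be raised later without breaking verification of older records.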
Cookies and Tracking
Admin Dashboard: We use session cookies only for authentication purposes. We do not use any third-party tracking cookies on the admin dashboard.
Patient Channels: Patient communication channels (Telegram, WhatsApp, Voice) do not use cookies at all.