Privacy Policy
Last updated: May 2026
Sonili ("we," "us," or "our") operates the website sonili.io and provides AI-powered voice receptionist services for healthcare clinics. This Privacy Policy explains how we collect, use, store, and protect information when you use our website or services.
1. Information We Collect
Information You Provide
- Contact information: Name, email address, phone number, clinic name, and job title when you book a demo, submit a form, or contact us.
- Clinic configuration data: Scheduling rules, clinic hours, staff names, service offerings, and call handling preferences provided during onboarding.
Information Collected Through Our Voice Services
When our AI receptionist handles calls on behalf of your clinic:
- Call metadata: Phone numbers (caller and clinic), call duration, timestamps, and language used.
- Call recordings and transcripts: Voice recordings and transcribed text of patient-agent conversations, processed to deliver the service (appointment booking, triage routing, message relay).
- Patient information captured during calls: Name, phone number, reason for calling, preferred appointment times, and any details the patient voluntarily provides.
Information Collected Automatically
- Website analytics: Pages visited, time on site, browser type, device type, and referring URL. We use privacy-respecting analytics and do not track individual users across the web.
2. How We Use Information
We use the information we collect to:
- Deliver and operate the AI voice receptionist service for your clinic.
- Send call summaries, appointment details, and patient messages to clinic staff via WhatsApp, SMS, or email.
- Improve voice recognition, language understanding, and call handling accuracy for your specific clinic setup.
- Respond to your inquiries and provide customer support.
- Send service-related communications (not marketing) about your account.
We do not:
- Sell, rent, or trade personal data to third parties.
- Use patient call data to train general-purpose AI models.
- Use personal information for advertising purposes.
3. Data Sharing
We share information only in the following circumstances:
- With the clinic you called: Patient call data is shared with the healthcare clinic whose phone line was answered — this is the core function of our service.
- Service providers: We use third-party services to operate our platform (voice processing, speech-to-text, text-to-speech, hosting, messaging). These providers process data on our behalf under contractual obligations to protect it. Key providers include our voice AI platform, speech recognition service, and cloud hosting provider.
- Legal requirements: We may disclose information if required by law, regulation, legal process, or governmental request.
- Business transfers: In the event of a merger, acquisition, or sale of assets, user data may be transferred as part of the transaction. We will notify affected users before their data is subject to a different privacy policy.
4. Data Storage and Security
- Encryption: All data is encrypted in transit (TLS 1.2+) and at rest (AES-256).
- Access controls: Access to patient data is restricted to authorized personnel only, using role-based access controls and multi-factor authentication.
- Infrastructure: Our services run on enterprise-grade cloud infrastructure with SOC 2-compliant providers.
- Retention: Call recordings and transcripts are retained for the duration specified in your clinic's service agreement. Clinics can request deletion at any time.
5. Data Protection in MENA
We are committed to complying with data protection regulations in the markets we serve:
- UAE: We operate in accordance with the UAE Federal Data Protection Law (2021) and respect Dubai Health Authority (DHA) and Department of Health Abu Dhabi (DOH) data handling requirements. Healthcare data is treated as sensitive personal data.
- Saudi Arabia: We adhere to the Personal Data Protection Law (PDPL) requirements, including explicit consent for processing sensitive healthcare data and heightened security standards.
- Morocco: We comply with Law 09-08 and CNDP requirements for processing personal data.
- General: We process data based on the lawful basis of contract performance (delivering the service your clinic has engaged us for) and legitimate interest (improving service quality).
Clinics may request a Data Processing Agreement (DPA) that specifies data handling terms, retention periods, and responsibilities. Contact us at privacy@sonili.io to request one.
6. Patient Rights
If you are a patient whose call was handled by Sonili on behalf of a healthcare clinic:
- Access: You can request to know what information was captured during your call.
- Correction: You can request correction of inaccurate information.
- Deletion: You can request deletion of your call data.
- Objection: You can object to the processing of your data.
To exercise these rights, contact the clinic directly or reach us at privacy@sonili.io. We will respond within 30 days.
7. Clinic Responsibilities
Healthcare clinics using Sonili are data controllers for their patient data. Clinics are responsible for:
- Informing patients that calls may be handled by an AI assistant, where required by local law.
- Ensuring their use of Sonili complies with applicable healthcare and data protection regulations in their jurisdiction.
- Managing patient consent where required.
Sonili acts as a data processor, handling patient data on behalf of and under the instructions of the clinic.
8. Cookies
Our website uses only essential cookies required for the site to function. We do not use tracking cookies, advertising cookies, or third-party marketing pixels.
9. Children's Privacy
Our services are not directed at individuals under the age of 18. We do not knowingly collect personal information from children. If a minor calls a clinic using our service, the call is handled identically to any other call — we do not collect age information.
10. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify clinic customers of material changes via email. The "Last updated" date at the top of this page indicates the most recent revision.
11. Contact Us
If you have questions about this Privacy Policy or our data practices:
BAA (Business Associate Agreement) available on request for clinics requiring HIPAA-aligned data handling terms.