Privacy Policy
Effective Date: March 23, 2026 | Last Updated: March 23, 2026
1. Introduction
InboundAI365, LLC (“IB365,” “we,” “us,” or “our”) is committed to protecting your privacy and the privacy of your patients. This Privacy Policy explains how we collect, use, disclose, store, and safeguard information when you use the IB365 platform, including the CRM, Aveena AI voice receptionist, MyCare patient portal, SMS messaging, and all related services (collectively, the “Services”).
This Privacy Policy applies to all users of the Services, including healthcare practice administrators, staff, providers, and patients who access the MyCare portal. By using the Services, you consent to the practices described in this policy.
2. Information We Collect
2.1 Practice Information: Practice name, address, phone number, email, specialty, provider details, business hours, insurance acceptance lists, service catalogs, and operational configuration when you register and configure your account.
2.2 Staff Information: Names, email addresses, phone numbers, roles, professional credentials, scheduling preferences, and authentication credentials for practice staff and providers.
2.3 Patient Information (PHI): When our AI systems and platform process patient communications and records on your behalf, we handle Protected Health Information including: names, dates of birth, phone numbers, email addresses, insurance information, appointment details, communication records, and any other information provided during calls, chats, or portal interactions.
2.4 Usage Data: Information about how you interact with the Services, including login times, features accessed, pages viewed, AI queries submitted, call durations, API usage, and system performance metrics.
2.5 Device & Technical Data: Browser type, operating system, IP address, device identifiers, referring URLs, and general location information derived from IP address.
2.6 Communication Data: Call recordings (when enabled), call summaries, SMS messages, chat transcripts, and email communications processed through the Services.
2.7 Payment Information: Credit card numbers, billing addresses, and transaction history. Payment card data is processed by our payment processor (Stripe) and is not stored on IB365 servers.
3. How We Use Your Information
- To provide, maintain, and operate the Services, including AI voice reception, patient portal, CRM, and SMS messaging
- To process and manage patient calls, appointments, and communications on your behalf
- To authenticate users and maintain account security
- To process payments and manage billing
- To send administrative notifications about your account, service updates, and security alerts
- To respond to support requests and provide customer service
- To comply with legal obligations, including HIPAA, TCPA, and applicable state and federal laws
- To detect, prevent, and address fraud, security issues, and technical problems
- To generate de-identified, aggregate analytics to improve the Services (see Section 9)
- To enforce our Terms of Service and protect the rights, property, and safety of IB365, our users, and the public
4. HIPAA Compliance
IB365 operates as a Business Associate under the Health Insurance Portability and Accountability Act (HIPAA). We maintain administrative, physical, and technical safeguards to protect PHI in accordance with the HIPAA Security Rule. We will execute a Business Associate Agreement (BAA) with all Covered Entity customers before processing PHI.
IB365 will report any breach of unsecured PHI within thirty (30) calendar days of discovery. We will cooperate with your practice in fulfilling breach notification obligations to affected individuals and the U.S. Department of Health and Human Services.
5. AI Data Processing
5.1 How AI Processes Data. The Aveena voice receptionist and CRM AI chat assistant process conversation data using third-party large language model (LLM) providers. When a patient calls or chats, conversation data is transmitted to LLM providers for natural language understanding and response generation. The AI then executes actions (scheduling, lookups, etc.) against your practice database.
5.2 What Is NOT Done With Your Data. IB365 does NOT use PHI, patient data, or Customer Data to train, fine-tune, or improve AI or machine learning models — whether IB365's own models or those of third-party LLM providers. Your data is processed solely to provide the Services you subscribed to.
5.3 Data Retention by AI Providers. IB365 selects LLM providers that do not retain conversation data beyond the immediate processing request. However, temporary caching may occur for processing purposes, typically for less than thirty (30) days.
5.4 Automated Decision-Making. The Services use automated processing to schedule appointments, route calls, update records, and generate responses. These automated actions are administrative in nature and do not involve clinical decision-making. You retain the ability to review, modify, or override any automated action.
6. Data Security
We implement industry-standard and healthcare-specific security measures including:
- AES-256 encryption for data at rest
- TLS 1.2+ encryption for data in transit
- PostgreSQL row-level security (RLS) for multi-tenant data isolation at the database level
- Role-based access controls (RBAC) with least-privilege enforcement
- Comprehensive audit logging of all data access, recording who, what, when, and from where
- Automatic session management with configurable timeout
- Rate limiting and brute-force protection on authentication endpoints
- Regular vulnerability assessments
- Incident response procedures and dedicated security team
While we implement these safeguards, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security but are committed to protecting your information using commercially reasonable measures.
7. Data Sharing & Third-Party Services
We do not sell your personal information or PHI. We share information only in the following circumstances:
7.1 Subprocessors. We share data with service providers who assist in delivering the Services, including: voice synthesis providers (for Aveena), large language model providers (for AI chat and voice), cloud infrastructure providers (for hosting), database providers (for storage), payment processors (for billing), authentication providers (for login), and telephony providers (for phone and SMS). All subprocessors handling PHI are contractually required to maintain HIPAA compliance.
7.2 Legal Requirements. We may disclose information when required by law, subpoena, court order, or governmental regulation, or when we believe disclosure is necessary to protect our rights, your safety, or the safety of others.
7.3 Business Transfers. In the event of a merger, acquisition, or sale of assets, your information may be transferred to the acquiring entity. We will provide notice before your information becomes subject to a different privacy policy.
7.4 With Your Consent. We may share information with third parties when you have given explicit consent.
7.5 Mobile Information. No mobile information will be shared with third parties or affiliates for marketing or promotional purposes. All the above categories exclude text messaging originator opt-in data and consent; this information will not be shared with any third parties. Your phone number and mobile device information collected through the Services, including the MyCare patient portal, AI receptionist, and SMS messaging features, will only be used to provide the healthcare communication services you have consented to receive.
8. Cookies, Tracking & Session Storage
8.1 CRM Application. The IB365 CRM uses cookies for authentication, session management, and user preferences. These are essential cookies required for the application to function.
8.2 MyCare Patient Portal. The MyCare portal uses browser sessionStorage (not cookies) for session tokens. Session data is cleared when the browser tab is closed. No persistent tracking cookies are used on the patient portal.
8.3 Marketing Website. The ib365.ai website may use analytics cookies to understand visitor behavior. No PHI is collected on the marketing website.
8.4 Do Not Track. We respect Do Not Track (DNT) browser signals on our marketing website. The CRM and MyCare applications do not use tracking technologies beyond essential session management.
9. De-identified & Aggregate Data
We may create de-identified, aggregate data from information collected through the Services. De-identified data cannot reasonably be used to identify any individual or practice. We may use such data for service improvement, benchmarking, analytics, and research purposes. De-identified data is not subject to this Privacy Policy or the restrictions on PHI.
10. Data Retention
We retain information as follows:
- Customer Data & PHI: Retained for the duration of your subscription plus thirty (30) days post-termination for export. Permanently deleted after thirty (30) days. Backups purged within ninety (90) days.
- Call recordings and transcripts: Retained according to your practice's configured retention policy and applicable healthcare regulations (minimum six (6) years for HIPAA).
- SMS consent records: Retained for a minimum of four (4) years per TCPA requirements.
- Audit logs: Retained for a minimum of six (6) years per HIPAA requirements.
- Payment records: Retained as required by tax and financial regulations.
- Account information: Retained for thirty (30) days post-termination, then deleted.
11. Your Rights
Depending on your location and applicable law, you may have the following rights:
- Access: Request a copy of the personal information we hold about you
- Correction: Request correction of inaccurate or incomplete information
- Deletion: Request deletion of your personal information, subject to legal retention requirements
- Data Portability: Request your data in a machine-readable format (CSV, JSON)
- Restrict Processing: Request that we limit how we use your information
- Object: Object to certain processing activities
- Withdraw Consent: Where processing is based on consent, withdraw consent at any time
- Non-Discrimination: We will not discriminate against you for exercising any privacy rights
To exercise any of these rights, contact us at privacy@ib365.ai. We will respond within thirty (30) days. For HIPAA-related requests, please work with your healthcare practice directly, as they are the Covered Entity responsible for your medical records.
12. California Privacy Rights (CCPA/CPRA)
If you are a California resident, the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) provide you with additional rights:
- Right to Know: You may request the categories and specific pieces of personal information we have collected about you.
- Right to Delete: You may request deletion of your personal information, subject to certain exceptions.
- Right to Opt-Out of Sale: We do not sell personal information. We do not share personal information for cross-context behavioral advertising.
- Right to Non-Discrimination: We will not discriminate against you for exercising any CCPA/CPRA rights.
- Right to Correct: You may request correction of inaccurate personal information.
- Right to Limit Use of Sensitive Information: You may limit our use of sensitive personal information to purposes necessary for providing the Services.
To exercise these rights, contact privacy@ib365.ai or call (888) 252-3019. We will verify your identity before processing requests.
13. Children's Privacy
The Services are not directed at children under the age of thirteen (13). We do not knowingly collect personal information from children under 13. The MyCare patient portal may be accessed by minor patients for appointment viewing, but such access is managed through the parent/guardian's practice relationship. If we learn that we have collected personal information from a child under 13 without parental consent, we will delete that information promptly. Contact us at privacy@ib365.ai if you believe we have inadvertently collected information from a child.
14. International Data Transfers
The Services are operated in and intended for use within the United States. All data is stored and processed within the United States. If you access the Services from outside the United States, please be aware that your information may be transferred to, stored, and processed in the United States, where data protection laws may differ from those in your jurisdiction.
15. Data Breach Notification
In the event of a data breach involving unsecured PHI or personal information, IB365 will: (a) investigate the breach promptly; (b) notify affected Customers within thirty (30) calendar days of discovery; (c) provide details about the nature of the breach, types of information involved, and steps taken; (d) cooperate with Customers in notifying affected individuals and regulatory authorities as required by HIPAA, state breach notification laws, and other applicable regulations; and (e) take steps to mitigate harm and prevent future breaches.
16. Do Not Sell My Personal Information
IB365 does not sell personal information. We do not sell, rent, lease, or trade personal information or PHI to any third party for monetary or other valuable consideration. We do not share personal information for cross-context behavioral advertising or targeted marketing by third parties.
17. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by: (a) posting the updated policy on this page with a new “Last Updated” date; (b) sending an email notification to the address on your account; and (c) displaying a notice within the Services. Your continued use of the Services after the effective date of changes constitutes acceptance of the updated policy.
18. Contact Us
For questions about this Privacy Policy or our data practices, or to exercise your privacy rights:
InboundAI365, LLC
11344 Coloma Rd
Gold River, CA 95670
Privacy inquiries: privacy@ib365.ai
General: info@ib365.ai
Phone: (888) 252-3019
Web: ib365.ai
© 2026 InboundAI365, LLC. All rights reserved.