Privacy Policy
Effective Date: April 13, 2026
Tallis AI ("Tallis," "we," "us," or "our") operates the website withtallis.com and provides an AI-powered patient intake and retention platform for healthcare practices (the "Service"). This Privacy Policy describes how we collect, use, disclose, and protect information when you interact with our Service, whether as a healthcare practice ("Practice," "Client"), a patient of a Practice, or a visitor to our website.
By using the Service or providing information to us, you acknowledge that you have read and understood this Privacy Policy.
1. Scope and Applicability
This Privacy Policy applies to all information collected through:
- Our website at withtallis.com
- AI-powered patient intake conversations
- Patient retention and outreach communications (SMS, email, and voice)
- Integrations with practice management systems (PMS)
- Any other interactions with our Service
Important distinction: When Tallis processes patient health information on behalf of a healthcare Practice, the Practice is the HIPAA Covered Entity and Tallis acts as a Business Associate. The Practice's own privacy practices and Notice of Privacy Practices govern how your protected health information (PHI) is used and disclosed. This Privacy Policy describes Tallis's practices as a technology provider.
2. Information We Collect
2.1 Patient Information (Collected on Behalf of Practices)
When patients interact with our AI-powered intake system, we collect the following information at the direction of and on behalf of the Practice:
- Personal identifiers: Full name, date of birth, gender, phone number, email address, and mailing address
- Medical and dental history: Allergies, current medications, medical conditions, previous dental work, dental anxiety indicators, special needs notes, and oral habits
- Insurance information: Carrier name, subscriber ID, group number, and relationship to subscriber
- Appointment information: Scheduling data, appointment types, cancellation and rescheduling history
- Communication records: SMS message content, email interactions, and voice call metadata related to appointment outreach
- Referral source: How the patient learned about the Practice
- Technical identifiers: IP address at the time of the intake session
2.2 Practice (Client) Information
From our Practice clients, we collect:
- Practice name, address, and contact details
- Account administrator names and email addresses
- Practice management system configuration and credentials
- Billing and payment information
- Service usage and performance data
2.3 Website Visitor Information
When you visit withtallis.com, we may collect:
- Browser type, operating system, and device information
- IP address and approximate geographic location
- Pages visited, referral URLs, and interaction patterns
- Information you voluntarily provide through contact forms
3. How We Use Information
3.1 Patient Information
We process patient information solely at the direction of and on behalf of the Practice to:
- Facilitate AI-powered patient intake conversations and collect registration data
- Transmit completed intake information to the Practice's management system
- Send appointment reminders, retention outreach, and rescheduling communications via SMS, email, and voice
- Enable patients to reschedule appointments through self-service links
- Generate audit logs for compliance and security monitoring
3.2 Practice Information
We use Practice information to:
- Provide, maintain, and improve the Service
- Manage accounts, billing, and customer support
- Communicate service updates and product changes
- Monitor system performance and reliability
- Comply with legal obligations
3.3 Website Visitor Information
We use website visitor information to:
- Analyze website traffic and improve user experience
- Respond to inquiries and requests
- Detect and prevent fraud or abuse
4. How We Share Information
We do not sell, rent, or trade personal information or patient data to third parties.
We share information only in the following circumstances:
4.1 Service Providers (Sub-processors)
We use the following third-party service providers to operate the Service. Each processes data only as necessary to perform its function:
| Provider | Purpose | Data Processed |
|---|---|---|
| Anthropic (Claude API) | AI conversation processing | Intake conversation messages, patient responses |
| Google Cloud Platform | Data storage and hosting | All Service data (Firestore, us-central1 region) |
| Twilio | SMS messaging | Phone numbers, message content for appointment outreach |
| Resend | Transactional email | Email addresses, email content for appointment outreach |
| Vapi | AI voice calls | Phone numbers, voice call content for retention outreach |
We maintain appropriate agreements with each sub-processor, including Business Associate Agreements where required by HIPAA.
4.2 Practice Management Systems
Patient data collected through intake is transmitted to the Practice's designated practice management system (such as OpenDental) as directed by the Practice. This is the primary purpose of the Service.
4.3 Legal Requirements
We may disclose information when required by law, regulation, legal process, or governmental request, or when we believe disclosure is necessary to protect the rights, property, or safety of Tallis, our clients, or others.
4.4 Business Transfers
In the event of a merger, acquisition, or sale of assets, information may be transferred as part of that transaction. We will notify affected Practices before information is transferred and becomes subject to a different privacy policy.
5. Data Retention
We retain information only as long as necessary to fulfill the purposes described in this Privacy Policy, unless a longer retention period is required by law:
- Intake session data: Automatically deleted after a configurable time-to-live period (default: 24 hours) via Firestore TTL policies. Once intake data is transmitted to the Practice's management system, the session data in Tallis is marked for automatic expiration.
- Outreach records: Retained for the duration of the outreach workflow and as needed for Practice reporting purposes.
- Audit logs: Retained for 90 days for security monitoring and compliance purposes, then automatically deleted.
- API usage logs: Retained for up to 365 days for service improvement and billing purposes, then automatically deleted.
- Practice account data: Retained for the duration of the client relationship and as required by law after termination.
Data is isolated per tenant (Practice) at the database level, ensuring that each Practice's data is logically separated from all others.
6. HIPAA Compliance
Tallis is designed to support HIPAA compliance for healthcare Practices:
- Business Associate relationship: Tallis operates as a Business Associate under HIPAA. We enter into Business Associate Agreements (BAAs) with each Practice client that uses our Service to process protected health information (PHI).
- PHI handling: We process PHI only as permitted or required by our BAA with each Practice and as necessary to provide the Service.
- Minimum necessary standard: We limit the use and disclosure of PHI to the minimum necessary to accomplish the intended purpose.
- Sub-processor agreements: We maintain appropriate agreements with all sub-processors that may access PHI in the course of providing the Service.
- Breach notification: In the event of a breach of unsecured PHI, we will notify affected Practices in accordance with HIPAA requirements and our BAA obligations.
- Audit controls: We maintain audit logs of system access and data processing activities.
- Data encryption: Data is encrypted in transit (TLS) and at rest within Google Cloud Platform.
Patient rights under HIPAA: If you are a patient, your rights regarding your health information (including the right to access, amend, and receive an accounting of disclosures) are governed by the Notice of Privacy Practices provided by your healthcare Practice. Requests related to your health information should be directed to your Practice.
7. Data Security
We implement administrative, technical, and physical safeguards designed to protect information from unauthorized access, disclosure, alteration, and destruction:
- Infrastructure: All data is hosted on Google Cloud Platform in the us-central1 region with encryption at rest and in transit.
- Tenant isolation: Patient data is logically isolated per Practice at the database level, preventing cross-tenant access.
- Access controls: Secrets and API credentials are managed through Google Cloud Secret Manager, not stored in application code.
- HTTPS enforcement: All production communications are encrypted via TLS/HTTPS.
- Audit logging: All API requests are logged with timestamps, endpoints, and status codes for security monitoring.
- Automated expiration: Sensitive session data is automatically deleted through TTL policies, minimizing the retention of PHI.
- Secret scanning: Automated checks prevent hardcoded credentials from entering the codebase.
While we strive to protect information using commercially reasonable measures, no method of transmission over the Internet or electronic storage is completely secure. We cannot guarantee absolute security.
8. AI Processing
Our Service uses artificial intelligence to facilitate patient intake conversations and retention outreach. Important details about our AI processing:
- AI provider: Patient conversations are processed through Anthropic's Claude API to understand patient responses and guide intake workflows.
- Purpose limitation: AI processing is used solely to collect and structure patient intake information and to facilitate appointment-related communications. We do not use patient data to train AI models.
- No autonomous medical decisions: Our AI does not make medical diagnoses, treatment recommendations, or clinical decisions. It collects and organizes information provided by patients for review by the Practice.
- Human oversight: All information collected through AI conversations is transmitted to the Practice for human review. Practices retain full control over how patient information is used.
- Data handling by AI provider: Anthropic processes conversation data in accordance with their data processing terms. Under Anthropic's commercial API terms, conversation data is not used to train their models.
9. Patient Rights
9.1 For Patients of Practices
Because Tallis processes patient data on behalf of healthcare Practices, patients should contact their Practice directly to exercise rights related to their health information. These rights may include:
- Access to your health information
- Correction or amendment of inaccurate information
- An accounting of disclosures of your health information
- Restrictions on certain uses and disclosures
- Confidential communications
We will cooperate with Practices in fulfilling patient rights requests in accordance with our BAA obligations.
9.2 Communication Preferences
Patients who receive SMS, email, or voice outreach from Tallis on behalf of a Practice may:
- Reply STOP to any SMS message to opt out of further text communications
- Contact the Practice directly to update communication preferences
- Request that the Practice restrict certain communication channels
10. California Privacy Rights (CCPA/CPRA)
If you are a California resident, you may have additional rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):
- Right to know: You may request information about the categories and specific pieces of personal information we have collected about you.
- Right to delete: You may request that we delete personal information we have collected from you, subject to certain exceptions.
- Right to correct: You may request correction of inaccurate personal information.
- Right to opt out of sale: We do not sell personal information. No opt-out is necessary.
- Non-discrimination: We will not discriminate against you for exercising your privacy rights.
Note: The CCPA does not apply to protected health information that is subject to HIPAA. For PHI-related requests, please contact your healthcare Practice directly.
To exercise your California privacy rights for non-PHI personal information, contact us at [email protected].
11. Cookies and Tracking Technologies
Our website may use the following technologies:
- Essential cookies: Required for basic website functionality, such as session management and security.
- Analytics: We may use analytics services to understand website usage patterns and improve our Service. Analytics data is collected in aggregate and does not include patient health information.
The patient intake and retention components of our Service are API-based and do not use marketing cookies or cross-site tracking technologies. Patient health information is never used for advertising or marketing analytics.
Most web browsers allow you to control cookies through browser settings. Disabling cookies may affect website functionality but will not affect the core patient intake or retention Service.
12. Children's Privacy
Our Service may process information about minors when a parent or legal guardian provides it during the intake process on behalf of a healthcare Practice. We do not knowingly collect personal information directly from children under 13 without parental consent. The intake process is designed to be completed by a parent or legal guardian when the patient is a minor.
If you believe a child under 13 has provided personal information to us directly without parental consent, please contact us at [email protected] so we can take appropriate action.
13. Third-Party Links
Our Service may contain links to third-party websites or services. We are not responsible for the privacy practices of those third parties. We encourage you to review the privacy policies of any third-party services you interact with.
14. Data Transfers
All primary data storage and processing occurs within the United States (Google Cloud Platform, us-central1 region). Some sub-processors may process data in other jurisdictions. Where data is transferred outside the United States, we ensure appropriate safeguards are in place in accordance with applicable law.
15. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make material changes:
- We will update the "Effective Date" at the top of this page.
- We will notify Practice clients via email or through the Service dashboard.
- For material changes affecting patient data processing, we will provide at least 30 days' advance notice to Practices.
We encourage you to review this Privacy Policy periodically.
16. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
Tallis AI
Privacy inquiries: [email protected]
Legal inquiries: [email protected]
General support: [email protected]
For patient-specific privacy requests related to health information, please contact your healthcare Practice directly.