1. Scope

This Privacy Policy explains how Autonomy collects, uses, discloses, and safeguards information when you use our websites and customer portals (including velyndental.com and portal.velyndental.com/signin), products, and related services (collectively, the Services).

2. Information We Collect

Information You Provide

Account & Contact Data: name, business name, email, phone number, billing address.
Business Configuration: service menus, hours, pricing, routing rules, scripts, FAQs, calendars, and integration settings.
Communications: messages, emails, or other communications with us.
Payment Data: payment method details processed by our payment processors (e.g., Stripe). We do not store full card numbers.

Information Collected Automatically

Usage & Log Data: device/browser info, IP address, timestamps, pages viewed, referral URLs, product interactions.
Cookies & Similar: cookies, local storage, and similar technologies for essential functions, analytics, and preferences.

Voice, SMS, and Conversation Data

Call/SMS Metadata: caller/callee numbers, call/SMS routing and timing, carrier data, status codes.
Recordings & Transcripts (if enabled): audio recordings and/or transcriptions of calls or voicemails. You are responsible for obtaining legally required consent before enabling call recording or transcript storage.

Information from Third Parties

Integrations: information from connected calendars, CRMs, scheduling tools, and payment processors.
Service Providers: we may receive technical or usage data from providers assisting with hosting, analytics, messaging, or payments.

3. How We Use Information

We use information to:

Provide, operate, secure, and troubleshoot the Services;
Configure and personalize receptionist behavior per your rules;
Book appointments, send confirmations, and process transactions;
Communicate with you about updates, security, and support;
Monitor service health, detect/prevent abuse, and ensure compliance;
Analyze usage to improve features and performance;
Comply with legal obligations.

3.1. Practice Integrations and Authorized Access

When you connect practice-management systems, calendars, texting tools, or other approved integrations, we handle the credentials and data required to provide the Services:

Integration Credentials

OAuth Credentials: When you authorize supported third-party services, we may receive and store access tokens and refresh tokens. These are encrypted at rest and used only for the workflows you authorize.
API Keys and Connection Settings: If a supported integration requires API keys or connection settings, those credentials are stored securely and limited to the components that need them to operate the Service.
Scope of Access: We request only the permissions needed to handle the configured workflows for your account, such as appointment booking, schedule lookup, or practice messaging.

Data Accessed Through Integrations

Practice Schedules: When scheduling integrations are enabled, we may access appointment slots, provider calendars, appointment types, and related availability data to book or reschedule patients.
Patient and Contact Data: Supported integrations may provide patient identifiers, contact details, or message-delivery data needed to complete the configured workflow.
Operational Logs: We may retain limited operational logs to troubleshoot integration failures, delivery issues, or deployment problems.

Token Storage and Security

Encryption: All API tokens and OAuth credentials are encrypted at rest using industry-standard encryption (AES-256).
Access Controls: Token access is restricted to authorized service components on a need-to-know basis with role-based access controls.
Token Rotation: OAuth refresh tokens are used to obtain short-lived access tokens, minimizing exposure risk.
Revocation: You may revoke integration access at any time through your account settings or the third-party service permission-management interface.

Your Control Over Integration Data

Disconnect Integrations: You can disconnect any third-party integration from your account settings at any time.
Delete Cached Data: When you disconnect an integration, we delete cached data from that service within 30 days unless legally required to retain it longer.
Access Logs: You can request a log of which integrations accessed your data and when by contacting support@velyndental.com.
Data Portability: You may export your data in machine-readable formats (JSON, CSV) through your account dashboard or by requesting it via email.

4. Sharing and Disclosure

We share information with:

Service Providers / Subprocessors for hosting, storage, telephony, messaging, analytics, support, and payments (e.g., cloud hosting, voice/SMS carriers, email services, scheduling, CRM, and payment processors). Examples may include providers such as Stripe (payments), telephony carriers and messaging aggregators, analytics platforms, email delivery services, and cloud infrastructure.
Integration Partners at your direction (e.g., calendar and CRM connections you enable).
Legal and Safety: when required by law or to protect Autonomy, our users, or the public.
Business Transfers: in connection with a merger, acquisition, financing, or sale of assets.

We do not sell personal information.

5. International Data Transfers

We are based in the United States. If you access the Services from outside the U.S., your information may be transferred to, stored in, or processed in the U.S. and other countries. Where required, we use appropriate safeguards (e.g., Standard Contractual Clauses) for cross-border transfers.

6. Data Security

We implement reasonable administrative, technical, and physical safeguards designed to protect information. No method of transmission or storage is 100% secure; we cannot guarantee absolute security.

7. Data Retention

We retain information for as long as necessary to provide the Services, comply with our legal obligations, resolve disputes, and enforce agreements. You may request deletion of certain information, subject to legal or contractual limits.

8. Your Choices & Rights

Communication Preferences: you may opt out of non-essential emails via unsubscribe links or by contacting us.
Access, Update, Delete: you may request access to, correction of, or deletion of your personal information by emailing support@velyndental.com.
Cookies: browser settings may let you block or delete cookies. Some features may not function without essential cookies.

GDPR (EEA/UK) Notice

If you are in the EEA or UK, Autonomy is a data controller for website and account data and a processor for end-customer call/SMS data we handle on your behalf. Depending on your location and the context, you may have rights to access, rectify, erase, restrict processing, data portability, or object. You also have the right to lodge a complaint with your local supervisory authority. Our legal bases include performance of a contract, legitimate interests, consent, and compliance with legal obligations.

California (CCPA/CPRA) Notice

For California residents, we provide the disclosures required by the CCPA/CPRA. We do not sell personal information as defined by the CCPA. You may request access, deletion, and correction, and you may limit the use of sensitive personal information (if collected) by contacting support@velyndental.com.

9. Children and Minors

The Services are not directed to children under 13 (or the age of majority in your jurisdiction). We do not knowingly collect personal information from children.

10. Third-Party Sites and Services

Our Services may link to third-party sites or services. Their privacy practices are governed by their own policies.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will post the updated version with a new last-updated date. Your continued use of the Services after the update becomes effective signifies your acceptance.

12. Contact Us

For questions or requests regarding this Privacy Policy, contact support@velyndental.com or write to the address above.