PayCare AI, Inc. ("PayCare," "we," "our," or "us") respects your privacy. This Privacy Policy explains how we handle information when you visit paycareai.com, request a demo, or interact with our agentic AI teammate, Dobbie, deployed inside a healthcare practice.
1. Scope of this policy
This policy covers our public-facing website and marketing activities. Our handling of patient information inside customer environments is additionally governed by a Business Associate Agreement (BAA) and the customer's own Notice of Privacy Practices.
2. Our role
PayCare operates in two distinct capacities depending on the data:
- Data controller — for marketing, sales, and recruiting information you provide directly (e.g., demo requests, careers applications).
- Business associate & service provider — for protected health information ("PHI") that Dobbie processes on behalf of a covered entity customer. Customers remain the data controllers; we act under their written instructions and the executed BAA.
3. Information we collect
3.1 Information you give us
- Contact details (name, work email, phone, practice name, role)
- Practice context you submit on the demo form (volume, modalities, pain points)
- Communications you send to hr@paycareai.com or our team
3.2 Information collected automatically
- Device and browser metadata (user agent, IP address, screen size)
- Page-view, click, and session data via privacy-preserving analytics
- Cookies strictly necessary for authentication and CSRF protection
3.3 Information from third parties
- Enrichment data from publicly available business sources (e.g., NPI registry, practice directories) used to qualify leads
4. PHI and HIPAA
Dobbie processes PHI strictly inside the systems your practice authorizes — your RIS, EHR, payer portals, telephony, and email. Specifically:
- PHI remains in your tenancy. We do not copy PHI into PayCare-controlled storage except as required to execute a workflow (e.g., transient transcription of an inbound call), and only for the period needed to complete that workflow.
- PHI is not used to train foundation models. Period.
- Every Dobbie action is captured in a tamper-evident audit log accessible to your designated administrators.
- Access is scoped per-user with role-based controls. Sub-processors that touch PHI are bound by a BAA.
5. How we use information
- To operate Dobbie on your behalf and execute the workflows your team configures
- To communicate with you about demos, contracts, product updates, and security advisories
- To improve our service, with PHI excluded from product analytics
- To comply with legal obligations and enforce our agreements
6. When we share information
We do not sell personal information. We share information only with:
- Sub-processors who help us run the service (cloud infrastructure, telephony, observability), under written agreements that match or exceed our own commitments.
- Your authorized integrations — when Dobbie acts inside a system you've granted it access to (RIS, payer portal, etc.).
- Legal authorities when compelled by valid legal process, with notice to you where lawful.
- A successor entity in the event of a merger or acquisition, under equivalent privacy protections.
7. Data retention
- Marketing data (demo requests, newsletter signups): retained until you ask us to delete it or until 36 months of inactivity have passed, whichever comes first.
- Customer PHI: retained per the customer's written instructions and the terms of the BAA. Deleted within 30 days of contract termination unless retention is required by law.
- Audit logs: retained for the duration of the customer relationship plus 6 years, consistent with HIPAA recordkeeping requirements.
8. Your rights
Depending on where you live, you may have certain rights regarding your personal information — such as the right to access, correct, delete, port, or restrict its processing; to object to certain processing; and to lodge a complaint with a supervisory authority. To the extent required by applicable law, we will honor verified requests concerning marketing data we hold about you. To make a request, email hr@paycareai.com. Patients whose PHI is processed by Dobbie should contact the practice directly, because the practice is the controller of that information.
9. Security
We protect information with technical and organizational measures, including:
- Encryption in transit (TLS 1.2+) and at rest (AES-256)
- Role-based access controls and least-privilege defaults
- Tamper-evident audit logging on every Dobbie action
- Mandatory background checks and HIPAA training for all staff
- An incident response plan with notification timelines aligned to HIPAA and applicable state laws
10. International users
PayCare is operated from the United States. If you access our service from outside the U.S., your information may be transferred to, stored, and processed in the U.S. We rely on appropriate safeguards (such as Standard Contractual Clauses) for transfers covered by GDPR or comparable laws.
11. Changes to this policy
We may update this policy from time to time. When we make material changes, we will revise the "Last updated" date at the top and notify customers via email or in-product notice. Continued use of our service after the effective date constitutes acceptance.
12. Contact us
Questions, requests, or complaints about this policy or our handling of your information:
- Email: hr@paycareai.com
Privacy and security matters are routed to our Privacy Officer.
This page is a plain-language summary, not a substitute for legal advice. Where this policy and a signed agreement (e.g., MSA, BAA, DPA) conflict, the signed agreement controls.