Privacy Policy
Effective Date: July 2, 2026 · Last Updated: July 2, 2026
Claustro AI ("Claustro AI," "we," "us," or "our") operates the website claustroai.com and provides managed AI-powered patient communication services to medical aesthetic practices and their patients. This Privacy Policy explains how we collect, use, disclose, and safeguard information, including Protected Health Information ("PHI") under the Health Insurance Portability and Accountability Act ("HIPAA").
By using our website, calling our demo line, submitting a form, or receiving SMS messages from us, you agree to the practices described in this Policy.
1. Information We Collect
1.1 Information You Provide Directly
When you interact with us through our website, phone line, SMS opt-in form, contact form, or during a demo, we may collect:
- Name, business name, and role
- Phone number (including mobile number for SMS communications)
- Email address
- Business address and location
- Information about your practice (services offered, patient management system, team size)
- Any additional information you voluntarily submit in messages to us
1.2 Information Collected Automatically
When you visit our website, we automatically collect certain technical information including IP address, browser type, device information, referring URL, pages viewed, and timestamps. We use cookies and similar technologies for site functionality and analytics.
1.3 Call and Message Data
When you call our demo line at (951) 418-2579 or exchange SMS messages with our service, we collect and process the audio recording, transcript, phone number, timestamp, and content of communications. Demo line calls are used to demonstrate the AI receptionist experience and may be recorded and retained for quality, training, and service improvement.
1.4 Protected Health Information (PHI)
When Claustro AI provides services to a medical aesthetic practice ("Covered Entity") under a Business Associate Agreement ("BAA"), we may receive, create, maintain, or transmit PHI on behalf of that Covered Entity. Our handling of PHI is governed by the BAA and HIPAA. This Privacy Policy does not create additional obligations regarding PHI beyond those set forth in the BAA.
2. How We Use Information
We use the information we collect for the following purposes:
- To respond to your inquiries and provide information about our services
- To send SMS messages you have opted in to receive (see Section 4)
- To operate, maintain, and improve our services
- To communicate with you about your account, service updates, or scheduling changes
- To comply with legal obligations, protect our rights, and enforce our Terms of Service
- For analytics, aggregate reporting, and service performance measurement (in a de-identified format)
3. Legal Bases and HIPAA
Claustro AI is a Business Associate under HIPAA when providing services to Covered Entities that are healthcare providers. We enter into a Business Associate Agreement (BAA) with each customer that qualifies as a Covered Entity. Under the BAA, we implement administrative, physical, and technical safeguards to protect PHI, restrict its use and disclosure to permitted purposes, and report any security incidents or breaches as required.
We also require our subcontractors and service providers who handle PHI (including voice AI infrastructure, telephony, and cloud hosting vendors) to sign BAAs with us and maintain HIPAA-compliant handling of any PHI they receive.
4. SMS Communications and Consent
Claustro AI sends SMS messages only to individuals who have provided express written consent by opting in through a web form, verbal request during a phone call, or written request. By opting in, you agree to receive SMS messages from Claustro AI about your inquiry, demo details, follow-up communications, and (for customers) appointment confirmations, scheduling changes, and service updates.
4.1 Message Frequency and Rates
Message frequency varies based on your interaction with us. Message and data rates may apply depending on your mobile plan. We are not responsible for messaging or data charges from your carrier.
4.2 Opting Out
You can opt out of SMS communications at any time by replying STOP to any message. After you send STOP, you will receive a confirmation message, and we will not send further SMS messages except a final confirmation of opt-out. To resume messages, reply START. For help, reply HELP or contact us at info@claustroai.com.
Mobile information sharing: Mobile information will not be shared with third parties or affiliates for marketing or promotional purposes. All the above categories exclude text messaging originator opt-in data and consent; this information will not be shared with any third parties.
4.3 Categories of SMS Messages
SMS messages you may receive include:
- Demo and inquiry follow-up: Information about how our demo works, next steps, and follow-up related to your specific inquiry.
- Appointment and account communications (for customers): Confirmations, changes, and reminders related to appointments or account activity for practices using our services.
- Service updates: Occasional messages about material changes to your service or account.
5. How We Share Information
We do not sell your personal information. We share information only as described below:
5.1 Service Providers (Sub-Processors)
We share information with third-party service providers that help us operate our services, subject to written agreements that require them to protect the information. Our sub-processors, and the status of Business Associate Agreements (BAAs) with each, are as follows:
- Google Workspace — email, productivity, and internal document storage. BAA executed with Google under Google Workspace's HIPAA Business Associate Amendment.
- Retell AI — voice AI infrastructure for the Claustro AI receptionist. BAA executed under Retell AI's standard Business Associate Agreement.
- Twilio — telephony and SMS transport. Twilio offers HIPAA-eligible services under an Enterprise-tier BAA. Claustro AI architects SMS communications so that message content does not contain Protected Health Information; where PHI transport via Twilio is required for a specific customer engagement, we execute a BAA with Twilio prior to that engagement.
- Xano — backend database and API orchestration. Xano offers a HIPAA + BAA tier that Claustro AI activates prior to any customer engagement that involves Protected Health Information. Non-PHI operational data (marketing site inquiries, sales leads, demo requests) is processed under Xano's standard terms.
- Vercel — marketing website hosting. Claustro AI does not route Protected Health Information through Vercel-hosted infrastructure. All Protected Health Information processing occurs on infrastructure with an executed BAA.
Our sub-processor list may change over time. Material changes will be reflected in an updated version of this Policy.
5.2 Legal Compliance and Protection
We may disclose information when required by law, subpoena, or legal process, or when necessary to protect our rights, safety, or the rights and safety of others.
5.3 Business Transfers
If we are involved in a merger, acquisition, financing, or sale of assets, information may be transferred as part of that transaction, subject to standard confidentiality protections and, where applicable, continuing BAA obligations.
5.4 Aggregated and De-Identified Data
We may create and share aggregated, de-identified, or anonymized data derived from the services (such as conversation flow patterns, operational benchmarks, and service performance metrics) that does not identify any individual or Covered Entity. This use is permitted under our Business Associate Agreements and is used to improve our services and publish industry insights.
6. Data Retention
We retain information for as long as necessary to provide our services, comply with legal obligations, resolve disputes, and enforce our agreements. PHI retention is governed by our BAAs with each Covered Entity. Demo line call recordings and transcripts are retained for a period consistent with our internal operational and compliance policies, typically no longer than 24 months, after which they are deleted or de-identified.
7. Data Security
We implement administrative, physical, and technical safeguards designed to protect information from unauthorized access, use, disclosure, alteration, or destruction. These include encryption in transit and at rest for PHI, access controls, audit logging, and regular security reviews. No system is completely secure; however, we treat security as a foundational discipline and continuously invest in it.
8. Your Rights and Choices
Depending on your location, you may have the right to:
- Access, correct, or delete information we hold about you
- Object to or restrict certain processing
- Withdraw consent (including SMS opt-out via STOP)
- Receive a copy of your information in a portable format
- File a complaint with a data protection authority
For PHI, additional rights are provided by HIPAA and are exercised through the Covered Entity that provided the PHI to us, not through Claustro AI directly.
To exercise any right, contact us at info@claustroai.com.
9. Children's Privacy
Our services are not directed to individuals under 18, and we do not knowingly collect personal information from children. If we learn we have collected information from a child under 18 without parental consent, we will delete it.
10. International Users
Our services are operated from the United States. If you access our services from outside the United States, your information may be transferred to and processed in the United States, which may have different data protection laws than your jurisdiction.
11. California Privacy Rights
California residents have specific rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), including the right to know, delete, correct, and opt-out of the sale or sharing of personal information. Claustro AI does not sell personal information as defined under California law. To exercise your rights, contact us at info@claustroai.com.
12. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be posted on this page with an updated "Effective Date" at the top. We encourage you to review this Policy periodically.
13. Contact Us
For questions about this Policy or our privacy practices, contact us at:
Claustro AI
Email: info@claustroai.com
Website: claustroai.com