Privacy Policy

Claustro AI ("Claustro AI," "we," "us," or "our") operates the website claustroai.com and provides managed AI-powered patient communication services to medical aesthetic practices and their patients. This Privacy Policy explains how we collect, use, disclose, and safeguard information, including Protected Health Information ("PHI") under the Health Insurance Portability and Accountability Act ("HIPAA").

By using our website, calling our demo line, submitting a form, or receiving SMS messages from us, you agree to the practices described in this Policy.

1. Information We Collect

1.1 Information You Provide Directly

When you interact with us through our website, phone line, SMS opt-in form, contact form, or during a demo, we may collect:

1.2 Information Collected Automatically

When you visit our website, we automatically collect certain technical information including IP address, browser type, device information, referring URL, pages viewed, and timestamps. We use cookies and similar technologies for site functionality and analytics.

1.3 Call and Message Data

When you call our demo line at (951) 418-2579 or exchange SMS messages with our service, we collect and process the audio recording, transcript, phone number, timestamp, and content of communications. Demo line calls are used to demonstrate the AI receptionist experience and may be recorded and retained for quality, training, and service improvement.

1.4 Protected Health Information (PHI)

When Claustro AI provides services to a medical aesthetic practice ("Covered Entity") under a Business Associate Agreement ("BAA"), we may receive, create, maintain, or transmit PHI on behalf of that Covered Entity. Our handling of PHI is governed by the BAA and HIPAA. This Privacy Policy does not create additional obligations regarding PHI beyond those set forth in the BAA.

2. How We Use Information

We use the information we collect for the following purposes:

3. Legal Bases and HIPAA

Claustro AI is a Business Associate under HIPAA when providing services to Covered Entities that are healthcare providers. We enter into a Business Associate Agreement (BAA) with each customer that qualifies as a Covered Entity. Under the BAA, we implement administrative, physical, and technical safeguards to protect PHI, restrict its use and disclosure to permitted purposes, and report any security incidents or breaches as required.

We also require our subcontractors and service providers who handle PHI (including voice AI infrastructure, telephony, and cloud hosting vendors) to sign BAAs with us and maintain HIPAA-compliant handling of any PHI they receive.

4. SMS Communications and Consent

Claustro AI sends SMS messages only to individuals who have provided express written consent by opting in through a web form, verbal request during a phone call, or written request. By opting in, you agree to receive SMS messages from Claustro AI about your inquiry, demo details, follow-up communications, and (for customers) appointment confirmations, scheduling changes, and service updates.

4.1 Message Frequency and Rates

Message frequency varies based on your interaction with us. Message and data rates may apply depending on your mobile plan. We are not responsible for messaging or data charges from your carrier.

4.2 Opting Out

You can opt out of SMS communications at any time by replying STOP to any message. After you send STOP, you will receive a confirmation message, and we will not send further SMS messages except a final confirmation of opt-out. To resume messages, reply START. For help, reply HELP or contact us at info@claustroai.com.

Mobile information sharing: Mobile information will not be shared with third parties or affiliates for marketing or promotional purposes. All the above categories exclude text messaging originator opt-in data and consent; this information will not be shared with any third parties.

4.3 Categories of SMS Messages

SMS messages you may receive include:

5. How We Share Information

We do not sell your personal information. We share information only as described below:

5.1 Service Providers (Sub-Processors)

We share information with third-party service providers that help us operate our services, subject to written agreements that require them to protect the information. Our sub-processors, and the status of Business Associate Agreements (BAAs) with each, are as follows:

Our sub-processor list may change over time. Material changes will be reflected in an updated version of this Policy.

5.2 Legal Compliance and Protection

We may disclose information when required by law, subpoena, or legal process, or when necessary to protect our rights, safety, or the rights and safety of others.

5.3 Business Transfers

If we are involved in a merger, acquisition, financing, or sale of assets, information may be transferred as part of that transaction, subject to standard confidentiality protections and, where applicable, continuing BAA obligations.

5.4 Aggregated and De-Identified Data

We may create and share aggregated, de-identified, or anonymized data derived from the services (such as conversation flow patterns, operational benchmarks, and service performance metrics) that does not identify any individual or Covered Entity. This use is permitted under our Business Associate Agreements and is used to improve our services and publish industry insights.

6. Data Retention

We retain information for as long as necessary to provide our services, comply with legal obligations, resolve disputes, and enforce our agreements. PHI retention is governed by our BAAs with each Covered Entity. Demo line call recordings and transcripts are retained for a period consistent with our internal operational and compliance policies, typically no longer than 24 months, after which they are deleted or de-identified.

7. Data Security

We implement administrative, physical, and technical safeguards designed to protect information from unauthorized access, use, disclosure, alteration, or destruction. These include encryption in transit and at rest for PHI, access controls, audit logging, and regular security reviews. No system is completely secure; however, we treat security as a foundational discipline and continuously invest in it.

8. Your Rights and Choices

Depending on your location, you may have the right to:

For PHI, additional rights are provided by HIPAA and are exercised through the Covered Entity that provided the PHI to us, not through Claustro AI directly.

To exercise any right, contact us at info@claustroai.com.

9. Children's Privacy

Our services are not directed to individuals under 18, and we do not knowingly collect personal information from children. If we learn we have collected information from a child under 18 without parental consent, we will delete it.

10. International Users

Our services are operated from the United States. If you access our services from outside the United States, your information may be transferred to and processed in the United States, which may have different data protection laws than your jurisdiction.

11. California Privacy Rights

California residents have specific rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), including the right to know, delete, correct, and opt-out of the sale or sharing of personal information. Claustro AI does not sell personal information as defined under California law. To exercise your rights, contact us at info@claustroai.com.

12. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be posted on this page with an updated "Effective Date" at the top. We encourage you to review this Policy periodically.

13. Contact Us

For questions about this Policy or our privacy practices, contact us at:

Claustro AI
Email: info@claustroai.com
Website: claustroai.com