Privacy Policy
Last updated: May 5, 2026
Brainiacs Tech Solutions LLC ("Brainiacs") takes the privacy of customers, prospects, and visitors seriously. This Privacy Policy describes what information we collect, how we use it, who we share it with, and your rights.
Information we collect
- Account data — name, email, company, phone, password (stored only as a hash and screened against HIBP at signup and password change).
- Billing data — processed by Stripe; we never store full card numbers.
- Usage data — per-app metered usage (request counts, voice minutes), audit logs.
- Customer Data you submit — records you create within MedFlow, DentalFlowDesk, etc.
- Communications — emails, support tickets, voice receptionist transcripts.
- Technical data — IP addresses, user agents, security audit logs.
How we use information
- To provide, maintain, and improve the Services.
- To process payments and manage subscriptions (via Stripe).
- To send transactional emails, scheduled-call invites, and operational notifications.
- To detect, prevent, and respond to fraud, abuse, and security incidents.
- To comply with legal obligations.
Encryption and security
All Customer Data records (quotes, invoices, customers, deals, tasks, call notes, signatures) are encrypted at rest using AES-256-GCM with HKDF-derived per-record keys. Every write is logged in an audit trail. TLS 1.2+ is enforced on all network communication. Two-factor authentication (TOTP) is available for all accounts and required for administrators. Passwords are screened against the HaveIBeenPwned k-anonymity API at signup and password change.
HIPAA — Protected Health Information (PHI)
MedFlow and DentalFlowDesk are designed to be operated as Business Associate services for HIPAA-covered Customers (Covered Entities). Brainiacs will execute a Business Associate Agreement (BAA) with any Customer who handles PHI inside these products. Until a BAA is executed, Customers are responsible for ensuring they do not enter PHI into the Services.
Under any executed BAA we commit to: (1) using and disclosing PHI only as permitted by the BAA, (2) implementing administrative, physical, and technical safeguards that meet 45 CFR §§ 164.308–312, (3) notifying the Customer of any breach of unsecured PHI within 30 days of discovery (or sooner where required), (4) flowing down BAA obligations to any sub-processor that touches PHI, and (5) returning or destroying PHI upon termination.
Sub-processors used in HIPAA workloads must themselves be either HIPAA-eligible with a signed BAA on file or never receive PHI. See the "Sub-processors" section below for our current map.
To request a BAA, email support@brainiacstechsolutions.com with subject line "BAA request" and your legal entity name.
Sub-processors
We share data with the following third-party sub-processors solely to deliver the Services. The HIPAA column indicates whether the sub-processor offers a BAA and whether we have one on file for HIPAA workloads. The canonical, programmatically generated list lives at /subprocessors.
| SUB-PROCESSOR | PURPOSE | HIPAA / BAA |
|---|---|---|
| Stripe | payment processing | PCI DSS Level 1; no PHI flows to Stripe |
| Twilio | voice receptionist telephony | BAA available; required for medical products |
| ElevenLabs | text-to-speech | No BAA today; no PHI sent (script template only) |
| Deepgram | speech-to-text | BAA available on enterprise; required for medical |
| Anthropic | LLM inference | BAA on Zero-Data-Retention tier; required for medical |
| OpenRouter | LLM routing fallback | No BAA; disabled for medical workloads |
| Cloudflare | DNS, CDN | BAA available on Enterprise; we do not transit PHI through CF |
We do not sell Customer Data. We may disclose data when legally required (court order, subpoena) and will notify you unless prohibited. Material changes to this sub-processor list are emailed to admin contacts at least 14 days before taking effect, giving you time to object.
Your rights
You may request access to, correction of, or deletion of your personal data by emailing support@brainiacstechsolutions.com. Deletion requests are processed within 30 days unless retention is required by law.
California residents (CCPA / CPRA)
California residents have the right to know what personal information we collect, to access and delete it, to correct inaccuracies, to opt out of any "sale" or "sharing" of personal information, and to limit use of sensitive personal information. We do not sell or share personal information for cross-context behavioral advertising. Send requests to support@brainiacstechsolutions.com with subject "CCPA request". We verify identity by email round-trip.
We honor the Global Privacy Control (GPC) browser signal as a valid opt-out of sale/sharing under CCPA/CPRA. If your browser sends GPC, we record an opt-out automatically and you do not need to file a separate request.
EU / UK residents (GDPR / UK-GDPR)
You have the rights of access, rectification, erasure, restriction, portability, objection, and the right to lodge a complaint with a supervisory authority. We are the data controller for our marketing site and the data processor for Customer Data submitted into the products. A Data Processing Addendum with Standard Contractual Clauses (Module 2 / 3) is available on request. Lawful bases used: contract performance (Art. 6(1)(b)), legitimate interests (Art. 6(1)(f)) for security and fraud prevention, and consent (Art. 6(1)(a)) for optional marketing emails.
Children
The Services are B2B and are not directed to children under 13 (or under 16 in the EU). We do not knowingly collect personal data from children. If you believe a child has provided us data, contact us and we will delete it.
Data retention
Active customer data is retained for the life of the subscription plus 30 days for export. Audit logs are retained for 24 months. Backups are retained for 30 days. Upon a verified deletion request we purge from production within 30 days and from backups on the next backup-rotation cycle (typically ≤ 30 days).
Breach notification
If we discover a security incident affecting your data, we will notify you without undue delay, and within 72 hours where required by GDPR, 30 days for HIPAA-covered PHI under any executed BAA, or as required by applicable state breach-notification laws (e.g., California Civ. Code §1798.82). The notice will describe the categories of data involved, the steps we have taken, and the steps you can take.
International transfers
Our infrastructure is currently hosted in the United States. By using the Services you consent to the transfer of your data to the US. EU/UK customers can request a DPA with Standard Contractual Clauses; we use the EU Commission's 2021 SCC templates and the UK's International Data Transfer Addendum.
Cookies and tracking
We use first-party cookies for authentication and session management only. We do not use third-party advertising cookies or cross-site tracking. We honor the Global Privacy Control (GPC) signal as an opt-out for any future advertising cookies.
Changes to this Policy
Material changes will be communicated via email and posted here at least 30 days before taking effect.
Contact
support@brainiacstechsolutions.com
Brainiacs Tech Solutions LLC
650 Ponce De Leon St, Suite 300 #1688
Atlanta, GA, 30308
United States
This Privacy Policy is a starting framework. Customers handling PHI, EU/UK data, or California sensitive data should request our DPA / BAA before going live and consult their own counsel.