Privacy Policy
1. Scope
This Privacy Policy describes how Aria by Velzyx AI ("Aria," "we," "us") collects, uses, secures and shares information when a dental practice deploys our AI front-office platform ("Service") and when a patient or website visitor interacts with that practice through Aria. It applies to ariadental.ai, the embedded chat widget on practice websites, the inbound voice agent, the outbound and two-way SMS channels, the admin dashboard, and any related APIs.
Aria operates as a Business Associate of the dental practices that subscribe to the Service. The dental practice is the Covered Entity and remains the data controller of patient health information. Aria processes that data on the practice's behalf under a signed Business Associate Agreement (BAA).
2. What we collect
2.1 From patients calling, texting, or chatting with a practice
- Voice call audio. Inbound and outbound phone calls handled by the Aria voice agent are recorded for transcription, quality monitoring and dispute resolution.
- Call transcripts and SMS message content. Including everything the patient says, types, or sends.
- Identifiers patients provide. Full name, date of birth, phone number, email address, and (for booking and verification) insurance carrier, member ID, group number, plan name, and subscriber relationship.
- Appointment context. Provider preference, procedure type, scheduling preferences, prior visits if the patient is on file, and any clinical context the patient shares (e.g., "my crown fell out").
- Payment instruments. When a patient pays a copay or balance through Aria, payment card details are sent directly to our payment processor (Stripe). Aria's servers receive only a tokenized reference, the last four digits, the brand, and the expiry month/year.
2.2 From dental practices and their staff
- Practice profile (legal name, locations, providers, hours, services offered, fee schedule, payer list).
- Admin dashboard credentials and JWT session tokens.
- Connector credentials for Google Calendar, the practice management system (e.g., OpenDental), Stripe, Twilio, Stedi, and email providers. Stored encrypted at rest.
- Configuration choices: voice persona, business rules, reminder cadence, recall windows, intake form fields, and similar.
2.3 From website visitors
- IP address, user-agent, approximate geographic region (derived from IP), pages viewed, referrer, time on page, scroll depth, click events, and form submissions.
- Email addresses voluntarily submitted to download a buyer's guide, request a demo, or subscribe to updates.
- Telemetry from Microsoft Clarity (session replay and heatmaps) and Google Analytics 4 (aggregated event data). Clarity may capture mouse movements, clicks, and keystrokes outside of fields we mask. We mask form input fields by default.
2.4 Generated by the Service
- Call summaries, intent classification, sentiment scoring, booking outcomes.
- System logs (request timestamps, latency, error traces).
- Aggregated metrics (call volume, conversion rate, no-show rate) used for the practice's weekly report.
3. How we use it
We use the data above to (a) deliver the Service the practice has contracted for, (b) keep the Service safe, performant and accurate, and (c) operate our business. Specifically:
- Provide the Service. Answer calls, verify insurance, book and reschedule appointments, send reminders, collect payments, route messages to the practice, and surface analytics in the admin dashboard.
- Quality and safety. Detect failure modes, prevent abuse, debug specific calls when the practice asks us to, and improve transcription and intent recognition accuracy. We do not train foundation models on identifiable patient content.
- Customer support. Respond to practice support requests, troubleshoot integrations.
- Billing and account management. Process subscription payments, send invoices, send service updates.
- Marketing (website only). Measure which marketing pages convert, retarget on first-party properties, send opt-in product updates. We do not market to patients of our customer practices.
4. HIPAA & BAA
Aria is built to support HIPAA compliance for the dental practices that use it. We sign a Business Associate Agreement with every dental practice that handles Protected Health Information (PHI) through the Service. Each subprocessor that touches PHI also signs a BAA with us before any PHI is routed through it. Patient health information is encrypted at rest using AES-256-GCM and in transit using TLS 1.2 or higher. Access to PHI inside Velzyx AI is restricted to the smallest set of personnel needed to operate the Service and is logged.
Aria is a tool to assist a dental practice's front-office workflow. Aria does not make clinical decisions, and patients should not rely on Aria for medical advice. Patients with a dental emergency should call their practice's emergency line or seek in-person care.
5. Retention
- Voice call audio: 90 days by default, configurable per practice in the admin dashboard. Practices on a longer retention plan may extend up to 7 years to support claims and disputes.
- Call and chat transcripts: retained for the lifetime of the practice's account by default, so the practice can search history. A practice may shorten this in dashboard settings.
- SMS message history: 18 months by default; configurable.
- Patient profiles and appointments: retained for the lifetime of the practice's account; deleted on practice termination plus 30 days, unless the practice exports first.
- Payment metadata (last four, brand, expiry): retained for the lifetime of the practice's account. Full PAN data is held by Stripe under PCI-DSS, never on Aria infrastructure.
- Website telemetry: Google Analytics 4 retains event data for 14 months. Microsoft Clarity retains session replays for up to 30 days.
- System logs: 30 days for application logs, 90 days for security logs.
On termination of a practice's account, the practice may export all data within 30 days. After 60 days, all PHI and patient data is permanently deleted from primary systems. Encrypted backups age out within an additional 90 days.
6. Sharing & subprocessors
We do not sell personal data and we do not share patient data with third parties for advertising. Aria shares data only with the subprocessors necessary to deliver the Service or as required by law. Current subprocessors:
| Subprocessor | Purpose | Region |
|---|---|---|
| Amazon Web Services | Cloud hosting, encrypted storage, networking | United States |
| Google Cloud Platform | Backup hosting, Calendar API, certain ML inference | United States |
| OpenAI | Voice and language model inference (zero-retention API) | United States |
| Anthropic | Chat model inference (zero-retention API) | United States |
| Retell AI | Real-time voice orchestration | United States |
| Twilio | SMS messaging and voice trunking | United States |
| Stripe | Payment processing (PCI-DSS Level 1) | United States |
| Stedi | Insurance eligibility (270/271 transactions) | United States |
| Sentry | Error and performance monitoring | United States |
| Brevo | Transactional email | United States / EU |
| Cloudflare | DNS, WAF, edge caching for the marketing site | Global |
The current list of subprocessors is maintained in the admin dashboard and updated when material changes occur. Practices receive at least 30 days' notice before a new subprocessor handling PHI is added, with the right to object.
7. Cookies
The Aria marketing website uses essential cookies to keep your session working, plus analytics cookies for Google Analytics 4 and Microsoft Clarity. We do not run advertising or cross-site tracking cookies. The admin dashboard uses essential cookies only. The embedded patient widget on practice websites uses essential session storage to keep a conversation in progress. See the Cookie Policy for the cookie-by-cookie breakdown and how to opt out.
8. Security
- AES-256-GCM encryption at rest for PHI fields and credentials.
- TLS 1.2 or higher in transit for all client and inter-service traffic.
- Strict role-based access. Production data access is gated, logged and reviewed.
- SSO and MFA on all administrative consoles.
- Application secrets stored in a managed secret store, rotated on a schedule.
- Annual external penetration test. SOC 2 Type II is on the 2026 roadmap.
- Documented incident response plan. Security incidents involving PHI are reported to the affected practice without unreasonable delay and within HIPAA's 60-day window.
9. Your rights
If you are a patient of a practice that uses Aria and you want to exercise rights with respect to your data, please contact the dental practice directly. They are the controller of your record. We will support the practice in fulfilling access, correction, deletion, restriction and portability requests.
If you are a website visitor or a prospective customer:
- Access the data we hold about you by emailing privacy@ariadental.ai.
- Correct or delete data we hold about you. We will respond within 30 days.
- Opt out of marketing email at any time using the unsubscribe link in any message.
- Opt out of analytics tracking via your browser, an extension such as the Google Analytics opt-out add-on, or by clearing cookies. See the Cookie Policy.
California residents have additional rights under the California Consumer Privacy Act (CCPA) and CPRA, including the right to know what we collect, the right to delete, the right to opt out of sale (we do not sell), and the right to non-discrimination. We honor verifiable consumer requests in line with CCPA timelines.
10. Changes & contact
We may update this Privacy Policy as the Service evolves or as the law changes. When we make material changes, we will update the effective date at the top, post a notice on the marketing site, and notify subscribed practices by email at least 30 days before the change takes effect.
Privacy questions: privacy@ariadental.ai
Security questions: security@ariadental.ai
Aria by Velzyx AI · 5000 Birch St, Suite 3000 · Newport Beach, CA 92660
This policy is governed by the laws of the State of Delaware, without regard to conflicts-of-law principles. Disputes will be resolved per the dispute-resolution clause in the Aria Terms of Service.