Privacy policy.

How we collect, use, and protect your data under an audit-ready security program mapped to HIPAA safeguards and SOC 2.

Last updated · April 2026

1. Introduction

Pearl ("we," "us," or "our") is committed to protecting the privacy and security of your information. This Privacy Policy describes how we collect, use, disclose, and protect information in connection with your use of our AI voice assistant service for dental offices (the "Service").

Because Pearl is used in healthcare settings, we operate an audit-ready security program mapped to the safeguards of the Health Insurance Portability and Accountability Act (HIPAA) and to SOC 2 controls. All patient data processed through the Service is handled as Protected Health Information (PHI), and we sign a Business Associate Agreement (BAA) with subscribing practices where applicable.

2. Information we collect

We collect information in several categories.

Account and practice information

  • Practice name, address, phone number, and contact details provided during registration.
  • Authorized user names, email addresses, and credentials for your Pearl account.
  • Practice configuration settings, scheduling rules, and workflow preferences.
  • Billing and payment information (processed by our payment processor; Pearl does not store full card numbers).

Patient interaction data

  • Voice recordings and transcripts of calls handled by Pearl on your behalf.
  • Patient names, contact information, and appointment details exchanged during calls.
  • SMS and email message content sent or received through the Service.
  • Scheduling actions taken in your Practice Management System (PMS) through the Service.

Usage and technical data

  • Log data including IP addresses, browser type, pages visited, and timestamps.
  • Device information when you access the call review portal or admin dashboard.
  • Aggregated analytics about call volumes, booking rates, and service performance.

3. How we use your information

We use the information we collect to:

  • Deliver, maintain, and improve the Service, including processing patient calls and scheduling appointments in your PMS.
  • Send staff notifications and interaction summaries as configured by your practice.
  • Provide you with access to the call review portal and analytics dashboard.
  • Communicate with you about your account, billing, service updates, and support requests.
  • Ensure the security and integrity of the Service and comply with legal obligations.
  • Generate aggregated, de-identified analytics to understand usage patterns and improve our AI models — patient PHI is never used for AI model training.

4. HIPAA posture and data security

Pearl operates an audit-ready security program mapped to HIPAA safeguards and SOC 2 controls. Patient data handled through the Service is treated as Protected Health Information (PHI), and we sign a Business Associate Agreement (BAA) with subscribing practices where applicable. Our security controls include:

  • End-to-end encryption of data in transit (TLS 1.2+) and at rest (AES-256).
  • Role-based access control and least-privilege provisioning.
  • Centralized logging of application, infrastructure, and access events.
  • Encrypted, redundant backups with tested restore procedures.
  • Documented incident response plan with on-call escalation.
  • Subprocessor and vendor review before onboarding and on a recurring cadence.
  • HIPAA and security awareness training for all Pearl staff.

Patient conversations are not used to train AI models. We do not sell patient data to third parties.

Diligence documentation — security overview, policies, risk assessment summary, architecture overview, BAA, and subprocessors list — is available to prospective and current customers under NDA.

Pearl uses a small number of third-party service providers (subprocessors) to deliver the Service. A current list, including the data each handles and the status of our BAA with them, is available to customers on request at info@getpearl.ai.

5. How we share information

We do not sell your information or your patients' information to third parties. We may share information only in the following limited circumstances:

  • With your Practice Management System (PMS): To schedule, reschedule, and cancel appointments as directed during patient calls.
  • With your VOIP provider: To route and transfer calls as configured by your practice.
  • With service providers: Carefully vetted third-party infrastructure providers (cloud hosting, telephony, SMS/email delivery) bound by data processing agreements aligned with HIPAA safeguards.
  • For legal compliance: If required by law, court order, or governmental authority, or to protect the rights, property, or safety of Pearl, our customers, or the public.
  • Business transfers: In connection with a merger, acquisition, or sale of assets, subject to confidentiality obligations and HIPAA safeguards.

6. Third-party services

The Service integrates with third-party platforms including Practice Management Systems (Athena, Cloud9, Curve Hero, Dentrix Ascend, eClinicalWorks, ModMed, NextGen Office, NexHealth), VOIP providers (Mango Voice, Weave, and others), and communication platforms (SMS and email providers). These integrations are necessary to deliver the Service.

Our website may use third-party analytics tools to understand site usage. These tools may use cookies and similar technologies as described in our Cookie Policy. We do not permit third-party analytics providers to access PHI.

7. Data retention

We retain account and configuration data for the duration of your subscription and for a reasonable period thereafter to allow for account reactivation or to fulfill legal obligations.

Call recordings, transcripts, and patient interaction data are retained for a default period of 12 months from the date of the interaction, unless your practice requests a different retention period consistent with applicable law. After the retention period, data is securely and permanently deleted.

Upon termination of your subscription, we will delete your data within 90 days, except where retention is required by applicable law.

8. Your rights

As a subscriber, you have the following rights with respect to the data we hold about your practice:

  • Access: Request a copy of the data we hold about your practice and its interactions through the Service.
  • Correction: Request that we correct inaccurate account or configuration data.
  • Deletion: Request deletion of your data, subject to applicable legal retention requirements.
  • Portability: Request an export of your call data and interaction history in a machine-readable format.
  • Restriction: Request that we restrict processing of your data in certain circumstances.

For requests related to patient PHI under HIPAA, the covered entity (your practice) is responsible for handling patient access requests. Pearl will support your practice in fulfilling such requests under the terms of our BAA.

9. Children's privacy

The Service is not directed to individuals under 18. We do not knowingly collect personal information from children. Patient data relating to minors that is processed through the Service is handled consistent with HIPAA and applicable law, and is subject to the same security protections as all other patient data.

10. Changes to this policy

We may update this Privacy Policy from time to time to reflect changes in our practices or applicable law. We will notify you of material changes by email or by posting a notice on our website. The date at the top of this policy reflects the most recent update.

11. Contact us

If you have questions about this Privacy Policy, wish to exercise your data rights, or have a privacy concern, please contact us at: