Legal

Privacy policy

How Coya AI collects, uses, and protects your practice and patient data.

Effective date: January 1, 2026

01

What we collect

Coya collects information necessary to deliver the AI receptionist service. This includes call recordings and transcripts, caller contact information, intake form responses, scheduling data, and practice configuration details. We collect only what is needed to operate the service on your behalf.

02

How we use your data

Your data is used solely to deliver, maintain, and improve the Coya AI service for your practice. This includes processing inbound calls, routing to specialists, generating intake forms and provisional treatment plans, booking appointments, and sending reminders. We do not use your data for advertising, profiling, or any purpose unrelated to your service.

03

PHI protection

All protected health information is stored in a dedicated encrypted vault, completely isolated from operational and analytics data. PHI is encrypted at rest using AES-256 and in transit using TLS 1.2 or higher. No PHI is ever stored in URLs, browser storage, or shareable links. Access to PHI is strictly controlled through role-based permissions.

04

Zero sale policy

Coya AI has a strict zero sale policy. We never sell, rent, trade, or share your practice data or your patients’ personal information with third-party marketers, advertisers, or data brokers. Your data is your asset. We treat it accordingly.

05

Data retention

Call recordings and transcripts are retained for the duration of your subscription plus 90 days. Upon written request, we will delete specific records within 30 business days. Upon account termination, all practice data is exported to you and permanently deleted from our systems within 90 days unless retention is required by applicable law.

06

Third party services

Coya uses third-party infrastructure providers for telephony, cloud hosting, and SMS delivery. All third parties that handle PHI are bound by business associate agreements with equivalent or stricter data protection requirements. We do not share your data with any third party that is not directly involved in delivering the service.

07

Your rights

You have the right to access, correct, or delete your data at any time. You may request a full export of all data associated with your practice account. You may revoke consent for specific data processing activities by contacting us. We will respond to all data rights requests within 30 business days.

08

Cookies and analytics

The Coya website uses minimal, functional cookies required for authentication and session management. We do not use advertising cookies, tracking pixels, or third-party analytics platforms that profile visitors. We may collect anonymous, aggregated usage metrics to improve the service.

09

Contact

For questions about this privacy policy or to exercise your data rights, contact us at hello@getcoya.ai. We take every inquiry seriously and will respond within 5 business days.