Vocalite is built to meet the highest data protection standards in every market we operate in. Here's how we protect your clinic and your patients.
Last updated: March 4, 2026
All data is encrypted in transit (TLS 1.2+) and at rest (AES-256). Call recordings, transcripts, and patient data are never transmitted unencrypted.
Vocalite handles scheduling and general inquiries only. We never access, store, or process protected health information (PHI) or clinical records.
Built from day one to comply with HIPAA, PIPEDA, UK GDPR, and privacy laws across every English-speaking market we enter.
Health Insurance Portability and Accountability Act — United States
Vocalite signs a BAA with every clinic before going live. This legally binds us to HIPAA-compliant handling of any information exchanged during calls.
Our AI handles appointment scheduling and general inquiries only. We do not access, store, or process protected health information (PHI), treatment records, diagnoses, or insurance data.
All call data is encrypted in transit using TLS 1.2+ and at rest using AES-256 encryption. Recordings are stored in SOC 2 Type II compliant infrastructure.
Role-based access controls ensure only authorized personnel can access call recordings and transcripts. Access is logged and auditable.
Call recordings are retained for 30 days, then automatically deleted. Clinics can request earlier deletion at any time. Transcripts follow the same retention policy.
In the unlikely event of a data breach involving patient information, we notify affected clinics within 72 hours as required by the HIPAA Breach Notification Rule.
All third-party services processing call data (Vapi, ElevenLabs, cloud infrastructure) maintain their own HIPAA-compliant or SOC 2 certifications and sign BAAs where applicable.
All team members with access to clinic data complete HIPAA awareness training. Our AI systems are designed from the ground up to minimize data exposure.
Important: Because Vocalite handles only scheduling and general inquiries — not clinical information — our exposure to PHI is minimal by design. The BAA ensures any incidental PHI captured during calls (e.g., a patient mentioning a condition) is handled in full compliance with HIPAA requirements.
Personal Information Protection and Electronic Documents Act — Canada
Clinics provide informed consent before Vocalite processes calls on their behalf. Callers are informed that AI is assisting with their call when required by provincial regulations.
We collect only the information necessary to deliver our services: caller name, phone number, and appointment details. No health information is collected or stored.
Physical, technical, and organizational safeguards protect all personal information. These include encryption in transit and at rest, access controls, and regular security assessments.
Our privacy practices are publicly available. This page and our Privacy Policy detail exactly what data we collect, how we use it, and who has access.
Individuals can request access to their personal information held by Vocalite. Requests are processed within 30 days as required by PIPEDA.
Vocalite takes responsibility for all personal information in our possession, including data handled by our sub-processors. We maintain contracts ensuring equivalent protection.
All commercial electronic messages (emails, SMS) comply with Canada's Anti-Spam Legislation. Recipients can opt out at any time with immediate effect.
We report any breach of security safeguards involving personal information to the Office of the Privacy Commissioner of Canada and affected individuals as required by PIPEDA.
Provincial note: Several Canadian provinces have their own privacy legislation deemed substantially similar to PIPEDA. See our dedicated sections below for Ontario (PHIPA), Alberta (HIA), British Columbia (PIPA), Quebec, and Atlantic Canada.
Personal Health Information Protection Act — Ontario, Canada
Vocalite operates as an agent of the health information custodian (the dental clinic). We follow all PHIPA requirements for handling personal health information on behalf of Ontario clinics.
We support Ontario's "circle of care" consent model. Implied consent applies for treatment-related scheduling; express consent is obtained for all other uses of personal information.
Vocalite handles appointment scheduling and general inquiries only. We do not access, store, or process clinical records, diagnoses, or treatment information governed by PHIPA.
Any breach involving personal health information is reported to the Information and Privacy Commissioner of Ontario (IPC) and affected individuals as required by PHIPA regulations.
Scope: PHIPA applies to dental clinics operating in Ontario instead of PIPEDA for patient health information. Vocalite's practices meet or exceed both PHIPA and PIPEDA requirements.
Health Information Act — Alberta, Canada
Vocalite acts as an affiliate or information manager under Alberta's HIA. We maintain written agreements with clinics specifying our duties and responsibilities for handling health information.
Only the minimum amount of personal information needed for scheduling and inquiries is collected. No diagnostic, treatment, or clinical records are accessed or stored.
Administrative, technical, and physical safeguards protect all information as required by HIA. This includes encryption, access controls, and audit logging.
Breaches involving health information are reported to the Office of the Information and Privacy Commissioner of Alberta (OIPC) and affected individuals as required by HIA.
Scope: HIA governs health information in Alberta instead of PIPEDA. Vocalite's data handling practices are designed to comply with both HIA and PIPEDA requirements simultaneously.
Personal Information Protection Act — British Columbia, Canada
Personal information is collected only for purposes a reasonable person would consider appropriate. We obtain consent before collecting, using, or disclosing personal information.
Personal information is retained only as long as necessary for the identified purpose. Call recordings are automatically deleted after 30 days; clinics can request earlier deletion.
Individuals have the right to access their personal information and request corrections. Requests are processed within 30 business days as required by PIPA.
Privacy breaches that pose a real risk of significant harm are reported to the BC Office of the Information and Privacy Commissioner (OIPC) and affected individuals.
Scope: PIPA is deemed substantially similar to PIPEDA and governs private-sector organizations in British Columbia. Vocalite complies with both PIPA and PIPEDA for BC-based clinics.
Act Respecting the Protection of Personal Information in the Private Sector — Quebec, Canada
Vocalite complies with Quebec's modernized privacy framework (Law 25), including privacy impact assessments, consent requirements, and data portability obligations.
Clear, informed consent is obtained before collecting personal information. Privacy policies are written in plain language and made easily accessible to all individuals.
Quebec residents have the right to request de-indexing and cessation of dissemination of their personal information. We process these requests in accordance with Law 25.
Confidentiality incidents involving personal information are reported to the Commission d'accès à l'information du Québec (CAI) and affected individuals as required by law.
Scope: Quebec's privacy legislation is deemed substantially similar to PIPEDA. Law 25 (fully in force since September 2024) introduced stricter consent and breach notification rules. Vocalite meets all updated requirements.
PHIA (NB & NL) & PHIPAA (NS) — New Brunswick, Nova Scotia, Newfoundland & Labrador
Vocalite complies with New Brunswick's PHIA, Nova Scotia's PHIPAA, and Newfoundland & Labrador's PHIA. These acts govern how personal health information is collected, used, and disclosed by custodians.
Written agreements are maintained with clinics in Atlantic provinces, clearly defining Vocalite's role, responsibilities, and safeguards as an information manager or agent.
Vocalite handles scheduling and general inquiries only. We do not access, store, or process clinical records, diagnoses, or treatment details governed by provincial health privacy acts.
Privacy breaches are reported to the relevant provincial privacy commissioner and affected individuals in accordance with each province's specific notification requirements.
Scope: These provincial acts are deemed substantially similar to PIPEDA for health information. Vocalite's practices meet the requirements of all three Atlantic Canadian health privacy statutes.
UK General Data Protection Regulation & Data Protection Act 2018 — United Kingdom
We process data under legitimate interest (providing contracted services) and explicit consent. Clinics sign a Data Processing Agreement (DPA) before activation.
Only data strictly necessary for service delivery is collected. No special category data (health data under Article 9) is processed or stored.
Full support for all UK GDPR rights: access, rectification, erasure, data portability, restriction of processing, and objection. Requests handled within 30 days.
Where data is processed outside the UK, we rely on UK-approved Standard Contractual Clauses (SCCs) and ensure adequate levels of protection as required by the ICO.
Vocalite will register with the Information Commissioner's Office (ICO) as a data processor before launching UK operations, as required by law.
All outbound calling in the UK is screened against the Telephone Preference Service (TPS) and Corporate Telephone Preference Service (CTPS) registers.
Launch timeline: UK operations are planned for Q2 2026. Full ICO registration, DPA templates, and UK-specific data handling procedures will be in place before any UK clinic data is processed.
Australian Privacy Principles (APPs) — Australia
Vocalite's data handling practices are designed to comply with all 13 APPs, covering collection, use, disclosure, quality, security, access, and correction of personal information.
We comply with Australia's Notifiable Data Breaches (NDB) scheme. Any eligible data breach will be reported to the Office of the Australian Information Commissioner (OAIC) and affected individuals.
Before transferring personal information overseas, we take reasonable steps to ensure the overseas recipient complies with the APPs, as required by APP 8.
All commercial electronic messages sent to Australian recipients include accurate sender identification and a functional unsubscribe mechanism, and are sent only with consent.
Outbound calls to Australian numbers are screened against the Australian Do Not Call Register before any contact is made.
Vocalite does not process health information as defined under the Privacy Act. Our AI handles scheduling and inquiries only — no clinical or health records are accessed.
Launch timeline: Australian operations are planned for Q3 2026. OAIC notification, APP-compliant privacy notices, and Australian data handling procedures will be finalised before launch.
Information Privacy Principles (IPPs) — New Zealand
Vocalite's practices align with all 13 IPPs under New Zealand's Privacy Act 2020, covering collection, storage, access, correction, and disclosure of personal information.
Any privacy breach that causes or is likely to cause serious harm will be reported to the Office of the Privacy Commissioner (OPC) and affected individuals as required.
Personal information is only disclosed overseas where the recipient is subject to comparable privacy protections, as required by IPP 12.
All commercial electronic messages to New Zealand recipients comply with consent requirements, include accurate sender details, and provide a clear opt-out mechanism.
Vocalite does not collect or process health information as defined by New Zealand's Health Information Privacy Code 2020. Our services are limited to scheduling and general practice inquiries.
Individuals have the right to access and request correction of their personal information. Requests are handled within 20 working days as required by the Privacy Act 2020.
Launch timeline: New Zealand operations are planned for Q4 2026. OPC engagement and NZ-specific privacy documentation will be completed before any New Zealand clinic data is processed.
If you have questions about how Vocalite handles your data, need a BAA, or want compliance documentation for your records, contact us: