Purpose and Scope

Purpose of This Policy and Who It Applies To

Summit AI Limited is committed to protecting the privacy of everyone

who interacts with our services. This Privacy Policy explains how Summit AI Limited (“Summit AI”, “we”, “us”, or “our”) collects, uses, discloses, and safeguards personal data.

The purpose of this policy is to:

• Explain how personal data is collected, used, stored, and protected

• Help individuals understand and exercise their privacy rights

• Ensure compliance with applicable privacy and data protection laws

• Build trust with our healthcare clinic customers and their patients

This policy applies to all individuals whose data we process, including customers, end users, website visitors, and business partners. This covers all services provided by Summit AI, such as our intelligent phone receptionist.

• Customers: Healthcare clinics and their staff (admin team and clinicians)

• End Users: Patients and callers whose data is processed through our AI receptionist

• Website visitors: Individuals who visit our website at https://usesummitai.com/

• Business Partners: Business partners and vendors

Note: Summit AI Limited processes personal data on behalf of healthcare clinics, which act as the data controllers. Clinics are responsible for their relationship with patients and for ensuring appropriate notices and consents are provided in accordance with applicable healthcare and privacy laws.

Types of Personal Data We Collect

We collect personal data directly when individuals interact with our services. We collect this data in three main ways: directly from individuals, automatically during service use, and from third-party systems.

Data Provided by Individuals (Patients and Clinic Staff)

Clinic Information

• Clinic name and contact information

• Staff names, role and contact details

• Practice Management Software API key, token or equivalent credential

Account Details

• Account credentials and user preferences

• Payment information for service purchases

Call Data (processed on behalf of customers)

• Call recordings and transcripts

• Patient names, contact details and appointment details

  
  

Data Collected Automatically
When using our services, we may automatically collect:

• Call recordings, transcripts, and metadata (e.g., timestamps, call duration)

• Device information (type, operating system, browser)

• Technical data such as IP addresses, device information, and usage patterns

• Usage analytics and log data for security reasons and service improvement

  
  

Data from Third Parties

We may receive data from third-party systems, such as Practice Management Systems (PMS), to assist with appointment scheduling and patient communication.

Children's Data

Our services are intended for healthcare providers and not for children under 16. Clinics are responsible for obtaining parental consent when processing children’s data. Parents or guardians can contact us to access, correct, or delete their child’s data.

How We Use Personal Data

We use personal data to provide and improve our services, communicate effectively, and meet legal requirements. Specifically:

• Service Delivery & Operations: Managing calls, scheduling appointments, and facilitating patient communication

• Support and Communication: Responding to inquiries and providing customer support

• Legal Compliance: Meeting regulatory requirements in New Zealand and Australia

• Marketing (with Consent): Sending updates or promotional materials to clinics, where permitted

Legal Basis for Processing

We process personal data based on:

• Consent: When individuals provide clear consent, such as for call processing and marketing communications. This is withdraw-able at any time.

• Contractual Necessity: To fulfil Summit AI's service agreements with clinics.

• Legitimate Interests: To improve Summit AI's services and ensure operational efficiency, while respecting individual rights.

Data Collection Practices and Data Sharing Notifications

We collect personal data through:

• Direct interactions, such as phone calls, emails, or web forms.

• Integration with third-party systems like PMS platforms.

• Automated tools that capture call recordings and metadata.

We notify individuals about data collection through:

• Privacy notices on our website.

• Onboarding materials shared with clinics.

• Disclaimer messages during AI receptionist interactions.

Clinics are responsible for informing patients about data collection and obtaining any required consents prior to using Summit AI services.

Sharing and Disclosure of Data

We share personal data only when necessary and with safeguards in place:

• Internal Use: Data is accessed only by authorized personnel (executive leadership and authorized service providers) for service delivery and support.

• Third-Party Service Providers: Trusted vendors help manage call recordings, transcripts, and appointment data. Key service providers:

  • Retell AI for call transcript and recording storage (GDPR, HIPAA, PCI-DSS, or SOC 2 compliant)

  • Make.com (Workflow automation, 45-day data retention)

  • OpenAI (Call transcript analysis)

  • Telnyx (Telephony provider)

  • Twilio (Telephony provider)

  • Nookal or Cliniko (Practice management software interfaces used to access and sync appointment and patient information)

  • Stripe (Payment processor)

• Cross-Border Transfers: Where personal data is transferred internationally, Summit AI implements appropriate safeguards, including standard contractual data protection obligations, and other legal safeguards, with service providers.Data Retention and Accuracy

  Retention Periods

  We retain personal data only as long as necessary: