
Privacy Policy

What we collect, what we don't, what we do with it, and the rights you have. Written for humans first.

Last updated

Short version: we collect what we need to run the front desk for your practice. We sign a BAA. We never train models on patient data. You can export or delete your records any time.

Who this applies to

This policy describes how Wilma AI, Inc. (“Wilma,” “we”) handles personal information when you (a) visit our website, (b) sign up for or use the Wilma platform, or (c) contact us.

When Wilma processes Protected Health Information (PHI) on behalf of a dental practice, the practice is the HIPAA Covered Entity and Wilma is a Business Associate acting under a signed BAA. The terms of the BAA control over this policy for that PHI.

Information we collect

  • Account information — name, email, practice name, role, phone, password hash.
  • Call audio & transcripts — the audio of inbound and outbound calls, real-time transcripts, and structured outcomes (appointments, triage tags, insurance notes).
  • SMS content — messages exchanged between Wilma and patients on behalf of your practice.
  • Practice configuration — provider list, ops, hours, fee schedule, recall plans, scripts.
  • PMS data — patient demographics, appointment history, insurance and benefits, clinical notes — only what's needed to schedule and verify benefits.
  • Technical data — IP address, browser, device, pages viewed, timestamps. We use first-party cookies for authentication and security only.

How we use it

  • Run the Service: answer calls, book appointments, write to your PMS.
  • Detect fraud, abuse, and threats; investigate incidents.
  • Improve quality for your practice — Wilma adapts to your providers, ops, and patterns over time.
  • Send service-related emails (billing, outages, security alerts).
  • Comply with legal obligations and enforce our agreements.

What we don't do: we don't use patient data to train models for other customers. We don't sell personal information. We don't serve third-party advertising on our product.

How we share it

  • Subprocessors we use to operate the Service (infrastructure, telephony, customer support). See the full list on the Subprocessors page.
  • Your practice management system — appointments, notes, and patient updates are written back to your PMS at your direction.
  • Authorities when required by law (subpoena, court order), after we've evaluated the request for validity and scope.
  • Successors in a merger, acquisition, or asset sale — your data stays bound by the same protections.

Data retention

Call audio and transcripts are retained for the period configured by your practice (default: 90 days). Structured outcomes, appointment records, and billing data are retained as long as your account is active and as required by law. On account closure, we'll export your data on request and delete it within 60 days, subject to legal-hold obligations.

Your rights

Depending on where you live, you may have the right to access, correct, delete, or export your personal information; to object to or restrict certain processing; and to opt out of certain sharing. To exercise these rights, email our privacy team. We'll respond within 30 days. We won't retaliate for valid privacy requests.

Security

We encrypt data in transit (TLS 1.3) and at rest (AES-256). Access to production systems is restricted, logged, and reviewed quarterly. We maintain SOC 2 Type II controls. For more detail see our Security page.

International transfers

Wilma operates in the United States. We process and store customer data in U.S. regions. If you access the Service from outside the U.S., you understand and consent to your data being transferred to the U.S. for processing.

Children

The Service is not intended for users under 16. We don't knowingly collect information from children directly. PHI relating to minor patients is processed under the direction of the practice and governed by the BAA.

Changes

We'll post any material changes here and notify customers by email at least 30 days before they take effect.

Contact

Questions? Email our privacy team. For HIPAA-specific questions, contact our HIPAA Privacy Officer by emailing our HIPAA team.