Privacy Policy
Apex Tools AI (“we,” “us,” “our”) operates the website apextoolsai.com and provides bilingual AI phone receptionist services to dental practices, medical spas, and other small businesses (“Practice,” “Customer”). This Privacy Policy explains what information we collect, why we collect it, how we use it, and your rights over it.
1. Who is the data controller
Apex Tools AI is operated by Brown Neyra Sales 85 Corp, a Florida corporation. For privacy questions you can reach us at [email protected].
2. Information we collect
From Customers (the Practice)
- Account information: name, business name, email address, phone number, business address, password (hashed using PBKDF2-SHA256), and login session metadata.
- AI configuration: business hours, services offered, FAQs, voice preference, escalation phone number.
- Billing information: Stripe customer ID, subscription status. We never see or store your credit card; that lives only with Stripe.
- Integration credentials you choose to connect: OAuth tokens for Google Calendar, API keys for NexHealth (Dentrix, Open Dental, Eaglesoft, Carestack, Curve), and Personal Access Tokens for Calendly. These credentials are encrypted with AES-256-GCM at the application layer (master key held separately in Cloudflare Secrets) and stored in Cloudflare D1, which also encrypts data at rest at the infrastructure level.
From Patients calling the AI receptionist
- Phone number (from caller ID).
- Voice recording of the call and a text transcript.
- Information the patient volunteers to the AI: name, reason for call, requested appointment date/time, insurance, and similar.
- Language detected (English or Spanish).
From visitors to apextoolsai.com
- Standard server logs: IP address, user agent, request paths.
- If you book a discovery call, the contact information you submit to Cal.com.
3. Google user data — limited use disclosure
When a Customer connects their Google Account to enable Google Calendar integration, Apex Tools AI requests the following Google API scopes:
- https://www.googleapis.com/auth/calendar.events — to create and read appointment events on the connected calendar so the AI can write appointments it books into the Practice’s real schedule.
- https://www.googleapis.com/auth/userinfo.email — to display which Google account is connected so the Customer knows where their appointments are being written.
Apex Tools AI’s use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
Specifically:
- We use Google user data only to provide the calendar-syncing feature you opted into.
- We do not transfer Google user data to third parties except as needed to provide the service (Cloudflare hosting infrastructure) or as required by law.
- We do not use Google user data for serving advertisements.
- We do not allow humans to read Google user data unless we have your explicit consent, it is required for security investigations or legal compliance, or the data has been aggregated and anonymized.
- We do not use Google user data to train machine-learning models.
You can revoke our access at any time by visiting myaccount.google.com/permissions and removing “Apex Tools AI.” You can also disconnect from inside our dashboard at /dashboard/#integrations, which deletes the stored tokens immediately.
4. How we use the information
- Operate the AI receptionist (route calls, generate responses, book appointments).
- Sync appointments and calls to your connected calendar or practice management system.
- Generate reports and analytics for your dashboard.
- Send transactional email (login links, account notifications, ticket confirmations).
- Provide customer support and respond to your questions.
- Detect, investigate, and prevent fraud, abuse, and security incidents.
- Comply with legal obligations.
We do not sell personal information. We do not share patient call recordings or transcripts with anyone outside the Practice that subscribed to the service, except as required to provide the service (e.g., voice processing by Vapi, transcription by Deepgram, voice synthesis by ElevenLabs, language model inference by OpenAI).
5. Third-party service providers we share data with
To deliver the AI receptionist service, we share specific subsets of data with the following third-party processors. Each is bound by its own privacy policy and data-processing terms. We do not sell, rent, or trade your data to anyone, and we do not use Google user data for advertising.
| Provider | What we share | Why | Privacy policy |
|---|---|---|---|
| Cloudflare, Inc. | All account data, call logs, transcripts, OAuth tokens (encrypted at rest in Cloudflare D1) | Hosting infrastructure and database | cloudflare.com/privacypolicy |
| Vapi, Inc. | Caller phone number, audio stream, conversation transcript | Voice AI orchestration (real-time call handling) | vapi.ai/privacy |
| OpenAI, L.L.C. | Conversation transcript (text only) for in-call response generation | Language model inference (powers the AI’s conversational responses). OpenAI does not train on this data per their API data-usage policy. | openai.com/policies/privacy-policy |
| ElevenLabs, Inc. | AI’s outgoing text only (no caller audio or PII) | Text-to-speech voice synthesis | elevenlabs.io/privacy |
| Deepgram, Inc. | Live caller audio stream (transcribed in real time, not stored by Deepgram) | Speech-to-text transcription (delivered through Vapi) | deepgram.com/privacy |
| Twilio, Inc. | Caller phone number, call metadata, optional outbound SMS content (urgent alerts) | Telephony — inbound call routing and SMS delivery | twilio.com/legal/privacy |
| Stripe, Inc. | Customer name, email, billing address, payment-card data (handled by Stripe directly — we never see card numbers) | Subscription billing and payment processing | stripe.com/privacy |
| Resend, Inc. | Recipient email address and email content (transactional emails only) | Transactional email delivery (login links, receipts, alerts) | resend.com/legal/privacy-policy |
| Google LLC (Calendar API) | OAuth access token + appointments we create on the customer’s connected Google Calendar | Push booked appointments into the customer’s Google Calendar (only if the customer connects this integration) | policies.google.com/privacy |
| NexHealth, Inc. | API token + appointment + patient name/phone | Push booked appointments into the customer’s practice management system (only if the customer connects this integration) | nexhealth.com/privacy-policy |
| Cal.com, Inc. | API token + appointment metadata | Push booked appointments into the customer’s Cal.com calendar (only if the customer connects this integration) | cal.com/privacy |
Limited transfer of Google user data
Data obtained through Google APIs (Google Calendar) is used solely to provide and improve the appointment-booking integration the customer explicitly authorized. We do not use Google user data to develop, improve, or train generalized AI/ML models, and we do not share Google user data with any third party except as strictly necessary to operate the integration (Cloudflare for storage of encrypted OAuth tokens) or as required by law. Google user data is never used for advertising and is never sold.
Other transfers
We may also disclose information (1) to comply with a valid legal request (subpoena, court order, lawful government request), (2) to enforce our Terms of Service, (3) to protect the rights, property, or safety of Apex Tools AI, our customers, or the public, or (4) in connection with a merger, acquisition, or sale of assets — in which case affected users will receive notice and a chance to delete their data before transfer.
6. Where data is stored
Customer accounts, configuration, call logs, transcripts, and integration credentials live in Cloudflare D1 (a SQLite-backed database) in Cloudflare’s North American region. Audio recordings are temporarily held by Vapi for the duration of the call and a short retention window thereafter. Email is sent through Resend.
7. How long we keep data
- Account data: for the life of your subscription, plus 90 days after cancellation.
- Call transcripts and audio: 90 days by default, shorter on request.
- Stripe billing records: as required by law (typically 7 years for tax records).
- OAuth tokens: until you disconnect the integration or close your account.
8. Security
All traffic to apextoolsai.com runs over HTTPS with HSTS. Passwords are hashed using PBKDF2-SHA256 with 100,000 iterations and a per-user salt. Session cookies are HttpOnly, Secure, and SameSite=Lax. Integration credentials are encrypted at the application layer with AES-256-GCM before being written to the database; the master encryption key is held separately in Cloudflare Secrets. We use Cloudflare’s managed infrastructure for DDoS protection, WAF, and edge security.
9. Your rights
You can:
- Request a copy of the data we hold about you.
- Request correction or deletion of your data.
- Disconnect any integration from your dashboard at any time.
- Close your account by emailing [email protected]; we will delete personal data within 30 days, retaining only what is required for legal/tax purposes.
If you are a California resident, you have additional rights under the CCPA (right to know, right to delete, right to opt out of sale — we don’t sell). If you are in the EU/UK, you have rights under the GDPR (access, rectification, erasure, portability, restriction, objection).
10. Children
Apex Tools AI is not directed to children under 16. We do not knowingly collect data from children. If you believe a child has provided data to us, contact us and we will delete it.
11. Changes to this policy
We may update this policy. Material changes will be announced by email to customers at least 14 days before they take effect. The “Last updated” date at the top of this page reflects the most recent revision.
12. Contact
Questions, requests, or complaints: [email protected]