formisoft

Privacy Policy

Last updated: March 2026

1. Introduction

Formisoft (“we”, “us”, “our”) is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our patient engagement platform. By using the Platform, you agree to the collection and use of information as described in this policy.

2. Information We Collect

Account Information

When you create an account, we collect your name, email address, phone number, and organization details.

Patient Data

When healthcare providers use Formisoft to collect patient information, that data is stored on behalf of the provider (the “covered entity”). We act as a business associate and process this data only as directed by the provider.

Appointment Data

We collect scheduling information, provider availability settings, and appointment history to facilitate appointment booking and management.

Communication Data

We store SMS messages, email content, and AI voice call transcripts sent or received through the Platform. We also track communication preferences, including opt-in and opt-out status for each patient.

Payment Data

We store transaction records for payments processed through Stripe Connect between providers and patients. Formisoft does not store credit card numbers, bank account numbers, or other sensitive payment credentials. All payment credentials are handled directly by Stripe.

Voice & AI Data

When the AI Virtual Receptionist feature is enabled, we collect call recordings, transcripts, and metadata (caller number, duration, outcome). AI-generated content from the form builder and other AI features is also stored.

Device & Usage Data

We automatically collect information about how you interact with our platform, including your IP address, browser type, operating system, device information, pages visited, features used, and form completion rates.

3. How We Use Your Information

  • To provide and maintain our practice management platform
  • To process form submissions on behalf of healthcare providers
  • To send transactional emails (intake links, notifications)
  • To send SMS and email appointment reminders and follow-ups
  • To process AI voice calls for appointment confirmations and patient communication
  • To facilitate payment collection between providers and patients
  • To power AI features, including form generation and the Virtual Receptionist
  • To execute automated workflows configured by providers
  • To improve our platform and develop new features
  • To detect, prevent, and address fraud, abuse, and security issues
  • To provide customer support
  • To comply with legal obligations

4. Data Security & Residency

We implement appropriate technical and organizational measures to protect personal data, including encryption at rest and in transit (AES-256 and TLS 1.3), role-based access controls, audit logging, and regular security assessments. No method of transmission over the Internet or electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your data, we cannot guarantee absolute security.

All data is stored and processed exclusively within the United States on AWS infrastructure. Your data never leaves US borders.

5. Data Retention

We retain account data for the duration of your subscription. Patient data collected through forms is retained until deleted by the healthcare provider or upon account termination. Communication records (SMS, email, voice call transcripts) are retained for the duration of your subscription. Audit logs are retained for a minimum of 6 years for compliance purposes. Upon account termination, you may request an export of your data within 30 days. After 30 days, we may permanently delete your data.

6. HIPAA Compliance

All healthcare providers accept a Business Associate Agreement (BAA) during onboarding. We maintain appropriate administrative, physical, and technical safeguards as required by the HIPAA Security Rule. You can review your BAA status in your Compliance settings.

7. Third-Party Services

We use the following third-party services to operate our platform. Each provider is bound by contractual obligations to keep personal data confidential and to use it only for the purposes for which it is disclosed:

  • Amazon Web Services - Cloud infrastructure and data storage (US regions only)
  • Stripe - Subscription billing and provider-patient payment processing via Stripe Connect
  • Resend - Transactional email delivery
  • Telnyx - SMS delivery, voice calls, and AI Virtual Receptionist telephony
  • Anthropic (Claude) - AI-powered form generation, content processing, and Virtual Receptionist intelligence (no PHI is sent to Anthropic)
  • Cloudflare - Security verification (Turnstile CAPTCHA) and content delivery network
  • Google Analytics - Website traffic analysis and marketing attribution (no PHI is sent to Google)
  • PostHog - Product analytics to improve user experience (no PHI is sent to PostHog)

8. Cookies

We use cookies and similar technologies for authentication, storing your preferences, and product analytics (Google Analytics and PostHog). Google Analytics uses cookies to collect information about your browsing activity, which may include cross-site tracking for marketing attribution. You can manage cookie preferences through the cookie consent banner displayed when you first visit our site. Essential cookies required for authentication cannot be disabled.

9. Data Breach Notification

In the event of a breach involving protected health information (PHI), we will notify affected covered entities within 72 hours as required by the HIPAA Breach Notification Rule (45 CFR §§ 164.400–414). We will also cooperate with covered entities in notifying affected individuals and the Department of Health and Human Services as required by law.

10. Disclosure of Information

In addition to the third-party services listed above, we may disclose your information in the following circumstances:

  • To comply with applicable laws, regulations, court orders, subpoenas, or other legal processes
  • To enforce our Terms of Service and other agreements
  • To protect the rights, property, or safety of Formisoft, our users, or the public
  • To detect, prevent, or address fraud, security, or technical issues
  • With your consent or at your direction

11. Business Transfers

If Formisoft is involved in a merger, acquisition, reorganization, or sale of all or a portion of its assets, your information may be transferred as part of that transaction. We will notify you via email or a prominent notice on our website of any change in ownership or uses of your personal information, as well as any choices you may have regarding your information.

12. Your Rights

You have the right to:

  • Access your personal data
  • Correct inaccurate data
  • Request deletion of your data
  • Export your data in a machine-readable format
  • Object to processing of your data
  • Opt out of SMS and other automated communications

To exercise any of these rights, contact us at privacy@formisoft.com. We will respond to your request within 30 days.

13. Children Under 13

The Platform is not intended for use by children under the age of 13. We do not knowingly collect personal information from children under 13. If we become aware that we have collected personal information from a child under 13, we will take steps to delete that information promptly. If you believe we have collected information from a child under 13, please contact us at privacy@formisoft.com.

14. Do Not Sell My Personal Information

We do not sell your personal information to third parties. We do not sell or disclose de-identified patient information. We only share data with third-party service providers as necessary to operate the Platform, as described in Section 7 above.

15. Do Not Track

Some browsers offer a “Do Not Track” (DNT) setting. We currently do not respond to DNT signals. Google Analytics, used on our marketing website, may use cookies for cross-site marketing attribution. No protected health information (PHI) is shared with any analytics provider. You can opt out of Google Analytics by installing the Google Analytics Opt-out Browser Add-on.

16. California Privacy Rights

If you are a California resident, the California Consumer Privacy Act, as amended by the California Privacy Rights Act (collectively, “CCPA”), provides you with additional rights regarding your personal information, including:

  • The right to know what personal information we collect, use, and disclose
  • The right to request deletion of your personal information
  • The right to correct inaccurate personal information
  • The right to opt out of the sale or sharing of your personal information (we do not sell or share personal information for cross-context behavioral advertising)
  • The right to non-discrimination for exercising your privacy rights

To exercise your California privacy rights, contact us at privacy@formisoft.com. We will verify your identity before processing your request and respond within 45 days. You may submit up to two requests per 12-month period.

17. Third-Party Links

The Platform may contain links to third-party websites or services that are not operated or controlled by Formisoft. We are not responsible for the content, privacy policies, or practices of any third-party websites. We encourage you to review the privacy policy of any third-party site you visit.

18. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on our website with a revised “Last updated” date and, where appropriate, by email notification. Your continued use of the Platform after any changes constitutes your acceptance of the updated Privacy Policy.

19. Contact Us

For privacy-related inquiries, please contact us at privacy@formisoft.com or through our contact page.