Legal

Privacy Policy

Last updated: 4 July 2026

Eva (“Eva,” “we,” “us”) provides AI-assisted clinical documentation software to dental practices. This policy explains what information we handle, why, and the choices available to you. It is written in plain language and kept intentionally short.

This is a starting draft. Each clinic should have its own counsel review this policy and adapt it to the clinic's jurisdiction before relying on it.

Our role: processor, not controller

Eva is sold to dental clinics (business-to-business). For the patient information a clinic's clinicians enter into Eva, the clinic is the data controller and Eva is the data processor — we handle that information on the clinic's behalf and under its instructions, not for our own purposes. The clinic remains responsible for the lawful basis for treating patients' data, for obtaining consent and providing disclosures, and for meeting the requirements of its own jurisdiction.

For a limited set of data we collect directly, such as demo requests and clinician account details, we act as the controller. This policy distinguishes the two roles below.

What we collect and why

Marketing and contact data (we are the controller). When you request a demo or contact us, we collect the details you provide: your name, practice name, role, phone number, email address, and any message. We use this only to respond to you, arrange a demo, and follow up about Eva.

Account data (we are the controller). When a clinician account is created, we collect a work email address and password (stored only as a secure hash) to authenticate you and secure your access.

Clinic-entered patient data (the clinic is the controller; we are the processor). Clinicians use Eva to record and document consults. This can include consult audio, the transcript Eva generates from it, and the clinical note Eva drafts for a clinician to review and finalize, which may contain patient health information. Eva processes this data solely to provide the documentation service to the clinic. Eva produces a draft; a clinician reviews and finalizes every note. Eva does not diagnose, prescribe, or write notes into a clinic's practice-management system on her own.

The voice assistant on this website (we are the controller)

You can ask Eva questions by voice or text on our public website. When you do, your question is processed transiently to answer it: speech is transcribed, the question is answered, and the reply is spoken back, using the same approved-providers rule that governs the rest of Eva. We do not store your website conversation on our servers, we do not build visitor profiles from it, and it is not used to train models. We use your network address briefly to protect the assistant from abuse (rate limiting). The website assistant answers questions about Eva; please do not share patient information or other sensitive details through it.

How we use AI, and training

Patient data is never used to train third-party AI models. We select AI providers that offer no-training / zero-retention terms and confirm those terms in writing as part of each provider agreement. Any improvement of Eva from clinic data is opt-in, off by default, and uses only de-identified examples — never sent to a vendor for training.

Legal basis

Our lawful grounds for processing depend on the applicable law, but in simple terms:

  • Marketing and contact data: we process it based on your request and our legitimate interest in responding to you and running our business.
  • Account data: we process it to provide the service you have signed up for (contractual necessity).
  • Patient data:the clinic establishes and documents the lawful basis (such as patient consent and provision of care) as the controller; Eva processes it under the clinic's instructions and a data-processing agreement.

Eva operates across regions and matches each requirement to the law that governs a given clinic's patients. See our Security & Compliance page for how this works by region.

Subprocessors

Eva relies on a small, vetted set of third-party service providers to run the product, covering AI language processing, speech-to-text, hosting, and error monitoring. Each operates under an appropriate agreement, patient data is only ever sent to approved providers, and any provider that handles patient data does so under terms that reflect our no-training / zero-retention and security requirements.

The full named subprocessor register (each provider, the data it touches, and the agreement covering it) is available to you and your compliance reviewer on request, under NDA.

Security

We treat data protection as part of the product. Controls in place today include encryption in transit (TLS) and at rest (AES-256), per-clinic isolation at the database level, an approved-providers-only rule for patient data, no patient data in system logs, error monitoring scrubbed of patient data, and a tamper-evident, append-only audit trail.

We do not claim HIPAA, SOC 2, or any other certification. None are certified yet. The available controls, and the ones still being built, are described in full on our Security & Compliance page.

Data retention

Transcripts and clinical notes are kept as the clinical record. Raw consult audio is retention-configurable per clinic: keep it (the default), delete it once a note is signed off, or delete it after a set number of days. Only the raw audio is ever deleted, and every deletion is written to the audit trail.

Marketing, contact, and account data are kept for as long as needed to respond to you and maintain your account, and then deleted or de-identified. Because the clinic is the controller of patient data, the clinic sets the retention policy for its records within Eva's configurable options.

Your rights and how to exercise them

For patients: Eva does not have a direct relationship with patients. If you are a patient and want to access, correct, or delete your information, please contact the dental practice that treated you; it is the controller of your data. We will support that practice in fulfilling your request.

For clinics: Clinics can delete patient records within Eva today. A portable patient-data export (to help fulfil data subject access requests) is being built. As a controller of your marketing, contact, or account data, you may ask us to access, correct, or delete it.

To exercise any right, or to ask a privacy question, contact us at the address below. We will respond within the timeframe your applicable law requires.

Cookies

Eva uses only essential cookies needed to sign you in and keep the application working. The app declines non-essential and tracking cookies. We do not use advertising cookies.

Children

Eva is a professional tool for dental practices and is not directed at children, and we do not knowingly collect information directly from children. Any patient information, including that of minor patients, is entered by clinicians and governed by the treating practice as controller.

Changes to this policy

We may update this policy as Eva evolves. The “last updated” date at the top reflects the current version, and we will make material changes clear.

Contact us

For privacy questions or to exercise a right, contact us at privacy@evatco.ai. Clinics reviewing Eva can also ask us to walk a compliance reviewer through our posture and share our documentation (DPA, subprocessor register, security overview, breach-response procedure) under NDA.

This policy describes platform practices. It is not legal advice, and each practice remains responsible for consent, disclosure, and legal compliance in its own jurisdiction.