🔒 Legal

Privacy Policy

How Veluni Health collects, uses, and protects the personal information of patients and clinic administrators.

Last updated: May 27, 2026
Applies to: app.velunihealth.com
Questions: contact@velunihealth.com

01. Introduction & Scope

Veluni Health ("we", "us", or "our") operates a multi-clinic appointment scheduling platform available at app.velunihealth.com. This Privacy Policy explains what personal data we collect, why we collect it, how it is stored, and the rights you have over it.

This policy covers three groups of users: patients who interact with a clinic's AI scheduling bot or booking website; clinic administrators who manage their practice through the Veluni Health dashboard; and visitors to our platform pages. It applies to all data processed through our services, regardless of which country you are located in.

We are not a healthcare provider and Veluni Health is not a HIPAA covered entity. However, we take the protection of health-adjacent personal information seriously and apply safeguards consistent with recognized industry best practices, as well as the requirements of applicable data protection laws including Brazil's LGPD and the EU/UK GDPR.

02. Information We Collect

We collect only the data necessary to deliver our scheduling and management services. Below is a breakdown by category.

  • Patient data (via AI chatbot): Full name, date of birth (for identity verification and age-gating certain procedures), phone number (digits only), email address, appointment history (doctor, specialty, date/time, status), and conversation transcripts with the AI scheduling assistant.
  • Clinic administrator data (via dashboard & onboarding): Clinic name, street address, phone number, email address, doctor profiles (name, specialty, availability schedule, slot duration, minimum patient age), FAQ content created by the clinic, and dashboard login credentials (username and password stored using a one-way hash — we never store plaintext passwords).
  • Payment data (via Stripe): Subscription payments are handled entirely by Stripe Checkout. We never receive, store, or process raw card numbers. Stripe is PCI-DSS compliant and processes this data under its own privacy policy.
  • Technical & operational data: Session state (serialized to a JSON blob in each clinic's isolated SQLite database), anonymized analytics events (intent detection counts, FAQ hit rates, conversation volume metrics), server logs stored in a rotating log file (logs/backend.log, up to 5 MB × 3 backups), and browser localStorage values for onboarding progress and language preference.

03. How We Use Your Information

We use personal data only for the specific purposes listed below. We do not repurpose data beyond what is described here without obtaining fresh consent.

  • To provide the appointment scheduling service — booking, rescheduling, and cancelling appointments on behalf of patients through the AI assistant.
  • To send appointment confirmation and reminder emails to patients.
  • To verify patient identity and apply age restrictions where certain procedures require a minimum patient age.
  • To generate anonymized usage analytics for clinic administrators — appointment volume, bot resolution rates, FAQ effectiveness — so clinics can improve their service.
  • To improve the Veluni Health platform, diagnose technical problems, and maintain the security and reliability of our infrastructure.
  • To comply with applicable legal obligations, including responding to lawful requests from competent authorities.

We do not use patient data for marketing, advertising, profiling, or any purpose unrelated to the scheduling and administration of healthcare appointments.

04. Data Storage & Security

Each clinic's data is stored in a dedicated SQLite database file on our server. These databases are fully isolated — no clinic can access another clinic's patient data. A platform-wide operations database (veluni_platform.db) handles account-level information such as subscription status and configuration.

Our servers are hosted on remote server infrastructure (Linux VPS). All data in transit is encrypted using HTTPS/TLS. Server access is restricted to authorized personnel only.

Passwords for clinic administrator accounts are stored as one-way cryptographic hashes — we are unable to recover plaintext passwords. Patient conversation transcripts and appointment records are stored only in the clinic's own isolated SQLite database and are not accessible to other clinics or third parties.

⚠️ No method of electronic storage is 100% secure. While we implement industry-standard safeguards, we cannot guarantee absolute security. In the event of a data breach affecting your personal information, we will notify affected parties as required by applicable law.

05. Third-Party Services

We use a small number of third-party services to deliver core functionality. In each case, we share only the minimum data necessary and we do not permit these services to use your data for their own commercial purposes.

  • Stripe — Payment processing for clinic subscriptions. We redirect clinic administrators to Stripe Checkout and receive only a subscription confirmation token. Stripe processes payment card data entirely within its own PCI-compliant environment. We never see or store raw card numbers. Stripe's privacy policy is available at stripe.com/privacy.
  • Gmail REST API (Google Service Account) — We send appointment confirmation and reminder emails to patients on behalf of clinics using a Google Service Account with the Gmail API. We transmit only the patient's email address, name, and appointment details necessary to compose the notification. No raw SMTP credentials are stored in our codebase or transmitted in plaintext.

We do not use Google Analytics, Meta Pixel, or any other third-party tracking, analytics, or advertising services. We do not use third-party chat or support widgets that could observe patient conversations.

06. Data Sharing

We do not sell, rent, trade, or otherwise transfer personal data to third parties for commercial purposes. Full stop.

Patient data collected through one clinic's bot is never shared with or accessible by any other clinic on the platform. Each clinic's data lives in its own isolated database. A patient interacting with Clinic A will never have their information visible to Clinic B.

We may share personal data only in the following limited circumstances: (1) with Stripe and Google as described in Section 5, under strict data processing agreements; (2) when required by applicable law, court order, or lawful government authority; or (3) in connection with a business transfer such as a merger or acquisition, where the acquirer would be bound by this policy.

🚫 We have no advertising partners. We do not participate in data broker networks. We do not share data with insurance companies, pharmaceutical companies, or any other healthcare-adjacent commercial entities.

07. Data Retention & Deletion

Patient appointment records and conversation transcripts are retained for as long as the clinic's subscription with Veluni Health is active. When a clinic's account is closed, all associated data — including patient records, appointment history, and conversation logs — is permanently deleted from our systems.

Server logs are retained in a rotating format (maximum 5 MB × 3 backup files) and are automatically overwritten as new events are logged. Analytics data is stored in aggregated, anonymized form and does not contain personally identifiable information.

Patients may request the deletion of their personal data held by a specific clinic by contacting that clinic directly or by writing to us at contact@velunihealth.com. When a deletion request is processed, patient records are permanently removed from the SQLite database — we do not maintain "soft delete" archives of patient data.

08. Your Rights

Depending on your jurisdiction, you have the following rights over your personal data. We are committed to honoring these rights regardless of where you are located.

  • Right of access — You may request a copy of the personal data we hold about you.
  • Right of rectification — You may request that we correct inaccurate or incomplete personal data.
  • Right of erasure ("right to be forgotten") — You may request the permanent deletion of your personal data, subject to legal retention obligations.
  • Right to data portability — You may request a machine-readable export of your personal data.
  • Right to object — You may object to certain types of processing, including any direct marketing (though we do not engage in this).
  • Right to restriction — You may request that we restrict processing of your data while a dispute is under review.

These rights are grounded in the EU General Data Protection Regulation (GDPR) and are equally recognized under Brazil's Lei Geral de Proteção de Dados (LGPD), Article 18. Brazilian users may also lodge a complaint with the Autoridade Nacional de Proteção de Dados (ANPD) at gov.br/anpd.

To exercise any of these rights, contact us at contact@velunihealth.com. We will respond within 30 days (15 business days for LGPD requests).

09. Children's Privacy

Veluni Health is designed for use by adults scheduling dental appointments. Our platform is not directed at children under the age of 18, and we do not knowingly collect personal data from minors without appropriate parental or guardian consent.

Clinics using our platform may configure a minimum patient age for their bot (via doctor profile settings). When a patient's date of birth indicates they are below the configured minimum age, the scheduling bot will decline to proceed and will direct them to contact the clinic by other means. This enforcement is applied at the time of scheduling and does not override the clinic's own legal obligations regarding the treatment of minors.

If you believe we have inadvertently collected personal data from a minor, please contact us immediately at contact@velunihealth.com and we will delete it promptly.

10. International Data Transfers

Our servers are hosted on remote server infrastructure in the United States. If you are accessing our services from Brazil, the European Union, Spain, or another jurisdiction with data residency considerations, your personal data may be transferred to and processed in the United States.

For Brazilian users, this cross-border transfer is made in compliance with Chapter V of the LGPD and occurs only with appropriate safeguards in place, including contractual protections and our commitment to maintain data protection standards equivalent to those required under Brazilian law.

For users in the European Economic Area (EEA) or the United Kingdom, transfers to the US are made with appropriate legal mechanisms, including Standard Contractual Clauses (SCCs) where applicable. By using our services, you acknowledge and consent to this transfer.

11. Cookies & Tracking

We keep our use of browser storage minimal and purposeful. We do not use advertising cookies, tracking pixels, or any third-party analytics scripts.

The only browser storage we use is localStorage for two strictly essential purposes: (1) saving your language preference so it persists across page loads, and (2) preserving onboarding progress within a single session so that refreshing the page does not lose your entered data. This data never leaves your device and is never transmitted to our servers.

🍪 We do not use tracking cookies, session cookies stored server-side, Google Analytics, Facebook Pixel, Hotjar, or any other behavioral tracking technology. You will never receive targeted ads as a result of visiting our platform.

12. Changes to This Policy

We may update this Privacy Policy from time to time as our platform evolves or as legal requirements change. When we make significant changes, we will update the "Last updated" date at the top of this page and, where required, notify affected users by email.

We encourage you to review this policy periodically. Continued use of the Veluni Health platform after a policy change constitutes acceptance of the revised terms. If you disagree with the changes, you may discontinue use of the platform and request deletion of your data by contacting us.

13. Limited Liability Disclaimer

Veluni Health provides its platform services "as is" and makes no warranties, express or implied, regarding the completeness, accuracy, reliability, or suitability of the platform for any particular purpose. We are not a healthcare provider, and nothing in our platform constitutes medical advice.

To the maximum extent permitted by applicable law, Veluni Health shall not be liable for any indirect, incidental, special, or consequential damages arising from the use of, or inability to use, the platform. Our total liability for any claim arising under this policy shall not exceed the amounts paid by you (or the clinic on your behalf) to Veluni Health in the twelve months preceding the claim. This limitation of liability does not apply where prohibited by law, including under Brazilian consumer protection law (Código de Defesa do Consumidor) or equivalent statutes in other jurisdictions.