Borna AI Privacy Policy

Last Updated: December 1, 2025

Borna AI ("we," "us," or "our") respects your privacy and knows that you care about protecting your personal information. This privacy policy identifies what information we collect from you when you use borna.ai (the "Site," including all subdomains) and the services made available on it (the "Services") and explains how we may use or share that information. We will only use and share your information as described in this privacy policy.

This Site primarily operates as a for-profit business website. This privacy policy applies to information we collect from you on the Site; through the Services; in email, text, and other electronic correspondence; and through any mobile or desktop application through which we may communicate. This privacy policy does not apply to information we collect offline or that any third party collects from you after you follow links on the Site, including any advertising and affiliate links.

Important Notice

PLEASE READ THIS PRIVACY POLICY AND OUR TERMS OF USE CAREFULLY. THE TERMS STATED IN THIS PRIVACY POLICY CONSTITUTE A BINDING LEGAL AGREEMENT BETWEEN YOU AND BORNA AI. BY USING THIS SITE AND THE RELATED SERVICES, YOU UNCONDITIONALLY AGREE TO BE BOUND BY THE TERMS STATED IN THIS PRIVACY POLICY AND OUR TERMS OF USE, INCLUDING ALL EXCLUSIONS AND LIMITATIONS OF LIABILITY, AND WARRANT THAT YOU HAVE FULL AUTHORITY AND CAPACITY, LEGAL AND OTHERWISE, TO USE THE SERVICES. YOU MAY NOT ACCESS OR USE THIS SITE OR THE SERVICES IF YOU DO NOT AGREE TO ANY PART OF THESE TERMS. WE RESERVE THE RIGHT TO PERIODICALLY MAKE UPDATES TO THIS PRIVACY POLICY AS OUR PRACTICES CHANGE. YOUR CONTINUED USE OF THE SITE AFTER SUCH CHANGES CONSTITUTES YOUR ACCEPTANCE OF THE CHANGES, SO PLEASE CHECK BACK PERIODICALLY FOR UPDATES.

HIPAA Compliance Statement

Borna AI provides software and services for dental practices ("Covered Entities"). When we process Protected Health Information ("PHI") on behalf of Covered Entities, we act as a Business Associate under HIPAA and HITECH. We require a Business Associate Agreement ("BAA") before any PHI is transmitted, uploaded, or stored on our platform.

PHI includes individually identifiable health information such as medical history, appointment notes, treatment information, diagnosis data, and any other health-related data linked to an individual. We only use PHI to provide services to the Covered Entity, do not use PHI for marketing, and only disclose PHI to authorized personnel or subcontractors under a BAA. PHI is never sold. We follow the HIPAA "minimum necessary" rule when using or disclosing PHI.

1. Information We Collect

We may collect and use the following types of information from those who use the Site and the Services:

  • Protected Health Information (PHI): When used in connection with a Covered Entity, we collect PHI such as patient names, contact details, medical/dental history, appointment data, insurance information, and treatment-related submissions. PHI is collected only as needed to provide our services and only under a valid Business Associate Agreement.
  • Personal Information (non-PHI): Name, email, phone (when not tied to health data), account registration information, billing details, usage activity, device information, and support communications.
  • Automatically Collected Data: IP address, device and browser data, log files, minimal analytics (non-PHI only).
  • Information by which you may be personally identified, such as your name, address, email address, phone number, billing and credit card information, and other information that may not be publicly available ("personal information").
  • Information about you that does not identify you personally, including, but not limited to, your personal interests, online interactions, viewing data, requests for Services, communications with us and third parties, advertisement interactions, search queries, product reviews, and any other activities when using the Site or the Services.
  • Information you provide when you register with the Site and the Services, when adding or updating account preferences, and when subscribing for any Services.
  • Information about your transactions using the Site and the Services, including, but not limited to, your purchases and order history.
  • Information you provide when submitting information to be posted or otherwise displayed on public areas of the Site or transmitted to other visitors or third parties on the internet (collectively, "User Contributions"). User Contributions must not include PHI unless specifically uploaded through a designated HIPAA-compliant form or workflow. PHI must never be posted publicly under any circumstance. PHI may only be uploaded through secure, designated HIPAA workflows. Although we always seek to protect your information, we cannot guarantee that our security over User Contributions is impenetrable. We also cannot control how other visitors and third parties that gain access to User Contributions will use such information.

Important: We do not place analytics or tracking tools on any page or workflow that collects PHI. Google Analytics is disabled wherever PHI may appear. We do not send PHI to marketing tools, analytics platforms, or tracking systems.

We may combine information you provide us with other information about you that we obtain from your past use of the Site and Services, from our business partners, and from other companies. We may access other information about you collected from third parties, such as social media and marketing companies. We will treat any non-personal information that is combined with personal information as if it were all personal information.

Automatic Data Collection

We collect the following types of information from you as you use the Site through automatic data collection technologies:

  • Log file information commonly collected by host servers when you visit websites, including internet protocol (IP) addresses, browser type, Internet Service Provider (ISP), date and time stamps, referring/exit pages, domain names, landing pages, pages viewed, click counts, and similar information. This information is not connected to personal information and is used for purposes of administering the Site, analyzing trends, tracking visitor activity, and collecting demographic data.
  • Other details regarding your activities on the Site and Services, including your equipment, operating system, software, traffic information, and location data.

Our automatic data collection includes the use of the following technologies:

  • Cookies. A "cookie" is a small piece of data that is stored on a visitor's hard drive in order to store information about visitor preferences and activities on the Site. We use this information to optimize the experiences of our visitors. In the event that our business partners, affiliates, or advertisers on the Site use cookies, we will not have access or control over such cookies. However, any use of cookies will not relate to any personally identifiable information about you. You may also choose to refuse to accept cookies by configuring the appropriate setting on your browser. However, doing so may prevent you from being able to access parts of the Site or Services and may prevent the Site from functioning properly.
  • Google Analytics. Google Analytics is never used on pages or workflows where PHI is entered, stored, or transmitted. We may use Google Analytics or similar services to collect non-personal information from you regarding your use of the Site. Google Analytics is a web analytics service offered by Google, Inc. that mainly uses cookies to report on your interactions on the Site and analyzes how you use the Site. For more information on Google Analytics, including how to set up privacy controls on how Google Analytics collects your information, please see the help article, Safeguarding your data.

2. How We Use Your Information

We control the systems and content necessary to provide the service. Personal information and PHI remain subject to the rights described in this policy. We will not sell or rent your information to third parties. We use information collected from you or about you, including personal information, for the following purposes:

  • To administer the Site and enforce our rules and policies.
  • To provide access to Site content and Services to you.
  • To customize Site content and Services according to your preferences.
  • To improve the Site and Services.
  • To research and analyze the usage data, preferences, and trends of our visitors.
  • To diagnose technical or Service-related problems.
  • To maintain security over your information, the Site, and its contents.
  • To fulfill any requests for information, products, or Services.
  • To facilitate transactions you make on the Site or Services, which may include sending payment statements or receipts, or assisting with payment collection.
  • To display your User Contributions.
  • To contact you regarding your account or profile.
  • To carry out our responsibilities and enforce any contracts between you and us, including billing and collection rights.
  • For any other use as we may indicate at the time you provide the information.
  • To fulfill any other purpose with your consent.

All information collected belongs to Borna AI except PHI, which remains the property of the Covered Entity. PHI is only processed on behalf of the Covered Entity and is never owned by Borna AI. We may create de-identified data in accordance with the HIPAA Safe Harbor method. De-identified data is not PHI and may be used for improving our services or analytics.

HIPAA Use of PHI. As a Business Associate, we use PHI only to provide the services requested by the Covered Entity, maintain the platform, enable communication between patients and providers, support scheduling, forms, reminders, and patient workflows, and provide customer service and technical support. We do not sell PHI, use PHI for advertising or marketing, or use PHI for our own internal analytics.

SMS / Mobile Phone Numbers. We collect mobile phone numbers to provide SMS-based service communications (appointment reminders, account notifications, and support). Mobile opt-ins are collected through our website forms or directly when provided to a Borna AI representative. Mobile phone numbers and opt-in status will be used only to deliver service messages and will not be sold or shared with third parties for marketing purposes. We may share mobile phone numbers with trusted service providers (for example, carriers and messaging vendors) only to enable message delivery and system operation. To opt out or request deletion of your mobile number, email info@borna.ai or call (833) 641-2200. For full details, please review our SMS Terms & Disclosure. We do not transmit PHI via SMS. Please do not submit PHI through SMS communications.

3. How We Share Your Information

We may share personal information and other data that we collect in the following ways:

  • With our affiliates and subsidiaries for operational purposes. Your phone number will never be shared with third parties for marketing without your explicit consent.
  • With trusted service providers who assist us in delivering services, sending SMS messages, analyzing site usage, or providing support. These providers are contractually obligated to maintain the confidentiality of your information and use it only to perform the services we request.
  • In connection with a merger, acquisition, sale of assets, or similar corporate transaction. If your information becomes subject to a different privacy policy, we will notify you beforehand.
  • When required by law, such as in response to court orders, subpoenas, or other legal processes, or to protect the rights, property, or safety of our users or the public.
  • Only with your explicit consent, or parental consent if the user is a minor.

We may store personal information on servers or databases outside our direct control. Additionally, we may share anonymized or aggregated information that does not personally identify individuals with partners, affiliates, and other third parties. This does not include personally identifiable information such as phone numbers.

Participation in promotions or special events through the Site or Services may involve contacting you via SMS. Your phone number will never be shared with third parties for marketing without your explicit consent. Please review the applicable rules or terms for each event.

4. Links to Other Websites

This Site may contain links to or from other websites. This privacy policy only applies to information collected on this Site, and we are not responsible for other websites' privacy practices. Please be aware of when you exit our Site using such links. We encourage you to review the privacy practices of all other websites you reach through links on our Site.

5. Opt-Out Procedures

As your privacy is important to us, we provide you with the following procedure(s) for opting out of future communications from us:

  • Email. Send an email to info@borna.ai explaining the specific communications or privacy practices you want to opt out of. You may also opt out by clicking "unsubscribe", or a similar button, at the bottom of any emails we may send you and then following the online instructions. However, please note that it may not be possible to opt out of certain emails (for example, confirmation emails related to services you have requested).
  • Phone. Reply STOP to unsubscribe. Call (833) 641-2200 to receive help from our customer support team to opt out.
  • Online. You may visit borna.ai in order to configure your opt-out settings.
  • Cookies. In order to opt out of cookies and other tracking technologies, you can configure or disable cookies in your browser settings. However, please note that doing so may cause parts of the Site to function improperly.
  • Third-Party Accounts. In the event that you have chosen to connect your account to another account you have on a third-party website, you acknowledge and agree that personal information may be provided to the relevant third-party websites hosting until such time as you disconnect your two accounts. You acknowledge that such third-party websites are not subject to this privacy policy. You may disconnect your accounts by either signing in, visiting your account page, and configuring the relevant settings, if available, or emailing us at info@borna.ai with your request.

6. How to Access and Change Your Information

You are responsible for keeping any personal information you provide on the Site current. Requests to access, update, or delete PHI must be directed to the patient's healthcare provider. Borna AI cannot modify or delete PHI unless instructed by the Covered Entity. We will make reasonable efforts to comply with your requests, if possible. If you provided personal information in connection with a specific Service we provide, you may have to update or delete that information by returning to that Service page. Any requests to delete your information are subject to our internal reporting and retention policies as well as any legal obligations that we may have. You can also update or delete some or all of your personal information in your account by signing in, visiting your account page, and configuring the relevant settings. Note that deleting your User Contributions on the Site will not delete copies of your User Contributions that may exist in cached or archived pages or copies that may be stored by other visitors.

7. Notice of California Privacy Rights

Pursuant to California Civil Code Section 1798.83, California residents who use our Site may request certain information regarding any disclosure of personal information to third parties for their direct marketing purposes. To make this request, please email us at info@borna.ai or use the contact information provided below at the end of this policy. Should you choose to email us, please include in the subject line or body of your email the phrase "California Customer Choice Privacy Notice" and specify the personal information you do not wish to be shared with third parties for their direct marketing purposes. Please allow up to thirty (30) days for a response.

8. Security

We take the security of your information seriously and have electronic, physical, and administrative safeguards in place that comply with federal regulations for your protection. These security measures seek to protect your information both online and offline from disclosure, alteration, or unauthorized use. However, please keep in mind that no transmission of data over the internet is guaranteed to be completely secure. Third parties may be able to access private communications illegally; for instance, through the use of hacking and viruses. For non-PHI personal information, you submit information at your own risk. For PHI, Borna AI assumes responsibility as required by HIPAA and applies mandated safeguards. While we implement industry-standard safeguards, no system is completely secure. However, for PHI, we accept responsibility as required by HIPAA and will notify affected parties in accordance with the law.

The information you submit to us is encrypted using Secure Sockets Layer (SSL) data encryption technology and is transmitted securely. You may verify this by locating "https" at the beginning of the address of the webpage or an icon of a closed lock in your browser. The computers and servers we use are also kept in a secure environment behind firewalls. We limit access to your information to those people that need to view it to perform necessary support tasks, including fulfilling your requests. We also require you to create a unique password to help secure your account. It is your responsibility to maintain the secrecy of your password and other login information. Please be aware of when you are submitting User Contributions in public spaces that may be viewed by others. It is your responsibility to avoid submitting information you wish to keep confidential. We will promptly notify you in the event that personal information becomes compromised according to our notification procedures outlined below or as otherwise required by applicable law.

HIPAA Security Measures:

  • Administrative safeguards: workforce training, access control policies, risk assessment & management, incident response procedures. All access to PHI is logged, monitored, and reviewed in accordance with HIPAA requirements.
  • Technical safeguards: encryption in transit (TLS 1.3+), encryption at rest using AES-256, multi-factor authentication (MFA), audit logging and monitoring, role-based access, data integrity controls. PHI is never used to train AI models, machine learning systems, or automated decision-making algorithms.
  • Physical safeguards: secure data centers via Azure HIPAA-compliant hosting, restricted physical access, hardware lifecycle controls. Certain HIPAA-required logs and administrative records may be retained for at least six (6) years, per federal regulation. PHI stored in backups, snapshots, and disaster recovery environments is protected under the same HIPAA safeguards as production systems.

Borna AI may use subcontractors who require access to PHI. All such subcontractors will be bound by HIPAA-compliant Business Associate Agreements and will meet or exceed our security standards.

Breach Notification: If PHI is involved in a breach, we will notify the Covered Entity without unreasonable delay and no later than 60 days, consistent with HIPAA requirements. We will provide all required information, including nature, scope, mitigation steps, and corrective actions. We report all security incidents involving PHI to the Covered Entity, even if they do not meet the threshold of a breach.

9. Children's Privacy

We do not knowingly collect PHI from children except as permitted under HIPAA and only as part of the legitimate services provided to Covered Entities.

10. Patient Rights

Patients have HIPAA rights, including access to their records, requesting corrections, and accounting of disclosures. Patients must exercise these rights through their healthcare provider, not directly through Borna AI.

11. Data Retention & Destruction

PHI is retained only as long as required to deliver services or as required by law or agreement with the Covered Entity. Upon termination or request from the Covered Entity, we will return all PHI or securely destroy PHI following NIST-approved data destruction methods. Secure disposal includes wiping, cryptographic erasure, or physical destruction of media in accordance with NIST standards.

12. Changes to This Privacy Policy

We may update this privacy policy at any time. We will post any changes in our privacy practices on this page with the date of the most recent revision indicated next to "Last Updated" near the top of the page. If we make significant changes to the way we manage our visitors' personal information, we will notify you by email or by posting prominent notice on our Site. It is your responsibility to ensure we have your current email address and to periodically check this page for any updates.

13. Notification Procedures

We reserve the right to determine the most appropriate means of providing you with any notice required or advisable, in our sole discretion, under the terms of this privacy policy or as required by law. We may choose to provide notification by email, physical written notice, posting prominently on the Site, or through other conspicuous means. We do not send PHI via email. Any email notification containing PHI is prohibited unless delivered through a secure, HIPAA-compliant method.

14. Cross-Border Data Transfers

PHI is stored and processed only in HIPAA-compliant data centers located in the United States. Cross-border transfer practices apply only to non-PHI personal information. Your personal information may be processed and transferred to countries other than your own, including, but not limited to, any country in which we operate. Some of these countries may have different laws and practices regarding data protection than your country. By using the Site, you agree to such cross-border transfers of your personal information.

15. Contact Information

Your feedback is important to us. To send us your questions, suggestions, or complaints, please contact us as follows:

Borna AI
17405 NE 35th Pl
Redmond, Washington 98052
Telephone: 833-641-2200
Email: info@borna.ai