Suvayo Privacy Policy
1. Who We Are and What This Policy Covers
This Privacy Policy explains how Suvayo (“Suvayo,” “we,” “us”) collects, uses, and shares information in connection with Suvayo, our employee scheduling and business-operations platform for healthcare practices (the “Service”), and our website at Suvayo.ai.
What the Service does today: Suvayo helps practices schedule and manage their employees/staff (not patients), and, with a practice’s authorization, can read data from the practice’s Google Drive (e.g., files the practice chooses to connect) and QuickBooks (e.g., expense and vendor-bill data) to support scheduling, billing, and reporting features. Files imported from Google Drive may also be analyzed using a third-party AI model to help extract and organize information for the Service’s intake and scheduling workflows (see Section 3D). The Service does not connect to any electronic health record (EHR) system and does not access, receive, or process any patient health information. Patient-data / EHR functionality is not built and is not part of the Service today; if that ever changes, this policy will be updated before any such feature goes live.
This policy covers:
- Account and business information about our customers (healthcare practices) and their staff who use the Service;
- Data read from connected Google Drive and QuickBooks accounts, as authorized by the practice; and
- Website visitor information (cookies and similar technologies).
This policy does not cover Protected Health Information (“PHI”), because the Service does not access or process PHI. See Section 2.
2. We Do Not Handle Patient Data (PHI)
Suvayo does not access, receive, store, or process Protected Health Information (“PHI”). The Service is an employee/staff scheduling and business-operations tool — it schedules a practice’s employees, and, with the practice’s authorization, reads business data from the practice’s Google Drive and QuickBooks accounts. It does not connect to any electronic health record (EHR) or practice-management system, and it has no patient-facing features (no patient logins, no patient scheduling, no patient communications).
Because we do not process PHI:
- We do not have, and do not need, a Business Associate Agreement (BAA) with any vendor at this time. No subprocessor listed in Section 5 handles PHI, so none has a signed BAA today.
- We are not currently operating as a HIPAA “Business Associate,” and our practice customers are not acting as a “Covered Entity” with respect to their use of this Service.
- Employee schedule data is ordinary employment/business data, not PHI, even though our customers are healthcare practices.
If we ever build features that access patient health information (for example, an EHR integration), we will update this policy before that feature goes live, and we will put a BAA in place with each relevant practice and any vendor that would handle that data, consistent with HIPAA.
Patients: Suvayo does not interact with patients in any way. If you are a patient of a practice that uses Suvayo, this Service and this policy have nothing to do with your health information — please direct any privacy questions about your medical records to your healthcare provider directly.
3. Information We Collect
A. Information you provide to us
- Account and registration data: name, work email, phone number, job title, practice/organization name and address, login credentials.
- Billing data: billing contact and billing address, used for invoicing. Suvayo does not currently collect or process credit card or other payment card information within the Service — billing and payment are handled outside the app. If in-app payment processing is added in the future, we will update this policy to identify the payment processor before that feature goes live.
- Support and communications: messages, emails, and attachments you send us.
B. Information collected automatically
- Usage and device data: log data such as IP address, browser type, device identifiers, pages viewed, features used, timestamps, and error/diagnostic data.
- Cookies and similar technologies: see Section 8.
C. Employee scheduling data
- Schedule and shift data: employee/staff names, roles, shift times, availability, time-off requests, and related scheduling information entered by the practice. This is employment/business data about the practice’s staff — it is not patient information and is not PHI.
- De-identified and aggregate data: we may create de-identified or aggregated data (e.g., anonymized usage statistics) that does not identify any person or practice.
D. Data read from connected Google Drive and QuickBooks accounts
- Google Drive: with the practice’s authorization, we read files the practice specifically selects through a file-picker interface from their connected Google Drive account (e.g., importing a specific schedule, report, or document into the Service). We request Google’s
drive.filescope, which limits our access to only the files a user explicitly picks — we do not have blanket access to a practice’s entire Drive. - AI-assisted document analysis: files imported through the Drive file-picker (and other documents a practice provides to the Service) may be analyzed using Anthropic’s Claude AI models to extract, categorize, or summarize information as part of the Service’s intake and scheduling workflows. This analysis is used only to power that requested feature — it is not used to serve advertising. Under Anthropic’s commercial API terms, data submitted through the API is not used to train Anthropic’s models by default.
- Google API Services User Data Policy: Suvayo’s use and transfer of information received from Google APIs to any other app will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
- QuickBooks: with the practice’s authorization, we read expense-related data from the practice’s connected QuickBooks account — specifically vendor bills, purchases, and expense transactions — for the purpose of billing reconciliation and reporting. Our app requests the
com.intuit.quickbooks.accountingscope, which is currently the only scope Intuit’s QuickBooks Online API offers for accounting data (Intuit does not provide a narrower, expense-only, or strictly read-only scope). While this scope technically permits both reading and writing data, our application issues only read (GET) requests against expense-related data and implements no create, update, or delete operations against a practice’s QuickBooks data. - Data from Google Drive and QuickBooks — including any AI-assisted analysis of that data — is used solely to provide the Service’s scheduling, billing, reporting, and document-intake features to the connected practice. It is not sold, not used for advertising, and not used to train Suvayo’s or any third party’s general-purpose AI models.
- None of this data is patient health information — it is business, financial, and administrative data belonging to the practice.
We do not knowingly collect information directly from patients or consumers.
4. How We Use Information
We use account, business, scheduling, and usage information — including data read from connected Google Drive and QuickBooks accounts — to:
- provide, operate, secure, and support the Service, including scheduling, billing, and reporting features;
- set up accounts, authenticate users, and administer billing and invoicing;
- communicate with you about the Service (support, service announcements, security alerts, and — with the ability to opt out — product news);
- monitor performance, debug, and improve the Service, including through de-identified or aggregated analytics;
- enforce our Terms of Service and protect against fraud, abuse, and security threats; and
- comply with law and legal process.
We do not use this information for advertising, and we do not sell it.
5. How We Share Information
We do not sell personal information, and we do not share it for cross-context behavioral advertising. We share information only:
- With subprocessors/service providers who help us run the Service, under contracts that restrict their use of the data (see the table below).
- With your practice/organization: if you use the Service as a staff member, your organization’s administrators can see your account activity and schedule within the Service.
- For legal reasons: to comply with law, subpoena, or legal process; to protect the rights, safety, or property of Suvayo, our customers, or others.
- In a business transfer: in connection with a merger, acquisition, financing, or sale of assets, subject to this policy.
- With your direction or consent.
Subprocessors and connected services
We do not process PHI, so no vendor below has, or needs, a signed Business Associate Agreement (BAA) with us.
| Provider | Purpose | Data involved | BAA in place? |
|---|---|---|---|
| Render | Application hosting | Account, scheduling, and usage data — no PHI | Not applicable — no PHI processed |
| Google Drive (Google) | Read-only access to files/data the practice connects, per Section 3D | File data/metadata the practice authorizes — no PHI | Not applicable — no PHI involved |
| QuickBooks (Intuit) | Read-only access to expense-related accounting data (vendor bills, purchases, and expense transactions), per Section 3D | Vendor bill, purchase, and expense data the practice authorizes — no PHI | Not applicable — no PHI involved |
| Anthropic (Claude) | AI-assisted analysis of imported documents for intake/scheduling workflows, per Section 3D | Content of documents submitted for analysis — no PHI | Not applicable — no PHI submitted |
| PostHog | Product analytics / error tracking (when enabled for your account) | Usage and diagnostic data — no PHI | Not applicable — no PHI captured |
| Microsoft 365 / Exchange Online | Transactional, reminder, and support email (when configured as our email sender) | Name, email, message content | Not applicable — no PHI involved |
We will update this list as our vendors or integrations change.
6. Data Security
We use administrative, technical, and physical safeguards designed to protect information, including encryption in transit (TLS), role-based access controls, and least-privilege access for staff. No system is 100% secure, so we cannot guarantee absolute security.
Breach notification. If a breach of security affects your information, we will notify affected customers and regulators as required by applicable law.
7. Data Retention
- Account and billing data: retained for the life of the customer relationship and afterward as needed for legal, tax, accounting, and dispute-resolution purposes, then deleted or de-identified.
- Usage/log data: retained for 12 months, then deleted or aggregated.
- Customer/practice data (including schedule and connected Drive/QuickBooks data): retained while the practice’s subscription is active. After termination, practices may export their data for 30 days; we then delete or de-identify it within 90 days, subject to backup cycles and legal holds.
- Connected Google Drive / QuickBooks data after disconnection: if a practice disconnects (revokes) its Google Drive or QuickBooks connection without terminating its subscription, we stop reading any new data from that account and delete the stored connection credentials immediately. Data already imported into the Service before disconnection continues to be retained under our normal customer data retention practices described above, unless the practice requests deletion of that data, in which case we complete the deletion within 30 days, subject to backup cycles and legal holds.
8. Cookies and Tracking
Our website and app use cookies and similar technologies for:
- Essential functions (login sessions, security) — always active;
- Analytics/product improvement (PostHog) — to understand feature usage and fix errors.
We do not use third-party advertising cookies or tracking pixels for ad targeting. You can control cookies through your browser settings; disabling essential cookies may break login functionality.
9. Your Choices and Rights
Practice staff / account holders may:
- Access and correct account information in account settings, or by contacting us;
- Delete their account data by contacting us at musa@suvayo.ai (subject to our legal retention needs and their organization’s role as the account owner — if your practice controls the workspace, some requests may need to come from your administrator);
- Disconnect (revoke) their practice’s Google Drive or QuickBooks connection at any time — either from within the Service (Settings > Connected Accounts) or directly through Google’s or Intuit’s own account permissions pages. Disconnecting immediately stops further data access and deletes our stored connection credentials; see Section 7 for how previously-imported data is handled;
- Opt out of marketing emails via the unsubscribe link (service and security emails will still be sent).
California residents (CCPA/CPRA). California’s privacy law generally applies to for-profit businesses that do business in California and meet at least one of: (1) annual gross revenue over $26,625,000 (this figure is inflation-adjusted every two years); (2) annually buying, selling, or sharing the personal information of 100,000 or more California consumers or households; or (3) deriving 50% or more of annual revenue from selling or sharing personal information. Note: the exemptions that once applied to business-to-business and employee personal information expired at the end of 2022 — if this law applies to your business, employee and B2B data are covered like any other personal information, not exempt.
If applicable, California residents have the right to know, access, correct, and delete personal information, to opt out of “sale”/“sharing” (we do neither), to limit use of sensitive personal information, and not to be discriminated against for exercising these rights. Submit requests to musa@suvayo.ai. We will verify your identity before responding and respond within the timeframes required by law. You may use an authorized agent as permitted by law.
Patients: Suvayo has no patient users and does not hold patient data — see Section 2.
10. Children’s Privacy
The Service is a business tool for healthcare practices and is not directed to children, and we do not knowingly collect personal information directly from anyone under 18. The Service does not process patient records of any kind, including those of minors. If you believe a child has provided us personal information directly, contact us at musa@suvayo.ai and we will delete it.
11. Where Data Is Stored; International Users
The Service is hosted in the United States and we currently offer it to U.S. customers only. If you access the Service from outside the U.S., you understand your information will be transferred to and processed in the U.S., where privacy laws may differ from those in your jurisdiction.
12. Legal Bases (If Applicable)
For jurisdictions that require a legal basis for processing, we process personal information: to perform our contract with you (providing the Service); for our legitimate interests (securing and improving the Service, communicating with business customers); to comply with legal obligations; and with consent where required (e.g., optional marketing).
13. Changes to This Policy
We may update this policy from time to time. We will post the updated version with a new “Last Updated” date and, for material changes, notify customers by email or in-product notice. Your continued use of the Service after the effective date means you accept the updated policy.
14. Contact Us
Questions, requests, or complaints about privacy:
Suvayo
Attn: Privacy
3660 Summit Dr.
Pocatello, ID 83201
Email: musa@suvayo.ai
If you are a practice with questions about how the Service handles data from your connected Google Drive or QuickBooks accounts, contact us at musa@suvayo.ai