Suvayo Privacy Policy

Effective Date: 07/07/2026  ·  Last Updated: 07/08/2026

1. Who We Are and What This Policy Covers

This Privacy Policy explains how Suvayo (“Suvayo,” “we,” “us”) collects, uses, and shares information in connection with Suvayo, our employee scheduling and business-operations platform for healthcare practices (the “Service”), and our website at Suvayo.ai.

What the Service does today: Suvayo helps practices schedule and manage their employees/staff (not patients), and, with a practice’s authorization, can read data from the practice’s Google Drive (e.g., files the practice chooses to connect) and QuickBooks (e.g., expense and vendor-bill data) to support scheduling, billing, and reporting features. Files imported from Google Drive may also be analyzed using a third-party AI model to help extract and organize information for the Service’s intake and scheduling workflows (see Section 3D). The Service does not connect to any electronic health record (EHR) system and does not access, receive, or process any patient health information. Patient-data / EHR functionality is not built and is not part of the Service today; if that ever changes, this policy will be updated before any such feature goes live.

This policy covers:

This policy does not cover Protected Health Information (“PHI”), because the Service does not access or process PHI. See Section 2.

2. We Do Not Handle Patient Data (PHI)

Suvayo does not access, receive, store, or process Protected Health Information (“PHI”). The Service is an employee/staff scheduling and business-operations tool — it schedules a practice’s employees, and, with the practice’s authorization, reads business data from the practice’s Google Drive and QuickBooks accounts. It does not connect to any electronic health record (EHR) or practice-management system, and it has no patient-facing features (no patient logins, no patient scheduling, no patient communications).

Because we do not process PHI:

If we ever build features that access patient health information (for example, an EHR integration), we will update this policy before that feature goes live, and we will put a BAA in place with each relevant practice and any vendor that would handle that data, consistent with HIPAA.

Patients: Suvayo does not interact with patients in any way. If you are a patient of a practice that uses Suvayo, this Service and this policy have nothing to do with your health information — please direct any privacy questions about your medical records to your healthcare provider directly.

3. Information We Collect

A. Information you provide to us

B. Information collected automatically

C. Employee scheduling data

D. Data read from connected Google Drive and QuickBooks accounts

We do not knowingly collect information directly from patients or consumers.

4. How We Use Information

We use account, business, scheduling, and usage information — including data read from connected Google Drive and QuickBooks accounts — to:

We do not use this information for advertising, and we do not sell it.

5. How We Share Information

We do not sell personal information, and we do not share it for cross-context behavioral advertising. We share information only:

Subprocessors and connected services

We do not process PHI, so no vendor below has, or needs, a signed Business Associate Agreement (BAA) with us.

ProviderPurposeData involvedBAA in place?
RenderApplication hostingAccount, scheduling, and usage data — no PHINot applicable — no PHI processed
Google Drive (Google)Read-only access to files/data the practice connects, per Section 3DFile data/metadata the practice authorizes — no PHINot applicable — no PHI involved
QuickBooks (Intuit)Read-only access to expense-related accounting data (vendor bills, purchases, and expense transactions), per Section 3DVendor bill, purchase, and expense data the practice authorizes — no PHINot applicable — no PHI involved
Anthropic (Claude)AI-assisted analysis of imported documents for intake/scheduling workflows, per Section 3DContent of documents submitted for analysis — no PHINot applicable — no PHI submitted
PostHogProduct analytics / error tracking (when enabled for your account)Usage and diagnostic data — no PHINot applicable — no PHI captured
Microsoft 365 / Exchange OnlineTransactional, reminder, and support email (when configured as our email sender)Name, email, message contentNot applicable — no PHI involved

We will update this list as our vendors or integrations change.

6. Data Security

We use administrative, technical, and physical safeguards designed to protect information, including encryption in transit (TLS), role-based access controls, and least-privilege access for staff. No system is 100% secure, so we cannot guarantee absolute security.

Breach notification. If a breach of security affects your information, we will notify affected customers and regulators as required by applicable law.

7. Data Retention

8. Cookies and Tracking

Our website and app use cookies and similar technologies for:

We do not use third-party advertising cookies or tracking pixels for ad targeting. You can control cookies through your browser settings; disabling essential cookies may break login functionality.

9. Your Choices and Rights

Practice staff / account holders may:

California residents (CCPA/CPRA). California’s privacy law generally applies to for-profit businesses that do business in California and meet at least one of: (1) annual gross revenue over $26,625,000 (this figure is inflation-adjusted every two years); (2) annually buying, selling, or sharing the personal information of 100,000 or more California consumers or households; or (3) deriving 50% or more of annual revenue from selling or sharing personal information. Note: the exemptions that once applied to business-to-business and employee personal information expired at the end of 2022 — if this law applies to your business, employee and B2B data are covered like any other personal information, not exempt.

If applicable, California residents have the right to know, access, correct, and delete personal information, to opt out of “sale”/“sharing” (we do neither), to limit use of sensitive personal information, and not to be discriminated against for exercising these rights. Submit requests to musa@suvayo.ai. We will verify your identity before responding and respond within the timeframes required by law. You may use an authorized agent as permitted by law.

Patients: Suvayo has no patient users and does not hold patient data — see Section 2.

10. Children’s Privacy

The Service is a business tool for healthcare practices and is not directed to children, and we do not knowingly collect personal information directly from anyone under 18. The Service does not process patient records of any kind, including those of minors. If you believe a child has provided us personal information directly, contact us at musa@suvayo.ai and we will delete it.

11. Where Data Is Stored; International Users

The Service is hosted in the United States and we currently offer it to U.S. customers only. If you access the Service from outside the U.S., you understand your information will be transferred to and processed in the U.S., where privacy laws may differ from those in your jurisdiction.

12. Legal Bases (If Applicable)

For jurisdictions that require a legal basis for processing, we process personal information: to perform our contract with you (providing the Service); for our legitimate interests (securing and improving the Service, communicating with business customers); to comply with legal obligations; and with consent where required (e.g., optional marketing).

13. Changes to This Policy

We may update this policy from time to time. We will post the updated version with a new “Last Updated” date and, for material changes, notify customers by email or in-product notice. Your continued use of the Service after the effective date means you accept the updated policy.

14. Contact Us

Questions, requests, or complaints about privacy:

Suvayo
Attn: Privacy
3660 Summit Dr.
Pocatello, ID 83201
Email: musa@suvayo.ai

If you are a practice with questions about how the Service handles data from your connected Google Drive or QuickBooks accounts, contact us at musa@suvayo.ai