Privacy Policy & Data Ownership Statement
Effective Date:
What We Make & How Your Data Flows
Axis Operating Systems LLC builds products and services for small businesses. Each has a different privacy model:
- Axis EHR (Local-Only): a PWA where your records, notes, and files live entirely on your device. No servers, no cloud, no remote storage by Axis.
- Axis Voice & SMS AI (Receptionist): a done-for-you automation layer that connects to your Google Sheets, Google Calendar, and Gmail, plus telephony via Twilio (and optional voice/LLM providers you approve). This service processes calls/texts on your behalf in a strict, least-privilege model.
- Axis AI Automation Audit (“AI Audit”): a strategy and workflow-mapping engagement where we review how your operations run, identify repetitive work, and propose or help configure automations inside your own SaaS accounts and tools.
- Axis Managed Automations (Hosted n8n): optional, hosted automation workflows that run on Axis-controlled infrastructure and connect to your SaaS tools (for example, Google Workspace, Twilio, CRMs). These workflows process data on your behalf as a service provider.
None of these offerings are a substitute for medical, legal, financial, or compliance advice, and they are not designed or appropriate for handling emergencies (such as 911 or equivalent services). You remain the controller of your underlying business data and are responsible for how you use these tools in your own environment.
Axis EHR: Local-Only by Design
While a secure login unlocks the PWA interface, all records remain stored locally on your device.
- You create an account to access the app UI, not to store data on our servers.
- Every file lives solely on your computer, phone, or tablet; we cannot access, transmit, or view it.
- No automatic cloud sync. Backups are your choice and remain under your control.
HIPAA Alignment (EHR)
Because ePHI never leaves your device, Axis EHR can reduce exposure to third-party processors and aligns with HIPAA's least-disclosure intent. You remain the sole custodian of ePHI in the local EHR model. However, this architecture by itself does not guarantee HIPAA compliance or any other regulatory compliance. You are responsible for implementing appropriate safeguards and for meeting all legal and professional requirements in your practice.
- No Business Associate Agreement (BAA) is required with us for the local EHR.
- Device security (OS login, encryption, backups) remains your responsibility. You may still need BAAs or other agreements with vendors you choose for backups or hosting.
Axis Voice & SMS AI: Safety-First Integrations
Our receptionist automations connect to the Google Sheets, Google Calendar, and Gmail accounts you already own. We securely add Twilio for phone and SMS. You can optionally enable voice/LLM providers. We use OAuth and least-privilege scopes; you may revoke access at any time in your own accounts.
Core You Own
- Google Sheets — source of truth for services, pricing, FAQs, intake fields (we provide a template).
- Google Calendar — 2-way availability; booking/rescheduling/cancellation; approval holds.
- Gmail — confirmations, reminders, and summaries sent from your domain (we help with SPF/DKIM).
Processors We Configure for You
- Twilio (telephony): local/toll-free numbers, voice routing, and SMS. A2P 10DLC/Toll-Free registration typically takes 3 days–3 weeks. Numbers and logs can live in your Twilio account (preferred) or a hosted account we can transfer to you.
- Optional voice/LLM providers: Retell (real-time voice), OpenAI/Google Gemini (bilingual EN/ES intent and responses). These are opt-in and scoped to the workflows you approve. Their use is also governed by those providers’ own terms and privacy policies.
Safety Defaults (Receptionist)
- No model training on your data by Axis. We do not use your conversations to train our own general-purpose models.
- Call recording & SMS transcript storage are OFF by default. If you enable them, they are stored in your Twilio account (or your chosen provider) with retention you control.
- PII minimization: the AI collects only what your Sheet defines (e.g., name, phone, desired time).
- TLS in transit between Google/Twilio/providers; OAuth tokens are stored securely and rotated as required by those providers.
- Human-in-the-Loop: optional approval step before finalizing bookings, especially in higher-risk workflows.
- AI outputs are probabilistic and may be inaccurate. They are not a replacement for clinical, legal, or financial judgement and must not be used for emergencies.
Messaging Compliance & Consent
- A2P 10DLC/Toll-Free verification: we help with registration (legal name, EIN, address, website, use-case, sample messages).
- Opt-in/Opt-out/Help keywords (START/STOP/HELP) are enforced in supported channels.
- We align copy with carrier policies (no SHAFT content; rate limiting; quiet hours when requested), but carriers ultimately decide what is allowed or delivered.
Data & Number Ownership (Receptionist)
- You own your Google Workspace data and (preferably) your Twilio numbers and logs.
- If we provision on your behalf, we can transfer numbers, logs, and configuration upon request (carrier fees may apply).
Axis Managed Automations (Hosted n8n)
For some customers, Axis may host automation workflows (for example, using n8n or similar tools) on infrastructure that we control. These workflows connect to your systems and process data on your behalf. In this context, Axis acts as a service provider / data processor; you remain the data controller.
What Data May Flow Through Hosted Automations
- Data read from and written to your systems (for example, calendar events, contact records, form submissions, tickets, basic CRM fields) according to the workflows you approve.
- Execution logs and error traces needed to monitor, debug, and improve the reliability of your specific workflows.
- Limited metadata about performance (for example, run counts, timestamps, error rates) so we can operate the service.
What We Ask You Not to Send
- Please do not design workflows that send full payment card numbers, government IDs, or other highly sensitive regulated data through Axis-managed automations unless we have a separate written agreement that explicitly covers that data and infrastructure.
- Unless we have a signed Business Associate Agreement and an agreed technical architecture, do not route ePHI/PHI through Axis-managed automations.
- Hosted automations are not designed or intended to receive or process emergency communications.
Storage, Retention, and Security
- Workflow configuration and execution logs are stored in Axis-controlled infrastructure and reputable hosting providers acting as our sub-processors.
- Data in transit between your systems and the hosted automations is protected using TLS where supported by the underlying providers.
- We retain logs only as long as reasonably necessary to operate and secure the workflows, comply with law, and resolve disputes. Upon request, we can work with you on custom retention settings, subject to technical limits.
- Axis does not sell customer data and does not intentionally use data processed by hosted automations to train general-purpose AI models.
Axis AI Automation Audit: Workflow Consulting, Not a Data Warehouse
The AI Automation Audit is a consulting service. We map your workflows, identify high-friction tasks, and recommend or help configure automations using tools and accounts that you own. The audit does not provide medical, legal, or billing advice and is not a compliance certification.
What We May See During an Audit
- Live screen shares of your existing tools (e.g., Google Workspace, CRM, scheduling, forms, internal dashboards).
- Process documents, checklists, and internal SOPs you choose to show us.
- High-level metrics (e.g., hours per week on certain tasks, volume of calls or tickets).
What We Ask You Not to Share
- Do not share live PHI, full payment card numbers, government IDs, or other highly sensitive regulated data on screen or in files unless we have a separate written agreement that explicitly covers that data and toolchain.
- When possible, use redacted or sample data in demos and exports you send to us.
How Audit Sessions Are Hosted & Logged
- We typically meet over your chosen video-conferencing tools (for example, Zoom or Google Meet). Those providers’ privacy policies govern call content and recordings.
- We do not require you to record sessions. If you choose to record, recordings are stored in your own conferencing account or device.
- We may keep high-level written notes, diagrams, or task lists from the audit (for example, “Automate X intake email,” “Connect Twilio to Google Calendar”). We do not intentionally store raw PHI or full customer datasets in our own systems.
Prototypes & Automations Built During the Audit
- When we configure test automations (e.g., using Google Apps Script, n8n, Zapier, or other platforms), we do so inside your accounts wherever possible, or within clearly described managed environments.
- Logs, execution history, and data for those automations remain in your providers (Google, n8n, Twilio, etc.) or in the managed environment described above. You control retention and access in those systems.
- We do not train our own general-purpose models on data handled via these audit prototypes.
What We Collect (Account Level)
We keep only what is required to run your account—not your EHR content or your call/SMS content when it is hosted in your providers.
- Authentication: sign-in details handled by our auth provider; we don’t store raw passwords.
- Billing: standard payment info via our processor; we don’t store full card numbers.
- Support & Audit Notes: your emails, tickets, and high-level notes from AI Audit or configuration work so we can support you and maintain continuity. You can ask us to delete these, subject to legal/record-keeping obligations.
Third-Party Services & Data Location
Axis products rely on third-party providers (for example, hosting, logging, authentication, Google Workspace, Twilio, and optional AI vendors). These providers may process data in the United States and other jurisdictions. Their terms and privacy policies govern their use of data within their platforms. We do not control their availability, practices, or data retention, and we are not responsible for outages, policy changes, or failures of those third-party services.
Meta Platforms (Facebook & Instagram) Data
When you connect Facebook or Instagram accounts, pages, or ad tools to our services, we may access data provided by Meta Platforms (for example, leads, form responses, campaign or ad performance, and basic account information) only to deliver the services you requested. This may include syncing leads into your CRM or scheduling system, triggering follow-up messages you approve, and generating simple performance reports for your own business use.
- We use Meta data only on behalf of the business account that owns it and do not sell Meta data or use it to build profiles for other customers.
- We store Meta data only as needed to provide the service, troubleshoot issues, and meet legal obligations, and we rely on Meta's own tools for most storage and access.
- You can disconnect our access at any time using Meta's settings and our products' own connection settings.
Your Controls
- Revoke Google OAuth and Twilio keys at any time in your own accounts.
- Disable recording/transcripts or set retention windows in Twilio or your conferencing tools.
- Export or edit your Google Sheets and instantly change what the AI can say or collect.
- Request that we delete support threads, diagrams, or high-level notes we control, where legally permitted.
Children's Privacy
Our services are not directed to children under 13. We do not knowingly collect information directly from children under 13. If you believe a child has provided us information, contact us and we will delete it where required by law. If you use Axis products in an environment that involves minors, you are responsible for obtaining any consents and complying with applicable child privacy laws as the data controller.
Changes to This Policy
We may update this page and the effective date. Continued use after an update constitutes acceptance of the revised terms. If you do not agree with changes, you should stop using Axis products and services.
Contact & Questions
Questions about privacy or data responsibility? Email support@axisoperatingsystems.com.
How Your EHR Data Stays 100% Local
- IndexedDB + Dexie: fast, durable storage inside your browser; not the cloud.
- PWA: runs on Mac/PC/tablet/phone with zero server dependency.
- You control backups: use device tools; delete by clearing local storage or uninstalling.
Voice & SMS AI — Safety Summary
- Own your numbers and logs (Twilio in your account recommended).
- No training on your data by Axis; recording/transcripts OFF by default.
- Strict scopes via OAuth; revoke access at any time.
- Consent & compliance baked in (START/STOP/HELP, A2P verification).
- Optional vendors only when you approve; retention configured by you.