Privacy Policy

Effective date: May 16, 2026

1. Who we are

Project Line ('we', 'us', 'our') is the developer of Virtual Medical Assistant (VMA), a SaaS platform for medical and dental clinics. We are established in Israel. For any privacy question or to exercise your rights, contact us at emil.mamadov@projectlineil.com.

2. Scope of this policy

This policy describes how we handle personal data when a clinic (the 'Customer') uses VMA. The clinic is the data controller for its patient information. Project Line acts as a data processor on the clinic's behalf, under written instructions and our Data Processing Agreement.

3. What data we process

• Clinic profile: business name, country, city, address, time zone, working hours, contact phone and email, owner's name, medical license number, taxation mode and tax rates, default currency.
• Doctor account: email, password hash, language preference, UI settings.
• Patient records (entered by the clinic): first/last name, phone, identity document, date of birth, allergies, chronic conditions, current medications, visit history, prescriptions, invoices, appointments.
• Voice calls: caller phone number, call timestamps, call duration. The AI voice agent does not record calls — audio is processed in real time (speech-to-speech) by the OpenAI Realtime API and neither audio nor a transcript is stored.
• Doctor's microphone (desktop app): when the clinician uses voice dictation or the AI clinical assistant, the desktop app captures the doctor's microphone and streams the audio in real time to the OpenAI Realtime API for speech-to-text; the audio is not stored.
• Operational data: log entries, error reports (without PHI fingerprinting), usage statistics.

4. Why we process it

We process the above data solely to operate the service on behalf of the clinic: deliver inbound and outbound calls, manage the clinic's calendar, generate prescriptions, send appointment reminders, allow the clinic to export its data, and provide customer support. We do not use clinic or patient data to train AI models or for advertising of any kind.

5. Lawful basis

For European patients (GDPR): we rely on the clinic's lawful basis for processing patient data (consent or contract for medical treatment), with Project Line acting as processor under Article 28 GDPR. For US patients (HIPAA): a Business Associate Agreement (BAA) is available at /baa.

6. Sub-processors

• Microsoft Azure — hosting, Azure SQL Database (Israel Central), Azure Storage. HIPAA-eligible.
• OpenAI — Realtime voice + transcription, zero-data-retention enterprise terms; no model training on clinic data.
• Twilio — inbound/outbound telephony. HIPAA-eligible.
• Meta (WhatsApp Business) — delivery of approved templates only.
• Stripe / Cardcom / Green Invoice / Tranzila (per clinic choice) — payment tokenisation. We never see PAN.

7. Where data is stored

Primary storage: Microsoft Azure SQL Database in the Israel Central region. Daily encrypted backups are retained 7–35 days (point-in-time restore). Each clinic has its own isolated row-set with token-scoped access — no cross-clinic visibility, even by us, without explicit access.

8. How long we keep it

While the clinic's subscription is active, we keep all data necessary to operate the service. Within 30 days of cancellation we permanently delete all clinic and patient records, except encrypted backups which expire within an additional 35 days. The clinic can request immediate deletion by email at any time.

9. Sharing & disclosure

• To sub-processors above, strictly for service operation.
• To comply with a binding legal order; we will notify the clinic unless prohibited.
• In the event of a business transfer, with prior notice and the same level of protection.

10. Your rights

Patients should address access, correction or deletion requests to their clinic first — the clinic is the controller. The clinic can fulfil these from the VMA application directly. If the clinic does not respond within 30 days, you may contact us at emil.mamadov@projectlineil.com or submit a request via the Patient Portal. Clinics have the right to: (a) export their complete dataset as a ZIP at any time; (b) request permanent deletion within 30 days; (c) receive a copy of our DPA / BAA on request; (d) lodge a complaint with their local DPA (CNIL, AEPD, Garante, BfDI, ICO, IL PPA, US HHS-OCR).

11. Security

• Transport. TLS 1.2+ enforced on every endpoint. HSTS. Strict CSP with nonce-based script whitelisting; X-Frame-Options: DENY; X-Content-Type-Options: nosniff.
• Encryption at rest. Azure SQL TDE (AES-256). Encrypted backups 7–35 days.
• Secrets management. All API keys, connection strings and tokens stored encrypted in Azure App Service Configuration — never in source code.
• Authentication. Opaque 256-bit session tokens, SHA-256-hashed, constant-time comparison. Access token 8h, refresh 30d.
• Per-tenant isolation. Every SQL query enforces ClinicId. Cross-clinic access is technically impossible.
• SMS / Email codes. 6-digit, 10-min lifetime, single-use.
• Rate limiting. 3-tier (public 20/5min, mobile 10/15min, authenticated 40/5min).
• PII redaction. Phone/email/identity numbers are scrubbed from logs before reaching Application Insights.
• Audit log. Hash-chained tamper-evident entries with subject/action/outcome/timestamp/IP.
• Voice. Audio is streamed directly to OpenAI Realtime over WebSocket and is not recorded — neither audio nor transcripts are stored; only call metadata is kept.
• Incident response. 72-hour GDPR Art. 33 breach window. Affected clinics notified by email.

12. Children

Clinics may treat patients under 18. We rely on the clinic to obtain parental consent for processing minors' data in accordance with the clinic's jurisdiction.

13. Changes to this policy

We will post any material change to this page at least 30 days before it takes effect, and notify the clinic's primary contact by email.

14. Contact

Project Line
Email: emil.mamadov@projectlineil.com
Jurisdiction: Israel