Privacy Policy

Introduction

1. Information We Collect

1.1 Personal Data

We collect personally identifiable information (PII) that you or your organization voluntarily provide, including:

• Full name and contact information (email address, phone number)
• Account credentials (managed via role-based access controls)
• Billing and organizational details
• Usage data: IP address, browser type, pages visited, device identifiers, session timestamps

1.2 Protected Health Information (PHI / ePHI)

When operating as a Business Associate, we may process PHI transmitted to us by Covered Entity clients, which may include:

• Patient identifiers embedded in communications routed through our platform
• Audio recordings of interactions involving patient-related inquiries
• Any other PHI as defined under 45 C.F.R. § 160.103

PHI is processed exclusively under the terms of a fully executed Business Associate Agreement (BAA) with each Covered Entity client. PHI is never used for marketing, analytics, model training, or any purpose not authorized by the applicable BAA.

1.3 Audio Recordings

Interactions with Workforce Wave AI voice agents are recorded and securely stored for quality assurance and regulatory compliance. Recordings are:

• Retained for 12 months unless a shorter period is requested by the client
• Protected by AES-256 encryption at rest and TLS 1.2+ in transit
• Not used to train any Large Language Model (LLM), including OpenAI models
• Accessible only to authorized personnel under strict access controls

1.4 Cookies and Tracking Technologies

We use cookies and similar technologies for session management and analytics. Users may manage cookie preferences through browser settings or via www.youradchoices.com. Google Analytics data collection may be disabled via the Google Analytics opt-out browser add-on.

2. How We Use Your Information

We use collected data solely for the following purposes:

• Delivering, operating, and improving our services
• Quality assurance and AI agent performance evaluation
• Fraud prevention, security monitoring, and regulatory compliance
• Communicating service updates and material changes to clients
• Fulfilling legal obligations and responding to lawful process

We do not use personal data or PHI for targeted advertising, cross-context behavioral tracking, or the training of AI/ML models.

3. Disclosure of Data

Workforce Wave does not sell personal information. We share data only with trusted sub-processors necessary to deliver our services:

• Amazon Web Services (AWS): Secure cloud infrastructure, storage, and compute
• Google Workspace: Email and document management
• Twilio: Telecommunications (call routing, SMS)
• OpenAI (Enterprise / API): Conversational AI processing — data is not used to train OpenAI models; SOC 2 compliant; AES-256 at rest, TLS 1.2+ in transit
• Proprietary White-Labeled AI Platform: HIPAA, SOC 2, and GDPR compliant

All sub-processors handling PHI execute a Business Associate Agreement or equivalent Data Processing Agreement prior to any data access.

Categories of data disclosed to sub-processors:

• Identifiers (names, emails, phone numbers) — for service delivery
• Audio recordings — quality assurance only, under BAA where applicable
• Usage data (IP, timestamps) — system monitoring and diagnostics

4. Data Retention and Deletion

Retention Schedules

• Personal data: Retained for the duration of the client relationship; deleted within 90 days following termination of services
• PHI / ePHI: Retained per BAA terms; minimum 6-year HIPAA documentation retention applies to BAA and related records (45 C.F.R. § 164.530(j))
• Audio recordings: 12 months, unless a shorter period is client-specified
• Usage / analytics data: Up to 18 months

5. Your Legal Rights

Depending on your jurisdiction, you have the right to:

• Access: Obtain a copy of your personal data we hold
• Correction: Request correction of inaccurate or incomplete data
• Deletion / erasure: Request deletion of your personal data
• Portability: Receive your data in a structured, machine-readable format
• Opt-out: Decline marketing communications or certain data uses
• Restriction: Request limitation of processing in specific circumstances
• Lodge a complaint: With your applicable supervisory authority

HIPAA Rights (where applicable)

Individuals whose PHI is processed by Workforce Wave on behalf of a Covered Entity client should direct rights requests (access, amendment, accounting of disclosures) to the Covered Entity directly. We will support Covered Entities in fulfilling such requests per our BAA obligations.

6. Security Practices

Workforce Wave implements administrative, physical, and technical safeguards consistent with HIPAA Security Rule requirements (45 C.F.R. Part 164, Subpart C) and industry best practices:

• Encryption: AES-256 at rest; TLS 1.2+ in transit for all data
• Access controls: Role-based access control (RBAC); least-privilege principle; MFA enforced for all system access
• Audit logging: All access to PHI and sensitive systems is logged and monitored
• Endpoint security: Full-disk encryption, endpoint protection, and MDM on all company devices
• Vulnerability management: Regular internal audits, penetration testing, and dependency scanning
• Incident response: Documented breach notification procedures consistent with 45 C.F.R. §§ 164.400–414 and applicable state law

7. AI Agent Privacy and Security

7.1 Interaction Logging

All AI agent interactions are securely logged in encrypted systems meeting HIPAA, SOC 2, and GDPR standards. Logs are retained only as long as operationally and legally required.

7.2 No LLM Training on Client Data

Interactions with Workforce Wave AI agents — including voice agents — are not used to train any Large Language Model. This applies to all OpenAI and proprietary model components in our stack.

7.3 Access Controls

Access to interaction logs and transcripts is restricted to authorized personnel with a documented business need. All access is logged and subject to periodic audit.

7.4 Client Transparency

Clients receive access to interaction summaries and performance reports to enable independent compliance and efficacy evaluation.

7.5 Privacy by Design

Privacy and security controls are embedded at every stage of AI agent design, development, and deployment — not added as an afterthought.

8. Data Sales and Behavioral Advertising

Workforce Wave does NOT:

• Sell personal information to any third party
• Share data for cross-context behavioral advertising
• Facilitate third-party tracking for advertising purposes

Data is used exclusively to deliver contracted services to our clients.

9. State and International Privacy Law Compliance

Workforce Wave complies with applicable state and federal privacy laws, including:

• HIPAA / HITECH (federal)
• California Consumer Privacy Act (CCPA) / CPRA
• Colorado Privacy Act (CPA)
• Virginia Consumer Data Protection Act (VCDPA)
• General Data Protection Regulation (GDPR) — for EEA residents

Global Privacy Control (GPC)

We recognize GPC signals for California and Colorado residents as a valid opt-out of data sharing for targeted advertising (though we do not engage in targeted advertising).

GDPR

EEA residents have full GDPR rights including access, rectification, erasure, portability, and the right to object. Contact worker@workforcewave.com or our EU representative if applicable.

10. Cookies and Tracking

We use cookies for authentication, session management, and analytics only.

Opt-Out Options

• Adjust browser cookie settings directly
• Visit www.youradchoices.com
• Install the Google Analytics opt-out browser add-on to disable analytics

11. Policy Accessibility and Updates

This policy is publicly available at https://www.workforcewave.com/privacy-policy.

Alternative formats available upon request at worker@workforcewave.com.

Policy updates will be communicated via email notification to active clients and published on our website with a revised effective date. Material changes will be communicated with at least 30 days’ advance notice where feasible.

12. Appendix — LLM and AI Vendor Security

OpenAI Enterprise / API

• Client data is not used to train OpenAI models
• Clients retain ownership of all input and output data
• SOC 2 Type II audited
• Data encrypted at rest (AES-256) and in transit (TLS 1.2+)
• Additional details: trust.openai.com

AWS

• SOC 2 Type II, ISO 27001, HIPAA-eligible services in use
• PHI stored exclusively in HIPAA-eligible AWS services under BAA

Twilio

• BAA executed for any PHI transmission
• SOC 2 Type II compliant