CHEST LLC · DBA DESKMD
Privacy Policy
Effective: 2026-05-04
DeskMD is operated by Chest LLC (“Chest LLC”, “DeskMD”, “we”, “us”). DeskMD is an AI-powered answering service that handles inbound phone calls for healthcare practices. Because our customers are typically Covered Entities under HIPAA and our service routinely handles Protected Health Information (PHI), this policy is written with healthcare privacy obligations in mind. We are a Business Associate under HIPAA when we handle PHI on a Covered Entity’s behalf.
This policy explains what we collect, why we collect it, who we share it with, how long we keep it, and what choices you have. If you are a patient whose call was answered by DeskMD on your provider’s behalf, please read the section “If you are a patient” below.
1. Who this policy applies to
This policy applies to:
- Customers — medical, dental, and veterinary practices that subscribe to DeskMD.
- Authorized users within those practices (owners, providers, staff who log into the DeskMD application).
- Visitors to www.deskmd.ai.
- Patients and other callers whose calls are answered by DeskMD on a customer’s behalf — although the relationship with the patient is governed primarily by the customer’s own Notice of Privacy Practices, not ours. We process patient PHI only as a Business Associate of the customer.
2. What we collect
From customers and authorized users:
- Account and billing information: practice name, owner contact, address, payment method (processed by our payment processor; we do not store full card numbers).
- Authentication data: email, hashed password, session tokens, multi-factor settings, device and IP information for audit purposes.
- Configuration data: AI instructions, provider list and aliases, escalation rules, notification preferences, glossary, language settings.
- Usage data: pages visited, features used, error logs (without PHI), and audit-log events for every PHI access.
From callers (typically patients):
- Call audio and recordings.
- Transcripts (in the original language and an English translation when applicable).
- Structured intake fields: caller name, callback number, named provider, reason for the call, urgency level, category, and any custom fields the practice configured.
- Phone metadata: caller phone number, call start/end times, duration.
From visitors to our website:
- Standard server logs (IP, user agent, referrer, timestamp).
- Cookies and analytics — see “Cookies and analytics” below.
- Anything you submit through a form (contact, demo request, blog comment).
3. Why we collect it
We use the data above to:
- Provide the answering service: route calls, capture intake, dispatch SMS/email notifications, store recordings and transcripts so authorized practice staff can act on them.
- Bill customers and process subscriptions.
- Authenticate users and protect their accounts (rate limiting, anomaly detection, session security).
- Maintain audit logs as required by HIPAA and for our own incident response.
- Improve product reliability and quality. We do not use customer PHI to train AI models. We do not sell PHI under any circumstance.
- Communicate with customers about service updates, security advisories, and (with consent) marketing.
- Comply with our legal obligations.
4. HIPAA: our role as a Business Associate
When we handle Protected Health Information (PHI) on a Covered Entity’s behalf, we act as a Business Associate as defined in 45 CFR §160.103. Before any production PHI flows through DeskMD, the customer signs a Business Associate Agreement (BAA) that governs how we may use and disclose PHI.
In summary, our BAA commits us to:
- Use and disclose PHI only as permitted by the BAA, our underlying agreement with the customer, and applicable law.
- Implement administrative, physical, and technical safeguards reasonable and appropriate to protect PHI.
- Report security incidents, including breaches of unsecured PHI, within timeframes required by law and the BAA.
- Ensure that any subcontractor we engage that creates, receives, maintains, or transmits PHI on our behalf agrees in writing to substantially similar restrictions.
- Make PHI available, support amendments, and provide an accounting of disclosures consistent with HIPAA’s requirements.
- Return or destroy PHI at the end of the relationship, where feasible.
Subprocessor BAA completion is required before production PHI is processed through any subprocessor. Where a subprocessor has not yet executed a BAA covering a particular use, we do not route production PHI through that subprocessor.
5. Subprocessors (who else handles your data)
We rely on the following categories of subprocessors to operate DeskMD. Each is bound by a written agreement that obligates them to maintain confidentiality and security at standards consistent with our obligations to you.
| Subprocessor | Purpose | PHI access |
|---|---|---|
| Cloud infrastructure provider | Cloud hosting, encrypted storage, managed database, key management, email delivery | Yes (encrypted at rest) |
| Telephony provider | Phone numbers, voice media streams, SMS notifications | Yes (call audio + numbers in transit) |
| Voice AI provider | Real-time voice model and post-call translation | Yes during the call; subprocessor BAA required before production PHI |
| Payment processor | Subscription billing | No PHI; billing data only |
A current subprocessor list is available on request and through our customer portal. We notify customers of material changes to our subprocessor list.
6. How long we keep data
- Call recordings: 365 days on the Standard plan, 1,825 days (5 years) on the Pro plan. Custom plans may set their own retention.
- Transcripts and structured intake records: retained for the same duration as recordings unless the customer specifies otherwise in writing.
- Audit logs: six years from creation, consistent with 45 CFR §164.316(b)(2)(i).
- Account and billing records: retained for the duration of the relationship plus the period required by tax and accounting law.
- Backup copies: may persist for up to 90 days after deletion from primary storage; secure deletion of backups follows our backup-rotation schedule.
Customers may request shorter retention as part of a custom plan. Patients may request deletion of their records — see the section below.
7. Security
We implement administrative, physical, and technical safeguards designed to protect the confidentiality, integrity, and availability of customer and patient data. These include encryption of data in transit (TLS 1.2 or higher) and at rest (AES-256 with managed encryption keys), tenant isolation at the database level, principle-of-least-privilege access controls, audit logging of every PHI access, multi-factor authentication for administrative accounts, and regular vulnerability scanning. No system can guarantee absolute security; in the event of a breach, we will notify affected parties as required by HIPAA, the BAA, and applicable state law.
8. If you are a patient whose call was answered by DeskMD
When a patient calls a healthcare practice that uses DeskMD, the practice (the Covered Entity) — not Chest LLC — is the entity directly responsible to you under HIPAA’s Privacy Rule. Your relationship is with the practice. We process your call data only as a Business Associate of the practice and according to its instructions.
If you want to:
- Access, amend, or correct your records,
- Request an accounting of disclosures of your PHI,
- Have your records deleted,
contact your healthcare practice directly. They will instruct us, and we will act on those instructions promptly. If you contact us directly, we will route the request to the practice that holds your records.
9. Your rights under U.S. state privacy laws
Depending on where you live, you may have additional rights under state privacy laws (for example, California’s CCPA/CPRA, Virginia’s VCDPA, Colorado’s CPA, Connecticut’s CTDPA, and others). These typically include the right to access, delete, correct, or port your personal information, and to opt out of certain types of processing.
Important caveat: most state privacy laws exempt PHI handled under HIPAA. For PHI specifically, your rights flow through HIPAA and your healthcare practice (see section 8). For non-PHI data we hold about you (for example, marketing-list contact information), you may exercise state-law rights by emailing privacy@deskmd.ai. We will verify your identity before responding and will respond within the timeframes required by the applicable law.
We do not sell personal information. We do not engage in targeted advertising in the sense defined by these state laws.
10. Cookies and analytics
www.deskmd.ai uses a small set of cookies and similar technologies:
- Essential: session cookies needed to operate the application (login, CSRF protection).
- Analytics: privacy-respecting analytics to understand site usage in aggregate. We do not use third-party advertising trackers on the marketing site or the application.
You can control cookies through your browser. Disabling essential cookies will break login and other functionality.
11. Children’s privacy
DeskMD is a B2B service. Our customers are healthcare practices, and accounts must be held by adults. We do not knowingly collect personal information from children under 13 directly. PHI relating to minor patients is handled according to HIPAA and the Covered Entity’s policies, not by us directly.
12. International users
DeskMD is operated from the United States and is intended for U.S. healthcare practices. Our infrastructure is hosted in the United States. By using DeskMD, you consent to the transfer of your data to the United States. We do not currently market the service to data subjects in the European Union, the United Kingdom, Canada, or other jurisdictions with non-U.S. data-protection regimes; if you are in one of those jurisdictions, please contact us before using the service.
13. Changes to this policy
We may update this policy as the service evolves or as the law changes. Material changes will be announced to customer-account owners by email and posted at the top of this page with a new effective date. Continued use of DeskMD after a material change constitutes acceptance of the updated policy.
14. Contact us
For questions about this policy, requests, or to report a concern:
- Email: privacy@deskmd.ai
- Mailing address: Chest LLC, [add registered office address before publishing]
- For breach reports affecting customer or patient data, please use the same email and mark the subject line “Security Incident Report” so we can prioritize it.