Privacy policy
What we collect, and why.
Last updated June 2026. This is a plain-language summary of how TakeFax handles data. The binding policy and our BAA are available on request at legal@takefax.com.
What we collect
- Account data: name, work email, clinic name, and the subdomain you claim.
- Operational data: the fax/Direct messages routed to your workspace, their extracted fields, and the actions your team takes on them.
- Usage data: standard logs (IP, timestamps, request metadata) used to operate and secure the service.
Protected Health Information (PHI)
- Inbound documents may contain PHI. We process PHI solely to provide the triage service to you, the covered entity.
- Live PHI requires a signed Business Associate Agreement (BAA) on a Practice plan. On other tiers, pilot with synthetic or de-identified documents.
- PHI is encrypted in transit (TLS 1.3) and at rest (AES-256), isolated per tenant.
Subprocessors
- Hosting + edge: Vercel. Data store: Upstash (Redis). Document storage: Vercel Blob.
- AI inference: routed via the Vercel AI Gateway to BAA-covered model endpoints on the Practice plan.
- Fax transport: your connected provider (Telnyx / Documo). A current subprocessor list is available on request.
How we use AI
- Models read your documents only to classify and extract fields for your workspace.
- Your data is never used to train models — ours or any provider's.
- Per-tenant model request logs are retained 30 days, then purged.
Retention + deletion
- You control retention of triaged records in your workspace.
- On account closure we delete workspace data per the terms of your agreement and our BAA, excluding what law requires us to retain.
- Request an export or deletion any time at privacy@takefax.com.
Your choices
- Access, correct, export, or delete your account data by emailing privacy@takefax.com.
- As a covered entity, you direct how PHI in your workspace is handled; we act on your instructions as a business associate.
Questions about this policy? Email privacy@takefax.com.