We take privacy seriously. Here's exactly what we do with your data.
Last updated: May 2026. Written in plain English — not legalese.
1. Who we are
Sorta AI is a patient intake automation platform built for outpatient clinics. We're headquartered in El Paso, Texas. If you have questions about this policy, contact us at privacy@getsorta.io.
2. What information we collect
We collect different information depending on your relationship with Sorta.
Clinic staff (you signed up for Sorta)
- Name and email address at registration
- Clinic name and location
- Login activity and usage data
- Forms and templates you upload
Patients (your clinic uses Sorta)
- Information patients enter into intake forms — name, date of birth, contact information, insurance details, medical history
- We collect this on behalf of your clinic, not for our own purposes
- We are a Business Associate under HIPAA — your clinic is the Covered Entity
Website visitors
- IP address and browser type via Google Analytics and Microsoft Clarity
- Pages visited and time spent
- Apart from the IP address and browser data listed above, no personally identifiable information is collected from anonymous visitors
3. How we use information
Clinic staff data
- To provide the Sorta platform
- To send product updates and support communications
- To improve the product based on usage patterns
Patient data
- Only to provide intake automation services to your clinic
- Never for marketing
- Never sold to third parties
- Never processed through external AI systems — AI only runs at initial form setup to map field locations, never at patient visit time
4. How we protect information
- All data encrypted in transit using TLS (HTTPS)
- Patient data stored on Microsoft Azure HIPAA-eligible infrastructure; data for clinics in the United States stays in US regions
- Canadian clinic data stored in the Azure Canada Central region
- Multi-tenant isolation — no clinic can access another clinic's data
- JWT authentication with 24-hour token expiration
- Patient intake links expire after 7 days
5. AI and patient data
Sorta uses AI in one specific way: during initial form setup, our AI reads your uploaded PDF forms to identify and map field locations. This process runs once, on blank form templates, before any patient has used the system.
After setup, AI is never involved again. When a patient fills out their intake form, their answers go directly to our secure servers. No patient name, date of birth, insurance information, or medical history ever passes through an external AI system. This is an architectural decision we made intentionally for both privacy and HIPAA compliance.
6. Data sharing
We share data with:
- Microsoft Azure — infrastructure and hosting, covered by Microsoft's HIPAA BAA
- Resend — email delivery for patient intake links only. To deliver the message, Resend receives the patient's email address; the message body contains no PHI, only a random secure link that expires after 7 days
- Twilio — SMS delivery for patient intake links only. To deliver the message, Twilio receives the patient's phone number; the message body contains no PHI, only a random secure link that expires after 7 days
We do not share data with advertisers, data brokers, or any third party for marketing purposes.
7. Your rights
Clinic staff
- Request a copy of your data
- Request deletion of your account and data
- Opt out of marketing communications
Patients
- Patient rights under HIPAA are managed by your clinic as the Covered Entity
- Contact your clinic directly for requests to access, amend, or delete your health information
8. Data retention
- Active clinic data retained while the account is active
- Deleted accounts: data removed within 30 days
- Patient form data: retained as directed by the clinic
- Audit logs: retained for 6 years per HIPAA requirements
9. Contact
Questions about this policy? Email us at privacy@getsorta.io. We respond within 2 business days.