LEGAL

Privacy Policy

Last Updated: May 26, 2026

1. Introduction

SignalMatrix AI (“we,” “us,” or “our”) respects your privacy and is committed to protecting the personal information you share with us. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website signalmatrixai.com or use our services.

By accessing or using our website, you agree to the terms of this Privacy Policy. If you do not agree, please do not use our website or services.

2. Information We Collect

2.1 Information You Provide

  • Contact Information: Name, email address, phone number, and practice name when you fill out our contact form or request a strategy audit.
  • Business Information: Practice type, marketing budget range, and service interests you select on our forms.
  • Communications: Any messages, feedback, or other information you send to us via email, phone, or our contact forms.

2.2 Information Collected Automatically

  • Device Information: Browser type, operating system, device type, and screen resolution.
  • Usage Data: Pages visited, time spent on pages, click patterns, and referring URLs.
  • Cookies and Tracking Technologies: We use cookies, web beacons, and similar technologies to enhance your experience and gather analytics. See Section 6 for details.
  • IP Address: Your Internet Protocol address for analytics and security purposes.
  • Chatbot Interactions: Our website includes an AI-powered chat assistant. When you interact with the chatbot, we collect your messages, responses, and session metadata to respond to inquiries and improve the assistant’s performance. Chat transcripts are retained for up to 90 days.

2.3 AI Receptionist Voice Data Collection

The AI receptionist widget on the page collects:

  • Voice recordings
  • Transcriptions of spoken conversations
  • User microphone access permissions

Voice Data (AI Receptionist): When you use our AI Receptionist voice assistant, we collect and process your voice recordings and transcriptions. This data is used solely to respond to your inquiry and is not retained beyond 30 days unless you become a client. Voice data is encrypted in transit and at rest. By using the voice assistant, you consent to the recording and processing of your audio input.

3. How We Use Your Information

We use the information we collect to:

  • Respond to your inquiries and provide requested services
  • Send you marketing communications about our services (with your consent)
  • Improve our website, services, and user experience
  • Analyze website usage and optimize performance
  • Protect against fraudulent or unauthorized activity
  • Comply with legal obligations

3.1 Automated Decision-Making / AI Processing

Automated Processing: We use artificial intelligence and machine learning systems to power our AI Receptionist and chat assistant. These systems process your inputs automatically to generate responses. No automated decisions are made about your eligibility for services, creditworthiness, or other legally significant outcomes without human review.

4. How We Share Your Information

We do not sell your personal information. We may share your information with:

  • Service Providers: Third-party vendors who assist us in operating our website and delivering services (e.g., email providers, analytics platforms, CRM systems).
  • Legal Requirements: When required by law, regulation, or legal process.
  • Business Transfers: In connection with a merger, acquisition, or sale of assets.
  • With Your Consent: When you explicitly authorize us to share your information.

5. AI Data Processing

SignalMatrix AI uses artificial intelligence and large language model (LLM) technology to power several of our Services, including our AI chat assistant, AI-powered audits, and analytics features. This section explains how your data interacts with our AI systems.

AI Service Providers: We use the following third-party AI inference providers to process queries on our behalf:

  • Groq, Inc. (Llama 3.3 70B) — Primary AI chat inference provider. Data retention: 30 days. Location: United States.
  • Anthropic, PBC (Claude) — Fallback AI chat provider. Data retention: 7 days. Location: United States.
  • Google LLC (Gemini 2.0 Flash) — AI audit engine and secondary chat fallback. Data retention: per Google Data Processing terms. Location: United States.

What Data Is Sent to AI Providers: When you interact with our AI chat assistant or use our AI-powered audit tools, the text of your query is transmitted to one of the above providers for processing. We minimize the personal data included in AI requests — personal identifiers (names, email addresses, phone numbers) are stripped or anonymized before transmission wherever technically feasible. We do NOT send Protected Health Information (PHI) to AI providers unless explicitly authorized under a signed BAA.

No Model Training: All AI providers listed above are used under API-tier or commercial terms that prohibit the use of your input data to train, fine-tune, or improve their AI models. Your data is processed solely to generate a response to your query and is not incorporated into any AI training dataset.

AI Output Accuracy: AI-generated responses may contain inaccuracies or incomplete information. AI outputs are provided for informational purposes only and should not be considered professional advice. Users are encouraged to verify AI-generated information independently. You may request human review of any AI-generated output by contacting us.

Sub-Processor Transparency: A complete list of our AI and other sub-processors, including their purposes, data retention periods, and data processing agreement status, is available upon request. We provide clients at least 30 days’ advance notice before engaging any new AI sub-processor.

6. Automated Decision-Making

SignalMatrix AI uses artificial intelligence to generate recommendations, insights, and content. We are committed to transparency about how these systems work and your rights regarding automated processing.

How We Use AI-Assisted Processing: Our AI systems may be used for: generating responses to chat inquiries, producing marketing content recommendations, analyzing website performance and SEO metrics, scoring lead engagement and campaign effectiveness, and generating audit reports on AI/LLM visibility. These outputs are recommendations only — they do not constitute binding decisions.

No Legally Significant Automated Decisions: We do not make automated decisions that produce legal effects or similarly significantly affect you without human involvement. Specifically, no automated decisions are made regarding: service eligibility, pricing or creditworthiness, employment or professional standing, access to or denial of services, or any outcome with legal or contractual consequences.

Your Rights Regarding Automated Processing: You have the right to:

  • Request Human Intervention: You may request that a human review any AI-generated output, recommendation, or assessment related to your account or services.
  • Contest AI Recommendations: You may contest any recommendation or assessment generated by our AI systems and request a manual review.
  • Obtain an Explanation: You may request a clear explanation of the logic, significance, and intended consequences of any automated processing applied to your data.
  • Opt Out: Where technically feasible, you may request that certain processing activities be performed without AI assistance.

To exercise any of these rights, contact us at [email protected] with the subject line “AI Processing Rights Request.”

7. HIPAA-Ready Practices

As a healthcare marketing agency, we take the protection of health information seriously. Our website does not collect Protected Health Information (PHI). When engaged by healthcare practices, we implement the following HIPAA-ready workflows:

  • Business Associate Agreement (BAA): We execute a signed BAA with every healthcare client before any work begins that may involve access to patient data. Our BAA covers obligations, permitted uses, safeguards, breach notification procedures, and termination protocols in accordance with 45 CFR Parts 160 and 164.
  • Administrative Safeguards: Access to any client data is restricted to authorized personnel only. All team members receive training on HIPAA requirements and data handling procedures.
  • Technical Safeguards: We use encryption (AES-256) for data in transit and at rest, secure authentication, and access controls on all systems that may contain client information.
  • Marketing Compliance: All marketing materials, ad campaigns, and website content are reviewed for compliance with healthcare advertising regulations. We do not use patient testimonials, before/after images, or any identifying patient information without proper written authorization.
  • Breach Notification: In the unlikely event of a data breach, we commit to notifying affected clients within five (5) business days of discovery, in accordance with HIPAA breach notification requirements.
  • Data Minimization: We follow the minimum necessary standard — we only request, use, or disclose the minimum amount of information needed to accomplish the intended purpose.

A copy of our standard Business Associate Agreement is available upon request. Please contact us at [email protected] for a copy.

5.1 AI Receptionist Privacy Practices

Our AI Receptionist product uses voice recognition and natural language processing to handle patient inquiries. When you call the AI Receptionist:

  • Recording Notice: Calls are recorded and transcribed for quality assurance and system training. A voice prompt will notify you at the beginning of each call.
  • Voice Biometrics: We do not use voice recordings for biometric identification purposes.
  • Data Retention: Recordings are retained for 30 days unless the call results in an appointment, in which case it is retained as part of the client’s customer record.
  • Human Escalation: You may request to speak with a human representative at any time by saying “transfer me to a person.”
  • Opt-Out: If you do not wish to interact with the AI, you may hang up and call our main office line at (704) 361-5800.

8. Cookies and Tracking Technologies

We use the following types of cookies:

  • Essential Cookies: Required for website functionality (session management, security).
  • Analytics Cookies: Help us understand how visitors interact with our website (e.g., Google Analytics).
  • Marketing Cookies: Used to deliver relevant advertisements and track campaign performance.
  • Third-Party Cookies: Some cookies are placed by third-party services we use, including Google Analytics. These third parties may collect information about your online activities across different websites.

You can control cookies through your browser settings. Disabling certain cookies may limit website functionality.

6.1 Cookie Consent Management

When you first visit our website, you will see a cookie banner. Clicking “Accept” enables all cookies. Clicking “Decline” disables marketing and analytics cookies but allows essential cookies required for website functionality. You can change your cookie preferences at any time through the cookie settings link in our website footer. Your consent expires after 12 months, at which point you will be re-prompted.

9. Data Security

We implement industry-standard security measures to protect your information, including:

  • SSL/TLS encryption for data in transit
  • Secure data storage with access controls
  • Regular security assessments and updates
  • Employee training on data protection practices

No method of transmission over the Internet is 100% secure. While we strive to protect your information, we cannot guarantee absolute security.

10. Data Retention

We retain your personal information for as long as necessary to fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required by law. Contact form submissions are retained for up to 24 months unless you request earlier deletion.

  • Voice Recordings (AI Receptionist): 30 days from the date of recording, unless you become a client, in which case recordings are retained as part of your client file for the duration of the engagement plus 7 years.
  • Chat Transcripts (AI Assistant): 90 days from the date of conversation, unless the conversation results in a service inquiry, in which case it is retained for 24 months.
  • Analytics Data (Cookies): Google Analytics data is retained for 26 months per our configuration.

11. Your Rights

Depending on your location, you may have the following rights:

  • Access: Request a copy of the personal information we hold about you.
  • Correction: Request correction of inaccurate or incomplete information.
  • Deletion: Request deletion of your personal information.
  • Opt-Out: Unsubscribe from marketing communications at any time.
  • Data Portability: Request your data in a portable format.

To exercise any of these rights, contact us at [email protected].

9.1 State Privacy Rights

If you are a resident of Virginia, Colorado, Connecticut, Utah, Oregon, Montana, Texas, or another state with a comprehensive privacy law, you may have additional rights including:

  • The right to confirm whether we process your personal data
  • The right to correct inaccuracies in your personal data
  • The right to delete your personal data
  • The right to opt out of targeted advertising, sale of personal data, or profiling
  • The right to appeal our decision regarding your privacy rights request

To exercise these rights, contact us at [email protected]. We will respond within 45 days.

12. California Privacy Rights (CCPA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA), including the right to know what personal information we collect, the right to delete your information, and the right to opt out of the sale of your information. We do not sell personal information.

13. GDPR Rights (EEA/UK Users)

If you are located in the European Economic Area (EEA) or the United Kingdom (UK), the General Data Protection Regulation (GDPR) and UK GDPR provide you with additional rights regarding your personal data.

Lawful Basis for Processing: We process your personal data on the following legal bases:

  • Contract Performance (Article 6(1)(b)): Processing necessary to perform our obligations under our service agreement with you.
  • Legitimate Interest (Article 6(1)(f)): Processing for our legitimate business interests, such as improving our Services, ensuring security, and communicating with you about relevant opportunities.
  • Consent (Article 6(1)(a)): Where you have given specific, informed consent for a particular processing activity (e.g., marketing communications, analytics cookies). You may withdraw consent at any time.
  • Legal Obligation (Article 6(1)(c)): Processing required to comply with applicable laws and regulations.

Additional Rights Under GDPR: EEA/UK users have the right to:

  • Right to Object (Article 21): Object to processing based on legitimate interest, including profiling. We will cease processing unless we demonstrate compelling legitimate grounds.
  • Right to Restrict Processing (Article 18): Request restriction of processing while we verify your objection or data accuracy.
  • Right to Withdraw Consent: Withdraw consent at any time for processing activities based on consent.
  • Right to Lodge a Complaint: File a complaint with your local Data Protection Authority (DPA). A list of EU DPAs is available at edpb.europa.eu. For UK residents, contact the Information Commissioner’s Office (ICO) at ico.org.uk.

Data Protection Contact: For GDPR-related inquiries, please contact us at [email protected] with the subject line “GDPR Inquiry.”

Cross-Border Transfers: Your data is processed in the United States. For transfers from the EEA/UK to the US, we rely on the EU-US Data Privacy Framework (where applicable) and/or Standard Contractual Clauses (SCCs) approved by the European Commission. Copies of our SCCs are available upon request.

Data Processing Agreement: We provide a comprehensive Data Processing Agreement (DPA) that addresses GDPR Article 28 requirements. To request a copy, email us with the subject line “DPA Request.”

14. Children’s Privacy

Our website and services are not directed to individuals under the age of 18. We do not knowingly collect personal information from children. If you believe we have collected information from a minor, please contact us immediately.

15. Third-Party Links

Our website may contain links to third-party websites. We are not responsible for the privacy practices of these external sites. We encourage you to review their privacy policies before providing any personal information.

16. Changes to This Policy

We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated “Last updated” date. We encourage you to review this policy periodically.

17. Do Not Track Signals

Some browsers include a “Do Not Track” feature. Our website does not currently respond to Do Not Track signals. You can control tracking through your cookie preferences and browser settings as described in Section 6.

18. User-Generated Content

If you submit testimonials, reviews, or other content to us, you grant us a non-exclusive, worldwide, royalty-free license to use, reproduce, and display that content in our marketing materials. We will not use any content that contains Protected Health Information (PHI) or patient-identifying information without a signed authorization.

19. Contact Us

If you have questions or concerns about this Privacy Policy, please contact us:

SignalMatrix AI
Orlando, FL
Email: [email protected]
Phone: (704) 361-5800

For priority handling, please use the following subject lines when emailing us:

  • “Privacy Rights Request” — For access, correction, deletion, or portability requests
  • “HIPAA Inquiry” — For HIPAA-related questions
  • “BAA Request” — To request a Business Associate Agreement
  • “DPA Request” — To request our Data Processing Agreement
  • “AI Processing Rights Request” — For AI-related data processing inquiries or to request human review of AI outputs
  • “GDPR Inquiry” — For GDPR-specific questions or to exercise EEA/UK data rights
  • “Sub-Processor Inquiry” — For questions about our third-party sub-processors
  • “Security Incident” — To report a suspected data breach or security concern

We will verify your identity before processing any privacy rights request and respond within 30 days (45 days for CCPA/CPRA requests).