Privacy Policy
Statlinx Privacy Policy
Effective Date: August 23, 2025
1. Introduction
At Statlinx, safeguarding the privacy of our clients and their patients is central to our mission. As a provider of telephone answering services tailored for healthcare organizations, we routinely handle Protected Health Information (PHI) and strictly adhere to HIPAA, as well as relevant international data protection laws, including the GDPR where applicable. This Privacy Policy explains how we collect, use, protect, and disclose information entrusted to us.
2. Data We Handle
We collect and process the following data types:
● Protected Health Information (PHI): Patient names, contact details, appointment information, and other message contents received through our call services.
● Client Data: Business contact information (names, addresses, emails, telephone numbers) and billing data related to healthcare organizations.
● System Metadata: IP addresses, timestamps, and system logs used for performance, audit tracking, and security monitoring.
3. Purpose of Data Use
Data is collected and used solely for:
● Delivering telephone answering and message-handling services to healthcare clients.
● Ensuring compliance with legal, contractual, and regulatory obligations (e.g., HIPAA).
● Managing billing and providing client support.
We do not use personal or health data for marketing, nor do we resell or share it for commercial purposes.
4. Data Storage & Subprocessors
We rely on:
● LiquidWeb: A SOC2 and HIPAA-compliant data center for our CRM, where PHI is stored and processed.
● OVH: SOC2 certified, self-managed hosting for our PBX (FreePBX) systems, secured and maintained by IT Personnel.
All subprocessors are contractually bound to confidentiality and data protection obligations.
5. Security Measures
● nCall CRM access is restricted via IP authentication, enforced Multi-Factor Authentication (MFA), and requires the nCall desktop application to be installed on the authorized user’s device.
● PBX server access is restricted to Statlinx IT staff and secured via RSA-key SSH authentication only; no password-based access is permitted. nCall server access is limited to IT personnel via secure Remote Desktop Protocol (RDP) sessions.
● Data in transit is encrypted (TLS-enabled email, secure messaging).
● System access is limited to authorized personnel with robust credentials and key management.
6. Data Retention & Offboarding
● Billing and operational records are retained for as long as legally required.
● PHI is retained for the duration of the client’s active service.
● Upon client offboarding, data is permanently deleted from our systems.
7. Disclosure of Information
We do not share PHI or client data except:
● When legally required (e.g., subpoena or court order), or
● To fulfill contracted services under HIPAA and security-compliant subprocessors.
8. Data Subject Rights
Clients may:
● Request access to their account data.
● Request corrections or deletions (subject to lawful retention).
● Inquire about data handling or security practices.
For patient PHI, rights are governed under HIPAA and handled via the client organization.
8.1 Privacy Request Intake and Tracking
1. Statlinx maintains a standardized intake and tracking process for privacy inquiries and data subject requests.
2. Requests may be submitted to privacy@statlinx.com or via the contact information in Section 10.
3. All requests are logged with date and time received, requester identity, request type, systems involved, verification performed, actions taken, and response date.
4. Where requests pertain to PHI handled on behalf of a covered entity, Statlinx forwards the request to the client and tracks the referral and final disposition.
5. Statlinx acknowledges requests promptly and responds within applicable legal timeframes.
6. Logs and communications are retained for at least six years where HIPAA applies.
9. Updates to This Policy
We may update this policy periodically. Any changes will be posted on our website with a new effective date. Clients will be notified via email of material updates.
10. Contact Us
Statlinx
500 Summer St, Suite 301
Stamford, CT 06901, USA
Email: privacy@statlinx.com
Phone: (914) 831‑4300
Customer support requests that include PHI must use secure nCall messaging or TLS-protected email; general questions may use the posted business phone number or support email.
11. Quarterly Privacy Compliance Review
1. Statlinx conducts a quarterly review of its privacy program.
2. The review includes training completion, BAA status, access controls for systems processing PHI, incident and inquiry trends, DR and backup status for systems that store PHI, and open remediation items.
3. The IT Director compiles metrics, documents findings and corrective actions in Drata, and provides a summary to Executive Staff for oversight.