Privacy Policy

Effective date: April 29, 2026

At Ample, we respect your privacy and are committed to protecting your personal information. This policy outlines how we collect, use, and safeguard your data.

Plain-Language Summary

We’re Ample AI — an AI receptionist and workflow automation platform built for healthcare clinics. This policy explains three different things in one document:

  1. How we handle information about people who visit our website or become our customers (clinic owners, staff, demo bookers). For this data, Ample AI is the “controller” — we decide how it’s used.

  2. How we handle personal health information (PHI) that flows through our platform when clinics use our services (call recordings, transcripts, appointment details, patient messages). For this data, the clinic is in charge — Ample AI is a Business Associate (under U.S. HIPAA), an Agent (under Ontario PHIPA), or a Service Provider (under PIPEDA and BC PIPA), and we only handle PHI on the clinic’s instructions and under a signed agreement.

  3. How we keep that data safe — encryption, access controls, breach notification, subprocessor management, and cross-border safeguards.

If you’re a patient of a clinic that uses Ample AI and you have a question about your own health information, please contact your clinic directly. Your clinic is the custodian of your health record; we cannot release information to you without their authorization.

If you’re anyone else, contact us at contact@ampleai.co and we’ll route you to our Privacy Officer.

1. Who We Are

This Privacy Policy is issued by:

2771764 Ontario Inc., carrying on business as Ample AI

1065 Canadian Pl, Ste 201 #332, Mississauga, ON, L4W 0C2, Canada

Email: contact@ampleai.co

In this Policy, “Ample AI,” “we,” “us,” and “our” refer to 2771764 Ontario Inc. “Clinic,” “Client,” or “Customer” refers to a healthcare practice that has contracted with us to use the Services. “Patient,” “caller,” or “individual” refers to a person whose information flows through the Services because they interact with a Clinic.

2. Scope of This Policy

This Policy applies to:

  • The ampleai.co website and any subdomains we operate.

  • Marketing, demo, onboarding, and support interactions with prospective and current Customers.

  • The Ample AI platform — our AI receptionist, automated scheduling, intake, reminders, and workflow automation services (the “Services”).

  • Any personal information we collect, use, disclose, or retain in connection with the above.

This Policy does not apply to:

  • Websites, apps, EHR/PMS systems, or other platforms operated by our Customers or by third parties, even when linked to from our Services.

  • Information our Customers collect from their own patients outside of the Services.

3. How We Relate to Health Data Under Each Jurisdiction

Because our Customers are healthcare practices, most personal information that moves through the Services is also health information. Different laws apply depending on where the Clinic is located, and our role is defined by each of those laws.

United States

  • Applicable law: HIPAA / HITECH (45 CFR Parts 160, 164)

  • Clinic’s role: Covered Entity

  • Ample AI’s role: Business Associate

  • Governing agreement: Master Services Agreement + HIPAA Business Associate Agreement (BAA)

Ontario, Canada

  • Applicable law: PHIPA, 2004 (s. 17)

  • Clinic’s role: Health Information Custodian

  • Ample AI’s role: Agent of the Custodian

  • Governing agreement: Master Services Agreement + Ontario PHIPA Service Provider Privacy Agreement

British Columbia, Canada

  • Applicable law: BC PIPA, 2003

  • Clinic’s role: Organization

  • Ample AI’s role: Service Provider

  • Governing agreement: Master Services Agreement + BC PIPA Service Provider Privacy Agreement

Other Canadian provinces / territories

  • Applicable law: PIPEDA + applicable provincial health information legislation

  • Clinic’s role: Organization / Custodian

  • Ample AI’s role: Service Provider

  • Governing agreement: Master Services Agreement + PIPEDA Service Provider Privacy Agreement

In every jurisdiction, Ample AI handles PHI only on the Clinic’s instructions and only for the purposes set out in the applicable agreement. We do not decide, independently, why or how PHI is processed. If you are a patient whose PHI has been processed through our Services, your rights (access, correction, withdrawal of consent, complaint, etc.) are exercised with and through your Clinic, as the custodian/covered entity.

4. What Information We Collect

4.1 Website and Marketing Data (Ample AI is the controller)

When you visit ampleai.co, book a demo, submit a contact form, or interact with our marketing communications, we may collect:

  • Identifiers you provide: name, email, phone, clinic/practice name, role, approximate location, messages you send us.

  • Usage data: pages viewed, referring URLs, device type, browser type, approximate geolocation derived from IP, timestamps.

  • Cookies and similar technologies: see Section 12.

  • Scheduling and CRM data: notes from sales calls or support interactions.

4.2 Customer Account Data (Ample AI is the controller)

When a Clinic becomes a Customer, we collect:

  • Business contact information for the Clinic and its Authorized Users (name, title, email, phone).

  • Billing information (processed by our payment processor — we do not store full card numbers).

  • Configuration and workflow information you provide during onboarding (scripts, schedules, provider availability, EHR/PMS connection details, routing rules).

  • Service usage data (call volumes, connected minutes, message counts, log data, uptime/error events).

4.3 Health Information Processed Through the Services (the Clinic is in charge)

When a Clinic uses the Services to handle calls, scheduling, intake, reminders, or workflow automation, the following may be collected, transmitted, or stored on the Clinic’s behalf:

  • Patient identifiers disclosed during a call or message (name, date of birth, phone number, email, health card / insurance number to the extent captured by the Clinic’s configured workflow).

  • Appointment and scheduling information.

  • Call audio recordings and transcripts where the Clinic’s workflow enables recording (see Section 11).

  • Free-text messages (SMS, voicemail transcripts, chat messages) to or from patients.

  • Metadata about communications (time, duration, caller ID, call outcome, escalation events).

  • Any additional PHI the Clinic chooses to send to us through an integration, upload, or workflow.

We do not request or need patient clinical information beyond what the Clinic routes through the Services.

5. How We Use Information

5.1 Website and Customer Account Data

We use this data to:

  • Operate, secure, and improve the website and Services.

  • Respond to inquiries, schedule demos, and deliver marketing communications you opt into.

  • Onboard, bill, support, and renew Customer accounts.

  • Produce aggregated analytics about our business and product usage.

  • Comply with legal obligations and defend legal claims.

Our lawful bases (where required by law) include performance of a contract, consent, our legitimate interests in operating and improving our business, and compliance with legal obligations.

5.2 Health Information Processed Through the Services

We use PHI only to:

  • Deliver the Services the Clinic has contracted for — answering calls, routing, scheduling, intake, reminders, workflow automation, and EHR/PMS integration.

  • Provide and improve that specific Clinic’s deployment — reviewing calls and transcripts for quality assurance, support, and troubleshooting, and refining that Clinic’s prompts, scripts, routing rules, booking logic, and configuration to correct mishears, misroutes, and other errors and to optimize the Clinic’s own workflow.

  • Perform system security, availability, and incident response.

  • Comply with legal requirements.

  • Return or destroy PHI on termination of the Clinic’s agreement.

We do not sell PHI. We do not use PHI for our own marketing. We do not make independent decisions about patient care.

5.3 AI Model Training — What We Do and Don’t Do

We draw a clear and contractually binding line between two very different activities:

What we do with identifiable Client Data and PHI: Identifiable call recordings, transcripts, and other PHI may be used to deliver, review, support, troubleshoot, and optimize that Client’s deployment of the Services. This includes sharing recordings and transcripts back to the Client, reviewing them for quality assurance, and refining the Client’s own prompts, scripts, routing, and booking logic. This use is limited to the direct provision of Services to the Client that generated the data and is expressly permitted under each applicable Data Processing Exhibit (HIPAA BAA, Ontario PHIPA, PIPEDA, and BC PIPA forms).

What we do not do without additional authorization: We do not use identifiable PHI or Client Data from one Client to train, fine-tune, or otherwise improve general-purpose AI models, cross-Client models, or other Clients’ deployments. We will do so only where: (a) a Client has given express prior written consent (documented in a written amendment or data processing instruction); or (b) the data has been properly de-identified in accordance with recognized standards (for U.S. Clinics, 45 CFR § 164.514; for Canadian Clinics, established statistical de-identification methods such that individuals cannot reasonably be re-identified). We do not attempt to re-identify de-identified data. A Client may opt out of the use of de-identified or aggregated data derived from its deployment on thirty (30) days’ written notice.

In plain language: identifiable Client recordings and transcripts may be used to deliver, review, support, and optimize that Client’s service. They are not used to train general-purpose or cross-Client models unless expressly authorized in writing or properly de-identified.

6. How We Share Information

We share information only as described below. We do not sell personal information or PHI to anyone, and we do not make it available for anyone else’s advertising.

6.1 Subprocessors and Third-Party Service Providers

We rely on carefully selected third parties to deliver the Services, including cloud hosting, telephony, AI model, analytics, payment processing, and customer support vendors. Each subprocessor that handles Customer data or PHI is bound by a written agreement no less protective than this Policy and, where applicable to U.S. Clinics, by a signed HIPAA Business Associate Agreement. We do not engage subprocessors that cannot commit to these obligations for the data they handle.

A current subprocessor list is maintained and provided to Customers on request. We will update that list as our production architecture evolves and will notify Customers of material changes in accordance with the applicable Data Processing Exhibit.

Stripe is used for Customer billing only; no PHI is shared with our payment processor.

6.2 EHR / PMS Integrations Directed by the Clinic

When a Clinic directs us to connect the Services to an EHR, PMS, calendar, or other system, we send and receive data to and from those systems as the Clinic configures. Those systems are operated by the Clinic or by third parties under separate agreements with the Clinic; their use of data is governed by their own terms and privacy notices.

6.3 Legal, Safety, and Business Transfers

We may share information where required by law or legal process (subpoena, court order, or regulatory demand), to enforce our agreements, to protect the rights, safety, or property of Ample AI or others, or in connection with a merger, acquisition, financing, or sale of all or substantially all of our assets (in which case we will require the recipient to honour this Policy).

6.4 With Your Direction

We share information with third parties when you explicitly direct us to — for example, when you ask us to connect a new integration or forward a record.

7. Where Your Data Is Stored and Processed

We currently operate only in North America. The specific countries and regions in which Customer data and PHI are stored or processed depend on the final production architecture, the Clinic’s jurisdiction, and the subprocessors used for the applicable Service components.

Before onboarding a Clinic, we will confirm the relevant hosting and processing regions and disclose any material cross-border processing that applies to that deployment.

Cross-border implications you should understand:

  • Where PHI is processed outside the Clinic’s home country, it may be subject to the legal processes of the processing country. In particular, data processed in the United States may be subject to the U.S. CLOUD Act, which can compel U.S.-based providers to disclose data in response to lawful U.S. government requests.

  • We use contractual, technical, and operational measures (including encryption in transit and at rest, access controls, and subprocessor agreements) designed to provide the level of protection required by the applicable privacy law regardless of processing region.

  • Canadian Clinics are responsible, as custodians under PHIPA or as organizations under PIPEDA/PIPA, for disclosing to their patients any cross-border processing that applies to their deployment. We will provide the information needed to make that disclosure accurately.

If you would like a detailed description of the data flows for a specific Service component or deployment, contact our Privacy Officer.

8. How Long We Keep Data

  • Website analytics data: 14 months.

  • Marketing and prospect data: until you opt out or request deletion, whichever is earlier.

  • Customer account and billing records: duration of the contract + 7 years for tax and legal compliance.

  • Call recordings (PHI): 90 days.

  • Call transcripts (PHI): 12 months.

  • Appointment and workflow logs: duration of the contract, then deleted on termination per the applicable DPA.

  • Audit logs: 6 years.

On termination of a Customer contract, we make Customer Data available for export for thirty (30) days, after which we return or securely destroy PHI within sixty (60) days in accordance with the applicable Data Processing Exhibit. This timeline is subject to any legal retention obligation, residual data on encrypted backup media (which is overwritten on the ordinary backup rotation cycle), and any data reasonably required to investigate fraud, a security incident, or an unresolved dispute.

9. How We Protect Data

We maintain administrative, physical, and technical safeguards proportionate to the sensitivity of the data, including:

  • Encryption: AES-256 (or equivalent) at rest; TLS 1.2+ in transit.

  • Access control: role-based access, least-privilege provisioning, and multi-factor authentication for all systems that process PHI.

  • Audit logging: recorded access and modifications for all PHI-bearing systems.

  • Vulnerability management: regular vulnerability scanning and periodic penetration testing.

  • Incident response: a documented breach response plan and designated Privacy Officer and Security Officer.

  • Personnel: background-checked personnel and annual privacy & security training.

  • Subprocessor oversight: vendor due diligence and written data protection agreements.

9.1 Breach Notification

If we discover a breach of unsecured PHI:

  • U.S. Clinics (HIPAA): we notify the affected Customer without undue delay and in any event no later than 72 hours after discovery, and cooperate with the Customer’s notification obligations to individuals, HHS, and applicable state authorities.

  • Ontario Clinics (PHIPA): we notify the Clinic at the first reasonable opportunity and without undue delay, and cooperate with the Clinic’s obligations to the IPC of Ontario and to affected individuals.

  • Other Canadian Clinics: we notify the Clinic within 72 hours of discovery of any privacy incident and cooperate with PIPEDA or provincial notification requirements (including OPC, OIPC, or provincial commissioner notifications).

  • For our own website and corporate data, we follow PIPEDA breach notification requirements where applicable and notify affected individuals and the OPC where required by law.

10. Your Rights

The rights available to you depend on (a) whose data you are and (b) the law that applies.

10.1 If You Are a Website Visitor, Prospect, or Customer Contact

You have the right to:

  • Access the personal information we hold about you.

  • Request correction of inaccurate or incomplete information.

  • Request deletion of your information (subject to legal retention obligations).

  • Withdraw consent to marketing communications at any time.

  • Lodge a complaint with a data protection authority (see Section 16).

To exercise any of these rights, email contact@ampleai.co with the subject line “Privacy Request.” We respond within 30 days or as required by applicable law.

10.2 If You Are a Patient Whose PHI Has Been Processed Through the Services

Contact your Clinic first. Your Clinic is the custodian / covered entity / organization that is legally responsible for your health record. We cannot grant you access, make corrections, delete records, or respond to consent requests for PHI without the Clinic’s authorization.

We will support your Clinic in responding to:

  • Access requests (HIPAA 45 CFR § 164.524; PHIPA Part V; PIPEDA Principle 4.9; BC PIPA Part 5).

  • Amendment / correction requests (HIPAA 45 CFR § 164.526; PHIPA s. 55; PIPA s. 24).

  • Withdrawal of consent and other individual rights under the applicable law.

  • Accounting of disclosures under HIPAA 45 CFR § 164.528.

If you have already contacted your Clinic and believe your Clinic has improperly shared PHI with us, please contact our Privacy Officer at contact@ampleai.co and we will assist in the investigation.

10.3 U.S. State Privacy Rights (California and Others)

If you are a resident of California or another U.S. state with a consumer privacy statute (including, at the time of publication, California, Virginia, Colorado, Connecticut, Utah, Texas, Oregon, and others), you may have additional rights to know, access, delete, correct, obtain a portable copy of, and opt out of the sale or sharing of your personal information (we do not sell), along with the right not to be discriminated against for exercising these rights. Submit a request to contact@ampleai.co.

PHI processed through the Services is subject to HIPAA and is generally carved out of most U.S. state consumer privacy laws; however, rights to non-PHI data you provided to us directly (e.g., as a Clinic contact) still apply.

11. Call Recording, Automated Calls, and SMS

Ample AI’s Services may record or transcribe calls when configured to do so by the Clinic. Recordings and transcripts are handled as PHI.

The Clinic is responsible for:

  • Providing the legally required disclosures before a call is recorded (including two-party / all-party consent where required by provincial, state, or federal law).

  • Determining and implementing required AI-assisted interaction disclosures.

  • Obtaining consent for automated calls, prerecorded or artificial voice messages, and SMS communications (including under CASL, TCPA, CAN-SPAM, and provincial/state equivalents).

Ample AI configures disclosures and consent flows at the Clinic’s direction and based on scripts the Clinic has approved. We do not independently determine the sufficiency of those disclosures for the Clinic’s jurisdiction.

12. Cookies and Similar Technologies

We use cookies and similar technologies on ampleai.co for:

  • Strictly necessary: site security, load balancing, session management.

  • Functional: remembering preferences.

  • Analytics: Google Analytics 4 and Google Tag Manager to understand how visitors use the site, improve performance, and measure meeting-booking activity.

  • Marketing/advertising: Google Ads conversion tracking and related tags used to measure the performance of our advertising campaigns, including meeting-booking conversions.

You can manage cookies through your browser settings. Depending on the visitor’s jurisdiction and applicable law, consent may be required before non-essential analytics or advertising cookies are set. Where such consent is required, we will implement an appropriate cookie notice and consent mechanism. Our Services (the AI receptionist platform itself) do not use advertising cookies or tracking pixels for PHI-bearing interactions.

13. Children’s Privacy

Our website and Services are not directed to children. Clinics that serve pediatric patients may process PHI about minors through the Services as part of ordinary healthcare operations; that processing is governed by the Clinic’s own privacy practices, applicable consent rules for minors under the Clinic’s jurisdiction, and the applicable Data Processing Exhibit.

We do not knowingly collect personal information from a child under the age of 13 through our website or marketing. If you believe a child has submitted information to our website, please contact us and we will delete it.

14. Changes to This Policy

We may update this Policy from time to time. When we do, we will:

  • Update the “Effective Date” and “Last Updated” at the top.

  • Post the revised Policy at ampleai.co/privacy-policy.

  • Notify affected Customers directly, where required by law or by our contractual commitments, of material changes to this Policy that affect how Customer PHI is handled.

Continued use of the Services or the website after an update takes effect constitutes acceptance of the updated Policy, subject to any additional rights or protections required by applicable law or our contractual commitments.

15. How to Reach Us

Privacy Officer, Ample AI

2771764 Ontario Inc.

1065 Canadian Pl, Ste 201 #332, Mississauga, ON, L4W 0C2, Canada

Email: contact@ampleai.co (Subject: “Privacy Request”)

16. Complaints and Supervisory Authorities

If you are not satisfied with how we have handled your personal information, you may file a complaint with the applicable authority:

  • Canada (federal): Office of the Privacy Commissioner of Canada — priv.gc.ca

  • Ontario (health): Information and Privacy Commissioner of Ontario — ipc.on.ca

  • British Columbia: Office of the Information and Privacy Commissioner for BC — oipc.bc.ca

  • Alberta: Office of the Information and Privacy Commissioner of Alberta — oipc.ab.ca

  • United States (HIPAA): U.S. Department of Health and Human Services, Office for Civil Rights — hhs.gov/hipaa

Patients whose PHI has been processed through the Services should generally raise complaints with their Clinic and its supervising authority in the first instance.
