Privacy Policy
Effective as of: December 21, 2025
1. Introduction and Scope
This Privacy Policy describes how Needletail Inc. ("Needletail", "we", "us", or "our") collects, uses, discloses, and protects information in connection with: (a) the public website located at needletailai.com (the "Website"); and (b) our AI-powered, fully managed dental insurance eligibility verification and revenue cycle management services, including any related SaaS platform, integrations, and support (together, the "Services").
By using the Website or the Services, or by otherwise communicating with us, you acknowledge that you have read and understood this Privacy Policy. This Privacy Policy is governed by the laws of the State of Delaware and applicable U.S. federal law.
If you have any questions about this Privacy Policy, please contact us at legal@needletailai.com.
2. Our Role Under HIPAA and Other Laws
For U.S. dental practices, group practices, and DSOs that are Covered Entities or otherwise subject to HIPAA, Needletail generally acts as a "Business Associate" and enters into a Business Associate Agreement ("BAA") with each such customer. Under these agreements, we process Protected Health Information ("PHI") solely to provide the Services and as permitted by the BAA, applicable law, and the customer's written instructions. We do not use PHI for our own marketing purposes.
For information collected through the Website (for example, from visitors or prospective customers) and for business contact information of customer personnel, we act as an independent entity determining the purposes and means of processing, in line with applicable privacy laws. For client and patient data processed within the Services, we act as a processor / Business Associate on behalf of our customers.
3. Information We Collect
3.1 Website Visitors and Prospects
When you visit the Website or interact with us as a prospective customer, we may collect:
- Contact information you provide: such as name, business email address, phone number, practice name, clinic address, role/title, and the content of messages or inquiries you submit through forms, email, or similar channels.
- Technical and usage information: such as IP address, browser type, operating system, device identifiers, referring URLs, pages viewed, and timestamps.
- Information collected via cookies, pixels, tags, and similar technologies: including through tools such as Google Analytics 4 (GA4), PostHog, Microsoft Clarity, LinkedIn Insight Tag, Meta Pixel, Google Tag Manager, and our CRM and marketing tools. These tools help us understand how visitors use the Website and support our sales and marketing activities.
3.2 Customer Personnel
For employees and other personnel of our customers who interact with the Services or with our team, we may collect:
- Business contact details and identifiers: such as name, business email address, phone number, role/title, and practice or DSO affiliation.
- Account and usage information: relating to access to and use of the Services, including activity logs and communications with our support and operations teams.
3.3 Patient and Insurance Information (PHI and Related Data)
As part of providing our managed eligibility verification and related RCM Services to our customers, we process data about their patients and their insurance coverage, which may include PHI under HIPAA. This information is provided by our customers and their systems, or obtained from payers and payer portals on their behalf, and can include:
- Patient and member data: contained in the customer's practice management system, integrated systems, secure file uploads, or APIs, to the extent necessary for eligibility verification and related workflows.
- Insurance and benefits information: such as payer details, member and group information, plan and coverage details, and eligibility responses from payers and portals.
- Appointment-related information: and other data the customer determines is needed to perform eligibility verification or revenue cycle operations.
We do not collect patient identifiers directly from the public Website. All PHI is received or accessed in the context of the Services and processed on behalf of our customers under applicable contracts and BAAs.
3.4 Audio, Call Data, and Documents
In connection with our AI-powered and human-assisted workflows, we may process:
- Audio recordings and transcripts: from calls made to or from payers or other counterparties using our voice agents, as necessary to obtain eligibility information and support quality assurance.
- Documents and other content: used in the eligibility and RCM processes, such as eligibility outputs from payer portals, verification reports, uploads from customers, and related documentation.
3.5 Categories We Do Not Intentionally Collect Directly
We do not directly collect or store payment card information through the Website or Services; any payments and billing arrangements are handled through other channels determined by our customers or third-party providers. We also do not intentionally collect sensitive identifiers such as Social Security numbers outside the context of PHI provided by or on behalf of our customers under HIPAA.
4. How We Collect Information
We collect information in several ways:
- Directly from you: when you complete forms on the Website, schedule a meeting, communicate with us by email, or otherwise provide information.
- Automatically: through cookies and similar technologies when you use the Website or, as applicable, the online components of the Services.
- From our customers and their systems: including via direct integrations with cloud practice management systems, APIs, secure file uploads, and other mechanisms the customer configures.
- From payers and payer portals: clearinghouses, and similar systems when we access or retrieve eligibility and benefits information on behalf of customers.
We do not collect PHI from public sources for our own purposes; we process PHI only as provided or authorized by our customers and payers in connection with the Services.
5. How We Use Information
We use the information we collect for the following purposes:
- To provide and operate the Services: including verifying insurance eligibility, generating and delivering eligibility and benefits information into customers' practice management systems, and supporting related RCM workflows.
- To configure, maintain, and improve: our integrations, AI agents, and operational processes, including quality assurance, error detection, and performance monitoring, and to use de-identified, aggregated, or non-PHI data where appropriate for analytics and model improvement in accordance with our contracts and BAAs.
- To provide customer support: respond to inquiries, and communicate with customers and prospects about onboarding, service updates, and account-related information.
- To send marketing communications: product updates, event information, and other materials; you may opt out of marketing emails at any time using the unsubscribe link or by contacting us.
- To maintain security and integrity: of the Website and Services, including authentication, access control, logging, monitoring, and fraud or abuse prevention.
- To comply with legal, regulatory, and contractual obligations: including those under HIPAA, BAAs, and other applicable agreements.
We do not use PHI for cross-selling or third-party advertising, and we do not sell PHI.
6. Cookies, Analytics, and Similar Technologies
We use cookies and similar technologies on the Website and, where applicable, within the Services:
- Essential cookies: help operate core functionality such as security, load balancing, and session management.
- Analytics tools: such as GA4, PostHog, Microsoft Clarity, and related technologies, help us understand how visitors and users interact with the Website and Services, so we can improve performance, usability, and content.
- Marketing and advertising tools: such as LinkedIn Insight Tag, Meta Pixel, Google Tag Manager, and CRM/marketing platforms, support our sales and marketing efforts, including measuring campaign effectiveness and, where permitted, tailoring content and outreach.
You can manage cookie preferences through the cookie banner and preference center provided on the Website, as well as via your browser settings. If you disable certain cookies, some Website or Service features may not function properly.
7. How We Share Information
We share information in the limited ways described below:
- With customers and their authorized users: to deliver eligibility verification results, reports, and other outputs of the Services.
- With service providers and subprocessors: that support our infrastructure and operations, such as cloud hosting (e.g., AWS), content delivery and security (e.g., services similar to Cloudflare or reCAPTCHA), email delivery providers, analytics platforms, CRM tools, and AI infrastructure providers. These parties are bound by contractual obligations to use the information only as necessary to perform services for us and to protect it appropriately, and where PHI is involved, we require Business Associate-level protections as applicable.
- With professional advisors: such as auditors, lawyers, and consultants, as necessary for legitimate business purposes and under duties of confidentiality.
- In connection with a corporate transaction: such as a merger, acquisition, or sale of assets, subject to appropriate safeguards and continued protection of information.
- When required by law: regulation, legal process, or governmental request, or when we believe in good faith that disclosure is necessary to protect the rights, property, or safety of Needletail, our customers, or others.
We do not sell personal information, and we do not "sell" or "share" PHI for cross-context behavioral advertising as those terms may be defined under certain U.S. state laws.
8. International Transfers
Our primary production infrastructure is located in the United States. In the course of providing the Services and operating our business, information may be accessed by Needletail personnel or service providers located in other countries, subject to appropriate access controls, confidentiality obligations, and contractual safeguards.
Where required by law, we implement additional measures to protect personal information subject to cross-border transfers, in line with our regulatory and contractual obligations.
9. Data Retention
We retain personal information only for as long as necessary to fulfill the purposes described in this Privacy Policy, to comply with legal, regulatory, and contractual requirements, to resolve disputes, and to enforce our agreements.
For PHI and other client data processed as part of the Services, retention periods are guided by applicable law and are further governed by our BAAs, MSAs, and other agreements with customers. Customers may request deletion or export of data in accordance with those agreements and applicable law. We retain Website logs, security logs, and analytics data for a commercially reasonable period to support security, operations, and product improvement.
10. Security
We maintain administrative, technical, and physical safeguards designed to protect the confidentiality, integrity, and availability of information we process, consistent with industry standards, HIPAA requirements, and the controls we are implementing as part of our SOC 2 Type 2 efforts. These measures include, as appropriate:
- Encryption in transit and at rest
- Role-based access controls
- Authentication safeguards
- Logging and monitoring
- Secure development practices
- Personnel training
While we work hard to protect information, no method of transmission or storage is completely secure. We cannot guarantee absolute security, but we are committed to promptly investigating and addressing security incidents and complying with applicable breach notification obligations under law and our contractual commitments.
11. AI and Automated Processing
Our Services use multiple AI agents, including portal/document, voice, and QA agents, combined with human quality assurance, to help perform dental insurance eligibility verification and related RCM workflows. AI components process PHI and insurance data only to the extent necessary to provide the Services on behalf of our customers and as permitted by applicable BAAs and contracts.
We may use de-identified, aggregated, or non-PHI data, and other information as allowed by our agreements, to improve and refine our models and internal tools. AI outputs are subject to human review and quality checks as part of our operations. Customers remain responsible for their own clinical, operational, and billing decisions made using information provided through the Services.
12. Children's Privacy
The Website and Services are intended for professional users, such as dental practices, group practices, and DSOs, and are not directed to children under 13 years of age. We do not knowingly collect personal information directly from children via the Website.
Any PHI relating to minors that we process is handled only as part of our Services to professional customers and is governed by HIPAA, BAAs, and other applicable agreements. If you believe that a child has provided personal information to us directly through the Website, please contact us so that we can take appropriate steps.
13. Your Choices and Rights
You have certain choices regarding how we use your information:
- Marketing communications: You may opt out of marketing emails at any time by using the unsubscribe link in those emails or by contacting us at legal@needletailai.com. We may still send you transactional or service-related communications as necessary.
- Cookies and tracking: You can manage cookie preferences through the cookie banner and preference center on the Website and via your browser settings.
Depending on applicable law, you may have rights to request access to, correction of, or deletion of certain personal information that we hold about you. For information processed as PHI or on behalf of a customer, we may need to direct your request to the relevant customer (for example, your dental provider), and we will support them in responding consistent with our contractual and legal obligations.
14. Third-Party Sites and Services
The Website may contain links to third-party websites, applications, or services. We are not responsible for the privacy practices of those third parties, and this Privacy Policy does not apply to information collected by them. You should review the privacy policies of any third-party sites or services you use.
15. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. When we do, we will update the "Last updated" date at the top of this page. In the case of material changes, we may provide additional notice, such as posting a prominent notice on the Website or communicating directly with customers, consistent with our contractual obligations and industry practice.
Your continued use of the Website or Services after any changes become effective signifies that you have read and understood the updated Privacy Policy.
16. Contact Us
If you have any questions, concerns, or requests relating to this Privacy Policy or our privacy practices, please contact us at:
Needletail Inc.
8 The Green, Suite A
City of Dover, County of Kent
Delaware 19901, USA
Email: legal@needletailai.com