Data Breach Notification Policy

EletvaAi (operating as Aria Dental) · Last Updated: April 25, 2026

This policy describes how EletvaAi handles data security incidents and notifies affected parties in accordance with applicable laws, including the Health Insurance Portability and Accountability Act (HIPAA).

1. Purpose

EletvaAi operates Aria Dental, an AI voice receptionist platform for dental clinics. This policy establishes procedures for identifying, containing, and reporting data security incidents to protect the privacy of clinic partners and their patients.

2. What Constitutes a Breach

A data breach is any unauthorized access, use, disclosure, modification, or destruction of data in our systems. This includes, but is not limited to:

Unauthorized access to patient scheduling data or clinic records
Loss or theft of devices containing clinic or patient information
Accidental disclosure of clinic data to unintended parties
System compromise, hacking, or ransomware incident
Unauthorized internal access by employees or contractors

Not every security incident constitutes a reportable breach. Each incident is assessed individually to determine whether notification obligations apply under HIPAA and applicable state law.

3. Detection & Assessment

Upon discovering a potential breach, EletvaAi will:

Immediately isolate affected systems to prevent further exposure
Assess the scope and nature of the incident within 24 hours
Determine what categories of data were affected and how many individuals may be impacted
Document all findings, containment steps, and remediation actions
Engage legal counsel and, where applicable, a forensic investigator

4. Notification Timeline

Affected Clinics

Notified within 24 hours of confirmed breach discovery. Initial notification may be verbal, followed by written confirmation within 72 hours.

Affected Patients

Notified within 60 days of breach discovery, as required by HIPAA. Notification coordinated with the affected clinic.

HHS (if PHI involved)

U.S. Department of Health & Human Services notified within 60 days. If 500 or more individuals are affected, media notification in the relevant jurisdiction is also required.

State Regulators

Additional notifications made as required by applicable state breach notification laws, within the timeframes prescribed by each state.

5. Notification Content

All breach notifications will include:

A plain-language description of what happened and when
The types of data involved (e.g., names, phone numbers, scheduling information)
Steps taken to contain the breach and prevent recurrence
Steps individuals can take to protect themselves
Contact information for questions and further assistance

6. Business Associate Obligations

EletvaAi acts as a Business Associate under HIPAA for clinics that handle Protected Health Information (PHI). In that capacity, we are obligated to:

Notify the affected Covered Entity (the clinic) of any breach of unsecured PHI without unreasonable delay and within 60 days of discovery
Provide all information reasonably available to allow the clinic to fulfill its own notification obligations
Cooperate fully with any regulatory investigation

7. Remediation & Prevention

Following any confirmed breach, EletvaAi will conduct a root cause analysis and implement corrective measures, which may include:

Security patches and system hardening
Access control review and credential rotation
Staff security training
Updates to internal data handling procedures
Third-party security audit

8. Contact

To report a security concern or suspected breach, contact us immediately:

Security: legal@ariadental.co

Legal: legal@ariadental.co

General: hello@ariadental.co

9. Policy Review

This policy is reviewed annually and updated as needed to reflect changes in law, technology, or our data practices. Material updates will be communicated to clinic partners.

EletvaAi · ariadental.co · Founder: Milind Naik