Dalil
PrivacyTerms
Dalil is operated by Ahmad Ibrahim. Contact: ahmad@dalil.bio

Privacy Policy

Last Updated: April 10, 2026

1. Introduction

Dalil is an AI-powered platform for pharmaceutical and biotechnology companies to conduct Virtual MSL Visits — voice-based scientific exchange sessions with healthcare professionals (HCPs), powered by approved scientific content uploaded by the company.

This Privacy Policy describes how we collect, use, store, and protect information when you use the Dalil platform, whether as a company employee, administrator, or healthcare professional participating in a Virtual MSL Visit.

2. Information We Collect

From Company Users (pharmaceutical company employees)

  • Account information: name, email address, job title, company name, and role within the platform
  • Usage data: pages viewed, features used, session duration, and actions taken within the platform
  • Content uploaded: scientific documents (prescribing information, publications, clinical study reports, slide decks, FAQs), compliance materials, and guardrail configurations
  • Conversation data: AI agent configuration, sandbox testing conversations, and administrative interactions

From Healthcare Professionals (HCPs)

  • Information provided by the inviting company: name, email address, title, specialty, institution, city, state, and NPI number
  • Voice conversation data: voice audio during Virtual MSL Visits (processed in real-time, not stored after transcription — see Data Retention)
  • Conversation transcripts: text transcriptions of Virtual MSL Visit conversations, generated automatically
  • AI-generated transcripts: formatted transcripts with citations and summaries delivered after each visit
  • Feedback responses: optional post-visit feedback ratings and comments
  • Technical data: browser type and IP address (used for security, not stored long-term)

Automatically Collected Information

  • Device and browser information (type, version, operating system)
  • IP addresses (for security and abuse prevention — not used for tracking or advertising)
  • Usage analytics via PostHog (anonymized and aggregated)

3. How We Use Information

  • To provide, operate, and maintain the Dalil platform
  • To process and respond to HCP questions during Virtual MSL Visits using AI, sourced exclusively from company-approved content
  • To generate conversation transcripts with citations and deliver them to HCPs via email
  • To extract intelligence insights from conversations — including aggregated topic trends, content gap identification, and competitor mention analysis. These insights serve the company that owns the conversation and are not used for individual HCP profiling for marketing purposes.
  • To improve the platform's AI capabilities, user experience, and reliability
  • To send transactional emails (visit invitations, transcripts, account notifications, access request updates)
  • To enforce platform security, prevent abuse, and maintain immutable audit trails

We do NOT:

  • Sell personal information to third parties
  • Use HCP conversation data for advertising, marketing, or promotional purposes
  • Share data between different company tenants on the platform
  • Use HCP conversation data to train general-purpose AI models

4. Data Isolation and Multi-Tenancy

Each company on Dalil operates in a fully isolated environment. This means:

  • Company A's documents, conversations, HCP data, and intelligence are never accessible to Company B
  • Isolation is enforced at multiple levels: the database level (PostgreSQL row-level security policies), the application level (tenant-scoped API authorization), the file storage level (isolated storage paths), and the AI context level (each conversation only accesses that company's content)
  • Brand-level isolation is also maintained within a company — the AI agent for Brand X only retrieves and cites content approved for Brand X, never content from Brand Y
  • Audit logs are company-scoped and only accessible to authorized administrators within that company

5. AI and Automated Processing

  • Dalil uses artificial intelligence, including large language models from third-party providers, to power Virtual MSL Visits and intelligence extraction
  • AI-generated responses are sourced exclusively from content uploaded by the company. Dalil does not generate medical information from general AI training data. The AI operates in a closed-loop retrieval-augmented generation (RAG) architecture.
  • Voice conversations are processed using third-party speech-to-text and text-to-speech services. Audio data is transmitted securely via WebRTC and is not retained by these third-party services beyond the duration of real-time processing.
  • AI-generated intelligence — including topic extraction, sentiment analysis, content gap identification, and competitor mention tracking — is derived from conversation transcripts and is used solely to serve the company that owns the conversation
  • Dalil's AI may produce inaccurate, incomplete, or outdated information. Companies are responsible for verifying the accuracy of AI outputs and the content they upload. See our Terms of Service for the full AI disclaimer.

6. Third-Party Services

We use the following categories of third-party services to operate Dalil. Specific vendors may change; we select services based on their security practices and data handling policies.

  • Cloud hosting and infrastructure: for application hosting, database management, and file storage
  • AI model providers: for large language model inference (text generation and analysis) and real-time voice interaction (speech-to-text and text-to-speech)
  • Email delivery services: for sending visit invitations, transcripts, and account notifications
  • Analytics services: for anonymized, aggregated platform usage data (not for tracking individual users)
  • Authentication services: for secure user authentication and session management

Data is transmitted to third parties only as necessary to provide the service. We do not sell or share personal data with third parties for their own purposes.

7. Data Retention

  • Account data: retained for the duration of the account plus 30 days after deletion to allow recovery
  • Uploaded documents: retained until deleted by the company administrator. When deleted, the document content and AI embeddings are permanently removed; metadata is archived for the audit trail.
  • Conversation transcripts and intelligence data: retained for the duration of the company's use of the platform. Companies may request deletion at any time.
  • Audit logs: retained for a minimum of 3 years for regulatory compliance purposes. Audit logs are immutable and cannot be modified or deleted during the retention period.
  • Voice audio: not stored after transcription is complete. Audio is processed in real-time via WebRTC and only the text transcript is retained.
  • Access request data: retained for 1 year after submission, regardless of approval status, for security and operational purposes.

8. Data Security

  • All data is encrypted at rest (AES-256) and in transit (TLS 1.3)
  • Access to production systems is restricted to authorized personnel and audited
  • Role-based access controls (RBAC) limit who can view and manage data within each company, down to the brand level
  • Immutable audit logs track every significant action on the platform, including document uploads, guardrail changes, user management actions, and conversation events
  • We conduct regular security reviews of our infrastructure and codebase
  • Database-level row-level security (RLS) policies enforce tenant isolation independently of application code

9. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal data:

  • Access: You may request a copy of the personal data we hold about you
  • Correction: You may request correction of inaccurate or incomplete data
  • Deletion: You may request deletion of your personal data, subject to legal retention requirements (e.g., audit logs)
  • Portability: You may request your data in a structured, machine-readable format
  • Objection: You may object to certain types of processing of your data
  • Restriction: You may request restriction of processing in certain circumstances

To exercise any of these rights, please contact us at ahmad@dalil.bio. We will respond to your request within 30 days.

10. HIPAA Acknowledgment

  • Dalil is designed with security practices aligned to healthcare data protection standards, including encryption at rest and in transit, access controls, audit logging, and data isolation.
  • Dalil is not currently HIPAA-certified. Companies that require HIPAA compliance should contact us at ahmad@dalil.bio to discuss a Business Associate Agreement (BAA) and specific compliance requirements.
  • Companies should not upload Protected Health Information (PHI) to the platform unless a BAA is in place and mutually agreed upon.

11. Children's Privacy

Dalil is not intended for use by individuals under 18 years of age. We do not knowingly collect personal information from minors. If we become aware that we have collected information from a person under 18, we will promptly delete it.

12. International Data Transfers

Dalil's infrastructure is located in the United States. Data is processed and stored in the United States. By using Dalil, you consent to the transfer of your information to the United States, which may have different data protection laws than your country of residence.

13. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. When we make material changes, we will notify you via email or a prominent notice on the platform. Your continued use of Dalil after changes are posted constitutes acceptance of the updated policy.

We encourage you to review this Privacy Policy periodically.

14. Contact

If you have questions or concerns about this Privacy Policy or Dalil's data practices, please contact us: