Privacy Policy

Last Updated: October 2, 2025

1. INTRODUCTION

Dental AI ("we," "us," or "our") is committed to protecting the privacy and security of your Protected Health Information (PHI) and personal data. This Privacy Policy explains how we collect, use, disclose, and safeguard information when you use our AI-powered scheduling intelligence platform ("Service").

Our Service is designed to integrate with your practice management software, such as Open Dental, to optimize scheduling, enhance practice efficiency, and support operational excellence. This policy applies to all users of our Service, including dental practices, healthcare providers, administrative staff, and patients whose information is processed through our platform.

2. INFORMATION WE COLLECT

To provide our scheduling intelligence services, we process several categories of information.

2.1 Protected Health Information (PHI)

We process PHI as a "Business Associate" under the Health Insurance Portability and Accountability Act (HIPAA). This information is accessed through integration with your practice management system and may include:

  • Patient demographic information (e.g., name, date of birth, contact details)
  • Appointment history and scheduling data
  • Treatment plans and procedure codes
  • Provider-patient assignments and clinical notes relevant to scheduling

2.2 Practice Information

We collect data related to your dental practice to customize and manage our Service:

  • Practice management system data, specifically for integration with Open Dental
  • Provider schedules, procedure timings, and operational preferences
  • Staff user accounts, roles, and access permissions
  • Subscription and billing information
  • Communications related to technical support and service management

2.3 Technical Information

We automatically collect technical data to ensure the performance, security, and functionality of our platform:

  • Device and browser information (e.g., IP address, operating system, browser type)
  • Usage analytics and platform performance metrics
  • System logs, error reports, and security event data
  • Authentication and access records

3. HOW WE USE INFORMATION

Our use of the collected information is strictly limited to the purposes for which it was intended.

3.1 Primary Purposes

  • Scheduling Optimization: To analyze historical and real-time data to create efficient and productive schedules.
  • Practice Management Integration: To seamlessly sync with your Open Dental software, ensuring data consistency and accuracy.
  • AI-Powered Analytics: To provide insights into practice performance, provider productivity, and chair utilization.
  • Service Delivery: To manage user accounts, provide real-time schedule adjustments, and deliver automated appointment communications.

3.2 Secondary Purposes

  • Platform Improvement: To enhance our AI algorithms and service features using de-identified and aggregated data.
  • Technical Support: To diagnose and resolve technical issues and provide customer assistance.
  • Compliance and Security: To monitor for security threats, ensure HIPAA compliance, and conduct internal audits.
  • Business Operations: To process payments, manage subscriptions, and communicate important service updates.

Important Note on AI Model Training:

We do not use identifiable PHI for training our AI models. All data used for platform improvement is fully de-identified before any analysis, with all patient-identifying information removed, to protect patient privacy.

4. INFORMATION SHARING AND DISCLOSURE

4.1 No Sale of PHI

Dental AI does not and will not sell, rent, lease, or otherwise trade PHI or personal information to any third party for marketing, advertising, or commercial purposes.

4.2 Permitted Disclosures

We disclose PHI only under the following specific circumstances:

  • To the Covered Entity: To your practice, as part of providing our contracted services.
  • For Healthcare Operations: For functions such as quality assurance, compliance, and business planning, as permitted under HIPAA.
  • As Required by Law: When compelled by a court order, subpoena, or other legal mandate.

4.3 Business Associates

We may engage third-party vendors (subcontractors) to support our service delivery, such as cloud hosting providers. We maintain formal Business Associate Agreements (BAAs) with all such vendors who may have potential access to PHI, contractually obligating them to uphold the same stringent security and privacy standards we maintain.

4.4 Data Location

All PHI is processed and stored on secure, HIPAA-compliant infrastructure located within the United States. We do not transfer PHI outside of the United States.

5. DATA SECURITY MEASURES

We implement robust technical, administrative, and physical safeguards to protect all data within our systems.

5.1 Technical Safeguards

  • Encryption: All PHI is protected with AES-256 encryption, both in transit and at rest.
  • Access Controls: We enforce multi-factor authentication, role-based access, and the principle of least privilege to limit data access.
  • Audit Logging: We maintain comprehensive audit logs of all access, modification, and disclosure of PHI.
  • Network Security: Our infrastructure is protected by firewalls, intrusion detection systems, and other advanced security protocols.

5.2 Administrative Safeguards

  • HIPAA Training: All employees and contractors undergo regular training on HIPAA regulations and data security best practices.
  • Risk Assessments: We conduct periodic security risk analyses and vulnerability testing.
  • Incident Response Plan: We have a formal plan to promptly respond to and notify you of any security incidents or data breaches.

5.3 Physical Safeguards

  • Data Centers: Our services are hosted in SOC 2-certified data centers with 24/7 physical security, monitoring, and restricted access.

6. DATA RETENTION AND DELETION

6.1 Retention Period

We retain PHI and practice data on our servers for the duration of our service agreement and in accordance with the specifications set by each client. System and security logs are retained for a minimum of six years to comply with HIPAA requirements.

6.2 Data Deletion

Upon the termination of our service agreement, all PHI associated with your practice will be securely and permanently deleted from our active systems according to your specified timeline. We will provide a written certification of data destruction upon request. De-identified, aggregated data may be retained for analytical and platform improvement purposes.

7. YOUR PRIVACY RIGHTS

As stipulated by HIPAA, individuals have specific rights concerning their PHI. We facilitate these rights on behalf of our clients (the covered entities). These rights include:

  • Access: The right to request copies of PHI.
  • Amendment: The right to request corrections to inaccurate or incomplete PHI.
  • Restriction: The right to request limitations on the use and disclosure of PHI.
  • Accounting of Disclosures: The right to receive a list of certain disclosures of PHI.

To exercise these rights, patients should contact their healthcare provider (our client) directly. We will assist our clients in responding to such requests in a timely manner.

8. COOKIES AND TRACKING TECHNOLOGIES

8.1 Essential Cookies

We use necessary cookies for core platform functionality, such as user authentication, session management, and security monitoring. These cookies do not contain PHI.

8.2 Analytics

We use analytics tools to monitor platform performance and user engagement. This data is de-identified and aggregated to help us improve our Service. No PHI is ever used for general analytics purposes.

9. CHILDREN'S PRIVACY

Our Service is intended for use by dental practices and their authorized staff. It is not directed toward children under the age of 13. We do not knowingly collect personal information directly from children under 13. Any PHI of minors is processed by our Service under the authority of the healthcare provider.

10. BREACH NOTIFICATION

In the unlikely event of a data breach involving unsecured PHI, we will act in accordance with our Incident Response Plan and our obligations under HIPAA. We will notify the affected covered entity (your practice) without unreasonable delay and provide all necessary information to help you meet your notification obligations to affected individuals and the U.S. Department of Health and Human Services.

11. PRIVACY POLICY UPDATES

We may update this Privacy Policy periodically to reflect changes in our services, technology, or legal requirements. We will notify registered users of any material changes via email or a prominent notice on our platform. Continued use of the Service after such notification constitutes acceptance of the updated policy.

12. CONTACT INFORMATION

12.1 Privacy Officer

For any questions, concerns, or requests related to this Privacy Policy or our data handling practices, please contact our Privacy Officer:

Email: hello@getdentalai.com

Subject Line: Privacy Inquiry

12.2 HIPAA Complaints

You also have the right to file a complaint with the U.S. Department of Health and Human Services if you believe your privacy rights have been violated.

Office for Civil Rights

U.S. Department of Health and Human Services

200 Independence Avenue, S.W.

Washington, D.C. 20201

Phone: 1-877-696-6775

Website: www.hhs.gov/ocr/privacy/hipaa/complaints/

13. BUSINESS ASSOCIATE AGREEMENT

This Privacy Policy is designed to supplement the Business Associate Agreement (BAA) executed between Dental AI and our clients (covered entities). In the event of any conflict between this policy and the terms of an executed BAA, the terms of the BAA shall prevail.

Your Privacy is Our Priority

At Dental AI, we are committed to maintaining the highest standards of data protection and privacy. Your trust is the foundation of our relationship, and we take that responsibility seriously.