Privacy Policy - DentalBoost.AI

Privacy Policy

Last Updated: November 8, 2025

DentalBoost.AI ("Dental Boost," "we," "our," or "us") respects your privacy and is committed to safeguarding the personal and professional information you share with us.

This Privacy Policy explains how we collect, use, disclose, protect, and retain information in connection with:

  • our website located at https://www.dentalboost.ai (the "Site"), and
  • our AI-powered receptionist and automation platform and related services for dental practices (collectively, the "Services").

By accessing or using the Services, you consent to this Privacy Policy and acknowledge that it forms part of our Terms of Service. This policy is not legal advice.

If you are a patient of a dental practice using Dental Boost, this Privacy Policy describes how we process information on behalf of your provider. Please contact your dental provider directly for questions about your patient records.


1. Relationship to Other Agreements

This Privacy Policy works together with:

  • our Terms of Service, and
  • our Business Associate Agreement (BAA) (for PHI governed under HIPAA).

If any conflict arises between this Privacy Policy and a signed BAA, the BAA controls to the extent the conflict relates to PHI.

2. Information We Collect

We collect information in three broad categories: Business/Account Data, Operational & Communications Data, and Technical Data (including cookies/analytics).

2.1 Business and Account Information

When your dental practice creates an account, books a demo, or purchases a subscription, we collect:

  • Practice name and contact details
  • Access credentials and preferences
  • Billing and payment details (processed via third-party processors like Stripe)
  • Information provided during sales calls, onboarding, surveys, support, or training

2.2 Operational & Communications Data

When you use the Services, we may collect and process:

  • Telephone calls, voicemails, call metadata, telephony logs, recordings, transcripts, and AI-generated responses
  • SMS/MMS messages, emails, chat transcripts, and appointment-related communication
  • Practice workflow data such as scheduling, reminders, missed call details, routing logic, and basic insurance-related inputs entered by your staff
  • User-created prompts, scripts, flows, tagging, and configurations

Some of this may include Protected Health Information (PHI) under HIPAA.

2.3 Technical Data, Cookies, and Analytics

When you visit our Site or Services, we collect:

  • Device type
  • Browser information
  • IP address
  • Location approximations
  • Access times and navigation behavior
  • Error logs and diagnostic data

We use cookies and similar technologies to:

  • Authenticate users
  • Maintain session preferences
  • Analyze site usage
  • Improve marketing effectiveness

You may disable cookies, but doing so may disrupt some features.

3. How We Use Information

We use the information we collect to:

  • Operate, improve, and secure the Services
  • Authenticate users and protect accounts
  • Enable AI receptionist, routing, messaging, scheduling, and automation
  • Provide onboarding, support, troubleshooting, and training
  • Process subscriptions and billing
  • Enforce anti-abuse, TCPA, HIPAA, and security controls
  • Send product updates, learning resources, and marketing communications (opt out anytime)

Use of De-Identified or Aggregated Information

We may use or share de-identified and/or aggregated information:

  • to analyze trends,
  • improve accuracy and performance,
  • develop features and AI enhancements.

When information is de-identified in accordance with HIPAA, it is no longer considered PHI.

4. How We Use and Protect PHI (HIPAA)

When serving dental practices, we act as a Business Associate under HIPAA. PHI is handled only pursuant to:

  • HIPAA requirements,
  • our BAA, and
  • your documented instructions as a Covered Entity.

Key commitments:

  • PHI is encrypted in transit and at rest
  • Access to PHI is restricted based on role and necessity
  • PHI is not sold, rented, or used for cross-context advertising
  • PHI is not used to train public, shared, or third-party foundation models
  • We may process de-identified, aggregated data to enhance service performance

We will notify affected customers of any confirmed breach involving PHI within the timelines defined by the HIPAA Breach Notification Rule and our BAA.

You (the Covered Entity) are responsible for obtaining patient consent and ensuring lawful PHI submission.

5. How We Share Information

We do not sell, lease, or share personal information for cross-context behavioral advertising.

We share information only as follows:

5.1 Subprocessors / Service Providers

We engage third-party vendors who support the Services, including:

  • Telephony and carrier networks
  • Cloud hosting infrastructure providers
  • AI processing providers
  • Scheduling tools (optional)
  • Billing and payment systems
  • Analytics, monitoring, and support tools
  • CRM delivery infrastructure

All subprocessors are contractually bound to:

  • maintain confidentiality,
  • implement security safeguards, and
  • limit information use solely to service delivery.

Where required, we execute Business Associate Agreements or equivalent controls with subprocessors.

5.2 Legal & Safety

We may disclose data if required by:

  • law or regulation,
  • lawful request, or
  • the defense of rights, property, systems, or the safety of users or the public.

Where feasible and legally allowed, we will notify you in advance.

5.3 Business Transfers

If we undergo a merger, acquisition, financing, restructuring, or sale of assets, information may be transferred as part of that transaction subject to this Privacy Policy.

6. Data Retention

We retain data:

  • as long as your account remains active, or
  • as required to meet contractual, security, legal, or compliance obligations.

Once no longer required, data is:

  • deleted,
  • anonymized, or
  • de-identified consistent with HIPAA where applicable.

Your ToS and BAA describe export rights and timelines after termination.

7. Security

We implement technical, administrative, and physical safeguards including:

  • Encryption (TLS in transit, AES-256 at rest)
  • Access control + least-privilege security
  • MFA for internal systems
  • Monitoring and audit logs
  • Incident response protocols
  • Vendor vetting and contracts
  • Risk assessments and periodic review of controls

No system is 100% secure; however, we continually improve protections to reduce risk.

8. International Transfers

Our platform is hosted in the United States. If you access the Services from other regions, you consent to the processing of data in the U.S. Practices outside the U.S. are responsible for determining applicable laws and compliance requirements.

9. US State Privacy Rights (e.g., California CPRA)

Certain U.S. state laws give residents data rights, including:

  • access / know
  • correct
  • delete
  • portability
  • opt out of "sale" or "sharing"

Dental Boost:

  • does not sell personal information, and
  • does not share personal information for cross-context behavioral advertising under California law.

To exercise state privacy rights, email [email protected] with the subject "Privacy Rights Request" and your state of residence. Identity verification may be required.

We will not discriminate against individuals for exercising privacy rights.

10. Do Not Track Signals

At this time, because standards for interpreting "Do Not Track" signals are not established, our Site does not respond to them. We will adjust if meaningful standards arise.

11. Your Rights and Choices

Depending on jurisdiction, you may have rights to:

  • request access, correction, or deletion
  • request copies or portability
  • limit or object to certain uses

You can:

  • opt out of marketing emails via unsubscribe links
  • send privacy requests to [email protected]

Patients must contact their dental provider directly to exercise rights related to health information.

12. Children's Privacy

The Services are not intended for children under 16. We do not knowingly collect information from children. If we learn we have collected such data, we will delete it.

13. Changes to This Policy

We may update this Privacy Policy periodically. The "Last Updated" date reflects the current version. Material updates may be highlighted via email or a prominent notice.

Your continued use after any update constitutes acceptance.

14. Contact Us

For privacy inquiries: