DentaFlow
TermsHIPAACookies
Contents
1. Who We Are2. Data We Collect3. How We Use Data4. Legal Basis for Processing5. Data Retention6. Data Sharing7. Security8. Your Rights9. International Transfers10. Cookies11. Children12. Client Responsibilities13. Changes14. Contact
Questions?
privacy@usedentaflow.com
Legal

Privacy Policy

Last updated: June 1, 2026 · Effective: June 1, 2026

1. Who We Are

DentaFlow ("we", "us", "our") operates the software platform at usedentaflow.com. This Privacy Policy explains how we collect, use, store, and protect personal information in connection with our Service.

This policy applies to dental clinics that subscribe to DentaFlow ("Clients") and patients who interact with the DentaFlow chat widget on Client websites ("End Users").

DentaFlow acts as a data processor on behalf of Clients. The dental clinic is the data controller responsible for patient data. Patients should consult their clinic's own privacy policy for information about how their data is used.

2. Data We Collect

From Clients (dental clinics):

Business contact information (name, email, phone, address)
Billing information (processed by Stripe — we do not store card numbers)
Clinic configuration data (services, hours, branding)
Dashboard usage and activity data

From End Users (patients via chat widget):

Information voluntarily shared in chat: name, email, phone, service interests, appointment preferences
Conversation transcripts
Technical data: IP address, browser type, device type, referring URL

We do not collect:

Payment card details (handled entirely by Stripe)
Social security numbers or government IDs
Medical records beyond what patients voluntarily share in chat

3. How We Use Data

Client data is used to:

Provide, maintain, and improve the Service
Process payments and send invoices
Send service notifications and account communications
Provide customer support
Detect and prevent fraud or abuse

End User data (patient conversations) is used to:

Enable the AI chat functionality
Display conversation history in the Client's dashboard
Generate leads and appointment requests for the Client
Send appointment reminders and review requests (if enabled by the Client)

We will never:

Sell personal data to any third party
Use patient data for advertising unrelated to the clinic
Share data across different clinic accounts

5. Data Retention

Client account data — retained for the duration of the subscription plus 30 days after cancellation
Conversation and lead data — retained for 2 years from last activity, unless deletion is requested
Appointment records — retained for 7 years for compliance purposes
Billing records — retained for 7 years for tax and financial compliance
Technical logs — 90 days
Backup copies — may persist for up to 30 days after deletion is processed

Upon account termination, Clients may request a data export within 30 days. After that period, all data is permanently deleted.

6. Data Sharing

We share data only with the following service providers, all bound by data processing agreements:

Supabase — database and authentication (USA) — Standard Contractual Clauses
OpenAI — AI conversation processing (USA) — data is not used to train OpenAI models; Standard Contractual Clauses
Resend — email delivery (USA) — Standard Contractual Clauses
Stripe — payment processing (USA/EU) — EU-US Data Privacy Framework participant
Vercel — hosting infrastructure (USA/EU) — Standard Contractual Clauses

All transfers of personal data outside the EEA/UK are conducted under Standard Contractual Clauses (SCCs) approved by the European Commission.

We maintain strict data isolation between Clients — no clinic can access another clinic's data. We do not sell, rent, or trade personal data.

7. Security

We implement industry-standard security measures including:

Encryption in transit (TLS 1.3) and at rest (AES-256)
Role-based access controls
Row-level security in our database (each clinic can only access their own data)
Regular security assessments and automated backups

No internet transmission or electronic storage is 100% secure. We cannot guarantee absolute security. In the event of a data breach, we will notify affected parties as required by applicable law.

8. Your Rights

Depending on your location, you may have the right to:

Access — request a copy of your personal data
Rectification — request correction of inaccurate data
Erasure — request deletion of your data, subject to legal retention obligations
Restriction — request limited processing in certain circumstances
Portability — receive your data in a machine-readable format
Object — object to processing based on legitimate interests

Clients may exercise these rights by contacting privacy@usedentaflow.com.

End Users (patients) should contact the dental clinic they interacted with, as the clinic is the data controller.

We respond to verified requests within 30 days. EEA/UK residents may lodge a complaint with their local data protection authority. California residents have additional rights under the CCPA.

9. International Transfers

DentaFlow operates from the United States. Data may be transferred to and processed in the USA and other countries where our processors operate.

For transfers from the EEA, UK, or Switzerland, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission, the EU-US Data Privacy Framework where applicable, and other appropriate safeguards as required by law.

10. Cookies

We use minimal, essential cookies for authentication and session management. We do not use advertising cookies or sell cookie data. See our Cookie Policy at usedentaflow.com/legal/cookies for details.

11. Children

The Service is not directed at individuals under 13 years of age. We do not knowingly collect personal data from children under 13. Contact privacy@usedentaflow.com if you believe we have collected data from a child.

12. Client Responsibilities

As the data controller, each Client is solely responsible for:

Maintaining a compliant privacy policy on their own website
Obtaining all necessary consents from patients before collecting their data via the DentaFlow widget
Complying with all applicable data protection laws (GDPR, CCPA, HIPAA, and others)
Ensuring patients can exercise their data rights

DentaFlow provides the technical infrastructure. Clients provide legal compliance. DentaFlow is not responsible for a Client's failure to comply with applicable laws.

13. Changes

We may update this Privacy Policy at any time. Material changes will be communicated to Clients via email at least 14 days before taking effect. The current version is always available at usedentaflow.com/legal/privacy.

14. Contact

Privacy requests: privacy@usedentaflow.com

HIPAA inquiries: hipaa@usedentaflow.com

General legal: legal@usedentaflow.com

We aim to respond within 5 business days.

Privacy questions: privacy@usedentaflow.com