Privacy Policy

Practice Information: When you register, we collect your practice name, address, phone number, email, and business hours. We also collect information about providers (names, specialties, availability) and services offered.

Patient Information: Your practice enters patient data including names, contact information, medical histories, appointment records, insurance details, and treatment plans. This data is entered and managed by your practice — DentinFlow processes it on your behalf.

Usage Data: We automatically collect information about how you interact with the Service, including pages visited, features used, browser type, IP address, and device information. This data is collected via PostHog analytics and is used to improve the Service.

Communication Data: SMS messages, call transcripts, and email communications sent through the platform are stored to provide service functionality and maintain audit trails.

We use collected information to:

• Provide, maintain, and improve the Service
• Process appointments, reminders, and patient communications
• Power AI voice reception and automated workflows
• Generate analytics and practice insights
• Send service-related notifications (billing, updates, security alerts)
• Provide customer support
• Detect and prevent fraud or security incidents

We do not sell personal information. We do not use patient health information for marketing or advertising purposes.

All data is stored on servers located in Canada and the United States, utilizing industry-standard cloud infrastructure providers. Data is encrypted in transit (TLS 1.2+) and at rest (AES-256).

Security measures include:

• Role-based access controls
• Encrypted credential storage
• Regular security audits and monitoring (Sentry)
• Automated backups with point-in-time recovery
• Audit logging of all data access and modifications

While we implement commercially reasonable security measures, no system is 100% secure. We will notify affected practices within 72 hours of discovering a data breach, in accordance with PIPEDA and PHIPA requirements.

DentinFlow integrates with the following third-party services to provide functionality:

• Twilio — SMS messaging and voice calling. Twilio processes phone numbers and message content. Twilio Privacy Policy
• Stripe — Payment processing. Stripe handles payment card data directly; we do not store card numbers. Stripe Privacy Policy
• Vapi — AI voice assistant. Call audio is processed by Vapi for real-time conversation. Transcripts are stored in DentinFlow. Vapi Privacy Policy
• Resend — Transactional email delivery. Resend Privacy Policy
• PostHog — Product analytics (anonymized usage data only). PostHog Privacy Policy

Each third-party provider is selected for their commitment to data security and compliance.

DentinFlow processes personal health information ("PHI") as defined under Ontario's Personal Health Information Protection Act, 2004 (PHIPA) and Canada's Personal Information Protection and Electronic Documents Act (PIPEDA).

Key commitments regarding patient data:

• PHI is processed solely for the purpose of providing the Service to your practice
• Access to PHI is restricted to authorized practice staff and necessary DentinFlow personnel
• PHI is never used for marketing, advertising, or shared with unauthorized third parties
• Practices retain full ownership of all patient data at all times
• A Business Associate Agreement (BAA) governs data handling obligations

Your practice remains the "health information custodian" under PHIPA. DentinFlow acts as an "agent" processing PHI on your behalf.

We retain practice and patient data for the duration of your subscription plus 90 days after termination to allow for data export.

After the retention period, data is permanently deleted from our systems and backups within 30 days, unless legal retention requirements apply.

Call transcripts and SMS logs are retained for 12 months by default. Practices may configure shorter retention periods in their settings.

Analytics data (anonymized) may be retained indefinitely for service improvement purposes.

Under PIPEDA and applicable provincial privacy legislation, you have the right to:

• Access: Request a copy of personal information we hold about you or your practice
• Correction: Request correction of inaccurate personal information
• Deletion: Request deletion of your data (subject to legal retention requirements)
• Data Portability: Export your data in a standard, machine-readable format
• Withdraw Consent: Withdraw consent for data processing (this may affect service availability)
• Complaint: File a complaint with the Office of the Privacy Commissioner of Canada

To exercise any of these rights, contact us at the address below.

For privacy-related inquiries:

DentinFlow Inc.
Privacy Officer
Email: privacy@dentinflow.com
Toronto, Ontario, Canada

For complaints regarding our privacy practices, you may also contact the Office of the Privacy Commissioner of Canada at www.priv.gc.ca.