Legal

Privacy Policy

Last updated: April 4, 2026

This Privacy Policy explains how SiftDental ("Company," "we," "us," or "our") collects, uses, discloses, and protects information when you use our website at siftdental.com and the SiftDental platform (collectively, the "Service"). This policy applies to practice administrators, staff members, and patients who interact with the Service.

1. Information We Collect

1.1 Account Information

When you create an account, we collect:

  • Name and email address
  • Practice name, address, and contact information
  • Payment information (processed and stored by Stripe; we do not store full credit card numbers)
  • Professional credentials (NPI, Tax ID) as provided by you

1.2 Practice Data (Including Protected Health Information)

When you use the Service to manage your dental practice, you and your staff enter data that may include Protected Health Information ("PHI") as defined under HIPAA. This includes:

  • Patient demographics (name, date of birth, address, phone, email, SSN last 4 digits)
  • Clinical records (procedures, diagnoses, treatment plans, progress notes, perio exams, tooth conditions, prescriptions)
  • Insurance information (carrier, plan, member ID, coverage details)
  • Appointment records (dates, providers, notes, status)
  • Billing records (charges, payments, claims, balances)
  • Clinical images (X-rays, photographs, documents)
  • Communication records (SMS messages, call logs)

We process this data solely as a Business Associate under HIPAA, on your behalf and under your direction. We do not use PHI for our own purposes, marketing, or analytics.

1.3 Usage Data

We automatically collect certain information about how you access and use the Service:

  • IP address and approximate geographic location
  • Browser type, operating system, and device information
  • Pages visited, features used, and time spent in the application
  • Error logs and performance data

Usage data does not include PHI. We use it to monitor Service performance, identify issues, and improve the user experience.

1.4 Voice and Audio Data

If you use voice-powered features (such as perio charting or the AI phone receptionist), audio is processed in real-time for speech-to-text transcription. Audio recordings are not stored after transcription is complete. Transcribed text is treated as clinical data and stored within your isolated practice database.

1.5 Cookies and Tracking

We use essential cookies to maintain your authentication session and remember your preferences. We do not use third-party advertising cookies or cross-site tracking. Analytics cookies, if used, are anonymized and do not contain PHI.

2. How We Use Your Information

We use the information we collect to:

  • Provide the Service — process your practice data, manage your account, and deliver the features you use.
  • Process payments — bill your subscription and process patient payments through our payment processor.
  • Communicate with you — send account notifications, billing receipts, security alerts, and service announcements.
  • Provide support — respond to your support requests, troubleshoot issues, and assist with data migration.
  • Improve the Service — analyze aggregated, de-identified usage patterns to improve features and performance. We never use PHI for this purpose.
  • Ensure security — detect and prevent fraud, abuse, and security threats.
  • Comply with legal obligations — respond to lawful requests from law enforcement or regulatory authorities.

3. How We Share Your Information

We do not sell, rent, or trade your personal information or PHI. We share information only in the following circumstances:

3.1 Service Providers (Sub-Processors)

We use trusted third-party service providers to operate the Service. These providers process data on our behalf and are bound by contractual obligations to protect your information:

  • Google Cloud Platform — cloud infrastructure, database hosting, compute services
  • Stripe — payment processing (PCI-DSS compliant)
  • Twilio — SMS messaging and appointment reminders (when enabled by you)
  • SendGrid — transactional email delivery (when enabled by you)
  • ElevenLabs — voice AI processing for phone receptionist (when enabled by you)
  • Stedi — insurance eligibility verification and claims processing (when enabled by you)
  • Anthropic — AI language model for clinical assistant features

Third-party integrations (Twilio, SendGrid, ElevenLabs, Stedi) are optional and only activated when you provide your own API credentials. Data is shared with these providers only when you explicitly enable the integration.

3.2 Legal Requirements

We may disclose information if required by law, regulation, legal process, or governmental request, or when we believe disclosure is necessary to protect our rights, your safety, or the safety of others.

3.3 Business Transfers

In the event of a merger, acquisition, or sale of assets, your information may be transferred to the acquiring entity. We will notify you of any such transfer and any changes to this Privacy Policy.

4. HIPAA Compliance

4.1 Business Associate Agreement

SiftDental acts as a Business Associate under HIPAA when processing PHI on behalf of covered entity dental practices. We will execute a Business Associate Agreement ("BAA") with each subscribing practice upon request. The BAA outlines our obligations regarding the use, disclosure, and protection of PHI.

4.2 Minimum Necessary Standard

We adhere to the HIPAA Minimum Necessary standard. Our personnel access PHI only when necessary to provide support, maintain the Service, or respond to your requests. Access is logged and auditable.

4.3 Breach Notification

In the unlikely event of a data breach involving PHI, we will notify affected practices and individuals as required by HIPAA and applicable state laws. Notification will occur without unreasonable delay and no later than 60 days after discovery of the breach.

4.4 De-Identification

Any aggregated data used for Service improvement is de-identified in accordance with the HIPAA Safe Harbor method. De-identified data cannot be used to identify any individual patient.

5. Data Security

We implement comprehensive security measures to protect your information:

  • Encryption in transit — All data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher.
  • Encryption at rest — All stored data, including database contents and backups, is encrypted using AES-256 encryption.
  • Tenant isolation — Each practice receives a dedicated database and application infrastructure. Data is never commingled between practices.
  • Access controls — Role-based access controls restrict data access to authorized personnel. All access is authenticated via JWT tokens with short expiration periods.
  • Audit logging — Data access and modifications are logged for accountability and compliance purposes.
  • Automated backups — Database backups are performed automatically and stored in encrypted, geographically redundant storage.
  • Infrastructure security — Our infrastructure runs on Google Cloud Platform, which maintains SOC 2 Type II, ISO 27001, and HIPAA compliance certifications.

6. Data Retention

  • Active accounts — We retain Your Data for as long as your account is active and you maintain a paid subscription.
  • After cancellation — Your Data is retained in read-only mode for 30 days after subscription cancellation to allow for data export. After 30 days, all data and infrastructure are permanently deleted.
  • Account information — Basic account information (name, email, billing history) may be retained for up to 7 years after account closure for legal and accounting purposes.
  • Usage data — Aggregated, de-identified usage data may be retained indefinitely for Service improvement.
  • Communication records — Support correspondence is retained for 3 years after your last interaction.

7. Your Rights

Depending on your jurisdiction, you may have the following rights:

  • Access — Request a copy of the personal information we hold about you.
  • Correction — Request correction of inaccurate or incomplete personal information.
  • Deletion — Request deletion of your personal information, subject to legal retention requirements.
  • Portability — Request your data in a portable, machine-readable format.
  • Restriction — Request that we limit the processing of your personal information in certain circumstances.
  • Objection — Object to the processing of your personal information for specific purposes.

To exercise these rights, contact us at privacy@siftdental.com. We will respond to verified requests within 30 days. Note that PHI access and amendment rights are governed by HIPAA, and requests related to patient data should be directed to the dental practice that maintains the patient relationship.

8. Patient Portal Users

If you access SiftDental through a patient portal provided by your dental practice, your dental practice is the data controller for your health information. SiftDental processes your data on behalf of the practice. For questions about how your dental practice uses your information, please contact them directly.

Patient portal features that require account creation collect your name, email address, and authentication credentials. Your clinical data is accessed from the practice's existing records — the patient portal does not collect additional health information.

9. Children's Privacy

The Service is designed for use by dental professionals and adult patients. We do not knowingly collect personal information from children under 13 without verifiable parental consent. Patient records for minors are entered and managed by the dental practice, not by the minor directly.

10. International Data Transfers

The Service is hosted in the United States on Google Cloud Platform infrastructure. If you access the Service from outside the United States, your information may be transferred to and processed in the United States. By using the Service, you consent to this transfer. We implement appropriate safeguards for international data transfers as required by applicable law.

11. State-Specific Privacy Rights

11.1 California (CCPA/CPRA)

California residents have additional rights under the California Consumer Privacy Act and California Privacy Rights Act. We do not sell personal information. You may request disclosure of the categories and specific pieces of personal information we have collected, request deletion, and opt out of the sale of personal information (which we do not engage in). To exercise these rights, contact privacy@siftdental.com.

11.2 Other States

Residents of states with comprehensive privacy laws (including Virginia, Colorado, Connecticut, Utah, and Texas) may have similar rights. We honor all applicable state privacy law requirements. Contact us at privacy@siftdental.com to exercise your rights.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or through the Service at least 30 days before they take effect. The "Last updated" date at the top of this policy indicates when it was last revised.

13. Contact Us

If you have questions about this Privacy Policy or our data practices, please contact us at:

SiftDental — Privacy Team
Email: privacy@siftdental.com
Website: https://siftdental.com/contact

For HIPAA-related inquiries or to request a Business Associate Agreement, contact: hipaa@siftdental.com