OrthoEHR

Privacy Policy

Last updated: March 21, 2026

1. Introduction

This Privacy Policy applies to the orthodontic practice (the “Practice”) identified on the patient opt-in form and to its use of OrthoEHR (the “Platform”) for scheduling, record management, and patient communications. It describes how information is collected, used, stored, and protected when the Practice uses the Platform to communicate with patients and manage patient data.

2. Information We Collect

Provider Information

  • Name, email address, and login credentials
  • Practice name, phone number, and office address
  • Tax identification number (for billing configuration)
  • Staff member details (names, roles, contact information)
  • Payment and billing information processed through Stripe

Patient Information

  • Name, date of birth, gender, and contact information
  • Mailing address
  • Orthodontic treatment records, clinical notes, and treatment plans
  • Dental imaging (photographs, radiographs, intraoral scans)
  • Appointment history and scheduling data
  • Insurance information and billing records
  • Guardian or family member details (for minor patients)
  • Communication history (SMS messages, email correspondence)

Automatically Collected Information

  • Browser type, device information, and IP address
  • Usage patterns and feature interaction data
  • Log data and error reports

3. How We Use Your Information

  • Providing and operating the OrthoEHR platform, including patient record management, scheduling, billing, and clinical workflows
  • Sending appointment reminders, treatment updates, billing notices, and other practice communications via SMS or email on behalf of the Provider
  • Processing payments and managing insurance claims
  • Improving and maintaining the security, performance, and reliability of our services
  • Responding to support requests and inquiries
  • Complying with legal obligations, including healthcare regulations

4. SMS and Email Communications

The Practice may use the Platform to send SMS text messages and emails to patients for appointment notifications, appointment reminders, appointment confirmations, and other practice-related communications.

  • Patients may receive recurring automated messages from their orthodontic practice through OrthoEHR, including appointment notifications, reminders, and confirmation requests.
  • Message frequency varies based on appointment schedule (typically 1–3 messages per appointment).
  • Message and data rates may apply. Consult your wireless carrier for details.
  • Patients may opt out of SMS messages at any time by replying STOP to any message or by contacting their orthodontic practice directly.
  • Reply HELP to any SMS for support information.
  • Providers are responsible for obtaining appropriate patient consent before sending communications through the platform.

Mobile information and SMS consent. The Practice’s mobile information, including text messaging originator opt-in data and consent, will not be sold, rented, or shared with third parties for promotional or marketing purposes. We will not share your opt-in to an SMS campaign with any third party for purposes unrelated to providing you with the services of that campaign. We may share your personal data, including your SMS opt-in or consent status, with third parties that help us provide messaging services (for example: platform providers, phone companies/carriers, and vendors who assist in the delivery of text messages).

5. Orthodontic Office Privacy Policy

The orthodontic practice using OrthoEHR maintains its own privacy policy governing the collection and use of patient information. You can view the office's privacy policy at: https://smileyfacebraces.com/privacy-policy/

6. Data Storage and Security

We take the security of your data seriously. All data is stored in cloud-hosted infrastructure provided by Supabase with the following protections:

  • Encryption at rest and in transit (TLS 1.2+)
  • Multi-tenant data isolation — each organization's data is logically separated and access-controlled
  • Role-based access controls for staff members
  • Audit logging of system activity
  • Secure authentication with hashed credentials

7. Third-Party Services

We use trusted third-party services to provide our platform:

  • Supabase — Database hosting, authentication, and data storage
  • Telnyx — SMS messaging and voice call services
  • Stripe — Payment processing and billing

Each third-party provider maintains its own privacy policies and security practices. We only share the minimum data necessary for each service to function.

8. HIPAA Compliance

OrthoEHR is designed to support HIPAA compliance for covered entities (healthcare providers). We implement administrative, physical, and technical safeguards consistent with the HIPAA Security Rule. Business Associate Agreements (BAAs) are available upon request for covered entities that require them.

Providers are responsible for ensuring their own HIPAA compliance, including obtaining appropriate patient authorizations and maintaining proper use of the platform.

9. Data Retention and Deletion

  • Patient data is retained for as long as the Provider's account is active and as required by applicable healthcare record retention laws.
  • When a Provider deletes their account, all associated organization data — including patient records, appointments, billing data, and staff records — is permanently deleted from our systems.
  • Providers may delete individual patient records through the platform at any time, subject to applicable record retention requirements.

10. Children's Privacy

Orthodontic treatment frequently involves minor patients. Personal information of minors is collected and managed by the treating Provider and/or the minor's parent or legal guardian through the platform. We do not knowingly collect personal information directly from children. All minor patient data is managed under the Provider's account and subject to the same protections as all patient data.

11. Your Rights

Depending on your jurisdiction, you may have the right to:

  • Access the personal information we hold about you
  • Request correction of inaccurate data
  • Request deletion of your data (subject to legal retention requirements)
  • Opt out of marketing communications
  • Opt out of SMS messaging by replying STOP

Patients should contact their orthodontic practice directly to exercise rights related to their health records. Providers may contact us at the address below.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify registered users of material changes via email or through the platform. Continued use of OrthoEHR after changes constitutes acceptance of the updated policy.

13. Contact Us

If you have questions about this Privacy Policy or our data practices, please contact us at:

Email: amanshah@berkeley.edu