OrthoEHR

Privacy Policy

Last updated: March 21, 2026

1. Introduction

OrthoEHR (“we,” “us,” or “our”) provides a cloud-based orthodontic practice management platform. This Privacy Policy describes how we collect, use, store, and protect information when you use our website and services, whether you are a practitioner (“Provider”) or a patient whose data is managed through the platform (“Patient”).

2. Information We Collect

Provider Information

  • Name, email address, and login credentials
  • Practice name, phone number, and office address
  • Tax identification number (for billing configuration)
  • Staff member details (names, roles, contact information)
  • Payment and billing information processed through Stripe

Patient Information

  • Name, date of birth, gender, and contact information
  • Mailing address
  • Orthodontic treatment records, clinical notes, and treatment plans
  • Dental imaging (photographs, radiographs, intraoral scans)
  • Appointment history and scheduling data
  • Insurance information and billing records
  • Guardian or family member details (for minor patients)
  • Communication history (SMS messages, email correspondence)

Automatically Collected Information

  • Browser type, device information, and IP address
  • Usage patterns and feature interaction data
  • Log data and error reports

3. How We Use Your Information

  • Providing and operating the OrthoEHR platform, including patient record management, scheduling, billing, and clinical workflows
  • Sending appointment reminders, treatment updates, billing notices, and other practice communications via SMS or email on behalf of the Provider
  • Processing payments and managing insurance claims
  • Improving and maintaining the security, performance, and reliability of our services
  • Responding to support requests and inquiries
  • Complying with legal obligations, including healthcare regulations

4. SMS and Email Communications

OrthoEHR enables Providers to send SMS text messages and emails to Patients for appointment notifications, appointment reminders, and appointment confirmations.

  • Patients may receive recurring automated messages from their orthodontic practice through OrthoEHR, including appointment notifications, reminders, and confirmation requests.
  • Message frequency varies based on appointment schedule (typically 1–3 messages per appointment).
  • Message and data rates may apply. Consult your wireless carrier for details.
  • Patients may opt out of SMS messages at any time by replying STOP to any message or by contacting their orthodontic practice directly.
  • Reply HELP to any SMS for support information.
  • Providers are responsible for obtaining appropriate patient consent before sending communications through the platform.

5. Data Storage and Security

We take the security of your data seriously. All data is stored in cloud-hosted infrastructure provided by Supabase with the following protections:

  • Encryption at rest and in transit (TLS 1.2+)
  • Multi-tenant data isolation — each organization's data is logically separated and access-controlled
  • Role-based access controls for staff members
  • Audit logging of system activity
  • Secure authentication with hashed credentials

6. Third-Party Services

We use trusted third-party services to provide our platform:

  • Supabase — Database hosting, authentication, and data storage
  • Telnyx — SMS messaging and voice call services
  • Stripe — Payment processing and billing

Each third-party provider maintains its own privacy policy and security practices. We share only the minimum data necessary for each service to function.

7. HIPAA Compliance

OrthoEHR is designed to support HIPAA compliance for covered entities (healthcare providers). We implement administrative, physical, and technical safeguards consistent with the HIPAA Security Rule. Business Associate Agreements (BAAs) are available upon request for covered entities that require them.

Providers are responsible for ensuring their own HIPAA compliance, including obtaining appropriate patient authorizations and maintaining proper use of the platform.

8. Data Retention and Deletion

  • Patient data is retained for as long as the Provider's account is active and as required by applicable healthcare record retention laws.
  • When a Provider deletes their account, all associated organization data — including patient records, appointments, billing data, and staff records — is permanently deleted from our systems.
  • Providers may delete individual patient records through the platform at any time, subject to applicable record retention requirements.

9. Children's Privacy

Orthodontic treatment frequently involves minor patients. Personal information of minors is collected and managed by the treating Provider and/or the minor's parent or legal guardian through the platform. We do not knowingly collect personal information directly from children. All minor patient data is managed under the Provider's account and subject to the same protections as all patient data.

10. Your Rights

Depending on your jurisdiction, you may have the right to:

  • Access the personal information we hold about you
  • Request correction of inaccurate data
  • Request deletion of your data (subject to legal retention requirements)
  • Opt out of marketing communications
  • Opt out of SMS messaging by replying STOP

Patients should contact their orthodontic practice directly to exercise rights related to their health records. Providers may contact us at the address below.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify registered users of material changes via email or through the platform. Continued use of OrthoEHR after changes constitutes acceptance of the updated policy.

12. Contact Us

If you have questions about this Privacy Policy or our data practices, please contact us at:

Email: amanshah@berkeley.edu