Privacy Policy
Last updated: March 25, 2026
AIDentalClaims ("we," "us," or "our") operates the AIDentalClaims platform (the "Service"), a software-as-a-service product that helps dental practices and billing teams analyze, optimize, and manage insurance claims. Because our Service processes protected health information ("PHI") as defined by the Health Insurance Portability and Accountability Act of 1996, as amended ("HIPAA"), and its implementing regulations, we maintain rigorous privacy and security practices.
This Privacy Policy describes what information we collect, how we use and share it, and the rights you and your patients have regarding that information. By accessing or using the Service, you agree to this Privacy Policy. If you are a covered entity under HIPAA, our processing of PHI on your behalf is further governed by the Business Associate Agreement ("BAA") executed between us.
In the event of any conflict between this Privacy Policy and a signed BAA, the terms of the BAA shall control with respect to PHI.
1. Information We Collect
We collect several categories of information in connection with the Service. The specific types depend on how you interact with the platform and what integrations you enable.
1.1 Account Information
When you create an account, we collect personal information necessary to provision and secure your access, including:
- Full name and professional title
- Email address
- Phone number
- Login credentials (passwords are salted and hashed; we never store plaintext passwords)
- Role and permission level within your organization
- Multi-factor authentication enrollment data
1.2 Practice and Organization Information
To configure the Service for your dental practice, we collect organizational details such as:
- Practice or business legal name
- National Provider Identifier (NPI) number(s)
- Tax Identification Number (TIN)
- Business address(es) and phone number(s)
- Practice management system type and version
- Billing and subscription information
1.3 Clinical Data and Protected Health Information (PHI)
In the course of providing claims intelligence services, we may process PHI on your behalf, which may include:
- Patient names and demographic information
- Dates of service and dates of birth
- Dental procedure codes (CDT codes) and diagnosis codes
- Clinical notes, treatment narratives, and chart data
- Radiographic and intraoral image references
- Claim submission history and adjudication results
- Explanation of Benefits (EOB) data
- Any other individually identifiable health information as defined under 45 CFR § 160.103
We process PHI solely as a Business Associate on your behalf and in accordance with our BAA and HIPAA regulations.
1.4 Insurance and Payer Information
To support claims analysis and optimization, we may collect and process:
- Insurance carrier names and payer IDs
- Plan types, group numbers, and subscriber IDs
- Fee schedules and reimbursement rates
- Benefits verification data
- Prior authorization requirements and responses
- Denial reason codes and appeal outcomes
1.5 Usage Data
We automatically collect information about how you interact with the Service, including:
- Pages visited, features used, and actions taken within the platform
- Timestamps and duration of sessions
- Device type, operating system, and browser version
- IP address and approximate geographic location (city/region level)
- Referring URL and exit pages
- Error logs and performance metrics
1.6 Cookies and Similar Technologies
We use cookies, local storage, and similar technologies to maintain session state, authenticate users, remember preferences, and (with your consent) analyze usage patterns. For full details, see Section 14 (Cookies) below.
2. How We Collect Information
2.1 Directly from You
We collect information you provide directly when you create an account, configure your practice settings, enter or upload data, submit support requests, or otherwise communicate with us.
2.2 Automatically Through the Service
When you use the Service, we automatically collect usage data, device information, and log data through server logs, cookies, and similar technologies. This collection is essential for security monitoring, access control, and service reliability.
2.3 From Integrations and Third-Party Systems
If you connect the Service to your practice management system (PMS), electronic health record (EHR) system, clearinghouse, or other third-party platforms, we receive data from those systems as authorized by you. We only collect data that is necessary for the features you have enabled, and you may revoke integration access at any time through your account settings.
3. How We Use Information
We use the information we collect for the following purposes:
3.1 Service Delivery and Operations
- Providing, maintaining, and improving the claims intelligence features of the Service
- Analyzing claims data to identify optimization opportunities, coding patterns, and denial trends
- Generating AI-powered recommendations for claim submissions, narratives, and appeals
- Processing and managing your account and subscription
- Providing technical support and responding to your inquiries
3.2 Service Improvement via De-Identified Data
We may use de-identified data (from which all HIPAA identifiers have been removed in accordance with the Safe Harbor method described in Section 6) to improve our algorithms, train machine learning models, conduct research on claims trends, and enhance the overall quality of the Service. De-identified data is no longer considered PHI under HIPAA.
3.3 Communications
- Sending transactional notifications related to your account, billing, and service status
- Providing product updates, feature announcements, and educational content relevant to your use of the Service
- Responding to inquiries, support tickets, and feedback
You may opt out of non-essential communications at any time by adjusting your notification preferences or by using the unsubscribe mechanism in our emails. We will never use PHI for marketing purposes.
3.4 Legal Compliance
We use information as necessary to comply with applicable laws and regulations, including HIPAA, state privacy laws, and tax and financial reporting obligations. This includes maintaining audit trails and responding to lawful requests from regulators or law enforcement.
3.5 Security and Fraud Prevention
We use information to detect, investigate, and prevent unauthorized access, fraud, abuse, and other harmful activity. This includes monitoring login attempts, analyzing access patterns, and enforcing session controls.
4. Legal Basis for Processing
4.1 HIPAA Treatment, Payment, and Health Care Operations (TPO)
As a Business Associate, we process PHI on behalf of covered entities for purposes of treatment, payment, and health care operations as permitted under 45 CFR § 164.506 and as specified in the applicable BAA. No patient authorization is required for these uses, though the covered entity remains responsible for obtaining any required patient consents under applicable state law.
4.2 Contractual Necessity
We process account information and practice information as necessary to perform our contractual obligations under our Terms of Service and subscription agreements.
4.3 Legitimate Interests
We process usage data and non-PHI information based on our legitimate interests in operating, securing, and improving the Service, provided those interests are not overridden by your rights and freedoms.
4.4 Consent
Where required by law, we obtain your consent before processing certain non-PHI data, such as the use of non-essential analytics cookies. You may withdraw consent at any time without affecting the lawfulness of processing performed prior to withdrawal.
5. How We Share Information
We do not sell, rent, or trade your information, including PHI, to third parties. We share information only in the following limited circumstances:
5.1 Subprocessors and Service Providers
We engage a limited number of vetted subprocessors to help deliver the Service. Each subprocessor that handles PHI has executed a Business Associate Agreement (or equivalent data protection agreement) with us and is contractually bound to protect your data. Our current subprocessors include:
- Amazon Web Services (AWS) — Cloud infrastructure, hosting, data storage, and encryption services. BAA in place.
- Anthropic — AI and large language model services used for claims analysis and narrative generation. All data transmitted to Anthropic is de-identified in accordance with HIPAA Safe Harbor standards (see Section 6). BAA in place.
- Payment Processor — Billing and payment processing services. The payment processor receives only the billing information necessary to process transactions and does not have access to PHI. BAA in place where applicable.
5.2 At Your Direction
We may share information with third parties when you explicitly direct us to do so, such as when you enable an integration with your practice management system or authorize the export of data to another platform.
5.3 Legal Requirements
We may disclose information if required to do so by law, regulation, subpoena, court order, or other governmental request. When permitted, we will provide you with advance notice of such disclosures. Any disclosure of PHI for legal purposes will comply with the minimum necessary standard under HIPAA (45 CFR § 164.502(b)).
5.4 Business Transfers
In the event of a merger, acquisition, reorganization, bankruptcy, or sale of all or a portion of our assets, your information may be transferred as part of that transaction. We will notify you via email and/or a prominent notice within the Service of any change in ownership or use of your information, and you will have the opportunity to request deletion of your data prior to the transfer. Any successor entity will be bound by the terms of existing BAAs.
5.5 No Sale of PHI
We will never sell protected health information. We do not use PHI for marketing, advertising, or any purpose not expressly authorized by our BAA and permitted under HIPAA. This commitment applies regardless of whether a transaction meets the technical definition of a "sale" under HIPAA, the California Consumer Privacy Act, or any other applicable law.
6. De-Identification of Data
When clinical data is processed by our AI systems (including third-party AI providers such as Anthropic), we apply de-identification procedures in compliance with the HIPAA Safe Harbor method (45 CFR § 164.514(b)(2)). This means we remove or generalize all 18 categories of identifiers specified by HIPAA before the data leaves our controlled environment, including:
- Names
- Geographic data smaller than a state (street address, city, county, zip code, and equivalent geocodes)
- All dates directly related to an individual (birth date, admission date, discharge date, date of death) and all ages over 89
- Telephone numbers
- Fax numbers
- Email addresses
- Social Security numbers
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate/license numbers
- Vehicle identifiers and serial numbers
- Device identifiers and serial numbers
- Web URLs
- IP addresses
- Biometric identifiers
- Full-face photographs and comparable images
- Any other unique identifying number, characteristic, or code
We have no actual knowledge that the remaining information could be used, alone or in combination, to identify an individual. Our de-identification process is documented and subject to periodic internal review and validation. De-identified data is not subject to HIPAA restrictions and may be used by us to improve the Service, conduct research, and generate aggregate analytics.
7. Data Security
We implement comprehensive administrative, technical, and physical safeguards designed to protect your information in accordance with the HIPAA Security Rule (45 CFR Part 164, Subpart C) and industry best practices. Our security measures include, but are not limited to:
7.1 Encryption
- Data at rest: All data, including PHI, is encrypted using AES-256 encryption via AWS Key Management Service (KMS) with customer-managed encryption keys.
- Data in transit: All communications between your browser and our servers, and between our internal services, are encrypted using TLS 1.3. We enforce HSTS and do not support deprecated cipher suites.
7.2 Authentication and Access Controls
- Multi-factor authentication (MFA) is required for all user accounts.
- Role-based access control (RBAC) ensures users can only access the data and features appropriate to their role.
- The principle of least privilege is applied to all internal systems and personnel access.
- Automatic session timeouts terminate inactive sessions after a configurable period (default: 15 minutes).
7.3 Monitoring and Audit Logging
- All access to PHI is logged in tamper-evident audit trails that record the user, action, data accessed, and timestamp.
- Security events are monitored in real time with automated alerting for anomalous activity.
- Audit logs are retained for a minimum of six (6) years in accordance with HIPAA requirements.
7.4 Infrastructure Security
- Our infrastructure is hosted within HIPAA-compliant AWS data centers with enterprise-grade security controls.
- We perform regular vulnerability scans, penetration testing, and code reviews.
- All production deployments undergo security review as part of our change management process.
- We maintain and regularly test an incident response plan in compliance with the HIPAA Breach Notification Rule.
While no method of transmission or storage is 100% secure, we are committed to protecting your data with industry-leading safeguards and continuously improving our security posture.
8. Data Retention
We retain your information for as long as necessary to fulfill the purposes described in this Privacy Policy, subject to the following retention periods:
- Account and practice data: Retained for the duration of your active subscription plus thirty (30) calendar days following termination or expiration to allow for data export and account recovery.
- Protected health information (PHI): Retained for the duration of your active subscription plus thirty (30) calendar days following termination, unless a longer retention period is required by the applicable BAA or by law.
- Audit logs: Retained for a minimum of six (6) years from the date of creation, as required by HIPAA (45 CFR § 164.530(j)).
- Billing and transaction records: Retained for seven (7) years in accordance with applicable tax and financial regulations.
- De-identified and anonymized data: May be retained indefinitely, as it no longer constitutes PHI or personally identifiable information.
At the end of the applicable retention period, data is securely deleted using cryptographic erasure or overwritten in accordance with NIST SP 800-88 guidelines.
9. Data Deletion
You may request deletion of your data at any time by contacting us at privacy@aidentalclaims.com or through the account settings within the Service.
9.1 Deletion Process
- Upon receiving a verified deletion request, we will confirm receipt within five (5) business days.
- We will complete the deletion of your account data and PHI within thirty (30) calendar days of confirmation.
- You will receive a written confirmation when the deletion process is complete.
9.2 Data Retained After Deletion
Certain information will be retained even after a deletion request to comply with our legal obligations:
- Audit logs and access records will be retained for the full six (6) year HIPAA retention period.
- Billing and transaction records will be retained as required by applicable tax and financial regulations.
- De-identified data that has already been aggregated or incorporated into analytical models cannot be attributed back to you and will not be deleted.
- Information that we are required to retain by law, regulation, or legal proceeding (including litigation holds) will be preserved until the applicable retention obligation expires.
9.3 Backup Systems
Due to the nature of our backup infrastructure, deleted data may persist in encrypted backup systems for up to ninety (90) days following deletion from production systems. Backup copies are encrypted at rest and are not used for any operational purpose after deletion from production. Backups containing deleted data are automatically purged through our regular backup rotation cycle.
10. Individual Rights Under HIPAA
Under HIPAA, individuals (patients) have specific rights regarding their PHI. Because we process PHI as a Business Associate on behalf of covered entities (dental practices), these rights are generally exercised through the covered entity. We will cooperate with covered entities to fulfill the following individual rights:
10.1 Right of Access
Individuals have the right to access and obtain a copy of their PHI maintained by the covered entity, as set forth in 45 CFR § 164.524. We will provide the covered entity with the requested PHI in a timely manner (within thirty (30) days, with one thirty-day extension if necessary) and in the electronic format requested, where feasible.
10.2 Right to Amendment
Individuals have the right to request amendments to their PHI as set forth in 45 CFR § 164.526. Upon receiving an approved amendment request from the covered entity, we will incorporate the amendment into the relevant records within the Service.
10.3 Right to an Accounting of Disclosures
Individuals have the right to receive an accounting of certain disclosures of their PHI made in the six (6) years prior to the request, as set forth in 45 CFR § 164.528. We maintain detailed audit logs that enable us to assist covered entities in fulfilling these requests.
10.4 Right to Request Restrictions
Individuals have the right to request restrictions on certain uses and disclosures of their PHI as set forth in 45 CFR § 164.522. If the covered entity agrees to such restrictions and communicates them to us, we will implement the restrictions within the Service to the extent technically feasible.
10.5 Right to Confidential Communications
Individuals have the right to request that the covered entity communicate with them through alternative means or at alternative locations, as set forth in 45 CFR § 164.522. We will support the covered entity in honoring these requests as they pertain to communications generated through the Service.
If you are a patient and wish to exercise any of these rights, please contact your dental provider directly. If you are a covered entity and need assistance fulfilling an individual rights request, please contact us at privacy@aidentalclaims.com.
11. State Privacy Laws
In addition to HIPAA, we comply with applicable state privacy laws. The following disclosures are provided to the extent required by these laws. Note that to the extent any data qualifies as PHI governed by HIPAA, HIPAA preempts state law unless the state law provides greater protection or addresses a different subject matter.
11.1 California Consumer Privacy Act / California Privacy Rights Act (CCPA/CPRA)
If you are a California resident, you may have the following rights with respect to personal information that is not PHI governed by HIPAA:
- Right to Know: You may request that we disclose the categories and specific pieces of personal information we have collected about you, the sources of collection, the business purposes for collection, and the categories of third parties with whom we share it.
- Right to Delete: You may request the deletion of your personal information, subject to certain exceptions.
- Right to Correct: You may request the correction of inaccurate personal information.
- Right to Opt Out of Sale or Sharing: We do not sell or share (as defined by the CCPA/CPRA) personal information, including PHI. Therefore, no opt-out is necessary, but we honor Global Privacy Control (GPC) signals as a valid opt-out request.
- Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights.
To exercise your CCPA/CPRA rights, contact us at privacy@aidentalclaims.com. We will verify your identity before processing your request and respond within forty-five (45) days.
11.2 Virginia Consumer Data Protection Act (VCDPA)
If you are a Virginia resident, you may have the right to access, correct, delete, and obtain a portable copy of your personal data, as well as the right to opt out of targeted advertising, the sale of personal data, and profiling in furtherance of decisions that produce legal or similarly significant effects. We do not sell personal data or engage in targeted advertising. To exercise your rights or appeal a decision regarding your request, contact us at privacy@aidentalclaims.com.
11.3 Colorado Privacy Act (CPA)
If you are a Colorado resident, you may have the right to access, correct, delete, and obtain a portable copy of your personal data, as well as the right to opt out of targeted advertising, the sale of personal data, and certain profiling activities. We do not sell personal data or engage in targeted advertising. You may exercise these rights or appeal a decision by contacting us at privacy@aidentalclaims.com. We will respond to your request within forty-five (45) days.
12. Children's Privacy
The Service is designed for use by dental professionals and practice administrators and is not directed to individuals under the age of eighteen (18). We do not knowingly collect personal information from individuals under eighteen (18) for account registration or direct use of the Service.
The Service may process PHI relating to minor patients as part of claims data provided by covered entities. Such processing is conducted solely as a Business Associate under HIPAA and the applicable BAA, and is subject to the same protections as all other PHI processed through the Service.
If we become aware that we have inadvertently collected personal information from a child under eighteen (18) for account purposes without verifiable parental or guardian consent, we will take prompt steps to delete such information. If you believe a child has provided us with personal information, please contact us at privacy@aidentalclaims.com.
13. Data Residency
All data processed by the Service, including PHI, is stored and processed exclusively within the United States. Our infrastructure is hosted on Amazon Web Services (AWS) in the following regions:
- US-East-1 (N. Virginia) — Primary data center
- US-West-2 (Oregon) — Disaster recovery and redundancy
We do not transfer, store, or process PHI outside of the United States. All subprocessors that handle data on our behalf are contractually required to maintain data residency within the United States. In the event we need to change our data residency practices, we will provide at least sixty (60) days' advance notice and update this Privacy Policy accordingly.
14. Cookies and Tracking Technologies
We use cookies and similar technologies for the purposes described below. You can manage your cookie preferences through the cookie consent banner displayed upon your first visit, or at any time through your browser settings.
14.1 Essential Cookies
These cookies are strictly necessary for the operation of the Service and cannot be disabled. They include:
- Session authentication tokens that keep you logged in securely
- CSRF (cross-site request forgery) protection tokens
- Load balancing and server routing identifiers
- Cookie consent preferences
14.2 Analytics Cookies (With Consent)
With your explicit consent, we may use analytics cookies to understand how users interact with the Service. These cookies help us measure feature usage, identify usability issues, and improve the user experience. Analytics cookies do not collect or transmit PHI. Data collected through analytics cookies is aggregated and does not identify individual users.
14.3 Managing Cookies
You can control cookies through the following methods:
- Cookie consent banner: Adjust your preferences at any time through the cookie settings link in the Service footer.
- Browser settings: Most browsers allow you to block or delete cookies through their settings. Note that blocking essential cookies may prevent the Service from functioning correctly.
- Global Privacy Control (GPC): We honor GPC signals transmitted by your browser.
We do not use advertising cookies or third-party tracking pixels. We do not participate in cross-site tracking or behavioral advertising.
15. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or for other operational reasons. When we make changes, we will:
- Update the "Last Updated" date at the top of this page.
- Provide at least thirty (30) days' advance notice of material changes via email to the address associated with your account and through a prominent in-app notification.
- Where required by law or our BAA, obtain your affirmative consent before applying material changes to the processing of PHI.
We encourage you to review this Privacy Policy periodically. Continued use of the Service after the effective date of a revised Privacy Policy constitutes your acceptance of the changes for non-PHI data. Changes to PHI processing are governed by the terms of the applicable BAA.
16. Contact Information
If you have questions, concerns, or requests regarding this Privacy Policy, our data practices, or your privacy rights, please contact us:
- Email: privacy@aidentalclaims.com
- Subject line: "Privacy Inquiry" for general questions; "Data Rights Request" for individual rights requests
We will acknowledge your inquiry within five (5) business days and endeavor to respond substantively within thirty (30) calendar days. For complaints regarding our handling of PHI, you also have the right to file a complaint with the U.S. Department of Health and Human Services, Office for Civil Rights at www.hhs.gov/ocr. We will not retaliate against you for filing a complaint.