Privacy Policy

Version 1.0.0 — Effective 2026-07-07

DRAFT v1.0.0 — pending attorney review. Effective date: 2026-07-07.

1. Scope of This Policy

This Privacy Policy describes how Dental Refer ("we," "us," "our") collects, uses, discloses, and protects information in connection with the dentalrefer.com referral coordination platform (the "Service"). It covers information about account holders and practice staff ("Users"), visitors to our public pages, and — where we act as a Business Associate — patient information handled on behalf of participating practices. Where this Policy conflicts with an executed Business Associate Agreement ("BAA") for the handling of Protected Health Information ("PHI"), the BAA controls.

2. Information We Collect

Account and profile information: name, work email, hashed password, role, organization name and type, NPI number, license number and state, and phone number. Referral and clinical workflow data: patient demographic and clinical information entered by practices to coordinate referrals, uploaded documents and imaging, messages between offices, and specialist reports — this is PHI handled on behalf of the referring and receiving practices. Usage and device information: IP address, browser user-agent, pages viewed, and actions taken, collected in server logs and our audit log. Payment information: subscription billing details processed by Stripe; we receive transaction metadata but never store full card numbers. Communications: support requests and correspondence with our team.

3. PHI and Our Role as a Business Associate

Participating practices are the covered entities responsible for their patients' PHI; Dental Refer processes PHI only as a Business Associate under HIPAA and only as permitted by the executed BAA and applicable law. We use PHI solely to provide the Service — creating, transmitting, and tracking referrals; exchanging documents; messaging between offices; and related support and troubleshooting under minimum-necessary controls. We do not sell PHI, use PHI for advertising, or disclose PHI except as permitted by the BAA, required by law, or directed by the covered entity.

4. How We Use Information

We use information to: provide, maintain, and secure the Service; authenticate Users and enforce role-based access; process subscriptions and payments; send transactional notifications (referral updates, verification codes, security alerts) by email or SMS according to your notification preferences; monitor for fraud, abuse, and security incidents; comply with legal obligations, including HIPAA audit-control requirements; and improve the Service using de-identified or aggregated data that does not identify any individual or practice.

5. How We Share Information

We share information only with: (a) the practices participating in a referral — the referring and receiving offices see the referral data relevant to them; (b) service providers (subprocessors) that host and operate parts of the Service under contract, including cloud hosting and database providers, file storage, email and SMS delivery providers, fax transmission, payment processing, and error-monitoring services — subprocessors that handle PHI are bound by BAAs or equivalent contractual safeguards; (c) legal and safety recipients, when required by law, subpoena, or to protect the rights, safety, or property of users, patients, or the public; and (d) successors, in connection with a merger, acquisition, or sale of assets, subject to this Policy and applicable BAAs. We do not sell personal information and we do not share it for cross-context behavioral advertising.

6. Security Measures

We maintain administrative, technical, and physical safeguards designed to protect information, including: encryption in transit (TLS 1.2+); encryption at rest for the database and file storage, with field-level envelope encryption (AES-256-GCM) applied to PHI fields; role-based access control with organization-level isolation on every PHI record; an immutable, hash-chained audit log recording PHI reads, writes, and downloads; session controls including httpOnly cookies, idle and absolute timeouts, and optional two-factor authentication; virus scanning of uploaded files; and an incident response runbook with defined triage timelines. No system is perfectly secure; we encourage reporting of suspected vulnerabilities to [email protected].

7. Data Retention

We retain account information for as long as your account is active and as needed afterward to comply with legal obligations, resolve disputes, and enforce agreements. PHI processed under a BAA is retained for the duration of the agreement and then returned or destroyed in accordance with the BAA, except where retention is required by law. Audit-log records are retained for a minimum of six (6) years consistent with HIPAA documentation requirements. Backups roll off on a fixed schedule after deletion from production systems.

8. Your Rights and Choices

Users may access and update account information in Settings and may request deletion of their account by contacting [email protected]; we will honor requests subject to legal retention requirements. Patients: rights to access, amend, or receive an accounting of disclosures of PHI are exercised through the dental practice that holds the treatment relationship (the covered entity); if you contact us directly, we will route your request to the appropriate practice as the BAA requires. Depending on your state of residence, you may have additional rights under state privacy laws — contact [email protected] to exercise them, and we will not discriminate against you for doing so.

9. Cookies and Analytics

The Service uses strictly necessary cookies for authentication (httpOnly session cookie), security (CSRF protection), and preferences. Our public marketing pages may collect standard server-side analytics (page views, referrers, coarse geography derived from IP). We do not use third-party advertising cookies or tracking pixels, and we do not serve targeted advertising. Performance telemetry (such as Web Vitals) is collected without PHI.

10. Email and SMS Communications

Transactional messages (verification codes, referral notifications, security alerts) are part of the Service. SMS notifications are sent only after opt-in and can be stopped by replying STOP. Message and data rates may apply. We do not send marketing SMS. Notification channel preferences can be managed in Settings.

11. Children's Privacy

The Service is a professional tool and is not directed to children. We do not knowingly collect personal information directly from children under 13. PHI about minor patients is entered by dental practices in their role as covered entities and is handled under the applicable BAA.

12. International Users

The Service is operated from the United States and intended for U.S. dental practices. If you access the Service from outside the United States, you understand that your information will be processed and stored in the United States.

13. Changes to This Policy

We may update this Privacy Policy from time to time. Each version is numbered and dated, and the current published version is always available at dentalrefer.com/privacy. For material changes we will provide notice through the Service or by email before the change takes effect.

14. Contact Us

Privacy questions or requests: [email protected]. Security reports: [email protected]. Mailing address: [Company address]. If you believe your privacy rights have been violated, you may also file a complaint with the U.S. Department of Health and Human Services Office for Civil Rights.

See also our Terms of Service and HIPAA posture.