Privacy Policy

1. Introduction

Dentrecall ("we", "our", or "us") is committed to protecting the privacy of dental clinics and their patients. This Privacy Policy describes how we collect, use, disclose, and safeguard information in connection with our AI-powered recall and patient engagement platform ("Service").

This policy complies with the Personal Information Protection and Electronic Documents Act (PIPEDA), Canada's federal privacy legislation, as well as applicable provincial privacy laws and applicable US state privacy regulations.

2. Information We Collect

2.1 Clinic Account Information

• Clinic name, address, phone number, and email address
• Account credentials (email and encrypted password via Supabase Auth)
• Subscription and billing information (processed by Stripe — we do not store full credit card numbers)
• Usage data: messages sent, campaigns created, appointments tracked

2.2 Patient Information (Processed on Behalf of Clinics)

Dentrecall acts as a data processor on behalf of dental clinics (the data controllers). Patient data imported or created in the platform may include:

• Name, date of birth, phone number, and email address
• Appointment history and recall dates
• Treatment plan information
• Opt-out preferences (STOP/unsubscribe records)

2.3 Communications Data

• SMS messages sent and received via the platform
• Email communications sent on behalf of clinics
• Message delivery status and patient responses

3. How We Use Information

• Service Delivery: To provide recall messaging, appointment reminders, and patient engagement features
• Platform Improvement: Aggregated, anonymized usage analytics to improve the Service
• Billing: To process subscription payments via Stripe
• Support: To respond to support requests and troubleshoot issues
• Legal Compliance: To comply with applicable laws and regulations in Canada and the United States

We do not sell patient data or use it for advertising purposes.

4. Consent Framework

Dental clinics using Dentrecall are responsible for obtaining appropriate consent from their patients before sending SMS or email communications through our platform. Dentrecall provides consent tracking tools to help clinics meet their PIPEDA obligations.

Patient opt-outs ("STOP" replies) are processed immediately and no further messages are sent to opted-out patients. Opt-out records are maintained in compliance with Canada's Anti-Spam Legislation (CASL).

5. Data Storage and Security

• Data residency: Data is stored on Supabase infrastructure (PostgreSQL database)
• Encryption: All data is encrypted in transit (TLS 1.2+) and at rest
• Access controls: Strict multi-tenant isolation — each clinic can only access their own data
• Authentication: Supabase Auth with secure session management
• SMS provider: Twilio (SOC 2 Type II certified)
• Email provider: Resend (SOC 2 compliant)

6. Data Sharing and Third Parties

We share data with the following third-party service providers solely to deliver the Service:

• Twilio: SMS message delivery
• Resend: Email delivery
• Stripe: Payment processing
• Supabase: Database and authentication infrastructure
• Vercel: Application hosting

We do not share personal information with any other third parties without explicit consent, except as required by law.

7. Data Retention

We retain clinic and patient data for the duration of the active subscription plus 90 days after account cancellation, to allow for data export. After that period, data is permanently deleted. Clinics can request early deletion by contacting support.

8. Your Rights

Under PIPEDA and applicable provincial laws, you have the right to:

• Access the personal information we hold about you
• Correct inaccurate information
• Withdraw consent and request deletion of your data
• Receive a copy of your data in a portable format
• File a complaint with the Office of the Privacy Commissioner of Canada, or applicable US state privacy authority

9. Contact Us

For privacy questions, data requests, or to exercise your PIPEDA rights, please use our contact form and select "Privacy / Data Request" as the subject: