SmileConsult
Back to SmileConsult

Privacy Policy

Privacy Policy

Version 1.0 | Effective May 25, 2026

This Privacy Policy describes how SmileConsult LLC ("SmileConsult", "we", "us", "our"), a Texas limited liability company with a notice address of 292 Sandy Creek Trail, Weatherford, TX 76085, collects, uses, stores, shares, and protects information when (a) dental practices and their staff use the SmileConsult platform (the "Service") and (b) patients of those practices submit consultations and receive responses through the Service.

Protected Health Information ("PHI") that SmileConsult creates, receives, maintains, or transmits on behalf of a dental practice is governed primarily by the Business Associate Agreement ("BAA") signed between SmileConsult and that practice and by the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"). This Privacy Policy supplements the BAA and addresses (i) non-PHI personal information of dentists, practice staff, and visitors, and (ii) PHI handling at the level of summary appropriate for a customer-facing privacy notice. The BAA controls if any provision of this Policy conflicts with it as to PHI.

1. Who This Policy Covers

This Policy applies to:

  • Dental practices and their staff ("Dentists", "you") who sign up for and use the SmileConsult Service.
  • Patients of those practices who submit a consultation through a practice's SmileConsult subdomain. Patients should also review the privacy notice provided by their own dental practice; the practice, not SmileConsult, is the Covered Entity that ultimately governs the use and disclosure of their PHI.
  • Visitors to the SmileConsult marketing website at smileconsult.io.

2. Information We Collect

2.1 From Dental Practices at Signup

Practice name; business mailing address; practice phone; practice email; the signing dentist's full name and professional title (e.g., "DDS", "DMD", "Owner"); the dentist's account email and a password (stored as a salted hash, never in plaintext); the chosen subdomain (e.g., yourpractice.smileconsult.io); the chosen patient-portal color scheme; payment-method information collected and tokenized by Stripe, Inc. (we receive only a Stripe customer identifier and the last four digits of the card on file); and the typed signature, IP address, and timestamp captured at the moment of agreement acceptance.

2.2 From Patients Submitting a Consultation

Patient name; email address; password (salted hash); date of birth where the dentist's intake configuration requires it; one or more photographs of the patient's mouth, teeth, or face; written narrative describing the dental concern and treatment preferences; optional contact preference information (preferred call time, preferred contact channel).

2.3 From the Dentist Response Workflow

Video recordings produced by the dentist for the patient, including any screen, webcam, or picture-in-picture composition; audio recordings used as input to AI-assisted transcription; transcripts produced by OpenAI Whisper from those audio recordings; draft and approved consultation summaries produced by OpenAI GPT-class models from those transcripts and the consultation context; smile-design simulation images the dentist generates from patient photos.

2.4 Automatically Collected

IP address and approximate geolocation derived from it; browser type, version, and user-agent string; device type; pages or screens viewed; timestamps of user actions; audit-log entries for security-relevant events (logins, password changes, multi-factor enrollment, agreement acceptance, consent withdrawal, role changes, PHI exports). We use first-party cookies and localStorage for session management and to remember UI preferences; we do not use third-party advertising cookies or cross-site trackers.

2.5 From Public Sources

When you sign up, we may use the Google Places API to autocomplete and validate your practice address. That look-up sends your typed search string to Google but does not associate the search with your SmileConsult account.

3. How We Use Information

We use the information described above to:

a. Operate the Service, including hosting your practice subdomain, accepting patient submissions, recording and storing dentist responses, generating AI-assisted transcripts and summaries (only when the dentist invokes those features), and rendering smile-design simulations;

b. Authenticate users, protect accounts, enforce multi-factor authentication, detect and respond to security incidents, and prevent fraud and abuse;

c. Bill subscriptions through Stripe, process refunds where applicable, and respond to billing disputes;

d. Send transactional emails through Amazon Web Services Simple Email Service ("AWS SES") — account verification, password reset, one-time passcode delivery, consultation status notifications to dentists, billing receipts, agreement-update notices;

e. Provide customer support when you contact info@smileconsult.io;

f. Comply with our legal obligations, respond to lawful requests from public authorities, and enforce our Terms of Service and BAA.

We do not sell personal information, share it for cross-context behavioral advertising, or use it for any purpose materially different from the purposes described in this Policy without your consent.

4. AI Subprocessors and Training-Use Prohibition

SmileConsult uses OpenAI, L.L.C. for two AI features: (i) speech-to-text transcription via the Whisper model and (ii) summary-generation via GPT-class models. OpenAI processes that data under a signed Business Associate Agreement with SmileConsult.

By contractual commitment from OpenAI: data submitted via the OpenAI API under the BAA is not used to train, fine-tune, or improve OpenAI models, is retained only for the period required to operate the service (typically less than 30 days, longer if required for legal hold), and is segregated from data submitted under OpenAI's consumer products.

SmileConsult considered using Anthropic's Claude models for AI features and decided against it because we could not reach a Business Associate Agreement with Anthropic that we considered adequate for our HIPAA posture. SmileConsult does not transmit PHI to Anthropic, Google Gemini, Meta Llama services, or any other generative AI provider that does not have a signed BAA with us.

5. Storage and Security

a. Hosting. Patient photos, video, and audio are stored in Amazon Web Services S3 buckets in the U.S. East (Virginia) region, with server-side encryption at rest using AES-256 and access controlled by IAM least-privilege roles. AWS provides this storage under our signed BAA.

b. Database. Application data (accounts, consultation records, audit logs, agreement-acceptance records) is stored in Amazon Web Services RDS PostgreSQL, encrypted at rest with AWS-managed KMS keys.

c. Transport. All traffic between user browsers and our servers, and between our servers and our subprocessors, is encrypted in transit via TLS 1.2 or higher.

d. Authentication. User passwords are stored as PBKDF2 / SHA-256 salted hashes. We require multi-factor authentication on all dentist accounts.

e. Access controls. Workforce members access PHI only on a documented need-to-know basis through individually identified accounts; production access is logged and reviewed quarterly.

f. Audit logging. Security-relevant events are logged to an append-only audit trail retained for the lifetime of the account plus the retention windows described in Section 7.

g. Workforce training. SmileConsult workforce members complete HIPAA and Texas HB 300 training at hire and annually thereafter.

h. Incident response. SmileConsult maintains a documented incident-response plan that defines roles, escalation paths, notification timelines, evidence preservation, and post-incident review.

i. Penetration testing and reviews. SmileConsult conducts at least an annual third-party security review.

No system can be guaranteed 100% secure; if a breach occurs, our notification obligations are described in Section 9 and the BAA.

6. Third-Party Subprocessors

We use the following subprocessors. A BAA is in place with every subprocessor that processes PHI.

| Subprocessor | Purpose | PHI access | BAA | |---|---|---|---| | Amazon Web Services, Inc. | Cloud infrastructure (S3, RDS, SES, ECS, ALB, IAM, Secrets Manager) | Yes | Signed | | OpenAI, L.L.C. | Whisper transcription and GPT summary generation | Yes | Signed | | Stripe, Inc. | Subscription billing and payment-card processing | No (Stripe sees only billing identifiers and card data, not PHI) | Not applicable | | Cloudflare, Inc. | DNS, TLS termination at edge, automated subdomain provisioning for tenant subdomains via Cloudflare for SaaS | Limited (Cloudflare sees request metadata and TLS-terminated payloads in transit) | Signed | | Google LLC (Places API) | Address autocomplete during practice signup only | No | Not applicable |

We will give Practices at least thirty (30) days' notice before adding a new subprocessor that will have access to PHI, including reasonable detail about the subprocessor's role and safeguards.

7. Data Retention and Deletion

a. Patient records. Retained for seven (7) years from the date of the patient's most recent activity on the record, after which the record is permanently deleted. Records for patients who were minors at the time of consultation are retained until the patient's twenty-first (21st) birthday or seven (7) years from the most recent activity, whichever is later.

b. Account records. Retained for the life of the subscription plus seven (7) years after cancellation, then permanently deleted.

c. Audit logs. Retained for seven (7) years after the logged event.

d. HIPAA documentation (policies, training records, risk assessments). Retained for six (6) years from the date of creation or last effective date, whichever is later, in accordance with 45 C.F.R. § 164.530(j).

e. Backups. Encrypted backups roll forward on a thirty-five (35) day cycle. Data deleted from the live system is purged from backups no later than thirty-five (35) days after deletion.

f. De-identified data. De-identified aggregate data created in accordance with 45 C.F.R. § 164.514(b) is not subject to these retention limits.

8. Your Rights

8.1 Patients

Patients should direct most data-access, correction, and deletion requests to the dental practice that treated them, because that practice (not SmileConsult) is the HIPAA Covered Entity. SmileConsult will respond to requests forwarded by the practice within the timelines required by 45 C.F.R. § 164.524 (access) and § 164.526 (amendment) — generally within thirty (30) days of receipt, extendable once by thirty (30) days on written notice.

Patients who reside in states with consumer-privacy statutes (including, as of the effective date, California, Colorado, Connecticut, Florida, Indiana, Iowa, Montana, Oregon, Tennessee, Texas, Utah, and Virginia) may have additional rights with respect to non-PHI personal information about them that SmileConsult holds. Note, however, that PHI processed under HIPAA is generally exempt from most state consumer-privacy statutes (HIPAA preemption). For PHI requests, see the BAA-based process above.

8.2 Dentists

Dentists may, at any time, (a) export all Practice records from the dashboard, (b) update their account information directly in account settings, (c) close their account by emailing info@smileconsult.io, and (d) request correction of inaccurate information about themselves or their practice.

8.3 Texas Residents (HB 300)

If you are a Texas resident, the Texas Medical Records Privacy Act (Tex. Health & Safety Code Ch. 181, "HB 300") may give you additional access and disclosure-accounting rights with respect to your PHI. SmileConsult honors valid HB 300 requests on the same procedural basis as HIPAA access requests.

8.4 Exercising Rights

To exercise any right under this Section 8, contact info@smileconsult.io or write to: SmileConsult LLC, Attn: Privacy Officer, 292 Sandy Creek Trail, Weatherford, TX 76085. We will verify your identity before responding, typically by confirming control of the account email or, for patients, by routing the request through your dental practice. We will not discriminate against you for exercising a privacy right.

9. Breach Notification

If SmileConsult discovers a Breach of Unsecured PHI (as those terms are defined in 45 C.F.R. § 164.402), we will notify the affected dental practice (the Covered Entity) without unreasonable delay and in no event later than ten (10) business days after discovery, with the content required by 45 C.F.R. § 164.410. The practice, as Covered Entity, is then responsible for individual patient notification under 45 C.F.R. § 164.404 and HHS / media notification under § 164.406 / § 164.408, with SmileConsult's cooperation. SmileConsult will also comply with applicable state breach-notification statutes, including the Texas Identity Theft Enforcement and Protection Act (Tex. Bus. & Com. Code Ch. 521) where applicable.

10. Children's Privacy

The SmileConsult marketing site is not directed at children under thirteen (13), and we do not knowingly collect personal information from children under thirteen through that site. When a dental practice records a consultation for a patient who is a minor, the practice is responsible for obtaining any parental consent required by the practice's state laws, by COPPA where applicable, and by the practice's own informed-consent procedures.

11. International Users

The Service is intended for users in the United States. SmileConsult does not currently market to or knowingly sign up dental practices located outside the U.S. If you access the Service from outside the U.S., your information will be transferred to and processed in the U.S., where data-protection laws may differ from those in your country.

12. Marketing Communications

We send transactional emails (account, billing, security, agreement updates) under the contractual relationship; you cannot opt out of these while you have an active account. You may opt out of optional product-announcement and educational emails by clicking the unsubscribe link in any such email or by emailing info@smileconsult.io. We do not send marketing communications to patients.

13. Changes to This Policy

We may update this Policy from time to time. Material changes will be communicated by email and an in-app notice at least thirty (30) days before they take effect and will require renewed click-through acceptance at next login. Non-material changes (typos, contact updates) take effect when posted. Each version is archived; you can request a copy of any prior version by emailing info@smileconsult.io.

14. Privacy Officer and Contact

SmileConsult's Privacy Officer is Michael Schaake (also serving as Founder, Owner, and HIPAA Security Officer). All privacy questions, access requests, deletion requests, and other inquiries under this Policy may be directed to:

  • Email: info@smileconsult.io
  • Mail: SmileConsult LLC, Attn: Privacy Officer (Michael Schaake), 292 Sandy Creek Trail, Weatherford, TX 76085
Questions? support@smileconsult.io