Health data, treated like health data.
SmileSafe AI takes the protection of your health information seriously. This Notice describes our practices regarding Protected Health Information (PHI) under the U.S. Health Insurance Portability and Accountability Act (HIPAA).
Plain-language summary. Your dental scans and health-related information are sensitive. We treat them with HIPAA-aligned safeguards. Your data is encrypted, access is restricted, and we only share with the dentist you choose. You have rights over your information, and we'll help you exercise them.
1. SmileSafe's role under HIPAA
HIPAA applies to "Covered Entities" (health plans, healthcare clearinghouses, and most healthcare providers) and their "Business Associates" (entities that handle PHI on behalf of Covered Entities).
- When you use the SmileSafe AI scanner directly as a consumer, SmileSafe acts as a technology platform providing screening, similar to a health and wellness app. In this role, SmileSafe is not itself a HIPAA Covered Entity, but we voluntarily apply HIPAA-aligned safeguards to all PHI we handle.
- When SmileSafe processes information on behalf of a partner dentist (a Covered Entity), SmileSafe acts as a Business Associate under HIPAA. We sign Business Associate Agreements (BAAs) with our dentist partners and follow HIPAA's requirements for the protection of PHI.
2. What we consider Protected Health Information
For SmileSafe AI, PHI includes information that can identify you and relates to your health, such as:
- Photos of your teeth and resulting AI scan reports
- Your name, contact information, and date of birth (when collected)
- Records of appointments you book through SmileSafe
- Notes you share with your dentist through our platform
- Any other health-related information you provide
3. How we protect your PHI
Administrative safeguards
- Designated privacy and security personnel
- Workforce training on privacy and security practices
- Strict access controls — staff only access PHI when necessary for their role
- Business Associate Agreements with all service providers who may handle PHI
- Documented privacy and security policies, regularly reviewed
Physical safeguards
- PHI is stored on secure cloud infrastructure (Google Cloud / Vercel) with industry-standard physical security
- No PHI is stored on local devices, except temporarily during scanning
- Kiosk hardware in public locations does not retain images after the scan is complete
Technical safeguards
- Encryption in transit — all data is transmitted over TLS/HTTPS
- Encryption at rest — all PHI is encrypted in our databases
- Authentication — multi-factor authentication for staff and dentists
- Audit logging — access to PHI is logged and regularly reviewed
- Automatic logout for inactive sessions
- Regular security testing and vulnerability assessments
4. How we use and disclose your PHI
We use and disclose your PHI for the following purposes:
- Treatment — to share your scan and contact info with the dentist you book with
- Healthcare operations — to provide and improve the SmileSafe service
- As required by law — for example, to respond to a court order or public health authority
- With your authorization — for any other purpose, with your written consent (which you can revoke at any time)
We do not:
- Sell your PHI to anyone
- Use PHI for marketing purposes without your written authorization
- Share PHI with employers or insurers without your consent
5. Your rights regarding your PHI
You have the following rights:
Right to access and copy
You may request a copy of the PHI we hold about you. We'll provide it within 30 days, in the format you request when feasible (PDF, JSON, etc.).
Right to amend
If you believe information we have is incorrect or incomplete, you may request an amendment. We'll respond within 60 days.
Right to an accounting of disclosures
You may request a list of the disclosures of your PHI that we have made in the past six years (other than for treatment, payment, or healthcare operations).
Right to request restrictions
You may request restrictions on how we use or disclose your PHI. We'll consider all requests but are not always required to agree.
Right to confidential communications
You may request that we communicate with you in a particular way (e.g. only by email, only at a certain phone number).
Right to a paper copy of this notice
You may request a paper copy of this Notice at any time, even if you receive it electronically.
Right to file a complaint
If you believe your privacy rights have been violated, you may:
- Contact us at viktoriia.f@smilesafeai.com
- File a complaint with the U.S. Department of Health and Human Services Office for Civil Rights at www.hhs.gov/ocr
We will not retaliate against you for filing a complaint.
6. Breach notification
In the unlikely event of a breach of unsecured PHI, we will notify you in accordance with the HIPAA Breach Notification Rule. This includes:
- Direct notification to affected individuals within 60 days of discovering the breach
- Notification to the U.S. Department of Health and Human Services
- If the breach affects more than 500 people in a state or jurisdiction, notification to prominent media outlets
7. Minimum necessary standard
We follow the HIPAA "minimum necessary" rule: when using or disclosing PHI for purposes other than treatment, we limit access to the minimum amount of information needed to accomplish the purpose.
8. Your authorization
For any use or disclosure of your PHI not described in this Notice, we will obtain your written authorization. You may revoke an authorization at any time, in writing. Revocation does not affect actions we already took based on the authorization.
9. Notice of privacy practices for partner dentists
Each dentist in the SmileSafe network is independently responsible for their own HIPAA compliance and provides their own Notice of Privacy Practices to their patients. When you book a dentist through SmileSafe, that dentist's notice will govern how they use your PHI as part of treatment.
10. Changes to this Notice
We reserve the right to change this Notice. Any changes will apply to PHI we already have, as well as PHI we receive in the future. We will post the revised Notice on this page and update the "Last updated" date.
11. Contact information
If you have questions about this Notice, would like to exercise your rights, or need to report a privacy concern, please contact:
SmileSafe AI Privacy Officer
Email: viktoriia.f@smilesafeai.com
Questions about this policy?
If you have any questions or concerns, contact us at viktoriia.f@smilesafeai.com. We typically respond within 2 business days.
