Privacy Policy

Last updated: March 2026

DentSecond ("we," "our," or "us") operates a technology platform that facilitates dental second opinions from independently licensed dental professionals. The Service is currently available only in the State of California. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our mobile application and related services (the "Service").

The dental and health information you submit through our Service is treated as Protected Health Information (PHI). We maintain administrative, technical, and physical safeguards consistent with the standards set forth by the Health Insurance Portability and Accountability Act (HIPAA) and applicable state health information privacy laws. If you have questions about your rights or our data practices, contact our Privacy Officer at privacy@dentsecond.com.

1. Information We Collect

Account Information: When you create an account, we collect your name and email address. If you sign in with Google, we receive your name and email from your Google account.

Protected Health Information (PHI): When you submit a second opinion request, we collect health-related information you provide, including:

Photos and X-rays of your dental condition
Descriptions of your dental concern, symptoms, and pain levels
Medical history, including medications and pre-existing conditions
Basic demographic information (age range, gender)

This information is treated as Protected Health Information and is subject to the safeguards described in this policy. By submitting a second opinion request, you consent to the collection and use of this information as described herein.

Payment Information: Payment is processed by Stripe, Inc. We do not collect, store, or have access to your credit card number, CVV, or full card details. We receive a transaction identifier from Stripe for record-keeping purposes. Stripe does not receive your health information.

Device and Usage Information: We may collect information about the device you use to access the Service, including device type, operating system, and app version. This information is not linked to your health information.

2. How We Use Your Information

We use the information we collect to:

Provide the dental second opinion service, including sharing your dental information with the reviewing dentist
Process your payments
Communicate with you about your requests, including notifications about request status changes
Respond to your inquiries and provide customer support
Maintain and protect the Service
Comply with legal obligations

We use your Protected Health Information only for the purpose of providing and supporting the dental second opinion service. We do not use your PHI for marketing, advertising, analytics, research, or any unrelated purpose. If we wish to use de-identified health data for service improvement or research purposes, such de-identification will be performed in accordance with HIPAA Safe Harbor standards, ensuring that no individually identifiable health information is used.

3. How We Share Your Information

With Reviewing Dentists: Your dental information, photos, X-rays, and medical history are shared with the licensed dentist assigned to review your case. This is necessary to provide the Service. All dentists on our platform are US-licensed professionals who have been personally vetted through an in-person verification process. Each dentist is subject to confidentiality obligations and data protection requirements as a condition of using the platform.

With Service Providers: We share information with third-party service providers who assist us in operating the Service:

Amazon Web Services (AWS) — cloud infrastructure and data storage, operating under a signed Business Associate Agreement (BAA)
Stripe, Inc. — payment processing only (Stripe does not receive or process your health information)

We do NOT:

Sell, rent, or trade your personal information or health data to any third party
Share your information for marketing or advertising purposes
Use your dental photos or health information for any purpose other than providing the Service
Share your PHI with any party not directly involved in providing your second opinion

Legal Requirements: We may disclose your information if required to do so by law, court order, or governmental regulation, or if we believe in good faith that such disclosure is necessary to comply with legal process, protect our rights, or ensure the safety of users.

4. Data Security

We implement technical, administrative, and physical safeguards consistent with HIPAA Security Rule standards to protect your information:

Technical safeguards:

Encryption of all data in transit using TLS/SSL
Encryption of all data at rest using AWS server-side encryption
Secure authentication using Amazon Cognito
Multi-factor authentication (MFA) required for all dentist accounts
Server-side login rate limiting and account lockout protection

Administrative safeguards:

Designated Privacy Officer responsible for privacy and security oversight
Role-based access controls — patients can only access their own data, dentists can only access cases assigned to them
Separate authentication systems for patients and dentists
In-person identity and credential verification for all dentists
Ongoing monitoring of dentist license status
Confidentiality and data protection obligations for all dentists on the platform

Audit controls:

All data access logged through AWS CloudTrail
S3 data event logging on all patient health information storage
Logs retained for audit and compliance purposes

Our infrastructure operates on HIPAA-eligible AWS services under a signed Business Associate Agreement (BAA) with Amazon Web Services.

While we implement these safeguards to protect your information, no method of electronic transmission or storage is 100% secure. We continuously review and improve our security practices.

5. Data Retention and Disposal

We retain your information as follows:

Account information: Retained for as long as your account is active or as needed to provide the Service
Completed request data and PHI: Retained in accordance with applicable state healthcare record retention requirements in your state of residence. Where no specific state requirement applies, we retain records for a reasonable period consistent with industry standards for dental records
Cancelled requests: Retained for 1 year, then securely deleted
Audit logs: Retained for 1 year for security and compliance purposes
Payment records: Retained as required by applicable tax and financial regulations

When data is no longer required to be retained, it is securely deleted from our active systems. We take commercially reasonable steps to ensure that deleted data cannot be recovered.

If you wish to request deletion of your data, please contact us at privacy@dentsecond.com. We will process your request in accordance with applicable law. We may be unable to delete data that we are required to retain by law or regulation.

6. Your Rights

You have the following rights regarding your information:

Access: You may request a copy of the personal and health information we hold about you
Correction: You may request correction of inaccurate information in your records
Deletion: You may request deletion of your data, subject to legal retention requirements
Portability: You may request a copy of your data in a commonly used electronic format
Accounting of disclosures: You may request a record of who your health information has been shared with and when
Restrict sharing: You may request restrictions on how your health information is used or shared, though we may not be able to accommodate all restriction requests if they would prevent us from providing the Service

To exercise any of these rights, contact our Privacy Officer at privacy@dentsecond.com. We will respond to your request within 30 days, or within the timeframe required by applicable law if shorter.

7. California Privacy Rights

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), including:

The right to know what personal information we collect, use, and disclose
The right to request deletion of your personal information
The right to opt out of the sale of your personal information — we do not sell personal information
The right to non-discrimination for exercising your privacy rights

Note that health information collected in connection with providing the Service may be exempt from certain CCPA/CPRA requirements to the extent it is subject to HIPAA protections.

8. Breach Notification

In the event of a breach of unsecured Protected Health Information, we will:

Notify affected individuals without unreasonable delay, and no later than 60 days after discovery of the breach, or sooner if required by applicable state law
Provide notification by first-class mail to the last known address of affected individuals, or by email if the individual has agreed to electronic notice
Provide a description of the breach, the types of information involved, steps we are taking in response, and steps you can take to protect yourself
Notify the U.S. Department of Health and Human Services as required by federal law
Notify applicable state regulatory authorities as required by state law
If contact information is insufficient to reach affected individuals, provide substitute notice through a conspicuous posting on our website or through other appropriate means

9. Use by Minors

The Service is intended for use by adults (age 18 and older). A parent or legal guardian may use the Service to submit a second opinion request on behalf of a minor child. In such cases, the parent or guardian is responsible for the submission and is considered the user for purposes of this policy. We do not knowingly allow minors to create accounts or submit requests directly.

10. Third-Party Links

The Service may contain links to third-party websites or services. We are not responsible for the privacy practices of these third parties. We encourage you to review the privacy policies of any third-party sites you visit.

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy within the Service or by email. Your continued use of the Service after changes are posted constitutes your acceptance of the updated Privacy Policy.

12. Contact Us

If you have questions or concerns about this Privacy Policy, our data practices, or wish to exercise your rights, please contact our designated Privacy Officer:

DentSecond
Privacy Officer
Email: privacy@dentsecond.com