Effective Date: December 20, 2025
1. Introduction:
SmileForge Inc. ("we," "our," or "us") is committed to protecting the privacy and security of our users and their patients. This Privacy Policy explains how we collect, use, disclosure, and safeguard your information when you use the SmileForge platform (the "Service").
We operate as a Business Associate (as defined under HIPAA) to our clients (Covered Entities).
2. Information We Collect:
2.1 Clinician & Account Information
When you register for an account, we collect:
Identity Data: Name, email address, professional license number (if applicable).
Practice Data: Clinic name, physical address, logo, and billing information (processed securely via our payment provider, Polar.sh/Stripe).
Device Data: To enforce our security limits, we collect device identifiers, IP addresses, and browser fingerprints.
2.2 Patient Data (Protected Health Information - PHI)
To provide our core services, you upload patient data including:
Images: Intraoral and facial photographs.
Clinical Specs: Tooth shade, stump shade, material preferences, and morphology notes.
Identifiers: Patient initials, Chart IDs, or Names (as entered by you).
Important: We strongly recommend using Internal Chart IDs (e.g., "PT-4921") rather than full names to maximize anonymity. We do not collect Patient Social Security Numbers, Insurance IDs, or home addresses.
3. How We Use Your Information:
We use the collected data for specific, limited purposes:
Service Delivery: To generate AI simulations and PDF prescriptions.
Security Enforcement: To prevent account sharing via our "Peer-to-Peer" verification system and device fingerprinting.
Communication: To send transactional emails (security codes, invoices) and optional marketing updates (which you can opt-out of).
AI Inference: Patient photos are processed by our AI models solely to generate the requested output.
AI Training Policy (The "Zero-Training" Guarantee)
We understand the sensitivity of clinical data.
Your Data is NOT the Product: Patient images sent to SmileForge are NOT used to train our public foundation models.
Ephemeral Processing: Inference is performed in a stateless container. Once the simulation is generated and saved to your secure bucket, the raw processing data is discarded from the AI engine.
4. Data Sharing & Disclosure:
We do not sell, rent, or trade user data. We only share data in the following strict scenarios:
Dental Laboratories: When you click "Export PDF" or "Send to Lab," the specific clinical data for that case is shared with the laboratory you selected.
Service Providers (Sub-processors): We use trusted third-party vendors to host our infrastructure. All vendors are vetted for SOC 2 and HIPAA compliance.
Hosting & AI: Google Cloud Platform (GCP).
Database: Supabase Enterprise.
Email/SMS: Resend / Twilio.
Legal Requirements: If required by law, court order, or government regulation.
5. Data Retention & Deletion:
Active Accounts: We retain case files (Images/PDFs) for the duration of your active subscription to allow for clinical record keeping and patient follow-up.
Deletion Requests: You may delete individual cases instantly via your Dashboard. These deletions are permanent and cannot be undone.
Account Termination: Upon closing your account, all PHI associated with your workspace will be permanently deleted from our servers within 30 days, in accordance with our data destruction policy.
6. Your Rights & Choices:
Access: You have the right to request a copy of the data we hold about you.
Correction: You may update your practice details via the Settings page (subject to our 24-hour security verification delay).
Cookies: We use essential cookies for authentication and security (Session Tokens). We may use analytical cookies to understand app usage, which you can disable in your browser.
7. Security Measures:
We implement industry-leading security measures to protect your data, including:
AES-256 Encryption at rest and TLS 1.3 in transit.
Row-Level Security (RLS) databases.
2-Factor Authentication enforcement via P2P verification.