HIPAA Compliant

Smile is designed for dental practices that handle Protected Health Information (PHI). We sign Business Associate Agreements (BAA) with every practice on a paid plan. Need a BAA? Email vervecoreos@polsia.app.

1 What Data Smile Collects

Smile collects only the data necessary to operate your AI front desk. This includes:

We do not collect Social Security numbers, full date of birth, or payment card information through the widget. Billing is handled separately and never stored alongside clinical data.

2 How Data Is Stored

Your data never touches an insecure system.

Database: PostgreSQL hosted on Neon (SOC 2 Type II certified). Isolated per-practice schema.
Encryption at rest: AES-256 encryption for all stored data. Sensitive fields (insurance IDs, phone numbers) are additionally encrypted at the application layer.
Encryption in transit: TLS 1.2+ on all connections. No unencrypted data transfer.
Access control: Principle of least privilege. Only the Smile system and authorized practice staff access your data.
AI processing: Conversations are processed by Anthropic's Claude API under a data processing agreement. Anthropic does not train on your data.
Backups: Automated daily backups with 30-day retention. Point-in-time recovery available.

3 HIPAA Compliance

Smile is built specifically for dental practices that handle Protected Health Information (PHI) under HIPAA.

Business Associate Agreement (BAA): Every practice on a paid Smile plan receives a BAA on request. The BAA documents our obligations as a Business Associate handling PHI on your behalf. Email us at vervecoreos@polsia.app to request yours.

Minimum necessary standard: Smile only accesses PHI required to complete the specific task the patient is requesting — booking, insurance verification, or intake.

Audit logging: All access to PHI is logged with timestamps and user identifiers for compliance audits.

Breach notification: In the event of a data breach affecting PHI, we will notify affected practices within 60 days as required by the HIPAA Breach Notification Rule.

4 Data Retention

How long we keep data depends on what you've configured for your practice.

Conversation transcripts: Retained for 12 months by default. Configurable per practice (minimum 30 days for HIPAA audit purposes).
Appointment data: Retained for 7 years by default to meet standard dental records retention requirements.
Usage analytics: Aggregated, anonymized analytics retained indefinitely. No patient identifiers in analytics data.
After account cancellation: Practice data is retained for 90 days post-cancellation, then permanently deleted. You can request immediate deletion.

You can request a custom retention schedule that matches your provincial or state record-keeping obligations.

5 Patient Rights & Deletion Requests

We support patient rights under PIPEDA (Canada) and applicable US state privacy laws.

Right to Access: Patients can request a copy of all data Smile holds about them.

Right to Correct: Incorrect information can be updated by the practice or by contacting us.

Right to Delete: Patients can request deletion of their data, subject to any legal retention requirements.

Right to Portability: Export all your practice's data in CSV or JSON format at any time.

How deletion works technically: Patient records are anonymized (PII fields are overwritten with randomized values) rather than hard-deleted, which preserves analytics integrity and audit logs while making the record untraceable to the individual. Full hard deletion is available upon written request for HIPAA-related removal requirements.
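The anonymizing deletion described above, as an added illustration rather than Smile's own code: PII fields are overwritten with fresh values from the OS CSPRNG so the old values cannot be recovered, non-PII fields stay intact for analytics, an audit entry records what was scrubbed, and a check confirms no original PII value survives. The field names, the sample record and the `residual_pii` check are assumptions made for the example.

```python
"""Hypothetical anonymizing-deletion routine (example code, not Smile's)."""
import secrets
from datetime import datetime, timezone

# Assumed set of PII columns; the real schema is not described on the page.
PII_FIELDS = ("name", "email", "phone", "insurance_id")

# Constructed sample record, not real patient data.
SAMPLE_RECORD = {
    "patient_id": 4711,              # internal surrogate key, kept for joins
    "name": "Alex Example",
    "email": "alex@example.invalid",
    "phone": "+1-403-555-0100",
    "insurance_id": "INS-0000001",
    "next_appointment": "2025-03-04T09:30",
    "no_show_count": 1,
}


def anonymize_record(record, pii_fields=PII_FIELDS, actor="privacy-officer"):
    """Return (anonymized_copy, audit_entry).

    Each PII field is replaced by a random token from secrets (CSPRNG), so the
    new value carries no information about the old one and is not reversible.
    Non-PII fields (appointment data, counters) are kept so analytics and audit
    trails still add up. The original dict is not mutated.
    """
    scrubbed = dict(record)
    for field in pii_fields:
        if field in scrubbed:
            scrubbed[field] = "anon_" + secrets.token_hex(8)
    audit_entry = {
        "event": "patient_anonymized",
        "patient_id": record.get("patient_id"),
        "fields": [f for f in pii_fields if f in record],
        "actor": actor,
        "timestamp": datetime.now(timezone.utc).isoformat(),
    }
    return scrubbed, audit_entry


def residual_pii(original, scrubbed, pii_fields=PII_FIELDS):
    """Post-scrub check: return any original PII value still present in the
    scrubbed record, as a whole value or a substring. Empty list means clean."""
    old_values = [str(original[f]) for f in pii_fields if f in original]
    leaked = []
    for value in scrubbed.values():
        for old in old_values:
            if old and old in str(value):
                leaked.append(old)
    return leaked
```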

6 Contact & Privacy Questions

Questions about how we handle your data? We respond within 2 business days.

Privacy Officer — Smile by VerveLabs

Calgary, AB · For BAA requests, deletion requests, and privacy audits

Email: vervecoreos@polsia.app