Privacy Policy
Introduction
Esthetix is a product of DentRoots, Inc., a Delaware corporation ("DentRoots," "we," "us," or "our"). DentRoots is committed to protecting the privacy and security of your Protected Health Information (PHI) and personal data. This Privacy Policy describes how we collect, use, disclose, and safeguard your information when you visit the Esthetix website or use the Esthetix dental photo management platform (the "Service").
As a Business Associate under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), we are required to maintain the privacy and security of your PHI in accordance with federal and state regulations. This Privacy Policy incorporates our obligations under HIPAA and describes your rights regarding your information.
By using the Esthetix Service, you acknowledge that you have read and understood this Privacy Policy.
1. Information We Collect
1.1 Protected Health Information (PHI)
We collect and process the following types of PHI when you use our Service:
Patient Information
- Patient Names: Full names of dental patients for case identification
- Patient Demographics: Age, gender, and other demographic information you choose to include
- Dental Images: Before-and-after photos, X-rays, and other clinical images
- Case Descriptions: Clinical notes, treatment procedures, and case details
- EXIF Metadata: Date, time, and device information automatically extracted from uploaded images
Provider Information
- Dentist/Practice Information: Your name, practice name, email address, and professional credentials
- Account Information: User ID, authentication credentials, and account preferences
- Compliance Information: Information relevant to lawful data handling and applicable regulatory obligations
1.2 Automatically Collected Information
When you access our Service, we automatically collect:
Session and Authentication Data
- Session Cookies: Authentication tokens to maintain your logged-in state
- Activity Cookies: Tracking of user activity for automatic logout after inactivity
- IP Address: For security monitoring and rate limiting
- User Agent: Browser and device information for compatibility
- Timestamp Data: Login times, PHI access times, and modification timestamps
1.3 Payment Information
- Subscription Data: Collected and processed by our payment processor
- Billing Information: Managed by our payment processor; we only store:
  - Payment processor customer ID
  - Subscription status (active/inactive)
  - Current billing period end date
We do NOT collect, store, or have access to your credit card numbers or full payment details.
1.4 Cookies and Tracking Technologies
We use essential cookies and similar technologies that are necessary to operate the website and the Service. These technologies may be used to:
- Authenticate users and maintain secure sessions
- Protect the Service, detect misuse, and support security controls
- Remember user interface and workflow preferences
We do NOT use advertising or marketing tracking cookies.
2. How We Use Your Information
2.1 To Provide the Service
We use your information to:
- Authenticate users and maintain secure sessions
- Store, retrieve, organize, and present dental photo information
- Provide workflow features needed to upload, manage, and access case files
- Provide search, photo management, and workflow functionality
- Support account administration, billing, and customer support
- Operate, maintain, and improve the website and the Service
2.2 To Ensure HIPAA Compliance
We use PHI to:
- Implement access controls and verify authorized access to PHI
- Maintain audit logs and other security records
- Protect the confidentiality, integrity, and availability of data
- Meet contractual, regulatory, and legal obligations applicable to the Service
2.3 To Maintain Security
We use information to:
- Detect and prevent unauthorized access
- Implement rate limiting to prevent brute force attacks
- Monitor for security anomalies and breaches
- Conduct security audits and compliance reviews
3. How We Share Your Information
3.1 Service Providers and Contractors
We may share information with service providers and contractors that help us operate, secure, support, and improve the website and the Service. These may include providers that assist with hosting, authentication, payment processing, communications, customer support, and legal or regulatory compliance.
- We require service providers to use appropriate safeguards for the information they handle and to process it only for permitted purposes.
- Where required, we use contractual protections such as Business Associate Agreements or other data-protection terms.
- Payment processors receive the billing and account information needed to process subscriptions, but we do not store full payment card numbers.
- We may also disclose information when required by law, legal process, or to protect rights, safety, security, or the integrity of the Service.
3.2 Prohibited Disclosures
We do NOT:
- Sell PHI or personal information to third parties
- Use PHI for advertising purposes
- Share PHI with service providers without appropriate contractual safeguards
4. Data Security Measures
We implement administrative, technical, and organizational safeguards designed to protect PHI and other personal data in accordance with applicable law and our contractual obligations. No method of transmission or storage is completely secure, but we use safeguards designed to reduce risk and protect the confidentiality, integrity, and availability of data.
4.1 Technical Safeguards
- User authentication and access control measures
- Encryption in transit and at rest
- Session security and automatic timeout controls
- Logging, monitoring, and security review processes
- Backup and recovery measures designed to support service continuity
4.2 Administrative and Operational Safeguards
- Role-based permissions and limited access practices
- Vendor review and contractual safeguards where appropriate
- Policies and procedures for retention, deletion, and incident response
- Operational processes designed to support lawful handling of regulated data
5. Data Retention and Deletion
5.1 PHI Retention
- Active Cases: Retained as long as your account is active
- Deleted Cases: Removed from active systems within 30 days, subject to backup cycles, legal obligations, and security retention requirements
- Audit Logs: Retained for 7 years (HIPAA requirement: 6 years minimum)
5.2 Account Deletion
When you delete your account:
- All PHI (cases, images, patient data) is removed from active systems within 30 days, subject to backup cycles and legal retention requirements
- Your user profile is anonymized and marked as deleted
- Audit logs are retained for 7 years (regulatory requirement)
- Billing and account records may be retained as required for legal, tax, accounting, fraud prevention, or dispute resolution purposes
6. Your Privacy Rights (HIPAA Rights)
Under HIPAA, you have the following rights regarding your PHI:
6.1 Right to Access
You have the right to access and download all your PHI stored in the Service. Contact us at privacy@esthetix.app to request a copy. Response time: Within 30 days of request.
6.2 Right to Amend
You have the right to request corrections to inaccurate or incomplete PHI. Edit cases directly within the application or contact us for assistance.
6.3 Right to Notification of Breach
You have the right to be notified within 60 days of the discovery of a breach affecting your unsecured PHI.
7. Children's Privacy
The website and the Service are intended for use by authorized dental professionals and practice staff, not by children. We do not knowingly collect personal information directly from children through the website or the Service.
8. International Data Transfers
We store and process data in regions relevant to the customer or user location and in accordance with applicable legal and regulatory requirements. Where cross-border processing or transfers are necessary to operate the website or the Service, provide support, maintain security, or comply with law, we use safeguards we consider appropriate under the circumstances.
9. Changes to This Privacy Policy
We may update this Privacy Policy to reflect changes to our practices, legal requirements, or Service features. When we make material changes:
- Notification: We will notify you via email or prominent notice in the application
- Effective Date: Changes become effective 30 days after notification
- Continued Use: Your continued use of the Service after the effective date constitutes acceptance of the updated policy
10. State-Specific Privacy Rights
10.1 California Residents (CCPA/CPRA)
If you are a California resident, you may have additional rights under California privacy law with respect to personal information we collect that is not otherwise exempt under HIPAA or other applicable law.
- Right to Know: Request information about categories of personal information collected, used, and disclosed
- Right to Delete: Request deletion of applicable personal information (subject to legal and operational exceptions)
- Right to Correct: Request correction of inaccurate personal information
- Right to Access: Request access to applicable personal information we maintain about you
- Right to Opt-Out of Sale or Sharing: We do NOT sell or share personal information for cross-context behavioral advertising
- Right to Non-Discrimination: We will not discriminate against you for exercising applicable privacy rights
To exercise applicable rights, contact us at privacy@esthetix.app.
11. Contact Information
Privacy Questions
For privacy-related questions or concerns:
- Email: privacy@esthetix.app
HIPAA Complaints
If you believe your privacy rights have been violated, you may file a complaint with:
- DentRoots, Inc. Privacy Officer (Esthetix): privacy@esthetix.app
- U.S. Department of Health and Human Services (HHS), Office for Civil Rights:
  - Website: https://www.hhs.gov/ocr/privacy/hipaa/complaints/
  - Phone: 1-877-696-6775
We will NOT retaliate against you for filing a complaint.
12. Consent and Acknowledgment
By creating an Esthetix account or using the Service, you:
- Acknowledge that you have read and understood this Privacy Policy
- Consent to the collection, use, and disclosure of PHI as described herein
- Understand your HIPAA privacy rights
- Acknowledge our use of essential cookies and similar technologies as described above
If you do NOT agree to this Privacy Policy, you must NOT use the Esthetix Service.
Last Reviewed: December 21, 2025
Privacy Policy Version: 1.0
Operator: DentRoots, Inc., a Delaware corporation
Contact: contact@esthetix.app