Privacy Policy

Effective Date: January 1, 2025  •  Last Updated: May 1, 2026

UpDental is a product of UpGPT Inc. (“UpDental,” “we,” “us,” or “our”), a software-as-a-service dental practice management platform. This Privacy Policy explains how we collect, use, disclose, and protect information when dental practices (“Covered Entities”) and their authorized users access our services. Because UpDental processes Protected Health Information (PHI) on behalf of dental practices, we operate as a HIPAA Business Associate and comply fully with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and its implementing regulations.

By accessing or using UpDental, you acknowledge that you have read, understood, and agree to the terms of this Privacy Policy. If you do not agree, please do not use our services.

1. Information We Collect

We collect two broad categories of information: (a) information about dental practices and their staff who use our platform, and (b) patient health information entered by those practices.

1.1 Practice & User Account Information

  • Practice name, NPI number, Tax ID, and business contact information
  • Authorized user names, email addresses, roles, and login credentials
  • Billing and subscription information (credit card details handled by our PCI-compliant payment processor)
  • System usage logs, IP addresses, browser/device type, and feature interaction data
  • Support requests and communications you send to us

1.2 Patient Health Information (PHI)

When dental practices use UpDental to manage their operations, they enter patient data into our system. This constitutes Protected Health Information under HIPAA and may include:

  • Full legal name, date of birth, gender, and Social Security Number (where provided)
  • Home address, phone numbers, and email addresses
  • Dental and medical history, diagnoses, treatment plans, clinical notes, and radiographic images
  • Appointment history, procedure codes (CDT), and clinical charting data
  • Insurance carrier information, policy numbers, group numbers, and subscriber details
  • EOBs, remittance advice, claim histories, and prior authorization records
  • Payment history and account balances
  • Emergency contacts and referral information

We receive and store this information solely at the direction of and on behalf of the dental practice. The practice remains the custodian of its patients’ PHI.

2. How We Use Your Information

2.1 Practice Operations

  • Providing and operating the UpDental practice management platform
  • Enabling scheduling, charting, treatment planning, and clinical documentation
  • Managing patient check-in, forms, and digital communications
  • Generating and distributing patient statements and reminders

2.2 Billing & Revenue Cycle Management

  • Generating and transmitting EDI 837 insurance claims
  • Processing and reconciling EDI 835 electronic remittance advice
  • Verifying insurance eligibility and benefits in real time
  • Managing claim denials, appeals, and resubmissions
  • Posting payments and managing accounts receivable

2.3 Service Improvement

  • Analyzing aggregated, de-identified usage data to improve platform features
  • Diagnosing technical issues and monitoring system performance
  • Providing customer support and responding to inquiries

2.4 Legal & Compliance

  • Complying with applicable law, regulation, and legal process
  • Enforcing our agreements and protecting the rights of UpDental and its users
  • Preventing fraud, misuse, or unauthorized access to our systems

3. HIPAA Compliance

UpDental operates as a HIPAA Business Associate.

Before any PHI is accessed, transmitted, or stored on our platform, UpDental executes a Business Associate Agreement (BAA) with each dental practice (the Covered Entity). The BAA governs our permitted uses and disclosures of PHI, our obligations to safeguard it, and the rights and responsibilities of both parties under HIPAA.

Our HIPAA program includes all three regulatory safeguard categories:

  • Technical Safeguards: AES-256-GCM encryption at rest, TLS 1.3 in transit, unique user identification, automatic session timeouts, and comprehensive audit logs of all PHI access.
  • Administrative Safeguards: Designated Privacy Officer, workforce HIPAA training, access management policies, risk analysis and management program, and incident response procedures.
  • Physical Safeguards: SOC 2 Type II certified data centers, physical access controls, workstation security policies, and device and media controls.

We use PHI only as permitted by the BAA and HIPAA — for treatment, payment, and healthcare operations on behalf of the Covered Entity, or as otherwise required by law.

4. Data Sharing & Disclosures

We never sell patient data or practice data to any third party. We disclose information only in the following circumstances:

4.1 Covered Dental Practices

PHI is accessible only to the dental practice that entered it, and to users that practice has authorized on its account. Multi-location groups can configure cross-location access in accordance with their internal policies.

4.2 Clearinghouses & Payers

To process insurance claims and eligibility verifications, we transmit PHI to HIPAA-compliant clearinghouses and insurance carriers as directed by the practice. These transmissions are covered by data exchange agreements and are limited to the minimum necessary information.

4.3 Subcontractors & Service Providers

We engage subcontractors (e.g., cloud infrastructure providers, email delivery services) who may have incidental access to PHI in the course of providing their services. All subcontractors who handle PHI are required to sign Business Associate Agreements and implement appropriate safeguards.

4.4 Legal Requirements

We may disclose information when required by law, court order, or government authority, or when necessary to protect against fraud, unauthorized access, or threats to the safety of persons.

5. Patient Rights

Under HIPAA, patients whose PHI is stored in UpDental have certain rights. These rights are exercised through the dental practice (the Covered Entity), which UpDental supports with the necessary technical capabilities:

Right of Access

Patients may request access to their PHI in a designated record set. Practices can generate patient record exports directly from the UpDental platform.

Right to Amendment

Patients may request correction of inaccurate or incomplete information in their record. Practices can update clinical and demographic data, with an audit trail preserved.

Right to Request Restrictions

Patients may request that certain uses or disclosures of their PHI be restricted. Practices can document these restrictions within patient records.

Accounting of Disclosures

Patients may request an accounting of certain disclosures of their PHI. UpDental maintains comprehensive audit logs that enable practices to produce this accounting.

Right to Confidential Communications

Patients may request that communications be made by alternative means or locations. Practices can configure preferred communication channels per patient.

Patients wishing to exercise these rights should contact their dental practice directly. UpDental will support the practice in fulfilling valid patient requests within HIPAA-mandated timeframes.

6. Security

We implement a comprehensive security program designed to protect the confidentiality, integrity, and availability of all information in our systems, including PHI. Key controls include:

  • Encryption at rest: All PHI and sensitive data is encrypted using AES-256-GCM.
  • Encryption in transit: All data transmitted between users and UpDental servers is protected by TLS 1.3.
  • Access controls: Role-based access control (RBAC) ensures users access only the data their role requires. Multi-factor authentication is supported and encouraged.
  • Audit logging: Every access to or modification of PHI is logged with timestamp, user identity, and action taken. Logs are tamper-evident and retained for six years.
  • Vulnerability management: We conduct regular penetration testing and vulnerability assessments. Critical issues are remediated within 72 hours.
  • SOC 2 Type II: Our infrastructure and processes are independently audited annually against SOC 2 Trust Service Criteria (Security, Availability, Confidentiality).
  • Incident response: We maintain a documented breach response program including containment, investigation, notification, and post-incident review procedures.

Despite these measures, no system is completely secure. If you believe your account or data has been compromised, contact us immediately at security@updental.com.

7. Data Retention

We retain practice and patient data for the duration of the subscription and for a period following termination as required by law or as set forth in our Business Associate Agreement. Specifically:

  • PHI: Retained for the minimum period required by applicable state dental records laws (typically 7–10 years), unless the practice requests earlier deletion to the extent permitted by law.
  • BAAs and compliance documentation: Retained for 6 years from date of creation or last effective date, per 45 CFR § 164.316(b)(2).
  • Audit logs: Retained for 6 years.
  • Account and billing records: Retained for 7 years following account closure for tax and financial compliance.
  • De-identified data: Aggregated, de-identified analytics data may be retained indefinitely.

Upon practice request following account termination, we will provide a complete export of practice data in a standard format within 30 days. Data is securely deleted from production systems within 90 days of the end of the retention period, unless a legal hold applies.

8. Cookies & Tracking Technologies

Our public marketing website uses cookies and similar technologies for session management, analytics (page views, conversion events), and user experience improvement. The UpDental application itself uses only session cookies required for authentication and security. We do not use advertising tracking cookies within the clinical application. You may control cookie settings through your browser; disabling essential cookies may impair application functionality.

9. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will update the “Last Updated” date at the top of this page and provide notice through the UpDental application or by email to each practice’s primary contact of record. Your continued use of UpDental after the effective date of any changes constitutes your acceptance of the revised policy.

10. Contact Us

If you have questions or concerns about this Privacy Policy, our data practices, or your rights, please contact:

UpGPT Inc. — Privacy Officer

Email: privacy@updental.com

Subject line: “Privacy Policy Inquiry”

We respond to all privacy inquiries within 5 business days. For urgent security concerns, email security@updental.com.

If you are a dental patient seeking to exercise your HIPAA rights, please contact your dental practice directly. We are unable to accept or process patient requests made directly to UpDental, as we act only at the direction of the Covered Entity.