1. Information We Collect

1.1 Practice & Account Information

When you create an account or request a demo, we collect information about your dental practice and the individuals who use our Service, including:

Practice name, address, phone number, and NPI
Contact name, email address, and job title
Practice management system (PMS) type and version
Billing and payment information (processed by our payment processor)
Login credentials (passwords are hashed and never stored in plaintext)

1.2 Patient Data (Protected Health Information)

In the course of providing our Service, we process certain patient data on behalf of dental practices, including:

Patient name, date of birth, and member/subscriber ID
Insurance carrier and plan information
Treatment codes (CDT), procedure descriptions, and clinical notes as needed for claims
Claim and remittance data (EOBs, ERAs)

This data constitutes Protected Health Information (“PHI”) under HIPAA. We process PHI solely as a Business Associate on behalf of the dental practice (the Covered Entity), under the terms of a Business Associate Agreement (“BAA”). See Section 3 for details.

1.3 Website Analytics & Usage Data

When you visit our website or use our platform, we automatically collect:

IP address and approximate geographic location
Browser type, device type, and operating system
Pages viewed, time spent, and referral source
Feature usage and interaction patterns within the platform

2. How We Use Your Information

We use the information we collect to:

Provide and operate the Service — process insurance verifications, build and submit claims, manage denials, and post payments on behalf of your practice
Improve our platform — analyze aggregate usage patterns and claim outcomes to enhance AI models, refine denial predictions, and improve the user experience
Communicate with you — send account notifications, service updates, billing receipts, and respond to support requests
Ensure security and compliance — detect and prevent fraud, unauthorized access, and other threats
Meet legal obligations — comply with applicable laws, regulations, and legal processes

We do not use patient health information (PHI) to market products or services, nor do we use PHI for any purpose other than performing our obligations under the BAA.

3. HIPAA Compliance & Protected Health Information

Indent is a HIPAA-compliant platform. We take our obligations as a Business Associate seriously:

Business Associate Agreement (BAA): We execute a BAA with every dental practice before processing any PHI. The BAA governs our use, disclosure, and protection of PHI in accordance with the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule.
Encryption: All PHI is encrypted in transit (TLS 1.2+) and at rest (AES-256). Database backups and log files containing PHI are also encrypted.
Access controls: PHI access is limited to authorized personnel on a need-to-know basis. We maintain role-based access controls, audit logs, and multi-factor authentication.
No sale of PHI: We never sell, rent, or trade patient health information under any circumstances.
AI model training: Our AI models are trained on de-identified and aggregated data only. Individual patient records are never used for model training in an identifiable form.
Breach notification: In the unlikely event of a data breach involving PHI, we will notify affected practices in accordance with HIPAA Breach Notification Rule requirements (no later than 60 days after discovery).

We do not sell your personal data or patient data to third parties. We share data only in the following limited circumstances:

Clearinghouses: To transmit claims and receive remittance data on behalf of your practice, as necessary to perform the Service.
Practice Management Systems (PMS): To sync patient, appointment, and claim data between Indent and your PMS (e.g., Open Dental, Dentrix, Eaglesoft).
Infrastructure providers: Our platform is hosted on Amazon Web Services (AWS). AWS operates under a BAA with Indent and is HIPAA-compliant.
Payment processors: Billing and subscription payment data is processed by our payment provider. We do not store full credit card numbers.
Legal requirements: We may disclose information when required by law, regulation, subpoena, court order, or government request, or to protect the rights, safety, or property of Indent, our customers, or the public.
Business transfers: In the event of a merger, acquisition, or sale of assets, your data may be transferred to the acquiring entity, subject to the same privacy commitments described in this policy.

5. Data Retention & Deletion

We retain your data only for as long as necessary to provide the Service and fulfill the purposes described in this policy:

Account data: Retained for the duration of your subscription and for up to 30 days after account closure to allow for reactivation.
PHI: Retained for the duration of the BAA. Upon termination or expiration of the BAA, we will return or destroy PHI in accordance with the BAA terms, typically within 60 days.
Analytics data: Aggregated and de-identified data may be retained indefinitely for product improvement purposes.
Legal hold: Data may be retained longer if required by law or ongoing legal proceedings.

To request deletion of your data, contact us at privacy@indenthq.com. We will respond within 30 days.

6. Cookies & Tracking Technologies

We use the following cookies and tracking technologies:

Essential cookies: Required for the platform to function (authentication, session management). Cannot be disabled.
Analytics cookies: Help us understand how visitors use our website (e.g., page views, traffic sources). We use privacy-respecting analytics tools.
Preference cookies: Remember your settings and choices (e.g., dashboard layout).

We do not use third-party advertising or retargeting cookies. You can control cookies through your browser settings. Disabling essential cookies may affect platform functionality.

7. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal information:

Access: Request a copy of the personal data we hold about you.
Correction: Request that we update or correct inaccurate personal data.
Deletion: Request that we delete your personal data, subject to legal retention requirements.
Portability: Request a copy of your data in a structured, commonly used format.
Objection: Object to certain processing activities, such as direct marketing.

To exercise any of these rights, contact us at privacy@indenthq.com. We will verify your identity before processing your request and respond within 30 days (or as required by applicable law).

Patient data requests: If you are a patient and wish to access, correct, or delete your health information, please contact your dental practice directly. As a Business Associate, we process PHI at the direction of the dental practice (the Covered Entity).

8. Children's Privacy

Our Service is not directed to children under the age of 13. We do not knowingly collect personal information from children under 13. If we learn that we have collected personal information from a child under 13 without parental consent, we will promptly delete that information. If you believe we have inadvertently collected such data, please contact us at privacy@indenthq.com.

Note: Patient data for minors processed through our platform is handled under the BAA with the dental practice and is governed by HIPAA, not COPPA.

9. California Privacy Rights (CCPA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):

Right to know: You may request the categories and specific pieces of personal information we have collected about you, the categories of sources, the business purpose for collecting the information, and the categories of third parties with whom we share it.
Right to delete: You may request that we delete your personal information, subject to certain exceptions.
Right to opt-out of sale: We do not sell personal information. There is no need to opt out.
Right to non-discrimination: We will not discriminate against you for exercising your CCPA rights.

To submit a CCPA request, contact us at privacy@indenthq.com with the subject line “CCPA Request.” We may ask you to verify your identity before fulfilling your request.

Note: PHI governed by HIPAA is exempt from the CCPA. The CCPA applies only to personal information that falls outside of HIPAA's scope.

10. Data Security

We implement industry-standard administrative, technical, and physical safeguards to protect your data, including:

Encryption in transit (TLS 1.2+) and at rest (AES-256)
Role-based access controls and multi-factor authentication
Regular penetration testing and vulnerability assessments
Continuous monitoring and intrusion detection
Employee security training and background checks
SOC 2 Type II audit (in progress)

No method of transmission or storage is 100% secure. If you have reason to believe your account or data has been compromised, please contact us immediately at privacy@indenthq.com.

11. International Data Transfers

Our Service is hosted and operated in the United States. If you access the Service from outside the United States, you consent to the transfer of your information to the United States, where data protection laws may differ from those in your jurisdiction.

12. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will revise the “Last Updated” date at the top of this page. If we make material changes, we will notify you by email or through a prominent notice on our website at least 30 days before the changes take effect.

Your continued use of the Service after the effective date of any updated policy constitutes your acceptance of the revised terms.

13. Contact Us

If you have questions or concerns about this Privacy Policy or our data practices, please contact us:

Email: privacy@indenthq.com
Mailing address: Incline Labs, LLC, Attn: Privacy Team

We will respond to all inquiries within 30 days.

Privacy Policy

Table of Contents