Privacy Policy

Last updated: February 14, 2026

PatientPayments LLC ("PatientPayments," "we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard information when you use our platform, website, and services (collectively, the "Service").

This policy applies to dental practice staff ("Practice Users"), patients who interact with the Service through payment links, membership sign-up pages, or text messages ("Patients"), and visitors to our website ("Visitors").

1. Information We Collect

1.1 Information Provided by Practice Users

  • Account information: name, email address, phone number, practice name, and practice address
  • Billing information: payment method details for platform subscription fees (processed by Stripe)
  • Team member information: names and email addresses of staff members invited to the platform

1.2 Patient Information

When dental practices use PatientPayments to manage patient billing, the following patient information may be processed:

  • Identity information: name, date of birth, email address, phone number, and mailing address
  • Payment information: payment card data is collected and processed entirely by Stripe; PatientPayments does not store, access, or transmit card numbers
  • Billing information: balances, payment history, payment plan details, and membership enrollment
  • Communication data: SMS text message content and metadata when the Practice uses the two-way texting feature

1.3 Automatically Collected Information

  • Usage data: pages visited, features used, actions taken within the platform
  • Device data: browser type, operating system, IP address, and device identifiers
  • Cookies: we use essential cookies to maintain session state and preferences

2. How We Use Information

We use the information we collect to:

  • Provide, operate, and maintain the Service
  • Process patient payments and manage billing on behalf of Practices
  • Facilitate SMS text messaging between Practices and their patients
  • Send transactional notifications (payment confirmations, receipts, billing alerts)
  • Provide customer support to Practice Users
  • Monitor and improve the security, performance, and reliability of the Service
  • Comply with legal obligations, including HIPAA and financial regulations
  • Detect and prevent fraud, abuse, and unauthorized access

3. SMS and Text Messaging Data

When Practices use PatientPayments to send text messages to patients:

  • Message content and metadata are stored to provide the messaging feature and maintain conversation history
  • Patient phone numbers are used solely to deliver messages on behalf of the Practice
  • We do not sell, share, or use patient phone numbers or message content for marketing purposes
  • We do not share phone numbers or SMS data with third parties except as necessary to deliver messages (e.g., our messaging provider, Twilio)
  • Opt-out requests (e.g., "STOP") are processed immediately and the patient's number is added to a suppression list

For full details, see our SMS Consent & Messaging Policy.

4. Payment Data

All payment card information is collected and processed by Stripe, our PCI Level 1 certified payment processor. PatientPayments does not receive, store, or have access to full card numbers. Payment processing is governed by Stripe's Privacy Policy.

5. HIPAA Compliance

PatientPayments processes certain Protected Health Information (PHI) on behalf of dental practices. We operate as a Business Associate under HIPAA and:

  • Enter into a Business Associate Agreement (BAA) with each Practice
  • Implement administrative, physical, and technical safeguards to protect PHI
  • Encrypt PHI at rest and in transit
  • Restrict access to PHI to authorized personnel on a need-to-know basis
  • Report any security incidents or breaches as required by HIPAA

6. How We Share Information

We do not sell personal information. We share information only in the following circumstances:

  • Service providers: we use third-party providers to operate the Service, including Stripe (payments), Twilio (SMS messaging), and Microsoft Azure (cloud hosting). These providers are contractually obligated to protect your data.
  • Practice-patient relationship: patient data entered by a Practice is accessible to that Practice and its authorized staff within the platform
  • Legal requirements: we may disclose information if required by law, subpoena, court order, or government regulation
  • Business transfers: in the event of a merger, acquisition, or sale of assets, user data may be transferred as part of the transaction
  • With your consent: we may share information when you have given explicit consent

7. Data Security

We implement industry-standard security measures to protect your information:

  • TLS/SSL encryption for all data in transit
  • AES-256 encryption for data at rest
  • Row-level security in our database ensuring tenant data isolation
  • Regular security assessments and monitoring
  • Role-based access controls for staff members
  • Secure cloud infrastructure hosted on Microsoft Azure

While we take reasonable measures to protect your information, no method of transmission or storage is 100% secure. We cannot guarantee absolute security.

8. Data Retention

We retain information for as long as necessary to provide the Service and comply with legal obligations:

  • Account data: retained while the account is active and for a reasonable period after termination
  • Patient data: retained per the Practice's instructions and applicable record retention laws
  • Transaction records: retained for at least 7 years as required by financial regulations
  • SMS messages: retained for the duration of the Practice's subscription and for a reasonable period thereafter

9. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal information:

  • Access: request a copy of the personal information we hold about you
  • Correction: request correction of inaccurate personal information
  • Deletion: request deletion of your personal information, subject to legal retention requirements
  • Opt-out of SMS: text STOP to any message to opt out of text communications

Patients should contact their dental practice directly regarding access, correction, or deletion of data the Practice has entered into the platform. Practices may contact us for data requests.

10. Children's Privacy

The Service is not intended for use by individuals under the age of 18. Patient records for minors are managed by the dental practice and the minor's parent or guardian. We do not knowingly collect personal information directly from children.

11. Third-Party Links

The Service may contain links to third-party websites or services. We are not responsible for the privacy practices of these third parties. We encourage you to review their privacy policies.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify Practice Users of material changes by email or through the platform. The "Last updated" date at the top of this page indicates when the policy was last revised.

13. Contact Us

If you have questions about this Privacy Policy or our data practices, please contact us: