Legal

Privacy Policy

Effective Date: May 19, 2026  ·  smileframe.com

Scope: This Privacy Policy describes how Smileframe, Inc. collects, uses, and protects information through the Smileframe platform. It applies to dental practices and their authorized staff who use Smileframe, and addresses how we handle patient photographs and related consultation data processed on your Practice's behalf.

1. Who We Are

Smileframe, Inc. operates Smileframe, a clinical smile visualization platform for dental and oral surgery practices. When it comes to patient health data processed through Smileframe, we act as a Business Associate (as defined under HIPAA) to the dental practice that is the Covered Entity.

Contact us with privacy questions at: privacy@smileframe.com

2. What Information We Collect

2.1 Practice and Staff Account Data

When a practice sets up an account, we collect:

  • Practice name, address, and contact information
  • Names and email addresses of Authorized Users (doctors, assistants, administrators)
  • Subscription and billing information (payment processing handled by Stripe; we do not store full card numbers)
  • Role assignments and access permissions
  • Login activity and session data

2.2 Patient Consultation Data

Patient data is processed on behalf of the dental practice — not collected for our own purposes. This includes:

  • Patient photographs submitted for smile simulation (facial imagery)
  • AI-generated smile visualization outputs
  • Consultation records including display name or initials (not full patient names by design)
  • Doctor approval or rejection decisions on generated outputs
  • Consultation outcome data if recorded by practice staff

Facial imagery note: Patient photographs include biometric facial data. Depending on your practice's location, state-specific biometric privacy laws (such as Illinois BIPA, Texas CUBI, or Washington My Health My Data Act) may apply. Your Practice is responsible for ensuring applicable disclosures and consents are in place before uploading patient photographs.

2.3 Technical and Usage Data

We automatically collect:

  • IP addresses and browser/device information for security and session management
  • Feature usage logs (which tools were used, generation volumes, approval rates)
  • Error and performance logs
  • Audit trail data for HIPAA compliance (who accessed what, when)

3. How We Use Information

3.1 Delivering the Service

We use practice and patient data to operate Smileframe: generating smile visualizations, routing doctor review workflows, maintaining audit logs, and delivering outputs to authorized users. Patient photographs are not used for any purpose beyond generating the visualization requested.

3.2 Platform Improvement

We use aggregated, de-identified usage metrics to improve platform performance and reliability. We do not use patient photographs or identifiable patient data to train AI models without explicit written consent from the Practice.

Model training: If your Practice participates in future model fine-tuning programs, this will require a separate, explicit written agreement. Participation is entirely voluntary. No patient data is used in model training without this agreement.

3.3 Communications

We use practice contact information to send service notifications, security alerts, subscription updates, and support responses. We do not send marketing communications without consent.

3.4 Legal and Compliance

We may use and disclose information as required to comply with applicable law, respond to lawful government requests, enforce our Terms of Use, or protect the rights and safety of patients, practices, or the public.

4. Sub-Processors

Smileframe uses the following third-party services to operate the platform. Where patient health data (PHI) is involved, we are required under HIPAA to have a Business Associate Agreement (BAA) with each sub-processor that handles that data.

| Sub-Processor | Purpose | Location | BAA Status |
|---|---|---|---|
| Supabase | Database, authentication, and real-time job status (consultation metadata, user accounts — not image files) | United States (AWS us-east-1) | Executed |
| Cloudflare R2 | File storage for patient photographs and AI-generated outputs (images only) | United States | Executed |
| FAL.ai | AI image generation — Flux Fill model used to produce smile visualizations | United States / EU | Not currently available |
| Vercel | Application hosting and serverless compute. Patient photos are routed browser-to-R2 directly via presigned URL and do not pass through Vercel compute. | United States | Enterprise-only (not on current plan) |
| Stripe | Subscription billing and payment processing (practice billing data only — no PHI) | United States | N/A — no PHI |
| D-ID | Animated video portrait generation (Phase 2 feature, not yet live) | Israel / United States | Available on request |

FAL.ai BAA gap: FAL.ai, which processes patient photographs to generate smile visualizations, does not currently offer a HIPAA Business Associate Agreement. For the current pilot phase, your Practice's compliance officer must independently confirm that this use is within the scope of your existing patient consent forms. Before Smileframe expands to multi-practice commercial use, we will either obtain a BAA from FAL.ai or migrate to a self-hosted equivalent. We will notify all active practices before making this change.

Vercel hosting note: Vercel hosts the Smileframe web application. Patient photographs are uploaded directly from the browser to Cloudflare R2 via signed URLs and do not pass through Vercel servers. This architectural choice means Vercel does not process PHI in the Smileframe workflow, limiting the HIPAA exposure of not having an Enterprise Vercel plan.

5. Data Retention and Deletion

| Data Type | Retention Period | Deletion Method |
|---|---|---|
| Patient photographs (original) | 7 days from upload | Automatic — R2 lifecycle rules + nightly cron |
| AI-generated outputs | 7 days from generation | Automatic — R2 lifecycle rules + nightly cron |
| Consultation metadata | Duration of subscription + 30 days | Deleted on subscription termination |
| Audit logs | Minimum 6 years | Manual deletion on request after retention period |
| User account data | Duration of active account | Deleted within 30 days of account closure |
| Billing records | 7 years | Retained per financial recordkeeping requirements |

6. HIPAA Compliance

Smileframe is designed to support HIPAA compliance for dental practices. As a Business Associate, we:

  • Execute a Business Associate Agreement with each Practice before processing any PHI
  • Apply technical safeguards including role-based access control, row-level security on all database tables, and audit logging of all PHI access events
  • Enforce automatic deletion of PHI (photographs) after 7 days
  • Route patient photographs through the minimum number of systems necessary
  • Do not disclose PHI to any party not listed in the BAA or required by law

Your Practice, as the Covered Entity, remains responsible for patient consent, workforce training, and other obligations under the HIPAA Privacy and Security Rules that fall to Covered Entities rather than Business Associates.

7. Data Security

We implement reasonable technical and organizational measures to protect the information we process:

  • All data in transit is encrypted using TLS 1.2 or higher
  • All data at rest in Supabase and Cloudflare R2 is encrypted using AES-256
  • Patient photographs are only accessible via time-limited signed URLs — no permanent public file links are ever issued
  • Role-based access control limits which users can access patient records and outputs
  • All access to PHI is logged to a tamper-evident audit log
  • Supabase row-level security ensures each practice's data is isolated from other practices

No system is perfectly secure. If we become aware of a security incident affecting PHI, we will notify affected Practices as required by the HIPAA Breach Notification Rule (within 60 days of discovery, or sooner if required by applicable state law).

8. State-Specific Privacy Considerations

Depending on your practice's location and your patients' states of residence, additional privacy laws may apply:

  • Illinois (BIPA): Patient facial photographs may constitute biometric identifiers under the Biometric Information Privacy Act. Illinois-based practices should ensure biometric-specific notice and consent are in place before using Smileframe.
  • Texas (CUBI): Similar biometric notice and consent obligations may apply for Texas practices.
  • Washington (My Health My Data Act): Expanded consumer health data protections apply. Practices serving Washington patients should confirm compliance with their legal counsel.
  • California (CMIA/CPRA): The Confidentiality of Medical Information Act and California Privacy Rights Act may impose additional obligations.

We do not sell patient data to any third party. We do not share patient data with data brokers, advertisers, or any party not listed in this policy or your BAA.

9. Your Rights as a Practice

As the account holder, your Practice may:

  • Request a report of all data we hold associated with your Practice's account
  • Request deletion of your Practice's data (subject to legal retention obligations and the 7-day image lifecycle)
  • Request a copy of your Business Associate Agreement
  • Request information about any security incident affecting your Practice's data

Patient rights under HIPAA (such as access to their own records) are the responsibility of your Practice as the Covered Entity. Smileframe will cooperate with your Practice in fulfilling patient rights requests to the extent technically feasible.

10. International Data Transfers

Smileframe's primary infrastructure is located in the United States. FAL.ai, which processes patient photographs for AI generation, may process data in EU-based infrastructure depending on routing. We are monitoring FAL.ai's compliance posture as it relates to international transfers and will update this policy when the picture is clearer.

Practices operating in the EU or serving EU patients should contact us before activating Smileframe, as we do not currently have EU-specific data processing agreements in place.

11. Changes to This Policy

We will notify Practices of material changes to this Privacy Policy via email at least 30 days in advance. The effective date at the top of this document reflects the most recent revision.

12. Contact

For privacy questions, data requests, or to report a concern:

Email: privacy@smileframe.com

Subject line: Privacy Request — [Practice Name]

For security incidents or breach notifications, use the subject line "Security Incident."

© 2026 Smileframe, Inc. Confidential.