Privacy Policy
Last updated: May 2026
Who This Policy Applies To
Smile PreVue is a strictly business-to-business (B2B) software platform sold to licensed dental practices, dental students, and dental residents. This Privacy Policy describes how we handle information about three groups of people:
- Clinic users (owners, providers, nurses, office admins) who hold an account with us
- Patients whose photos and case information a clinic uploads to Smile PreVue. We process this data on the clinic's behalf as a Business Associate under HIPAA; the clinic remains the Covered Entity and primary data controller
- Visitors to our public marketing website (smileprevue.com) who have not signed up
Smile PreVue is not sold to, marketed to, or intended for individual consumers, patients, or anyone under the age of 18. See "Children's Privacy" below.
Information We Collect
We collect the minimum information needed to operate the platform. We organize the categories below by data subject so it is clear who the information is about and how it flows.
From clinic users (you)
- Account information: name, email address, password (hashed by our identity provider), role within the clinic, profile photo (optional)
- Practice information: clinic name, address, phone, website, business hours, EIN and license number (optional), branding (logo)
- Authentication signals: sign-in timestamps, IP address at sign-in, multi-factor enrollment status, the opaque user identifier issued by our identity provider
- Usage data: pages viewed inside the application, features used, and aggregate counts of simulations and patient records created
- Billing information: subscription plan, billing email, and the last four digits of the card on file. We do not store full card numbers; payment data is held by our PCI-compliant payment processor under their own controls
- Support communications: emails or messages you send us, and our responses
About patients (uploaded by your clinic)
Patient information is protected health information (PHI) under HIPAA. Smile PreVue processes it solely on the clinic's instructions. We collect only what is needed to generate, store, and share simulations:
- Patient first name and (optional) last name
- An auto-generated patient identifier (e.g. SP-00001)
- Optional: external patient ID supplied by your practice management software, email address, phone number
- Photographs uploaded for simulation, the AI-generated preview, and any post-procedure photos uploaded later
- Treatment type, shade selection, and clinical notes entered by the provider
- HIPAA consent records, including digital signature, document version, and timestamp
We do not collect medical history, insurance details, or diagnostic information beyond what the provider chooses to record in their notes field.
From marketing-website visitors
- Standard server-side request data (IP address, user agent, referring URL) for security and abuse prevention
- Cookies and aggregate analytics on which pages were viewed (see Cookies & Tracking)
- Information you voluntarily submit through forms (name, email, message)
We do not sell personal information, and we do not share personal data with third parties for their own marketing purposes.
How We Use Your Information
We use information for the following defined purposes only:
- Operate the platform: authenticate users, provision clinic workspaces, run AI smile simulations, and deliver share links to patients on the clinic's instruction
- Provide customer support: respond to questions, troubleshoot issues, recover access
- Bill and account-manage: process subscriptions, send receipts, handle plan changes, cancellations, and refund requests
- Send transactional communications: email verification, password resets, security alerts, billing notices, and one-way SMS share links the clinic initiates
- Improve the platform: aggregate, B2B-level usage analytics so we know which features matter. Patient photos and PHI are never used for analytics
- Maintain security and integrity: detect abuse, prevent fraud, enforce our Terms, comply with our BAA obligations
- Meet legal obligations: respond to lawful requests, maintain HIPAA-required audit logs, comply with tax and accounting laws
We do not use patient photos to train AI models. Our AI processing provider has contractually agreed in our BAA that customer data is not used to improve their general models and is not human-reviewed except in narrow abuse-flagged cases.
HIPAA Compliance
Smile PreVue operates as a Business Associate under HIPAA. We maintain Business Associate Agreements (BAAs) with our cloud infrastructure and AI processing providers that cover all services used to handle protected health information (PHI). Patient photos are processed exclusively through BAA-covered infrastructure. Under that data governance, your data is not used to train AI models and is not reviewed by humans outside narrow abuse-flagged cases.
Patient data is encrypted at rest using AES-256 encryption and in transit via TLS 1.2 or higher. All user actions are recorded in an immutable audit log. Consent records are maintained per patient and per consent type, and simulations are gated on active consent when required by the clinic.
Data Storage & Security
Patient photos are stored on BAA-covered cloud storage with AES-256 encryption at rest. Access to images is controlled through time-limited signed URLs. Each clinic's data is isolated through row-level filtering in the database.
User authentication runs on a BAA-covered identity provider with support for multi-factor authentication (MFA).
Third-Party Service Providers
We use vetted third-party providers to operate Smile PreVue. Anything that touches protected health information (PHI) is covered by a Business Associate Agreement (BAA). Other providers handle non-PHI functions only and never receive patient-identifying content.
- Cloud infrastructure and AI processing: BAA in place, covers PHI. Used for compute, database, image storage, authentication, and AI smile simulation.
- Subscription billing: Receives no patient data — only clinic-level account and payment information.
- Transactional email and SMS: Message bodies do not contain patient-identifying content.
- App store receipt validation (iOS): Receives no patient data.
- Analytics: B2B-level usage signals only. No patient information is sent to any analytics provider.
A current list of named subprocessors is available on request: privacy@smileprevue.com.
SMS Program
Smile PreVue offers a one-way SMS feature that lets dental providers send patients a secure link to view their AI-generated smile simulation after an in-office consultation. Messages are sent by the dental practice through Smile PreVue's SMS delivery infrastructure.
- Consent. Before any SMS is sent, the dental provider must affirmatively confirm in the Smile PreVue dashboard that the patient has authorized this specific message and has been informed of standard message and data rate notices and STOP-to-opt-out terms. The confirmation is recorded in our audit log with timestamp, provider identity, and patient identifier, creating a verifiable consent record.
- Single message per share. Each share is a single, transactional SMS containing a time-limited link. Smile PreVue does not run recurring messaging campaigns, list-based broadcasts, or marketing SMS.
- Link expiry. Share links expire after three days. Patients can request a new link from their dental practice.
- Opt-out. Reply STOP at any time to unsubscribe. Reply HELP for help. Smile PreVue suppresses any future sends to a number that has replied STOP.
- Message and data rates. Standard message and data rates from your mobile carrier may apply. Smile PreVue does not charge patients for these messages.
- SMS content. The message contains the patient's first name, the treatment type, the clinic name, a clear simulated-preview disclaimer, and the time-limited share URL. No diagnostic information, photos, or other PHI is sent over SMS.
Cookies & Tracking
Smile PreVue uses essential, functional cookies for authentication and session management. We also use Google Analytics 4 and Google Ads to understand how clinics discover and use our platform and to reach other dental professionals who might benefit from it. IP anonymization is enabled.
Analytics data is limited to B2B signals: which pages are viewed, which features are used, and B2B-level identifiers (role, subscription plan, account type, and an opaque user ID). No patient-identifying information — no patient names, photos, simulation IDs, share tokens, or phone numbers — is ever sent to Google Analytics or Google Ads. Patient photos and simulation data flow exclusively between our backend, our BAA-covered AI processing infrastructure, and authorized users on the clinic's dashboard.
Data Retention & Deletion
Your clinic owns all patient data stored in Smile PreVue. We hold that data only as long as needed to provide the service or comply with legal obligations.
- Active clinic accounts: patient records, simulations, and images are retained for the life of the account, or until your clinic deletes them
- Patient-record deletion: a clinic owner or admin may delete an individual patient record from inside the dashboard at any time. Associated simulations, post-procedure photos, share tokens, and consent records are deleted with the patient
- Account termination: when a clinic closes their account or asks us to delete it, we permanently delete all patient data, simulations, photos, and consent records within 30 days. Backups roll off within 60 days
- Audit logs: HIPAA requires a minimum 6-year retention of audit logs that record who accessed what PHI and when. These logs continue to exist after deletion of the underlying records, but they reference patient IDs only, not patient identities
- Billing records: subscription and invoice records are retained for the period required by tax and accounting laws (typically 7 years), separately from PHI
- Share links: time-limited share links expire after 3 days; the underlying patient data is not deleted along with the link
- Inactive trials: accounts that never activated a paid subscription and have been inactive for 12+ months may be deleted after 30 days' email notice
To request deletion of a clinic account or specific records, contact hello@smileprevue.com from the email address on file. We confirm and complete deletion within 30 days.
Your Rights as a Clinic User
Depending on your jurisdiction, you may have the right to:
- Access the personal information we hold about you and your clinic
- Correct inaccurate information through your clinic settings or by contacting us
- Delete your account and associated personal information, subject to the retention rules above
- Port your data — receive an export in a structured, machine-readable format
- Object to or restrict certain processing
- Opt out of "sale" or "sharing" of personal information under California law. We do not sell or share personal information for cross-context behavioral advertising
- Withdraw consent at any time where we rely on consent as the legal basis for processing
- Lodge a complaint with a supervisory authority (e.g. your state attorney general, the EU/UK ICO equivalent)
To exercise any of these rights, email privacy@smileprevue.com from the address on file. We respond within 30 days and will not retaliate against you for exercising your rights.
Patient Rights Under HIPAA
Smile PreVue acts as a Business Associate; the dental clinic is the Covered Entity that holds the direct relationship with the patient. Under HIPAA, patients have rights to access, amend, and request restriction of their PHI.
Patients should direct any request about their health information to the dental clinic that treated them, not to Smile PreVue. The clinic can use the Smile PreVue dashboard to fulfill access, amendment, and deletion requests. We support clinics in meeting these obligations and respond to any clinic-initiated request within HIPAA timelines.
If a patient cannot reach their clinic and contacts us directly, we will route the request to the clinic of record and acknowledge receipt to the patient.
Data Breach Notification
We follow HIPAA Breach Notification Rule timelines. If we discover a breach of unsecured PHI, we notify the affected clinic without unreasonable delay and in no case later than 60 days from discovery, with the specific information required under 45 CFR §164.410. The clinic, as the Covered Entity, is then responsible for notifying affected individuals.
For non-PHI security incidents that affect clinic-user accounts (e.g. credential stuffing detected on your account), we notify the affected user by email and may force a password reset and re-enrollment in MFA.
International Data Transfers
Smile PreVue is operated from the United States. Our infrastructure and AI processing are hosted in U.S. data centers. If you access the platform from outside the U.S., you understand and consent that your information will be transferred to and processed in the United States, which may not provide the same level of data protection as your home jurisdiction. We currently sell only to U.S. dental practices.
Children's Privacy
Smile PreVue is a strictly business-to-business platform. The service is sold to and used by licensed dental professionals and dental students/residents over the age of 18. The platform is not designed for, marketed to, or directed at children, and we do not knowingly permit children to create accounts.
If we discover that an account has been created by someone under 18, we will terminate that account, delete all associated information, and refund any payment made. If you are a parent or guardian who believes a child has created an account, contact privacy@smileprevue.com and we will act promptly.
About patient photos that may include minors: dental clinics may legitimately treat pediatric patients and upload their photos as part of treatment. In those cases the child is not a Smile PreVue user — the data is PHI processed on the clinic's behalf under HIPAA and the clinic's own parental-consent procedures. We do not collect any information directly from minor patients, do not allow minors to log in, and do not market to minors.
Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, our services, or applicable law. The "Last updated" date at the top of this page reflects when the most recent version took effect. Material changes will be communicated by email to active clinic-user accounts and via an in-app notice at least 14 days before they take effect, except where a shorter notice period is required by law. Continued use of the platform after the effective date constitutes acceptance of the updated policy.
Contact Information
For privacy questions, data-rights requests, or breach notifications, contact our privacy team at privacy@smileprevue.com. For general support, write to hello@smileprevue.com.
Yikes Dude LLC
Austin, TX