Privacy Policy

1. Introduction

Gain AI provides software and services to help dental practices engage with and manage their patient relationships. This includes appointment reminders, patient communication, and other practice management tools. Depending on your relationship with Gain AI, we may collect and process different types of information, including personal data and Protected Health Information ("PHI") as defined under the Health Insurance Portability and Accountability Act ("HIPAA").

If you do not agree with this Privacy Policy, please do not use our Services.

2. Information We Collect

2.1 Information You Provide to Us

• Account and Profile Information: When a dental practice signs up for our Services, we may collect information such as the practice name, contact name, email address, phone number, and billing information.
• Patient Information: If you are a patient of a dental practice that uses Gain AI, we may collect information provided by your dental practice such as your name, date of birth, contact details, appointment history, and other relevant medical or dental information necessary for engagement or communication.
• Clinical Documentation Data: When using our ambient scribe feature:
  • Voice recordings of patient-practitioner interactions (with appropriate consent)
  • AI-generated clinical notes and transcriptions
  • Practitioner edits and modifications to AI-generated content
  • Timestamps of creation, modification, and verification
  • Metadata associated with clinical documentation sessions
• Communication Records: If you contact us directly (e.g., by email or phone), we may receive and store details such as your name, contact information, and the content of your message.

2.2 Information Collected Automatically

• Log Data: Our servers automatically record information ("Log Data") created by your use of the Services. Log Data may include your IP address, browser type, operating system, referring URLs, pages viewed, and timestamps.
• Cookies and Similar Technologies: We use cookies, web beacons, and other tracking technologies to personalize and enhance your experience. You can control cookies through your browser settings; however, disabling cookies may limit your ability to fully use our Services.

2.3 Information from Third Parties

We may receive information about you from third-party service providers, partners, or publicly available sources. For example, if a dental practice uses a third-party scheduling system that integrates with Gain AI, that system may share relevant information to help facilitate patient engagement and communications.

3. How We Use Your Information

We use the information we collect for a variety of purposes, including to:

1. Provide and Maintain the Services: Facilitate appointment scheduling, reminders, clinical documentation, and other patient engagement features.
2. Process Clinical Documentation: For practices using our ambient scribe feature:
   • Convert voice recordings to text transcriptions
   • Generate draft clinical notes using AI technology
   • Store and retrieve clinical documentation as requested by authorized users
   • Maintain audit trails for compliance purposes
3. Communicate with You: Respond to inquiries, provide technical support, and send important administrative or service-related information.
4. Improve and Personalize the Services: Analyze user interactions to better understand how our Services are used and enhance the user experience.
5. Ensure Security and Compliance: Monitor for suspicious or fraudulent activities, protect against threats, and maintain legal and regulatory compliance, including HIPAA compliance when applicable.
6. Marketing and Promotions: If you have opted in, send you marketing communications, promotions, and updates about our products and services. You can opt out of these communications at any time.

Note: We do not use any information collected, directly or through third-party services, to develop, improve, or train generalized AI and/or ML models. Voice recordings and clinical notes are used solely for the specific patient encounter and are not used for model training.

4. Legal Basis for Processing (For Users in the European Economic Area)

If you are located in the European Economic Area ("EEA") or United Kingdom, we process your personal data based on the following legal grounds:

1. Consent: Where you have given clear consent for us to process your personal data for a specific purpose.
2. Contractual Necessity: Processing is necessary to provide you with the Services or perform our contractual obligations to you.
3. Legal Obligations: We may process data to comply with applicable laws and regulations.
4. Legitimate Interests: To fulfill our legitimate business interests, such as improving and securing our Services, provided these interests are not overridden by your data-protection rights.

5. How We Share and Disclose Your Information

We do not sell or rent your personal information. However, we may share or disclose information in the following situations:

1. With Your Dental Practice: We share patient data and related information with the dental practice to facilitate appointments, reminders, clinical documentation, and other patient engagement. For DSOs:
   • Patient data is shared only with the specific practice location treating the patient
   • Corporate DSO access is limited to aggregated, de-identified data unless specific authorization exists
   • Cross-practice data sharing requires explicit patient consent or legitimate treatment purposes
2. Service Providers: We may engage third-party vendors or service providers who help us operate and improve our Services (e.g., hosting providers, payment processors, communication services, analytics providers). These third parties only have access to personal information to perform specific tasks on our behalf and are obligated not to disclose or use it for any other purpose.
3. Business Transactions: Information may be transferred or disclosed as part of any merger, sale of company assets, financing, or acquisition of all or a portion of our business by another company.
4. Legal Requirements: We may disclose your information if required to do so by law, subpoena, or if we believe such action is necessary to comply with legal obligations, protect and defend our rights or property, investigate fraud, or protect the personal safety of users of the Services or the public.

5.1. Service Providers List

The following third-party services and/or vendors are used to assist in handling protected health information (PHI):

1. Microsoft Azure: Infrastructure as a Service

6. Data Retention

We retain your personal data only for as long as is necessary to provide the Services to you or to the dental practice, comply with legal obligations, resolve disputes, and enforce our agreements. The exact duration depends on the nature of the data and legal or contractual requirements.

Clinical Documentation Retention: Clinical notes and related documentation created through our ambient scribe feature are retained in accordance with applicable state dental record retention requirements, which typically range from 5-10 years. Voice recordings may be:

• Deleted immediately after transcription (if configured by the practice)
• Retained for a specified period for quality assurance or compliance purposes
• Subject to the practice's retention policy settings

7. Data Security

We take the security of your personal data seriously and implement physical, technical, and administrative safeguards to protect it. These measures are designed to protect against unauthorized access, alteration, disclosure, or destruction of your personal data.

Clinical Documentation Security: For our ambient scribe feature, we implement additional security measures including:

• End-to-end encryption for voice recordings during transmission
• Encryption at rest for all clinical documentation
• Role-based access controls with practitioner-level permissions
• Comprehensive audit logging of all access and modifications
• Secure deletion protocols for voice recordings when requested

However, no method of online data transmission or storage is 100% secure. While we strive to use commercially acceptable means to protect your information, we cannot guarantee its absolute security.

8. Multi-Entity and DSO Data Management

For Dental Service Organizations (DSOs) and multi-practice entities using our Services:

1. Data Segregation: Each practice location's data is logically segregated with strict access controls. Patient data, including clinical notes, is accessible only to authorized personnel at the treating practice location.
2. Hierarchical Access Controls:
   • Practice Level: Full access to patient data for that specific location
   • Practitioner Level: Access limited to patients under their care
   • Corporate Level: Access to aggregated, de-identified data for business operations
   • Administrative Level: Role-based access for specific administrative functions
3. Cross-Practice Coordination: When patients receive care at multiple locations within a DSO, data sharing is facilitated only with appropriate consent and for continuity of care purposes.
4. Compliance Monitoring: DSO administrators can access compliance reports and usage analytics without accessing individual patient PHI, supporting corporate oversight while maintaining privacy.
5. Data Portability: Individual practices within a DSO can export their data independently, ensuring data ownership clarity and supporting practice transitions.

9. HIPAA Compliance

We acknowledge that we may be acting as a Business Associate under HIPAA when providing our Services to dental practices. In such cases, we enter into Business Associate Agreements ("BAAs") with our dental practice customers to ensure that PHI is used and disclosed solely for permitted purposes as outlined under HIPAA. We implement appropriate administrative, technical, and physical safeguards to protect PHI in accordance with HIPAA requirements.

10. Children's Privacy

Our Services are not directed at individuals under the age of 13 (or the equivalent minimum age depending on the jurisdiction). We do not knowingly collect personal data from children. If you are a parent or guardian and believe your child has provided us with personal information, please contact us immediately, and we will make reasonable efforts to delete such data from our records.

11. International Data Transfers

Gain AI is headquartered in the United States. If you use our Services from outside the United States, your personal information may be transferred to, stored, or processed in the United States or other countries where we or our service providers operate. We take steps to ensure an adequate level of protection when transferring personal data outside of its country of origin, for example by using model contractual clauses or relying on recognized legal adequacy frameworks.

12. Your Data Protection Rights

Depending on your jurisdiction, you may have certain rights regarding your personal data, such as:

• Access: Request a copy of your personal data.
• Rectification: Request correction of inaccurate or incomplete personal data.
• Deletion: Request deletion of your personal data, subject to legal or contractual obligations.
• Restriction: Restrict processing of your personal data under certain circumstances.
• Objection: Object to the processing of your personal data based on legitimate interests.
• Data Portability: Request the transfer of your personal data to another organization or yourself.

To exercise these rights, please contact us using the information in the "Contact Us" section below. We will respond to requests in accordance with applicable data protection laws.

13. Third-Party Links and Services

Our Services may contain links to third-party websites or services. This Privacy Policy does not apply to third-party services and we are not responsible for the practices of such third parties. We encourage you to review the privacy policies of those third parties to understand their information practices.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. If we make significant changes, we will notify you by posting a prominent notice on our Services or emailing you at the email address associated with your account (if applicable). Your continued use of the Services after the effective date of any changes constitutes your acceptance of the revised Privacy Policy.

15. Contact Us

If you have any questions, concerns, or feedback about this Privacy Policy or our practices, please contact us at:

We will do our best to respond to your inquiries in a timely and effective manner.