Privacy Policy - BiteBot

Privacy Policy for BiteBot

Effective Date: December 2024

This Privacy Policy explains how BiteBot ("we", "our", or "us") collects, uses, and discloses information from users of the BiteBot app and services ("App", "Services").

1. Information We Collect

We collect personal and business-related information necessary to provide CRM and marketing services, including:

  • Full name
  • Email address
  • Phone number
  • Payment and billing information
  • Device location (with your permission)
  • Social media account credentials and tokens (with your authorization)
  • Lead data including names, emails, phone numbers, social profiles, messages, and activity
  • Posts
  • Messages
  • Call logs
  • Communications carried out through the App
  • Usage data (pages visited, session times, errors)
  • Images & image-derived data (SmileGen). Photos you upload and derived data (e.g., facial landmarks, alignment/segmentation masks, rendering parameters) necessary to generate simulations.
  • Health-related information supplied by customers. Where customers choose to upload information that could constitute protected health information (PHI), we process it only as instructed by the customer.

2. How We Use Your Information

We use your information to:

  • Operate and provide the BiteBot CRM and marketing platform
  • Allow access to and management of leads, contacts, conversations, and tasks
  • Facilitate scheduling and publishing of social media posts
  • Enable communication with leads via email, SMS, or direct messaging on supported platforms
  • Run targeted advertising campaigns on social media platforms (e.g., Facebook and Instagram)
  • Track ad performance and engagement
  • Improve user experience and platform functionality
  • Send account, service, and support notifications
  • Process payments and manage subscription plans
  • Provide SmileGen simulations (non-downloadable SaaS functionality within your CRM account)
  • Maintain quality and safety (detect abuse, prevent misuse, and improve reliability)
  • No generalized model training without consent. We do not use Customer Content (including images) to train generalized models or for marketing unless you opt in via a separate written agreement.

3. Sharing Your Information

We do not sell your personal information. We may share data only as follows:

  • With trusted service providers who help us provide services (e.g., cloud hosting, email delivery, analytics, payment processing, social media API integrations)
  • With social media platforms to publish your content or run your ads, in accordance with their respective terms and policies
  • In compliance with law or to respond to legal requests (e.g., subpoenas or court orders)
  • In the event of a business transfer, such as a merger, acquisition, or asset sale

4. Data Security

We implement technical and organizational security measures to protect your personal data, including encryption, access controls, and secure authentication. However, no method of electronic storage or transmission over the internet is 100% secure.

4A. HIPAA & Business Associate Terms

When a covered dental practice uses the Services in a manner that involves PHI, we act as a Business Associate and will execute a BAA upon request. We process PHI solely to provide the Services and implement safeguards appropriate to the nature of that data. Outside of such relationships, the Services are not intended for PHI.

5. Data Retention

We retain your data for as long as your account is active or as needed to provide our services. You can request deletion of your data at any time, subject to any legal obligations or backup system delays.

5A. Biometric Information & Retention

If SmileGen processes facial landmarks or geometry, we store biometric identifiers only as needed to provide the simulation. We do not sell biometric information. We delete biometric identifiers (i) within 30 days after your last interaction with the individual image set, (ii) upon verified deletion request, or (iii) as required by applicable law. For information about image retention and deletion, see our Data Retention Policy.

5B. SmileGen Feature - Health Information Practices

Health Information Collected

The SmileGen feature processes the following categories of information that may constitute Protected Health Information (PHI) under HIPAA:

  • Facial photographs
  • Patient names and contact information (when provided by the dental practice)
  • Dental treatment preferences (smile makeover type, shade preference)

How We Process Your Information

Patient photographs are processed by AI services to generate cosmetic smile visualizations. Only images are transmitted to AI processors—no patient names, contact information, or other identifying data is shared with AI service providers.

We do NOT:

  • Create or store biometric templates for identification purposes
  • Perform facial recognition
  • Use patient images for AI model training without explicit consent
  • Share patient contact information with AI processors

Data Retention for SmileGen

  • Patient transformation data (photos, videos, contact info): 30 days from creation, then automatically deleted
  • Practice account information: Duration of subscription plus 30 days
  • Financial/transaction records: 7 years as required by law

Third-Party Service Providers

SmileGen uses the following service providers to deliver our services:

Provider | Purpose | Data Shared | Security
Supabase | Database & file storage | All SmileGen data | SOC 2 Type II, BAA in place
HighLevel | CRM notifications (when enabled) | Patient contact info, transformation links | HIPAA add-on enabled, BAA available
Replicate | AI image processing | Images only (no PII) | Processing only, not retained
Vercel | Application hosting | Server logs (no PHI) | SOC 2 Type II

Your HIPAA Rights

If you are a patient whose information was processed through SmileGen, you have the right to:

  • Access: Request a copy of your transformation data
  • Deletion: Request deletion of your data before the 30-day automatic deletion
  • Accounting: Receive an accounting of disclosures of your information
  • Amendment: Request correction of inaccurate information
  • Restriction: Request restrictions on how your information is used

To exercise these rights, contact the dental practice that created your transformation, or email [email protected].

Breach Notification

In the event of a breach involving protected health information, we will:

  • Notify affected dental practices within 72 hours of discovery
  • Assist practices with patient notification as required by HIPAA
  • Document the breach and remediation steps
  • Report to HHS if required (breaches affecting 500+ individuals)

Business Associate Agreements

BiteBot maintains Business Associate Agreements with:

  • Supabase (database and storage provider)
  • HighLevel (CRM integration, when enabled by practice)

Dental practices may request a BAA with BiteBot by contacting [email protected].

6. Your Rights and Choices

You have the right to:

  • Access, update, or delete your personal data
  • Withdraw consent for specific uses (e.g., marketing communications)
  • Export your CRM data
  • Cancel your subscription and close your account

You may exercise these rights by contacting us at [email protected]

Minors: We do not knowingly collect personal information from children under 13 online. Customers must obtain verifiable parental consent before uploading any images of minors as required by law, or refrain from uploading such images.

7. Use by Businesses

BiteBot is a business-focused tool. You are responsible for ensuring that your use of BiteBot to manage and contact leads complies with applicable data protection laws (e.g., GDPR, CCPA, CAN-SPAM).

If you import or enter lead data into the platform, you are the data controller for that information. We act as a data processor, and you represent that you have appropriate legal grounds to process such data.

8. International Transfers

If you are located outside the United States, your data may be transferred to and processed in the United States or other countries with different data protection standards.

9. Changes to This Policy

We may update this Privacy Policy to reflect changes in our practices. We will notify users of significant changes through the App or via email.

10. Contact Us

For questions or concerns, contact our Privacy Team at: [email protected]

© 2025 Bitebot. All rights reserved.