Privacy Policy

Effective Date: April 9, 2026


1. Introduction

This Privacy Policy ("Policy") has been created to demonstrate Tuuthfairy, Inc.'s ("Tuuthfairy," "we," "us," or "our") firm commitment to privacy and to outline how we collect, use, disclose, and protect any personal and other data you provide or we collect while visiting our website (the "Site") or when using any Tuuthfairy APIs, websites, applications, and online services (the "Services").

Tuuthfairy primarily provides services to businesses. Our Services are designed for business-to-business (B2B) use, specifically for software companies that serve dental practices.

Scope of This Policy

This Policy applies to:

  • Our website and online services
  • Our API services
  • All data collection and processing activities related to the Services

This Policy does NOT apply to:

  • Third-party websites or services that you may access from our Site or Services
  • The data collection and use practices of those third parties, which may differ materially from this Policy

Agreement to Terms

By using the Site or Services, you agree to the terms in this Privacy Policy. If you do not agree with the practices described in this Policy, you are not authorized to provide us with your or any other person's personal information or otherwise interact with or use the Site or Services.

If you are agreeing to these terms on behalf of a company or other legal entity, you confirm that you have the authority to agree to these terms on behalf of such entity, and that such entity is subject to these terms and conditions.

This Privacy Policy is incorporated into and forms part of our Terms of Service. Unless otherwise defined herein, capitalized terms have the meanings provided in the Terms of Service.

Relationship to Other Agreements

Protected Health Information (PHI): Any information that we collect that constitutes PHI as defined by the Health Insurance Portability and Accountability Act (HIPAA) is subject to HIPAA and the Health Information Technology for Economic and Clinical Health (HITECH) Act, and shall be governed by our Business Associate Agreement ("BAA") with each customer, which is incorporated by reference in its entirety into this Policy.


2. Information We Collect

We collect various types of information in connection with the Services we provide. This information may be collected directly from you, automatically through your use of our Services, or from third parties.

2.1 Information from Our Customers

When registering to use the Services or managing your account, you may provide:

  • Account Information: Contact information (name, company name, email address, phone number)
  • User Credentials: Usernames and authentication information
  • Organization Details: Company information and organizational structure
  • API Credentials: API keys and authentication tokens
  • Connection Credentials: Third-party connection credentials that you provide to us

If you do not provide the requested information, you may not be able to access or use certain features of the Site or Services.

2.2 Protected Health Information We Process

As a HIPAA Business Associate, we process PHI on behalf of our customers in connection with the Services. This may include:

  • Patient Information: Demographic and identifying information
  • Insurance and Coverage Information: Insurance plan details and eligibility data
  • Dental Services Information: Information related to dental procedures and treatment
  • Provider Information: Healthcare provider identifiers and practice details

Important: We process this PHI solely as a service provider on behalf of our customers (who are typically Covered Entities or their business associates under HIPAA). The use and disclosure of this information is governed by our Business Associate Agreement with each customer.

2.3 Technical Information

We collect information about how you use the Services for operational, security, and analytical purposes. This information may include:

  • API Request Data: Information about API requests, including request parameters, timestamps, and response data
  • Log Data: Technical logs that may include IP addresses, request identifiers, and system events
  • Usage Patterns: Information about how the Services are used to improve functionality and performance

All information described in Sections 2.1, 2.2, and 2.3, together with any other data that we collect, or that is collected on our behalf, from you or your users, is collectively referred to as "Customer Data."


3. How We Use Information

We use Customer Data to provide the Services and to conduct our business operations. Specifically, we use information for the following purposes:

Service Delivery

  • Provide and operate our API services
  • Facilitate communication with third-party service partners
  • Maintain and service your account
  • Provide customer support and respond to inquiries

Authentication and Access Control

  • Verify user identity and authenticate access to the Services
  • Manage API keys and authentication tokens
  • Maintain session security

Service Improvement and Analytics

  • Analyze usage and measure effectiveness of our Services
  • Understand how Services are being used to improve functionality
  • Develop new features and offerings

Security and Fraud Prevention

  • Detect, prevent, and address fraudulent, deceptive, or illegal activity
  • Identify and address security threats and technical issues
  • Protect against harm to the rights, property, or safety of Tuuthfairy, our users, customers, and the public
  • Monitor and enhance our security measures

Legal Compliance and Business Operations

  • Comply with legal obligations, regulations, and regulatory requirements
  • Establish, exercise, or defend legal claims
  • Fulfill contractual obligations
  • Conduct business operations and administrative functions

We process Customer Data only as necessary to provide the Services and pursue our legitimate business interests as described above.


4. How We Share Information

We share Customer Data with third parties only as described in this section. We do not sell, rent, or trade Customer Data with third parties for their own promotional purposes.

4.1 Service Providers and Business Partners

We work with third-party service providers and business partners that help us deliver the Services. These parties may have access to Customer Data only to provide services to us or to you on our behalf, and we do not permit them to use your information for their own purposes outside of providing those services.

Third-Party Service Partners: We share data with third-party partners as necessary to provide our core Services.

Infrastructure and Technology Providers: We use third-party providers for cloud hosting, data storage, user authentication, session management, and system monitoring.

Service providers are contractually obligated to protect Customer Data and use it only for the purposes for which it was disclosed. Service providers and subcontractors who have access to PHI are required to execute Business Associate Agreements and comply with HIPAA requirements.

4.2 Customer-Directed Sharing

Webhook Integrations: Customers may configure webhook endpoints to receive notifications about service requests and other events. Data shared through webhooks is controlled and directed by the customer.

4.3 Legal Requirements and Protection of Rights

We may use or disclose Customer Data if required to do so by law or if we believe in good faith that such use or disclosure is necessary to:

  • Comply with legal obligations, court orders, legal processes, or regulatory requirements
  • Enforce our agreements, policies, or terms of service
  • Protect and defend our rights, property, or safety, or the rights, property, or safety of our users or the public
  • Investigate and prevent fraud, security threats, or technical issues

4.4 Business Transfers

In connection with any merger, sale of company assets, financing, acquisition, or other transaction involving the transfer of all or a portion of our business to another company, Customer Data may be transferred to the successor entity. You authorize such transfer of Customer Data pursuant to such an occurrence. We will notify you via email or prominent notice on our Site of any such change in ownership or control of Customer Data.


5. Data Security

We take the security of your information seriously and implement reasonable administrative, technical, and physical safeguards designed to protect Customer Data from unauthorized access, use, disclosure, alteration, or destruction.

Security Measures

Our security measures include:

Encryption:

  • Encryption in transit using TLS/HTTPS for all data transmission
  • Encryption at rest for sensitive credentials and authentication information

Access Controls:

  • Multi-factor authentication options
  • API key authentication with hashed secrets
  • JWT (JSON Web Token) based authentication
  • Role-based access controls
  • Strict CORS (Cross-Origin Resource Sharing) policies

Technical Safeguards:

  • Password hashing using industry-standard algorithms
  • Request logging and monitoring in production environments
  • Regular security assessments and vulnerability testing

Infrastructure Security:

  • Secure cloud infrastructure with industry-leading providers
  • Network segmentation and firewall protections
  • Incident response procedures
  • Regular security updates and patches
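Two of the controls listed above, API key authentication with hashed secrets and password hashing with an industry-standard algorithm, are shown below in an added illustrative example. It is not Tuuthfairy's code and nothing here describes how the Services are actually built; the "<key_id>.<secret>" key format, the in-memory stores, and the scrypt parameters are assumptions made for the example. The point it makes is the one the list implies: only digests are persisted, so a leaked store does not yield usable credentials, and comparisons are constant-time so a verifier cannot be used as a timing oracle.

```python
"""Added example (not Tuuthfairy's implementation): storing API secrets and
passwords as hashes and verifying them without leaking timing information."""
import hashlib
import hmac
import secrets

# Assumption: API keys take the form "<key_id>.<secret>". The key_id is public
# and indexes the store; the secret is high-entropy and shown to the caller once.
# High-entropy secrets can use a fast hash (SHA-256); brute force is infeasible.
_DUMMY_HASH = hashlib.sha256(b"no-such-key").hexdigest()


def issue_api_key(store: dict) -> str:
    """Generate a key, persist only the SHA-256 digest of its secret, return the key."""
    key_id = secrets.token_urlsafe(12)
    secret = secrets.token_urlsafe(32)  # 256 bits of entropy
    store[key_id] = hashlib.sha256(secret.encode()).hexdigest()
    return f"{key_id}.{secret}"


def verify_api_key(store: dict, presented: str) -> bool:
    """Return True only if the presented key's secret hashes to the stored digest.

    hmac.compare_digest keeps comparison time independent of how many leading
    characters match. An unknown key_id is compared against a dummy digest so
    that "no such key" and "wrong secret" take the same time.
    """
    key_id, sep, secret = presented.partition(".")
    if not sep or not key_id or not secret:
        return False
    expected = store.get(key_id, _DUMMY_HASH)
    actual = hashlib.sha256(secret.encode()).hexdigest()
    matched = hmac.compare_digest(expected, actual)
    return matched and key_id in store


# Passwords are low-entropy, so they need a salted, memory-hard KDF rather than
# a fast hash. Assumed parameters: scrypt with N=2^14, r=8, p=1 (~16 MiB).
SCRYPT_PARAMS = dict(n=2**14, r=8, p=1, dklen=32)


def hash_password(password: str) -> str:
    """Return a self-describing record 'scrypt$<salt_hex>$<digest_hex>'."""
    salt = secrets.token_bytes(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)
    return f"scrypt${salt.hex()}${digest.hex()}"


def verify_password(record: str, password: str) -> bool:
    """Recompute scrypt with the record's salt and compare in constant time."""
    try:
        scheme, salt_hex, digest_hex = record.split("$")
        salt = bytes.fromhex(salt_hex)
    except ValueError:
        return False
    if scheme != "scrypt":
        return False
    digest = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    # Constructed demo data; the stores stand in for a database table.
    api_store: dict = {}
    key = issue_api_key(api_store)
    print("stored digests only:", key.split(".", 1)[1] not in api_store.values())
    print("valid key accepted:", verify_api_key(api_store, key))
    print("tampered key rejected:", verify_api_key(api_store, key + "x"))
    rec = hash_password("correct horse battery staple")
    print("password verifies:", verify_password(rec, "correct horse battery staple"))
    print("wrong password rejected:", verify_password(rec, "Tr0ub4dor&3"))
```

The two hashing choices differ for a reason: an API secret is random and 256 bits wide, so an attacker holding its SHA-256 digest cannot guess it, while a password must be protected by a salted, deliberately slow function such as scrypt. Both verifiers return a boolean and never the stored record, and both use hmac.compare_digest rather than `==`.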

Security Limitations

While we strive to use commercially reasonable measures to protect your information, no security system is completely secure. We cannot guarantee the absolute security of Customer Data. Website and internet security technology changes rapidly, and any security system may be compromised. You acknowledge that:

  • You transmit information to us at your own risk
  • Unauthorized entry, hardware or software failure, and other factors may compromise security
  • We are not responsible for unauthorized, illegal, or criminal activity by third parties

If you believe your account security has been compromised, please contact us immediately at privacy@tuuthfairy.com.


6. Rights and Choices

6.1 Customer Account Rights

As a customer, you have the following rights regarding your account information:

  • Access: You can access your account information through your customer portal
  • Management: You can manage API keys, webhook configurations, connection credentials, and other account settings

6.2 Data Retention and Deletion

We retain Customer Data while your account is active or as needed to provide Services to you. Data retention and deletion are governed by the terms of your contract with Tuuthfairy. Upon contract termination or account closure, Customer Data will be handled in accordance with your contractual agreements, including any applicable Business Associate Agreement.

We may retain certain information after contract termination as required to:

  • Comply with legal, regulatory, tax, or accounting requirements
  • Resolve disputes and enforce agreements

For questions about data retention or deletion, please contact us at privacy@tuuthfairy.com.


7. HIPAA Business Associate Status

Tuuthfairy acts as a Business Associate under the Health Insurance Portability and Accountability Act (HIPAA) to our customers, who are typically Covered Entities or other Business Associates.

Our HIPAA Obligations

PHI Governance: All Protected Health Information (PHI) that we collect or process is subject to HIPAA, the HITECH Act, and our Business Associate Agreement (BAA) with each customer. Our BAA is incorporated by reference into this Privacy Policy.

HIPAA Safeguards: We implement administrative, technical, and physical safeguards designed to comply with the HIPAA Privacy Rule (45 CFR Part 160 and Part 164, Subparts A and E) and HIPAA Security Rule (45 CFR Part 164, Subpart C) in our handling of PHI. We maintain policies and procedures intended to meet HIPAA requirements for the protection of PHI.

Permitted Uses: We use and disclose PHI only as permitted by our Business Associate Agreement and as required or permitted under HIPAA. We have implemented controls designed to ensure we do not use or disclose PHI in any manner that would violate the HIPAA Privacy Rule if done by a Covered Entity.

Breach Notification: We maintain procedures designed to detect, report, and respond to security incidents and breaches of unsecured PHI consistent with the HIPAA Breach Notification Rule (45 CFR §§ 164.400-414).

Subcontractor Compliance: All service providers and subcontractors who have access to PHI on our behalf are required to execute Business Associate Agreements and implement appropriate safeguards to protect PHI.

De-Identification: We may de-identify PHI in accordance with HIPAA standards (45 CFR § 164.514) for use in analytics, research, and service improvement. Once de-identified in accordance with HIPAA requirements, such information is no longer considered PHI and is not subject to HIPAA restrictions.


8. California Privacy Rights (CCPA/CPRA)

Under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), Tuuthfairy acts as a "service provider" when processing data on behalf of our customers. We do not sell or share personal information as defined by CCPA/CPRA. California residents with questions about their privacy rights should contact us at privacy@tuuthfairy.com.


9. Tracking Technologies

We may use cookies and similar tracking technologies in connection with our Services and website.

How We Use Tracking Technologies

We may use tracking technologies for purposes such as:

  • Authentication and session management
  • Security and fraud prevention
  • Website functionality
  • Service improvement and analytics

Limited Third-Party Tracking

We do not use tracking technologies for:

  • Third-party advertising
  • Cross-site behavioral tracking for marketing purposes

Managing Your Preferences

Most web browsers allow you to manage your cookie preferences through browser settings. Please note that disabling certain tracking technologies may affect your ability to use some features of our Services.


10. International Data Transfers

Our Services are hosted in the United States and intended solely for use by customers located in the United States. We do not transfer Customer Data outside of the United States. If you access our Services from outside the United States, you do so at your own risk and acknowledge that your information will be processed and stored in the United States subject to U.S. laws.


11. Changes to This Privacy Policy

We reserve the right to update, change, or modify this Privacy Policy at any time. Any changes will be effective immediately upon posting on this Site.

Notification of Changes

Material Changes: If we make material changes to this Privacy Policy that significantly affect how we collect, use, or disclose Customer Data, we will:

  • Update the "Effective Date" at the top of this Policy
  • Notify you via email (to the email address associated with your account)
  • Provide prominent notice on our Site or through our Services

Non-Material Changes: For minor or administrative changes, we will update the Policy and the "Effective Date" without additional notice.

Your Responsibility

It is your responsibility to review this Privacy Policy periodically to ensure you understand our current practices. Your continued use of our Services after any changes indicates your acceptance of the updated Privacy Policy.

We encourage you to check this page regularly for updates.


12. Contact Information

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Tuuthfairy, Inc.
100 S Ellsworth Ave Ste 100
San Mateo, CA 94401

Email: privacy@tuuthfairy.com

For privacy-related inquiries or to exercise any of your rights under this Policy, please contact us using the information above.


13. Additional State-Specific Rights

Residents of certain U.S. states may have additional privacy rights under applicable state privacy laws. If you are a resident of a state with comprehensive privacy legislation and wish to exercise any rights under your state's privacy law, please contact us at privacy@tuuthfairy.com. We will respond to your request in accordance with applicable law.