Privacy Policy

1. Overview

Virtutools Inc. ("Virtutools," "we," "us," or "our") operates DentaHub, a software-as-a-service platform that automates insurance pre-determination (Pre-D) workflow tracking for dental practices using Dentrix practice management software.

This Privacy Policy explains how we collect, use, store, and protect information in connection with the DentaHub platform, our website at dentahub.ca, and our related services. By accessing or using DentaHub, you agree to the practices described in this policy.

2. Who We Are

Virtutools Inc. is the legal entity that owns and operates DentaHub. We are incorporated in Canada and operate in both Canada and the United States.

Canadian Office (Primary)

Virtutools Inc.
6D - 7398 Yonge St., Thornhill, ON L4J 8J2, Canada
Email: info@virtutools.com

United States Office

Virtutools Inc.
3101 Ocean Park Blvd., Suite 100, Santa Monica, CA 90405, USA
Email: info@virtutools.com

3. Data We Collect

We collect two categories of data: information about dental clinic staff and administrators who use DentaHub (Platform Users), and patient-related data that is synced from the clinic's Dentrix system (Patient Data).

3.1 Platform User Data (Clinic Staff & Administrators)

• Name and email address (for login and notifications)
• Role and clinic affiliation
• Login timestamps and activity logs
• Notification preferences
• IP address and browser type (for security logging)

3.2 Patient Data (Synced from Dentrix)

DentaHub syncs the following patient information automatically from your clinic's Dentrix database via our C# Windows service (DentrixDBReader):

• Patient first and last name
• Dental procedure codes and descriptions (ADA codes)
• Treatment plan status (planned, scheduled, completed)
• Insurance pre-determination claim status and dates
• Insurance carrier name and group name
• Treating provider name
• Tooth numbers and procedure dates
• Billed amounts for pre-authorization tracking

We do not collect Social Insurance Numbers, Social Security Numbers, credit card numbers, full date of birth, or clinical notes.

3.3 Website Visitor Data

• IP address and general geographic location
• Pages visited and time spent on dentahub.ca
• Browser type, operating system, referring URL
• Demo request form submissions (name, email, clinic size)
• Cookie and analytics data (see Section 13)

4. How We Use Data

Platform User Data

• Authenticate users and provide secure access to DentaHub
• Send daily digest emails, escalation alerts, and weekly summaries
• Provide customer support and respond to inquiries
• Improve platform features and performance
• Maintain security logs and audit trails
• Send service announcements and policy updates

Patient Data

• Display treatment workflow status to authorized clinic staff
• Match insurance pre-determination claims to patient records
• Generate AI-powered follow-up priority scores
• Send automated patient booking emails when insurance approves treatment (only when configured by the clinic)
• Generate weekly cohort reports and conversion analytics for the clinic
• Trigger workflow notifications for overdue cases

We do not sell patient data, use patient data for advertising, or share patient data with any third party except as described in Section 6.

5. Our Role as a Data Processor

Under Canadian privacy law (PIPEDA and PHIPA) and US law (HIPAA), DentaHub acts as a data processor (or "service provider" / "business associate" in US terminology). The dental clinic is the data controller — they determine the purpose and means of processing patient data.

This means:

• We only process patient data as directed by the dental clinic's configuration of DentaHub
• We do not use patient data for our own independent purposes
• We assist the clinic in fulfilling patient rights requests (access, correction, deletion)
• We notify clinics of any data breaches affecting patient data promptly (see Section 12)
• We delete or return patient data upon termination of the clinic's subscription

Clinics signing up for DentaHub agree to our Terms of Service, which includes data processing obligations consistent with PIPEDA, PHIPA, and HIPAA.

6. Third-Party Sub-Processors

We engage the following sub-processors to deliver the DentaHub service. Each has been selected for their data security standards and has appropriate contractual protections in place:

We do not share patient data with any advertising networks, data brokers, or marketing platforms. We may disclose information where required by law or valid legal process, in which case we will notify the affected clinic to the extent permitted by law.

7. Data Storage & Security

All DentaHub application and patient data is stored on Linode (Akamai) servers located in the United States. We implement the following technical and organizational security measures:

• All data encrypted in transit using TLS 1.2 or higher (HTTPS)
• Data at rest encrypted using AES-256 equivalent database encryption
• PostgreSQL database protected within a private Docker network — not exposed to the public internet
• Bearer token authentication required for all API communications between clinic PCs and our servers
• Role-based access control — clinic staff can only see their own clinic's data
• Automated daily database backups with point-in-time recovery
• Server access restricted to SSH key authentication only (no password login)
• Audit logs maintained for all status changes and data access events

While we employ industry-standard security measures, no internet transmission or storage system is 100% secure. In the event of a breach, we will follow the notification procedures in Section 12.

8. Data Retention

• Active subscription: Patient data is retained for as long as the clinic's subscription is active and for a period of 90 days after termination to allow for data export requests.
• After termination: Upon written request, we will delete or anonymize all patient data within 30 days of subscription termination.
• Platform user accounts: Retained for the duration of the subscription plus 12 months, then deleted.
• Audit logs: Retained for 7 years to comply with healthcare record-keeping obligations.
• Website visitor data: Anonymized after 26 months per Google Analytics default settings.

9. Canadian Privacy Law — PIPEDA & PHIPA

Virtutools Inc. is subject to Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) for all personal information we collect and process as a data controller (i.e., our own website visitors and platform users).

For Ontario-based dental clinics, patient health information is governed by the Personal Health Information Protection Act (PHIPA). DentaHub's role as an agent of the clinic means:

• We collect only the minimum personal health information required for workflow tracking purposes
• We do not use personal health information for purposes beyond those specified by the clinic
• We maintain appropriate administrative, technical, and physical safeguards
• We are available to assist clinics in responding to patient access and correction requests
• We will notify clinics of any privacy breach involving personal health information within 72 hours of discovery

Under PIPEDA, individuals may contact us to request access to their personal information or to withdraw consent. See Section 11 for how to exercise these rights.

10. US Clinics — HIPAA Compliance

For dental practices located in the United States, DentaHub functions as a Business Associate under the Health Insurance Portability and Accountability Act (HIPAA). Our server infrastructure is located in the United States (Linode / Akamai).

US-based clinic customers are required to execute a Business Associate Agreement (BAA) with Virtutools Inc. before using DentaHub. The BAA governs our obligations with respect to Protected Health Information (PHI) and is available upon request by contacting info@virtutools.com.

As a Business Associate, we commit to:

• Using and disclosing PHI only as permitted by the BAA and HIPAA
• Implementing the administrative, physical, and technical safeguards required by the HIPAA Security Rule
• Reporting breaches of unsecured PHI to the covered entity (dental clinic) without unreasonable delay and no later than 60 days after discovery
• Ensuring that any sub-processors who access PHI are bound by equivalent HIPAA obligations
• Making our practices available to HHS for audit purposes as required

11. Your Privacy Rights

Depending on your location, you may have the following rights regarding your personal information:

For All Users (Canada & US)

• Access: Request a copy of the personal information we hold about you
• Correction: Request correction of inaccurate or incomplete information
• Withdrawal of consent: Withdraw consent to our processing (where consent is the legal basis)
• Complaint: Lodge a complaint with a relevant privacy authority

For Patients

If you are a patient whose data has been synced to DentaHub by your dental clinic, your primary point of contact is the dental clinic (the data controller). Please contact your clinic directly for access, correction, or deletion requests. We will cooperate with the clinic in fulfilling these requests.

How to Exercise Your Rights

Submit a written request to info@virtutools.com with the subject line "Privacy Request." We will respond within 30 days. We may need to verify your identity before processing the request.

Canadian residents may also contact the Office of the Privacy Commissioner of Canada at priv.gc.ca or 1-800-282-1376 with any concerns.

12. Breach Notification

In the event of a security breach that poses a real risk of significant harm to individuals, we will:

• Notify affected dental clinics (as data controllers) within 72 hours of confirming the breach
• Provide details of the nature of the breach, the data involved, and the steps being taken to contain it
• Cooperate with the clinic in notifying affected patients as required under PIPEDA, PHIPA, or HIPAA
• Report to the Office of the Privacy Commissioner of Canada as required under PIPEDA
• For US clinics, notify the covered entity no later than 60 days after discovery as required under HIPAA's Breach Notification Rule
• Maintain a breach log available to regulators upon request

13. Cookies & Analytics

Our website (dentahub.ca) uses the following cookies and tracking technologies:

• Essential cookies: Required for login sessions and CSRF protection within the DentaHub application. Cannot be disabled.
• Analytics cookies (Google Analytics): We use Google Analytics (G-EJ9XP14J9F) to understand how visitors use our public website. This data is anonymized and does not include patient information. You may opt out via Google's opt-out tool.

We do not use advertising cookies, retargeting pixels, or sell cookie data to any third party.

14. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or applicable law. When we make material changes, we will:

• Update the "Effective Date" at the top of this page
• Notify clinic administrators by email at least 30 days before the change takes effect
• Post a notice on the DentaHub application dashboard

Continued use of DentaHub after the effective date constitutes acceptance of the updated policy.

15. Contact Us

For any privacy-related questions, requests, or concerns, please contact us:

Also see our Terms of Service for the full agreement governing use of DentaHub.