Privacy Policy

1. Information We Collect

Account and Practice Information

When a dental practice signs up for Mission Valley, we collect information about the practice and the individuals who manage the account. This includes:

• Practice name, address, phone number, and website
• Account owner name, email address, and job title
• Practice Management System (PMS) credentials used for integration
• Billing information (processed by our payment processor; we do not store full card numbers)
• NPI numbers and other professional identifiers you provide

Call Recordings and Transcripts

Our AI receptionist answers calls on behalf of your practice. When a patient calls, we collect:

• Audio recordings of the call (subject to applicable state call recording disclosure laws)
• Automatically generated transcripts of the conversation
• Caller phone number and call metadata (duration, timestamp, direction)
• Information the caller provides during the call, which may include patient name, date of birth, insurance information, reason for visit, and appointment preferences

Information collected during patient calls may constitute Protected Health Information (PHI) under HIPAA. See Section 5 for details on how we handle PHI.

Appointment and Patient Data

To book and manage appointments, we interact with your Practice Management System. This may involve reading and writing:

• Patient demographic records (name, contact information, date of birth)
• Appointment schedules and provider availability
• Insurance carrier and plan information
• Treatment notes or procedure codes, to the minimum extent necessary for scheduling

Usage Data

We collect information about how your practice team interacts with the Mission Valley dashboard. This includes page views, feature usage events, session duration, and error logs. We use this data to improve the product and diagnose issues. We do not sell usage data or use it for advertising.

2. How We Use Information

Service Delivery

We use the information above to operate the Mission Valley platform: answering calls, booking appointments, routing messages, generating summaries, and syncing data with your PMS. Without this data, the service cannot function.

Product Improvement

We use aggregated and de-identified usage data to improve our AI models and platform features. We may analyze call transcripts in de-identified form to improve speech recognition and intent detection. We do not use identifiable PHI to train shared AI models without explicit written consent.

Customer Support

Our support team may access account data, call recordings, and transcripts when you submit a support request or when we proactively investigate a reported issue. Access is logged and limited to authorized personnel.

Communications

We use your contact information to send transactional emails (account setup, billing receipts, security alerts) and product communications (release notes, tips). You can opt out of non-transactional communications at any time via the unsubscribe link in any email.

3. How We Share Information

We do not sell your data or your patients' data. We share data only in the following limited circumstances:

Subprocessors with BAAs

We use a small number of third-party services to operate the platform. Any subprocessor that may handle PHI is required to sign a Business Associate Agreement (BAA) with us before accessing that data. Our current BAA-covered subprocessors include:

• Amazon Web Services (AWS): cloud infrastructure, data storage, and compute. All data is stored in AWS US-East regions.
• Clerk: identity and authentication management for platform accounts.

We maintain an up-to-date subprocessor list. If we add a subprocessor that will handle PHI, we will notify affected customers at least 30 days in advance.

Legal Requirements

We may disclose information if required by law, court order, or government authority, or to protect the rights, property, or safety of Mission Valley, our customers, or others. We will notify you of such requests where legally permitted to do so.

Business Transfers

If Mission Valley is acquired, merges with another company, or transfers substantially all of its assets, your data may be transferred as part of that transaction. We will notify you before your data is transferred and subject to a different privacy policy.

4. Data Retention

We retain data for different periods depending on the type of data and applicable legal requirements:

• Audit logs: retained for 6 years from creation, consistent with HIPAA's minimum retention requirements for PHI-related documentation.
• Call recordings and transcripts: retained for 1 year by default. Customers may configure shorter retention periods in their account settings. Recordings may also be deleted on request, subject to any legal hold obligations.
• Appointment and patient data synced from your PMS: retained while your account is active. Upon account termination, this data is deleted within 90 days unless you request an earlier deletion or data export.
• Account and billing records: retained for 7 years for tax and financial compliance purposes.
• Usage logs: retained for 12 months for debugging and security purposes, then deleted.

5. HIPAA Compliance

Mission Valley is designed to operate as a Business Associate under the Health Insurance Portability and Accountability Act (HIPAA) for covered dental practices.

Business Associate Agreements

We provide a signed Business Associate Agreement (BAA) to all customers subject to HIPAA. The BAA is included as part of our standard customer agreement. If you have not received a BAA or need a copy, contact us at privacy@missionvalley.co.

PHI Handling

We handle Protected Health Information (PHI) consistent with the HIPAA Privacy Rule and Security Rule. This includes:

• Limiting access to PHI to authorized personnel on a need-to-know basis
• Logging all access to PHI-containing systems
• Not using or disclosing PHI for purposes beyond those specified in our BAA
• Reporting any breach of unsecured PHI to affected customers within 60 days of discovery, consistent with HIPAA's Breach Notification Rule

Encryption

All PHI stored in Mission Valley systems is encrypted at rest using AES-256. All data transmitted between your browser, the Mission Valley platform, and our subprocessors is encrypted in transit using TLS 1.2 or higher. Database backups are also encrypted.

6. Cookies and Tracking

Our marketing website (missionvalley.co) uses minimal tracking:

• Essential cookies: required for the platform to function, including authentication session cookies. These cannot be disabled.
• Analytics: if configured by us, we use a privacy-respecting analytics tool to understand aggregate visitor behavior (pages visited, referral source, browser type). We do not use Google Analytics by default and do not build individual visitor profiles.

We do not use advertising cookies, retargeting pixels, or third-party tracking networks on our marketing website or within the platform.

7. Your Rights

As a Mission Valley customer or an individual whose data we hold, you have the following rights:

• Access: request a copy of the personal data we hold about you or your practice.
• Correction: request correction of inaccurate or incomplete data.
• Deletion: request deletion of your personal data. Note that some data must be retained to comply with legal obligations (see Section 4).
• Data portability: request an export of your practice's data in a machine-readable format (CSV or JSON).
• Restriction: in certain circumstances, request that we restrict processing of your data while a dispute is resolved.

For patient rights under HIPAA (access to PHI, amendment requests, accounting of disclosures), patients should contact their dental practice directly. Mission Valley will cooperate with the practice to fulfill those requests.

To exercise any of the above rights, email privacy@missionvalley.co. We will respond within 30 days.

8. Security

We implement technical and organizational safeguards appropriate to the sensitivity of the data we handle. These include:

• AES-256 encryption at rest and TLS 1.2+ in transit
• Role-based access control with multi-factor authentication required for internal systems
• Continuous monitoring and intrusion detection on our cloud infrastructure
• Annual security reviews and vulnerability assessments
• Employee security training and background checks

Despite these measures, no system is completely secure. If you believe your account has been compromised, contact us immediately at privacy@missionvalley.co.

9. Children's Privacy

The Mission Valley platform is not directed at children under the age of 13, and we do not knowingly collect personal information from children under 13 through our marketing website or customer accounts. If you believe a child under 13 has provided personal information directly to us, please contact us and we will promptly delete it. Note that dental practices may collect information about minor patients as part of their normal operations; that data is governed by the practice's own HIPAA obligations.

10. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email and by posting a notice in the Mission Valley dashboard at least 30 days before the changes take effect. The “Last updated” date at the top of this page reflects the most recent revision. Continued use of the platform after the effective date constitutes acceptance of the updated policy.

11. Contact

For privacy-related questions, BAA requests, or to exercise your rights, contact our privacy team: