SedationLog

DRAFT -- ATTORNEY REVIEW REQUIRED

This page is a starting template only. It has NOT been reviewed by an attorney and MUST NOT be relied on as a legal document until it has been. Replace with attorney-approved language before public launch, then set PUBLIC_LEGAL_REVIEWED=true in Amplify to hide this banner.

Privacy Policy

Effective TBD -- update before launch

1. What this policy covers

This Privacy Policy describes how Clarity (operator of SedationLog, "we", "us") collects, uses, and shares information about visitors to sedationlog.com and customers of the SedationLog service. Protected Health Information (PHI) submitted to the SedationLog service by a customer practice is governed by our Business Associate Agreement at /legal/baa and is NOT subject to this Privacy Policy.

2. Information we collect

From visitors to sedationlog.com

  • IP address, browser type, pages visited, referrer, and similar standard web-server log data.
  • Cookie-based session identifiers for anti-abuse and (where you opt in) lightweight analytics.

From customers signing up for the Service

  • Name, email address, password (stored as a salted hash), practice name.
  • Billing information processed through our payment provider.
  • Authentication metadata: last login, session activity, IP history.

From the Service itself

  • Diagnostic and audit logs of API requests against the customer's tenant. PHI is NOT logged. Logs are retained for six years as required by HIPAA.

3. How we use information

We use the information described above to: provide and improve the Service; bill customers and process payments; respond to support requests; comply with legal obligations; and detect and prevent abuse. We do NOT use PHI to train models, do NOT sell it to third parties, and do NOT use it for any purpose outside our role as a Business Associate of the customer practice.

4. Sharing

We share information with sub-processors strictly to operate the Service. The current sub-processor list lives at /legal/baa#sub-processors and is updated when it changes. We do not sell personal information.

5. Data retention

  • Marketing-site analytics: 13 months maximum.
  • Customer account records: retained while the account is active and for 90 days after cancellation.
  • Signed sedation PDFs: retained for 7 years under S3 Object Lock per HIPAA and state board requirements.
  • Audit logs of PHI access: retained for 6 years per HIPAA.

6. Your rights

Customers can request export, correction, or deletion of their account information at any time by emailing privacy@sedationlog.com. Patients whose PHI is in a customer's tenant must direct such requests to the customer practice, which is the HIPAA-defined Covered Entity.

7. Security

Data is encrypted at rest (AWS RDS encryption, S3 SSE) and in transit (TLS 1.2+). Detailed security practices, including our incident response posture, are documented in the BAA.

8. Children's privacy

SedationLog is intended for use by licensed dental professionals. We do not knowingly collect personal information directly from individuals under 18. PHI about pediatric patients of customer practices is handled under the customer's HIPAA authority.

9. Changes to this policy

Material changes will be emailed to account holders at least thirty (30) days before they take effect.

10. Contact

Privacy questions: privacy@sedationlog.com.