Privacy Policy

How we collect, use, and protect your information.

Toothsome, Inc. — Effective Date: January 1, 2026 · Last Updated: January 5, 2026

1. Introduction

Toothsome, Inc. ("Toothsome," "we," "us," or "our") is committed to protecting the privacy of individuals who use our platform and services. This Privacy Policy describes how we collect, use, disclose, and protect information when you use our website, mobile applications, and related services (collectively, the "Platform").

This Privacy Policy applies to employees who receive dental benefits through our Platform ("Members"), employers who sponsor dental benefit programs ("Employers"), and dental providers who participate in our network ("Providers").

By using our Platform, you agree to the collection, use, and disclosure of your information as described in this Privacy Policy.


2. Information We Collect

2.1 Information You Provide

We collect information you provide directly to us, including:

Account Information: Name, email address, phone number, mailing address, and password when you create an account.

Employment Information: Employer name, employee ID, hire date, and benefit eligibility information (for Members).

Provider Information: Practice name, address, NPI number, state license number, and tax identification number (for Providers).

Transaction Information: Receipts, invoices, payment amounts, dates of service, and procedure codes submitted for reimbursement.

Communications: Messages, emails, and other communications you send to us.

2.2 Information We Collect Automatically

When you use our Platform, we automatically collect:

Device Information: Device type, operating system, browser type, and unique device identifiers.

Usage Information: Pages visited, features used, time spent on the Platform, and interaction patterns.

Location Information: General location based on IP address.

2.3 Information from Third Parties

We may receive information from:

Employers: Employee roster information, benefit amounts, and eligibility data.

Payment Processors: Transaction confirmations and payment status.


3. How We Use Your Information

We use the information we collect to:

Provide Services: Process reimbursements, verify eligibility, and facilitate transactions between Members, Employers, and Providers.

Communicate: Send account notifications and transaction confirmations, and respond to inquiries.

Improve Our Platform: Analyze usage patterns, troubleshoot issues, and enhance user experience.

Comply with Legal Obligations: Meet regulatory requirements, respond to legal requests, and enforce our agreements.

Prevent Fraud: Detect and prevent fraudulent activity, abuse, and security incidents.


4. How We Share Your Information

4.1 With Your Employer

We share transaction summaries and reimbursement amounts with your Employer for payroll processing and benefit administration. We do not share clinical details or specific procedure information with Employers.

4.2 With Service Providers

We share information with service providers who assist us in operating our Platform:

Amazon Web Services (AWS): Cloud infrastructure and data storage. AWS processes and stores data on our behalf. We maintain a Business Associate Agreement with AWS as required by HIPAA.

Google Workspace: Business email, document storage, and collaboration tools. We maintain a Business Associate Agreement with Google as required by HIPAA.

Stripe: Payment processing for invoices and administration fees. Stripe processes payment information only; Stripe does not access health information or clinical data.

SendGrid: Email delivery services. Our emails are designed to contain no protected health information; emails use generic language and do not include clinical details.

For service providers who access protected health information, we maintain Business Associate Agreements as required by HIPAA. For service providers who only process operational data such as payments, no Business Associate Agreement is required.

4.3 With Providers

We share Member eligibility status and Toothsome ID with Providers to verify benefit coverage. We do not share detailed personal information with Providers beyond what is necessary for eligibility verification.

4.4 For Legal Purposes

We may disclose information when required by law, subpoena, court order, or government request, or when we believe disclosure is necessary to protect our rights, protect your safety or the safety of others, investigate fraud, or respond to a government request.

4.5 Business Transfers

If Toothsome is involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any such change in ownership or control of your information.


5. Protected Health Information

Certain information we collect may constitute Protected Health Information ("PHI") under the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"). We handle PHI in accordance with HIPAA requirements and our Business Associate Agreements with Employers and Providers.

5.1 Your Rights Regarding PHI

You have the right to:

Access: Request a copy of your PHI that we maintain.

Amendment: Request correction of PHI you believe is inaccurate or incomplete.

Accounting of Disclosures: Request a list of certain disclosures we have made of your PHI.

Restriction: Request restrictions on how we use or disclose your PHI.

Confidential Communications: Request that we communicate with you in a specific manner or at a specific location.

To exercise these rights, contact us at privacy@toothsome.io.

5.2 Minimum Necessary Standard

We apply the minimum necessary standard when using or disclosing PHI, meaning we limit the PHI used or disclosed to the minimum amount necessary to accomplish the intended purpose.


6. Data Security

We implement appropriate technical and organizational measures to protect your information, including:

Encryption: Data is encrypted in transit using TLS and at rest using AES-256 encryption.

Access Controls: Access to personal information is limited to authorized personnel who need it to perform their job functions.

Monitoring: We monitor our systems for security incidents and unauthorized access.

Training: Our team receives regular training on privacy and security practices.

While we strive to protect your information, no method of transmission over the Internet or electronic storage is completely secure. We cannot guarantee absolute security.


7. Data Retention

We retain your information for as long as necessary to provide our services and fulfill the purposes described in this Privacy Policy. Specifically:

Account Information: Retained for the duration of your account and for six (6) years after account closure.

Transaction Records: Retained for seven (7) years to comply with tax and regulatory requirements.

Communications: Retained for three (3) years or as required by law.

When information is no longer needed, we securely delete or anonymize it.


8. Your Choices

8.1 Account Information

You can update your account information by logging into your account or contacting us at support@toothsome.io.

8.2 Communications

You can opt out of promotional communications by following the unsubscribe instructions in our emails. You cannot opt out of transactional communications related to your account or benefit administration.

8.3 Cookies

Most web browsers are set to accept cookies by default. You can usually modify your browser settings to decline cookies, but this may affect your ability to use certain features of our Platform.


9. Children's Privacy

Our Platform is not intended for children under the age of 18. We do not knowingly collect personal information from children under 18. If we learn that we have collected personal information from a child under 18, we will take steps to delete that information.


10. State-Specific Rights

10.1 California Residents

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA), including:

Right to Know: You can request information about the categories and specific pieces of personal information we have collected about you.

Right to Delete: You can request that we delete personal information we have collected from you, subject to certain exceptions.

Right to Opt-Out: You can opt out of the sale of your personal information. We do not sell personal information.

Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights.

To exercise these rights, contact us at privacy@toothsome.io.

10.2 Texas Residents

If you are a Texas resident, you have rights under the Texas Data Privacy and Security Act, including the right to access, correct, delete, and obtain a copy of your personal data. To exercise these rights, contact us at privacy@toothsome.io.


11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or by posting a notice on our Platform prior to the effective date of the changes. Your continued use of our Platform after the effective date constitutes your acceptance of the updated Privacy Policy.


12. Contact Us

If you have questions about this Privacy Policy or our privacy practices, please contact us:

Toothsome, Inc.
3550 N Lakeline Blvd, Unit 170, PMB 1022
Leander, TX 78641

Email: privacy@toothsome.io

For HIPAA-related inquiries or to exercise your rights regarding Protected Health Information, please contact our Privacy Officer at privacy@toothsome.io.

Document Version: 2.0 · Last Updated: January 5, 2026