Privacy Policy
Last updated: February 13, 2026
This Privacy Policy describes how Healama, Inc. (“Healama,” “we,” “us,” or “our”) collects, uses, discloses, and protects information when dental practices and their authorized team members use our platform, and when visitors interact with our websites. The Healama platform includes our web applications, AI-assisted features, practice management tools, third-party integrations, and related services (collectively, the “Services”).
When we process protected health information (“PHI”) on behalf of a dental practice that is a HIPAA-covered entity, we do so as a Business Associate under the Health Insurance Portability and Accountability Act (“HIPAA”). Our handling of PHI is governed by the applicable Business Associate Agreement (“BAA”) between Healama and the covered entity.
Account and practice data
When you create an account or manage your practice on Healama, we collect:
- Staff information: full name, email address, username, profile image, and assigned role (such as practice owner, practice administrator, clinical staff, or office staff).
- Practice information: practice name, address, specialty, National Provider Identifier (NPI), and scheduling preferences.
- Team invitations: invitee name, email address, assigned role, and the IP address from which the invitation was sent or accepted.
Patient data and protected health information
Practices enter or import the following patient data into Healama. This data may constitute PHI under HIPAA:
- Demographics: patient name, date of birth, email address, and phone number.
- Insurance details: member ID, group number, payer name, and payer ID. We do not collect Social Security numbers.
- Clinical data: procedures, treatment plans, recall schedules, and appointment history (including data imported from third-party practice management systems).
- Patient files: documents uploaded by practice staff, including PDFs, images, DICOM files, and office documents (maximum 10 MB per file), stored in encrypted cloud storage.
Usage and technical data
We automatically collect certain information when you use the Services:
- Session data: IP address, browser type, operating system, device type, session start time, and last access time.
- Request metadata: HTTP method, request path, response status code, response time, and user agent string.
- Feature usage: which platform features are accessed, frequency of use, and interaction patterns.
- AI chat data: messages sent to and received from AI-assisted features, including tool calls and their results, used to deliver the service and improve quality.
Cookies and local storage
Healama uses the following cookies and browser storage mechanisms, all of which are essential for the operation of the Services. We do not use third-party advertising or marketing cookies.
| Name | Purpose | Type | Duration |
|---|---|---|---|
| access_token | Authentication (JWT) | HttpOnly, Secure, SameSite cookie | 30 minutes |
| refresh_token | Session continuity (JWT) | HttpOnly, Secure, SameSite cookie | 12 hours |
| selected_provider_id | Practice selection | Cookie (readable by client) | Session |
| healama_last_activity | Idle timeout synchronization across browser tabs | localStorage | Persistent |
How we use information
- Deliver and operate the platform: patient management, appointment scheduling, AI-assisted workflows, and practice communications.
- Verify insurance eligibility at the direction of the practice, using third-party verification services.
- Process subscription payments and manage billing through our payment processor.
- Send transactional communications: password resets, team invitations, appointment notifications, and system alerts.
- Synchronize calendar data when a practice connects external calendar accounts.
- Maintain audit logs for security monitoring, incident investigation, and regulatory compliance.
- Improve platform performance, reliability, and security through analytics and error tracking.
- Comply with applicable legal and regulatory obligations.
Third-party service providers
We share information with the following categories of service providers to deliver the Services. Each provider receives only the data necessary for its function:
- Identity and authentication: user credentials, session data, multi-factor authentication status, and role assignments.
- Payment processing: customer identifier, subscription status, and billing metadata. Healama does not store full payment card numbers. Our payment processor maintains PCI-DSS compliance independently.
- Transactional email: recipient email address, subject line, and message body for password resets, invitations, and notifications.
- Connected email: when a practice connects its own email account, we store encrypted OAuth tokens to send email on the practice's behalf.
- Calendar synchronization: encrypted OAuth tokens and calendar event data for scheduling synchronization with third-party calendar providers.
- Practice management systems: patient demographics, procedures, insurance records, appointments, treatment plans, and recall schedules. Integration credentials are encrypted at rest. Social Security numbers are explicitly excluded from all data transfers.
- Insurance eligibility verification: member information, provider NPI, and service dates to verify insurance coverage via third-party clearinghouse providers.
- Cloud storage: patient files, practice assets, and support attachments, stored with provider-level path isolation.
- Observability and monitoring: request metadata and, when enabled, AI conversation traces for service monitoring and quality improvement.
Other disclosures
We may disclose information in the following circumstances:
- To comply with a valid legal process, such as a subpoena, court order, or government request.
- To protect the rights, safety, or property of Healama, our users, or the public.
- In connection with a merger, acquisition, or sale of assets, in which case we will notify affected practices.
- To professional advisors (legal counsel, accountants, auditors) under confidentiality obligations.
We do not sell personal information or protected health information.
HIPAA and protected health information
Healama is designed to comply with the HIPAA Security Rule, Privacy Rule, and Breach Notification Rule. When we process PHI on behalf of a covered entity:
- We enter into a Business Associate Agreement (BAA) that defines permitted uses and disclosures of PHI.
- We implement administrative, technical, and physical safeguards as required by the HIPAA Security Rule.
- We apply the minimum necessary standard, accessing only the PHI needed to perform our services.
- We maintain audit logs of PHI access and modifications for a minimum of seven (7) years, in compliance with HIPAA record retention requirements.
- We will notify affected covered entities without unreasonable delay in the event of a breach of unsecured PHI, as required by the HIPAA Breach Notification Rule.
To request a BAA or report a potential security incident, contact us at privacy@healama.com.
Data security
We implement multiple layers of security to protect your information:
- Authentication: JSON Web Tokens (JWT) stored in HTTP-only, Secure, SameSite cookies that cannot be accessed by client-side scripts.
- Session management: compliant with NIST SP 800-63B at Authenticator Assurance Level 2 (AAL2), including a 30-minute idle timeout and a 12-hour absolute session timeout.
- Encryption at rest: sensitive credentials, OAuth tokens, and integration keys are encrypted using symmetric encryption before storage.
- Token security: password reset and team invitation tokens use 384 bits of cryptographic randomness and are stored as SHA-256 hashes. Raw tokens are never persisted.
- Encryption in transit: all connections use TLS/SSL, including connections to the database and third-party services.
- Access control: role-based access control with practice-level data isolation. Each practice's data is segregated by a unique provider identifier.
- Audit logging: all access to individual patient records and all data mutations are automatically logged with timestamps, user identification, and IP addresses.
No system is completely secure. We encourage practices to use strong, unique passwords, enable multi-factor authentication, and review team access regularly.
Data retention
- Audit logs: retained for seven (7) years, with automated daily cleanup of expired records. This exceeds the six-year HIPAA minimum.
- Password reset tokens: expire after one (1) hour and are purged within 30 days.
- Team invitation tokens: expire after 72 hours.
- User sessions: managed by the identity provider with configurable absolute timeouts.
- Patient data: retained for as long as the practice maintains an active account. Practices control when patient records are created, modified, or deleted.
- Account data: retained for the duration of the subscription and a reasonable wind-down period, after which it may be deleted in accordance with applicable law.
Your rights and choices
- Access: you may request a copy of the personal data we hold about you.
- Correction: you may request correction of inaccurate or incomplete information.
- Deletion: you may request deletion of your account and associated data, subject to HIPAA and other legal retention requirements.
- Cookie control: you may configure your browser to block or delete cookies. Note that blocking authentication cookies will prevent you from using the Services.
- Email preferences: transactional emails (password resets, security alerts) are required for service operation. If we send marketing communications, they will include an unsubscribe option.
- Data portability: practices may export their patient data from the platform.
To exercise any of these rights, contact us at privacy@healama.com.
Children's privacy
The Services are not directed to individuals under the age of 18. We do not knowingly collect personal information directly from children. Patient data for minors is entered into the platform by authorized practice staff for treatment purposes, not by minors themselves.
State-specific privacy rights
If you are a California resident, you may have additional rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA), including the right to know what personal information we collect, the right to request deletion, and the right to opt out of the sale of personal information. We do not sell personal information.
Residents of other states with consumer privacy laws may have similar rights. To the extent that personal information is governed by HIPAA as part of a designated record set, it may be exempt from certain state privacy law requirements.
To submit a privacy rights request, contact us at privacy@healama.com.
Changes to this policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, or legal requirements. If we make material changes, we will notify you by email or through an in-app notice before the changes take effect. We will also update the “Last updated” date at the top of this page. Your continued use of the Services after the effective date of a revised policy constitutes acceptance of the changes.
Contact us
If you have questions about this Privacy Policy or our data practices, or wish to exercise your privacy rights, contact us at:
- Email: privacy@healama.com
- Support: support@healama.com