Dentinotes
Privacy Policy
Version 2026-07-04 · How Dentinotes collects, uses, stores and protects information, consistent with the Privacy Act 1988 (Cth) and the Australian Privacy Principles.
1. Who we are and what this covers
Dentinotes is a documentation and administration platform for Australian dental practices. This policy covers the personal information we handle when a practice uses Dentinotes: information about practice team members, and the patient records a practice enters. For patient records, the practice is the health-information holder and we store and process on the practice's behalf.
2. What we collect
Practice and team information — practice name, address, phone and email; team member names, roles, email addresses and password hashes (we never store passwords in readable form).
Patient records entered by the practice — the identifiers, appointments, clinical notes, referral letters, consent records, recalls and messages a practice chooses to record. This is sensitive health information and is handled with the protections described below. We encourage practices to minimise identifying details where they can (see the Terms, clause 3.3).
Technical and audit data — IP addresses (used for rate limiting and abuse prevention), an audit trail of actions taken in the app (who did what, when, for which record), and standard server logs kept by our hosting infrastructure.
What we do not collect — we do not currently collect payment details (Dentinotes is free during beta), we do not run advertising or third-party analytics trackers, and we do not collect information about patients directly: everything about a patient comes from their treating practice.
3. How we collect it
Directly from you when you sign up, edit practice settings or enter records; from your practice's administrator when they invite you as a team member; and automatically, in the case of technical and audit data, when the service is used.
4. How we use information
We use information to provide and secure the service (authentication, tenant isolation, rate limiting, audit), to support you when you contact us, to meet our legal obligations, and — for the text you submit to drafting features — to generate AI drafts as described in section 5. We do not sell personal information, we do not use patient information for marketing, and we do not use your data to train AI models.
5. AI processing
When you use an AI drafting feature (notes, referrals, consent forms), the text needed for the draft is sent to our AI model provider. Before it is sent, patient names recorded against the patient are removed from the text by automated de-identification, and the provider processes the request without using it to train models. The optional dictation feature works differently: it uses your browser's own speech service (for example, Chrome's), which may send audio to the browser vendor, including overseas. The app reminds you not to dictate names or other directly identifying details while the microphone is live.
6. Where data is stored and overseas disclosure
Practice and patient data is stored encrypted in a database located in Sydney, Australia, and the application runs in an Australian region. Three flows involve overseas processing: AI drafting requests (processed by our AI provider in the United States, after de-identification as above); transactional email such as password resets and team invites (delivered by our email provider, which processes the recipient's name and email address); and browser dictation (section 5). We choose providers that offer contractual data-protection commitments, and we send them the minimum each needs.
7. Who we share information with
Only with the service providers that make Dentinotes run — hosting and database infrastructure, email delivery and the AI model provider — each limited to the data described above; and with government agencies, regulators or courts where the law requires it. We do not share personal information with anyone for their marketing.
8. Cookies
Dentinotes uses a single essential session cookie so you stay signed in. It is HTTP-only (not readable by scripts) and is not used for advertising or cross-site tracking. There are no third-party advertising or analytics cookies.
9. Security
Data is encrypted in transit (TLS) and at rest; passwords are stored as salted scrypt hashes; each practice's data is isolated to its own account; sign-in and signup are rate-limited; browsers are sent restrictive security headers; and actions on records are written to a tamper-evident audit trail that practices can export. No system is impenetrable, so we also encourage the data-minimisation practices in the Terms while the product is in beta.
10. Retention, export and deletion
We keep a practice's data while its account is active. Practices can export their complete records from the Compliance page at any time and should do so regularly. When an account is closed, we delete the practice's data from the live database within a reasonable period, after giving the practice the chance to export — noting that statutory record-retention obligations stay with the practice. Audit records may be retained where the law requires.
11. Access, correction and complaints
Practices manage their own records directly in the app and can correct them at any time. Patients seeking access to or correction of their records should contact their treating practice, which holds them. For anything else — access or correction requests about your own account information, privacy questions or complaints — contact us at support@dentinotes.com. We aim to respond within 30 days. If you are not satisfied with our response, you can complain to the Office of the Australian Information Commissioner (oaic.gov.au).
12. Data breaches
If we become aware of a data breach involving your practice's data that is likely to result in serious harm, we will notify the affected practice promptly so both parties can meet their obligations under the Notifiable Data Breaches scheme, and we will notify the OAIC where required.
13. Changes to this policy
We may update this policy as the product develops. Material changes will be notified in the app or by email, and the current version is always published on this page.