PRIVACY POLICY

Effective Date April 27, 2022

Last Updated August 12, 2024

Introduction

At ThriveCloud (“we,” “us,” or “our“), we recognize the paramount importance of protecting the privacy and security of your personal information. This Privacy Policy outlines in extensive detail how we collect, use, disclose, and safeguard your information when you use our cloud-based dental software services (“Services“) available through gothrivecloud.com. ThriveCloud is a comprehensive dental practice management solution designed to streamline operations, enhance patient care, and improve overall efficiency for dental professionals. Our platform integrates features such as appointment scheduling, electronic health records (EHR), billing and insurance processing, patient communication portals, treatment planning, analytics, and reporting.

We are dedicated to complying with all applicable federal and state laws, including but not limited to the Health Insurance Portability and Accountability Act (HIPAA), the California Consumer Privacy Act (CCPA), the California Privacy Rights Act (CPRA), and other state-specific privacy regulations such as the Virginia Consumer Data Protection Act (VCDPA), the Colorado Privacy Act (CPA), the Connecticut Data Privacy Act (CTDPA), and the Utah Consumer Privacy Act (UCPA).

By accessing or using our Services, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree with the terms of this policy, please refrain from using our Services.

Definitions

To ensure clarity and mutual understanding, we provide detailed definitions of key terms used throughout this Privacy Policy

• “Personal Information” Any information that identifies, relates to, describes, or is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular individual or household. This includes, but is not limited to, identifiers such as name, address, email address, phone number, and other similar identifiers.
• “Protected Health Information (PHI)” Individually identifiable health information that is transmitted or maintained in any form or medium, as defined by HIPAA. PHI includes information about an individual’s past, present, or future physical or mental health or condition, the provision of health care to an individual, or payment for health care.
• “Business Associate” A person or entity that performs certain functions or activities involving the use or disclosure of PHI on behalf of, or provides services to, a Covered Entity.
• “Covered Entity” A health plan, health care clearinghouse, or a health care provider who transmits any health information in electronic form in connection with a transaction covered by HIPAA.
• “Services” The ThriveCloud dental software and any related services we provide through gothrivecloud.com, including but not limited to patient portals and support services.
• “De-identified Information” Information that does not identify an individual and cannot reasonably be used to identify an individual, typically achieved by removing personal identifiers as specified under HIPAA.
• “Cookies” Small text files stored on your device by a website or application to collect standard Internet log information and visitor behavior information, used to enhance user experience and functionality.

About ThriveCloud

ThriveCloud is an innovative, cloud-based dental practice management software designed to meet the complex needs of modern dental practices. Our platform offers a suite of integrated tools that facilitate

• Appointment Scheduling

        Streamlined calendar management with automated reminders.

• Electronic Health Records (EHR) Secure storage and management of patient records, accessible anytime, anywhere.
• Billing and Insurance Processing Efficient handling of billing cycles, insurance claims, and payment processing.
• Patient Communication Portals Secure messaging, appointment confirmations, and patient education resources.
• Treatment Planning Comprehensive tools for creating, presenting, and managing treatment plans.
• Analytics and Reporting Advanced reporting features for practice performance, financials, and patient care metrics.

By leveraging state-of-the-art cloud technology, ThriveCloud ensures that your practice data is securely stored and accessible, facilitating enhanced collaboration among team members and improving patient care outcomes.

Information We Collect

We collect a broad range of information to provide, maintain, and enhance our Services. The categories of information we collect include, but are not limited to:

1. Personal Information

Contact Information

• Full Name First name, middle name, and last name for identification and communication purposes.
• Practice Address Street address, city, state, zip code, and country for billing and correspondence.
• Email Address Personal and professional email addresses for account access, communication, and notifications.
• Telephone Number

        Mobile and work phone numbers for communication and verification.

Identifiers

• Tax Identification Number (TIN)

        For business entities for tax reporting and compliance.

• National Provider Identifier (NPI) For healthcare providers for billing and insurance processing.
• User Credentials Username, password, and security questions for secure account access and authentication.

Financial Information

• Billing Address

        For invoicing, payment verification, and fraud prevention.

• Insurance Information Policy numbers, group numbers, coverage details, and provider contact information for claims processing.
• Payment History Records of payments made, outstanding balances, and transaction history for accounting and dispute resolution.

Professional Information

• Dental License Number For verification of professional credentials and compliance with regulatory requirements.
• Practice Name and Address Details of the dental practice, including contact information and operational locations.

Online Identifiers

• Username and Password

        For secure account access to our Services.

• IP Addresses Collected to enhance security, prevent fraud, and comply with legal obligations.

2. Protected Health Information (PHI)

Medical and Dental Records

• Patient Medical History Comprehensive health information including allergies, chronic conditions, past surgeries, medications, and family medical history.
• Dental Treatment Plans Detailed records of proposed treatments, procedures, and patient consent.
• Diagnostic Images Radiographs (X-rays), CT scans, intraoral images, photographs, and other imaging studies.
• Clinical Notes Progress notes, examination findings, and observations documented by dental professionals.
• Patient Consent Forms

        Records of informed consent for treatments and procedures.

Appointment Information

• Scheduled Appointments Dates, times, and provider details for upcoming appointments managed through our scheduling system.
• Treatment Dates

        Historical records of treatments and procedures performed.

• Procedure Details Specific information about dental procedures, materials used, and outcomes.
• Cancellation and No-Show Records History of appointment attendance, cancellations, and rescheduling.

Prescription Information

• Medications Prescribed Names of medications, including prescription and over-the-counter drugs.
• Dosage and Frequency

        Instructions for medication use, refills, and administration.

• Prescription History

        Records of past prescriptions, refills, and medication adherence.

Insurance Claims

• Claim Numbers Identification numbers for insurance claims processed through our platform.
• Explanation of Benefits (EOBs) Details provided by insurers regarding coverage, payments, and patient responsibilities.
• Pre-Authorization Details Information on procedures requiring prior approval from insurance providers.

Patient Communication

• Messages Communications between patients and providers via our secure messaging system.
• Feedback and Reviews Patient satisfaction surveys, testimonials, and feedback submitted through the platform.
• Appointment Reminders

        Automated notifications sent via email, SMS, or phone calls.

3. Usage Data

Technical Information

• Internet Protocol (IP) Address Used to identify your device’s internet connection, enhance security, and prevent fraudulent activities.
• Browser Type and Version Information about the browser you are using to optimize our Services for compatibility and performance.
• Operating System and Platform Details about your device’s operating system to improve user experience and support.
• Screen Resolution and Settings For optimizing the display of our Services and user interface.

Log Information

• Access Times and Dates Timestamps of when you access our Services for audit trails and security monitoring.
• Pages Viewed Records of pages, features, and modules accessed within our software to understand usage patterns.
• Error Reports and Performance Data Information about system crashes, errors, and performance metrics to enhance software stability and reliability.
• Session Duration Length of time spent using our Services to assess engagement and resource allocation.

4. Cookies and Similar Technologies

We use cookies, web beacons, pixel tags, and other tracking technologies to enhance your experience, provide personalized services, and gather information about how you use our Services.

Types of Cookies and Technologies

• Session Cookies Temporary cookies that are erased when you close your browser, used to maintain session state and security.
• Persistent Cookies Remain on your device for a set period or until deleted, used for remembering login details, user preferences, and facilitating faster access.

Information Collected via Cookies

• Authentication Data

        To keep you logged in securely and prevent unauthorized access.

• Preferences Language settings, theme selections, and other customizations to personalize your experience.
• Security Tokens To protect against fraudulent activities and enhance the security of our platform.

How We Collect Information

We collect information through various methods to provide and improve our Services, ensure compliance, and enhance user experience.

Directly from You

• Account Creation Information provided when you register for an account on gothrivecloud.com, including during onboarding processes.
• Forms and Surveys Data collected through forms you fill out, such as practice setup forms, feedback surveys, support requests, and contact inquiries.
• Communications Records of emails, phone calls, chats, or other communications with our support team, sales representatives, or account managers.
• Uploads and Submissions Files, documents, images, and other content you upload to our Services, including patient records, diagnostic images, and insurance documents.
• Transactional Activities Information collected during transactions, such as purchases, subscription renewals, and service upgrades.
• Event Participation Information provided when you participate in webinars, training sessions, conferences, or other events hosted or sponsored by ThriveCloud.

Automatically

• Through Our Services Data collected as you interact with our software, including system logs generated during usage.
• Cookies and Tracking Technologies Information gathered through cookies and similar technologies about your device information and preferences.
• Application Data Information about how you use our applications, including crash reports, performance data, and diagnostic information.
• Email Interactions Data on how you interact with our emails, including open rates, click-through rates, and content engagement.
• Security Monitoring Automated systems that monitor for suspicious activities, unauthorized access attempts, and other security-related events.

From Third Parties

• Service Providers Information from vendors who assist us with payment processing, analytics, customer support, hosting services, and other operational needs.
• Insurance Companies Information regarding coverage, claims, benefits, eligibility, and payment statuses obtained through our insurance processing features.
• Third-Party Integrations Data received from third-party applications or services you choose to integrate with our platform, such as imaging software, phone VoIP, or financial systems.

How We Use Your Information

We use the collected information for various purposes to provide, maintain, and enhance our Services, ensure compliance with legal obligations, and improve user experience.

Provision of Services

• Account Management To create, authenticate, and manage your user account, including password resets, security measures, and user preferences.
• Service Delivery To provide the functionalities of our software, such as appointment scheduling, EHR management, billing, insurance processing, patient communication, and reporting tools.
• Electronic Health Records (EHR) To securely store, manage, and enable access to patient health information, treatment plans, clinical notes, and diagnostic data.
• Treatment Planning To facilitate the creation, presentation, and management of customized treatment plans for patients, including visual aids and educational materials.
• Patient Communication To enable secure messaging, appointment confirmations, reminders, and patient education through our patient portal and communication tools.
• Transaction Processing To process payments, invoices, refunds, manage billing cycles, and resolve billing disputes through our billing and insurance modules.
• Customization and Personalization To personalize your experience by tailoring content, features, and resources to your preferences, specialty, and practice needs.
• Third-Party Integrations To facilitate integrations with third-party services you choose to connect with, such as digital imaging software, phone VoIP, financial systems, or insurance providers.

Communication

• Administrative Messages To inform you about changes to our Services, terms and conditions, Privacy Policy, security updates, or system maintenance notices.
• Marketing Communications To send newsletters, promotional materials, special offers, and information about new products or services, subject to your communication preferences and applicable laws.
• Customer Support and Service To respond to your inquiries, troubleshoot issues, provide technical assistance, and improve customer service interactions.
• Feedback and Surveys To solicit your opinions, feedback, and suggestions to improve our Services, including user experience surveys, beta testing programs, and product development input.
• Event Invitations To invite you to participate in webinars, training sessions, conferences, or other events relevant to your professional interests.

Compliance and Legal Obligations

• Regulatory Compliance To comply with federal, state, and local laws, regulations, court orders, and lawful requests from governmental authorities, including healthcare regulations and data protection laws.
• HIPAA Compliance To ensure the confidentiality, integrity, and security of PHI as required by HIPAA and other healthcare regulations, including adherence to the Privacy Rule, Security Rule, and Breach Notification Rule.
• Audit and Reporting To conduct internal audits, compliance assessments, fraud monitoring, and reporting to regulatory agencies as required.
• Legal Proceedings To establish, exercise, or defend our legal rights in the event of disputes, litigation, or governmental investigations.

Analytics and Research

• Service Improvement To analyze usage trends, user behavior, and feedback to enhance the functionality, performance, and user experience of our Services.
• Product Development To develop new features, products, and services based on user feedback, market research, and technological advancements.
• Statistical Analysis To perform data analytics, business intelligence, market analysis, and strategic planning for operational efficiency and competitive positioning.
• Quality Assurance To monitor and improve the quality of our Services, including error detection, system performance, and user satisfaction.

Security

• Fraud Prevention and Detection To detect, prevent, and respond to fraud, unauthorized activities, security breaches, and other potentially harmful activities.
• Risk Management To monitor and mitigate security risks, including data breaches, cyber-attacks, identity theft, and other security incidents.
• Access Controls and Authentication To manage user access, authentication, and authorization, ensuring that only authorized individuals can access sensitive data and functionalities.
• Security Monitoring To use automated systems and manual reviews to monitor for suspicious activities, enforce security policies, and protect the integrity of our platform.

Sharing and Disclosure of Information

We may share your information under the following circumstances, ensuring that appropriate safeguards and contractual obligations are in place to protect your privacy and comply with applicable laws.

With Service Providers

• Third-Party Vendors Companies that provide services on our behalf, such as cloud hosting providers, payment processors, customer support platforms, email service providers, and data storage services.
• Contractual Obligations Service providers are bound by confidentiality agreements, Business Associate Agreements (BAAs) where applicable, and are prohibited from using your information for any purpose other than providing services to us.
• Data Protection Measures We require service providers to implement appropriate security measures to protect your information in accordance with this Privacy Policy and applicable laws.

With Business Partners

• Integration Partners Companies that integrate with our Services to enhance functionality, such as imaging software providers, VoIP, and financial systems.
• Joint Marketing Activities Partners with whom we collaborate on marketing or promotional efforts, events, or co-branded services, subject to your consent where required.

For Legal Reasons

• Compliance with Laws and Regulations To comply with legal obligations, subpoenas, court orders, or other legal processes, including responding to lawful requests from public authorities.
• Protection of Rights and Safety To protect and defend the rights, property, or safety of ThriveCloud, our users, employees, or others, including enforcing our agreements, policies, and terms of use.
• Law Enforcement and Government Requests In response to lawful requests by public authorities, including meeting national security or law enforcement requirements.

In Business Transactions

• Mergers, Acquisitions, or Sales If ThriveCloud is involved in a merger, acquisition, financing, reorganization, bankruptcy, receivership, sale of assets, or transition of service to another provider, your information may be transferred as part of that transaction.
• Due Diligence To potential investors, partners, or acquirers under strict confidentiality agreements during the evaluation process for corporate transactions.

With Affiliates and Subsidiaries

• Corporate Group We may share information with our affiliates and subsidiaries for purposes consistent with this Privacy Policy, such as shared services, corporate governance, and internal administrative purposes.

With Your Consent

• Authorized Disclosure When you explicitly consent to or direct us to share your information with third parties, such as when you authorize third-party applications or services to access your account.

Data Security

We implement comprehensive security measures to protect your information from unauthorized access, alteration, disclosure, or destruction. Our security program is designed to safeguard the confidentiality, integrity, and availability of personal information and PHI.

Technical Safeguards

• Encryption We use industry-standard encryption protocols (e.g., SSL/TLS) to protect data during transmission.
• Access Controls Implementing role-based access control (RBAC), multi-factor authentication (MFA), strong password policies, and session management to limit access to sensitive data.
• Network Security Utilizing firewalls, secure socket layers (SSL), and regular network monitoring.
• Regular Security Assessments Conducting code reviews and security audits to identify and remediate potential threats and vulnerabilities.
• Data Backup and Recovery Implementing regular data backups, redundancy, and disaster recovery plans to ensure data availability and integrity.

Administrative Safeguards

• Policies and Procedures Maintaining comprehensive data protection policies, including information security policies, acceptable use policies, and disaster recovery plans.
• Employee Training and Awareness Providing training on data privacy, security best practices, HIPAA compliance, and regulatory requirements to all employees and contractors.
• Background Checks and Access Management Performing background screenings on employees and contractors with access to sensitive information, and managing access rights based on job responsibilities.
• Audit Trails and Monitoring Monitoring and logging user activities, system access, and data usage to detect unauthorized access or misuse of data, maintaining detailed audit logs for compliance and investigations.
• Vendor and Third-Party Risk Management Assessing and monitoring the security practices of third-party service providers, requiring adherence to our security standards, and conducting regular audits and assessments.

Physical Safeguards

• Equipment and Device Security

        Securing servers, workstations, and removable media.

• Secure Disposal and Destruction Following secure methods for disposing of or destroying physical media containing personal information, such as shredding, degaussing, or certified destruction services, in compliance with legal and regulatory requirements.

Incident Response and Breach Notification

• Incident Response Plan Maintaining a detailed incident response plan to address and manage security incidents promptly and effectively, including roles, responsibilities, and communication protocols.
• Breach Notification In the event of a data breach involving personal information or PHI, we will notify affected individuals, regulatory authorities, and other required parties in accordance with applicable laws and regulations, such as HIPAA’s Breach Notification Rule.
• Continuous Monitoring and Improvement Employing real-time monitoring tools, security information and event management systems to detect suspicious activities and respond to threats swiftly, continuously improving our security posture.

Data Retention

We retain your information only for as long as necessary to fulfill the purposes outlined in this Privacy Policy, comply with legal obligations, resolve disputes, and enforce our agreements. Our data retention practices are designed to:

• Legal and Regulatory Compliance Comply with applicable laws, regulations, and legal obligations that mandate certain records be kept for specific periods, such as medical records retention laws, tax laws, and accounting requirements.
• Business and Operational Needs Retain data for legitimate business interests, such as audit, compliance, fraud prevention, dispute resolution, enforcing our agreements, and improving our Services.
• Deletion and Destruction Implement secure deletion methods, including data erasure, anonymization, and physical destruction, when information is no longer needed for legal or business purposes.
• Account Closure and Deactivation Upon termination or deactivation of your account, we may retain your information for a reasonable period to facilitate reactivation, comply with legal obligations, or as required by law.

Data Minimization

We adhere to the principle of data minimization by collecting and processing only the personal information necessary for the purposes outlined in this Privacy Policy. We regularly review our data collection and retention practices to ensure they are aligned with legal requirements and best practices.

User Rights

We respect your rights regarding your personal information and provide mechanisms to exercise these rights, subject to applicable laws and regulations.

Access

• Right to Know You have the right to request confirmation of whether we are processing your personal information and to access that information.
• Request Details You may request details about the categories and specific pieces of personal information we have collected about you, the sources of the information, the purposes for collection, and the categories of third parties with whom we share the information.

Correction

• Right to Rectify You have the right to request correction of inaccurate or incomplete personal information.
• Update Information You can update certain personal information directly through your account settings on gothrivecloud.com or by contacting our support team.

Deletion

• Right to Delete You may request that we delete your personal information, subject to certain exceptions such as compliance with legal obligations, contractual requirements, or legitimate business purposes.
• Process Upon verification of your request, we will delete your information from our active systems and inform third parties where required, unless an exception applies.

Portability

• Right to Transfer You have the right to receive your personal information in a structured, commonly used, and machine-readable format.
• Data Transfer You may request that we transmit this data directly to another entity where technically feasible and legally permissible.

Objection

• Right to Object You may object to the processing of your personal information based on legitimate interests, public interest, or direct marketing purposes.
• Processing Suspension We will cease processing unless we have compelling legitimate grounds or for the establishment, exercise, or defense of legal claims.

Restriction

• Right to Restrict You can request that we limit the processing of your personal information under certain circumstances, such as when contesting the accuracy of the data or objecting to our processing.

Opt-Out

• Marketing Communications You may opt-out of receiving promotional emails and marketing communications by following the unsubscribe instructions included in these emails or through your account settings.
• Do Not Sell or Share My Personal Information While we do not sell personal information, you have the right to direct us not to sell or share your personal information should our practices change.

Automated Decision-Making

• Right to Not Be Subject to Automated Decisions You have the right not to be subject to decisions based solely on automated processing, including profiling, which produce legal effects or significantly affect you.

Appeals and Complaints

• Right to Appeal If we deny your request, you have the right to appeal our decision in accordance with applicable laws.
• Lodge a Complaint You may lodge a complaint with a supervisory authority or regulatory agency if you believe your rights have been violated.

California Residents’ Rights

Under the CCPA and CPRA, California residents have specific rights regarding their personal information.

Right to Know

• Categories and Specific Pieces Request disclosure of the categories and specific pieces of personal information we have collected about you in the preceding 12 months.
• Sources Obtain information about the categories of sources from which personal information is collected.
• Purposes Understand the business or commercial purposes for collecting, selling, or sharing personal information.
• Third Parties Learn about categories of third parties to whom we disclose personal information.

Right to Delete

• Deletion Requests Request that we delete personal information we have collected from you, subject to certain exceptions outlined in the CCPA and CPRA.

Right to Opt-Out of Sale or Sharing

• Do Not Sell or Share Opt-out of the sale or sharing of your personal information with third parties for cross-context behavioral advertising or other purposes.

Right to Correct

• Inaccurate Information Request the correction of inaccurate personal information we maintain about you.

Right to Limit Use of Sensitive Personal Information

• Usage Limitation Limit the use and disclosure of sensitive personal information to purposes necessary to provide the Services, such as billing, authentication, or legal compliance.

Non-Discrimination

• Equal Service We will not discriminate against you for exercising your privacy rights. This includes not denying you Services, charging different prices or rates, providing a different level or quality of Services, or suggesting that you may receive a different price or quality.

Submitting Requests

To exercise your rights, you or your authorized agent may contact us through the following methods

• Online Form: Visit mythrivecloud.com/contact to submit a request.
• Email: Send an email to [email protected] with details of your request.
• Phone: Call us toll-free at 1-800-916-2230.

Verification Process

To protect your privacy and maintain security, we take steps to verify your identity before granting access or fulfilling requests.

• Personal Identifiers We may ask for information such as your name, email address, account ID, recent transaction history, or other details to verify your identity.
• Authorized Agents If you use an authorized agent to submit a request, we require written permission signed by you and may verify your identity directly.
• Government Identification In certain cases, we may request a copy of a government-issued ID for verification purposes.

Response Timeframe

• Acknowledgment

        We will acknowledge receipt of your request within 10 business days.

• Substantive Response We aim to respond to verified requests within 45 calendar days. If we require more time (up to an additional 45 days), we will inform you of the reason and extension period in writing.
• Format of Response Responses will be provided in writing, either electronically (e.g., via email or secure portal) or by mail, depending on your preference.

Limitations

Please note that certain laws may exempt specific information from disclosure or deletion requests. In such cases, we will inform you of the specific legal exemption and the reasons for our decision. We may decline requests that are unreasonable, excessive, or prohibited by law.

Other State-Specific Rights

Residents of other states may have additional rights under their respective privacy laws.

Virginia Consumer Data Protection Act (VCDPA)

• Access and Portability Right to confirm whether we process your personal data and to access such data in a portable format.
• Correction

        Right to correct inaccuracies in your personal data.

• Deletion

        Right to delete personal data provided by or obtained about you.

• Opt-Out Right to opt-out of the processing of personal data for targeted advertising, sale, or profiling in furtherance of decisions that produce legal or similarly significant effects.
• Appeal

        Right to appeal our decision regarding a rights request within a reasonable period.