Privacy Policy

Last updated: January 2025

HIPAA Compliant Platform

Xadia is designed and operated to comply with the U.S. Health Insurance Portability and Accountability Act (HIPAA). We maintain appropriate administrative, physical, and technical safeguards to protect Protected Health Information (PHI).

Business Associate Agreements (BAA) are available upon request for covered entities and business associates.

International Users

Xadia's compliance framework is based on U.S. HIPAA requirements. Users accessing this service from outside the United States are responsible for ensuring their use complies with applicable local, regional, and national data protection laws, including but not limited to GDPR (European Union), PIPEDA (Canada), LGPD (Brazil), and other applicable regulations.

By using Xadia, you acknowledge that you have reviewed and understand your jurisdiction's requirements regarding healthcare data privacy.

1. Introduction

Xadia ("we," "our," or "us") is committed to protecting the privacy of our users and their patients. This Privacy Policy explains how we collect, use, disclose, and safeguard information when you use our smile simulation platform.

2. Information We Collect

Account Information

When you register for an account, we collect:

  • Name and professional credentials
  • Email address
  • Clinic name and contact information
  • Billing information

Patient Data (Protected Health Information)

When you use our Service to create smile simulations, you may upload patient photographs. This data is treated as Protected Health Information (PHI) under HIPAA. We process this data solely to provide the Service and do not use it for any other purpose. Patient photographs are:

  • Encrypted at rest and in transit using AES-256 encryption
  • Stored in HIPAA-compliant data centers
  • Never used for AI training or model improvement
  • Automatically deleted according to your retention settings

Usage Data

We automatically collect information about how you interact with our Service, including:

  • Pages visited and features used
  • Time and date of visits
  • Device and browser information
  • IP address

3. How We Use Your Information

We use collected information to:

  • Provide and maintain our Service
  • Process transactions and send related information
  • Send administrative information and updates
  • Respond to inquiries and provide customer support
  • Improve and optimize our Service
  • Ensure security and prevent fraud

4. HIPAA Compliance & Security Measures

We implement comprehensive administrative, physical, and technical safeguards required under HIPAA to protect Protected Health Information:

Technical Safeguards

  • AES-256 encryption at rest
  • TLS 1.3 encryption in transit
  • Multi-factor authentication
  • Role-based access controls
  • Automatic session timeouts

Physical Safeguards

  • SOC 2 Type II certified data centers
  • Geographic data redundancy
  • 24/7 security monitoring
  • Controlled facility access

Administrative Safeguards

  • Employee security training
  • Access audit logging
  • Incident response procedures
  • Business continuity planning
  • Regular security assessments

5. Data Retention

We retain account information for as long as your account is active. Patient photographs and simulation data are retained according to your account settings and applicable legal requirements. Upon account termination, PHI is securely deleted within 30 days unless retention is required by law.

6. Data Sharing

We do not sell your personal information. We may share information with:

  • Service providers who assist in operating our platform (under BAA where applicable)
  • Legal authorities when required by law
  • Business partners with your consent

All third-party service providers who may access PHI are required to sign Business Associate Agreements and comply with HIPAA requirements.

7. Your Rights

Depending on your location, you may have rights to:

  • Access your personal information
  • Correct inaccurate data
  • Request deletion of your data
  • Export your data
  • Opt out of certain data processing

To exercise these rights, please contact us at privacy@xadia.io.

8. Breach Notification

In the event of a data breach affecting PHI, we will notify affected users and relevant authorities in accordance with HIPAA breach notification requirements (within 60 days of discovery) and any applicable state laws that may require faster notification.

9. AI-Generated Content Disclosure

Our smile simulation feature uses artificial intelligence to generate visual representations of potential dental outcomes. These simulations are for illustrative and consultation purposes only and do not constitute medical advice, diagnosis, or guarantee of treatment outcomes. Dental professionals remain responsible for all clinical decisions.

10. Children's Privacy

Our Service is not intended for use by individuals under 18 years of age. We do not knowingly collect personal information from children. Patient photographs of minors may only be uploaded by licensed dental professionals with proper parental/guardian consent.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new policy on this page, updating the "Last updated" date, and sending an email notification for significant changes.

12. Contact Us

For privacy-related inquiries or to request a Business Associate Agreement:

Email: privacy@xadia.io

HIPAA/BAA Requests: compliance@xadia.io

Xadia, Inc.
Attn: Privacy Officer
United States