Privacy Policy

Last updated: May 2026

1. Introduction

Welcome to Nvert.ai, operated by Nvert AI LLC, a California limited liability company (“Nvert,” “we,” “us,” or “our”). We respect your privacy and are committed to protecting it through compliance with this policy.

This Privacy Policy describes the types of information we may collect from you or that you may provide when you visit our website (nvert.ai), use the Nvert Doctor Portal (drportal.nvert.ai), or use our digital surgical guide design services, and our practices for collecting, using, maintaining, protecting, and disclosing that information.

By accessing or using our services, you agree to this Privacy Policy. If you do not agree, please do not use our services.

2. Information We Collect

We collect the following categories of information to provide and improve our services:

  • Contact Information: Name, email address, mobile phone number, and practice mailing address of dental practitioners and clinical staff.
  • Professional Information: Dental practice name, NPI number, state of licensure, and professional credentials.
  • Protected Health Information (PHI): De-identified or encrypted patient DICOM/STL scans and anatomical data transmitted under our Business Associate Agreement (BAA) in accordance with the Health Insurance Portability and Accountability Act (HIPAA).
  • Account Data: Login credentials, multi-factor authentication status, subscription tier, and billing information.
  • Usage Data: IP address, browser type and version, device information, pages visited, and usage patterns.
  • SMS Consent Records: When you consent to receive SMS messages, we record your phone number, the exact consent language presented, your IP address, browser user agent, and the timestamp of consent.

3. How We Use Your Information

The data we collect is used strictly for the following purposes:

  • Providing, maintaining, and improving our digital surgical guide design services.
  • Performing anatomical segmentation, AI-assisted planning, and CAD design.
  • Communicating with you about your account, cases, and service updates via email and SMS.
  • Sending transactional SMS messages including verification codes, case status notifications, and account alerts.
  • Processing payments and managing subscriptions.
  • Complying with legal obligations, including HIPAA and state healthcare regulations.
  • Enforcing our Terms of Service and protecting our rights.

We do not, and will never, sell your personal data or your patients’ PHI to third parties.

4. SMS Communications

By providing your mobile phone number and expressly consenting during account registration, you agree to receive automated SMS (text) messages from Nvert AI LLC at the phone number provided. These messages include:

  • Verification codes for account registration and authentication.
  • Case status updates (e.g., “Your surgical plan is ready for review”).
  • Account notifications (e.g., subscription changes, security alerts).

Message frequency varies based on your account activity. Message and data rates may apply. Your carrier’s standard messaging rates apply.

Opt-Out: You may opt out of SMS messages at any time by replying STOP to any message. After opting out, you will receive one final confirmation message. You may also revoke consent by contacting us at support@nvert.ai.

Help: Reply HELP to any message for support information, or contact us at support@nvert.ai.

Consent to receive SMS messages is not a condition of purchasing any goods or services. SMS messages are sent via Twilio, our third-party messaging provider.

5. Third-Party Service Providers

We share information with the following third-party service providers, solely as necessary to operate our services. Where required, we maintain Business Associate Agreements (BAAs) with each provider that handles PHI:

  • Amazon Web Services (AWS): Cloud infrastructure, data storage (S3), and email delivery (SES). All data is stored within the United States. BAA in place.
  • Twilio: SMS messaging services for verification codes and account notifications. BAA in place.
  • Stripe: Payment processing and subscription billing. No PHI is transmitted to Stripe — only anonymized identifiers and billing amounts.
  • Calendly: Callback consultation scheduling. BAA in place.
  • Relu: 3D surgical plan viewing and visualization SDK. BAA in place.

We do not sell, rent, or trade your personal information to third parties for marketing purposes.

6. HIPAA Compliance

Nvert AI LLC operates as a Business Associate under HIPAA (45 CFR Parts 160, 162, and 164) when processing Protected Health Information (PHI) on behalf of dental practitioners (Covered Entities). Our obligations include:

  • Processing PHI only as permitted by our Business Associate Agreement (BAA) with your practice.
  • Implementing administrative, physical, and technical safeguards including AES-256 encryption at rest, TLS 1.3 encryption in transit, and HSTS headers.
  • Maintaining immutable audit logs of all PHI access events.
  • Reporting any breach of unsecured PHI within 60 days of discovery.
  • Ensuring all subcontractors with access to PHI execute their own BAAs.
  • Never placing PHI in audit logs, URLs, analytics, or payment systems.

For California practitioners, we also comply with the Confidentiality of Medical Information Act (CMIA, Cal. Civ. Code §56).

A signed BAA is required before your practice may upload any patient data to the Nvert platform. Contact support@nvert.ai to request a BAA.

7. Data Security

We have implemented measures designed to secure your personal information and PHI from accidental loss and from unauthorized access, use, alteration, and disclosure. These measures include:

  • AES-256 encryption for all data stored at rest on AWS S3 and database volumes.
  • TLS 1.3 minimum for all data in transit, with HSTS headers enforced.
  • Cache-Control: no-store headers on all responses containing PHI.
  • Mandatory multi-factor authentication (MFA/TOTP) for all portal accounts.
  • 15-minute idle session timeout with automatic JWT expiry.
  • Row-Level Security (RLS) ensuring doctors can only access their own data.
  • Pre-signed URLs with 5-minute expiry for all file downloads.

While we strive to use commercially acceptable means to protect your personal information, no method of electronic storage or transmission is 100% secure. We cannot guarantee absolute security.

8. Data Retention

We retain information for the following periods:

  • SMS consent records: 5 years minimum (TCPA compliance).
  • Case files and PHI: 7 years (HIPAA minimum retention), then securely destroyed.
  • Audit logs: 7 years (immutable, append-only).
  • Account information: Until account deletion is requested, plus any legally required retention period.
  • Billing and transaction records: 7 years (tax and legal compliance).

When data is no longer needed, we securely delete it. PHI files are hard-deleted from storage (not soft-deleted) and an audit log entry is recorded.

9. California Privacy Rights (CCPA/CPRA)

If you are a California resident, the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) (Cal. Civ. Code §1798.100–199) provide you with the following rights:

  • Right to Know: You may request the categories and specific pieces of personal information we have collected about you in the preceding 12 months, including the sources, purposes, and third parties with whom it was shared.
  • Right to Delete: You may request deletion of your personal information, subject to certain exceptions (e.g., data required for HIPAA compliance, ongoing contractual obligations, or legal proceedings).
  • Right to Opt-Out of Sale or Sharing: We do not sell or share (as defined under CCPA/CPRA) your personal information. We honor “Do Not Sell or Share My Personal Information” browser signals.
  • Right to Correct: You may request correction of inaccurate personal information.
  • Right to Limit Use of Sensitive Personal Information: You may limit our use of sensitive personal information, including phone numbers and health-related data.
  • Non-Discrimination: We will not discriminate against you for exercising your privacy rights.

How to exercise your rights: Submit a verifiable request by emailing support@nvert.ai. We will verify your identity using your account credentials and respond within 45 days. You may also designate an authorized agent via notarized written authorization.

Note: Deletion requests do not apply to PHI that we are required to retain under HIPAA.

10. Children’s Privacy

Our services are designed for licensed dental professionals and are not directed at individuals under the age of 18. We do not knowingly collect personal information from children. If we learn that we have collected information from a person under 18, we will promptly delete it.

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or through a prominent notice on the platform prior to the change becoming effective. The “Last updated” date at the top of this page indicates when this policy was last revised. Your continued use of our services after any changes constitutes your acceptance of the updated Privacy Policy.

12. Contact Us

For questions or concerns about this Privacy Policy, to exercise your privacy rights, or to request a Business Associate Agreement, please contact us:

Nvert AI LLC
27220 Woodrose Ct
Murrieta, CA 92562
Email: support@nvert.ai