Aalto Logo Back

Privacy Policy

Last updated: March 1, 2026

1. Introduction

Aalto Care ("we", "our", or "us") is committed to protecting the privacy and security of your personal information. This Privacy Policy describes how we collect, use, disclose, and safeguard your information when you use our dental practice management platform ("Service"). By using the Service, you consent to the data practices described in this policy.

2. Information We Collect

2.1 Information You Provide

When you register for and use the Service, we may collect the following information:

  • Account Information: first name, last name, email address, phone number, password, and referral code
  • Professional Information: clinic name, practice type, clinic address, professional role (dentist, orthodontist, administrator)
  • Patient Data: patient names, contact information, medical history, treatment records, dental scans, and images (entered by authorized dental professionals)
  • Financial Information: billing details, payment records, and invoice data
  • Communications: messages sent through the platform between dental professionals

2.2 Information Collected Automatically

When you access the Service, we automatically collect:

  • Usage Data: pages visited, features used, actions performed, and timestamps
  • Device Information: browser type, operating system, device type, and screen resolution
  • Log Data: IP address, access times, login/logout events, and error logs
  • Session Data: session duration, idle time, and authentication events (for HIPAA compliance)

3. How We Use Your Information

We use the collected information to:

  • Provide, operate, and maintain the Service
  • Process and manage user accounts and authentication
  • Enable dental professionals to manage patient records, cases, and treatments
  • Facilitate secure communication between dental professionals
  • Generate reports, analytics, and dashboards
  • Process billing and payments
  • Send notifications related to your account, cases, and appointments
  • Improve and personalize the Service
  • Comply with legal obligations and healthcare regulations
  • Detect, prevent, and respond to security incidents

4. Data Sharing & Disclosure

We do not sell your personal information. We may share your information in the following circumstances:

  • Within Your Organization: with other authorized users at your clinic or practice as permitted by your role and access level
  • Between Dental Professionals: orthodontists and dentists may share case and treatment information through the platform as part of the care workflow
  • Service Providers: with trusted third-party providers who assist in operating the Service (hosting, analytics, payment processing), bound by confidentiality agreements
  • Legal Requirements: when required by law, regulation, legal process, or governmental request
  • Safety & Security: to protect the rights, property, and safety of Aalto Care, our users, and the public
  • Business Transfers: in connection with a merger, acquisition, or sale of assets, with appropriate data protection safeguards

5. HIPAA & Healthcare Data

As a platform handling Protected Health Information (PHI), we adhere to the requirements of the Health Insurance Portability and Accountability Act (HIPAA):

  • We implement administrative, physical, and technical safeguards to protect PHI
  • We enter into Business Associate Agreements (BAAs) with covered entities as required
  • We limit access to PHI to authorized personnel on a need-to-know basis
  • We maintain audit logs of access to and modifications of PHI
  • We implement automatic session timeouts (15 minutes idle, 8 hours maximum) to prevent unauthorized access
  • We provide cross-tab session synchronization to ensure consistent security across browser tabs
  • We perform HIPAA-compliant session clearing upon logout, removing all sensitive data from memory and storage

6. Data Security

We implement industry-standard security measures to protect your information:

  • Encryption: all data transmitted between your browser and our servers is encrypted using TLS/SSL
  • Authentication: secure cookie-based authentication with strong password requirements (minimum 12 characters with mixed case, numbers, and special characters)
  • Access Controls: role-based access control (RBAC) ensuring users only access data appropriate to their role (admin, user, dentist, orthodontist, superadmin)
  • Session Management: automatic session expiration, idle timeout detection, and concurrent session monitoring
  • Audit Trails: comprehensive logging of user activities and data access
  • Request Validation: state validation and request deduplication to prevent data pollution

While we strive to use commercially acceptable means to protect your information, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security.

7. Data Retention

We retain your personal information for as long as your account is active or as needed to provide the Service. We may also retain certain information as required by applicable healthcare regulations, legal obligations, dispute resolution, and enforcement of agreements. When data is no longer required, it is securely deleted or anonymized.

8. Cookies & Tracking

We use the following types of cookies:

  • Essential Cookies: required for authentication, session management, and security. These cannot be disabled.
  • Functional Cookies: used to remember your preferences (e.g., remembered email on login)
  • Analytics Cookies: used to understand how the Service is used and to improve its performance

You can manage cookie preferences through your browser settings. Disabling essential cookies may prevent you from using the Service.

9. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal information:

  • Access: request a copy of the personal information we hold about you
  • Correction: request correction of inaccurate or incomplete information
  • Deletion: request deletion of your personal information, subject to legal retention requirements
  • Portability: request your data in a structured, commonly used, machine-readable format
  • Restriction: request restriction of processing in certain circumstances
  • Objection: object to processing of your personal information for certain purposes
  • Withdrawal of Consent: withdraw your consent at any time where processing is based on consent

To exercise any of these rights, please contact us using the information provided below. We will respond to your request within a reasonable timeframe as required by applicable law.

10. Children's Privacy

The Service is intended for use by dental professionals and is not directed at individuals under the age of 18. We do not knowingly collect personal information from children. If you believe we have inadvertently collected information from a child, please contact us immediately so we can take appropriate action.

11. International Data Transfers

Your information may be transferred to and processed in countries other than your country of residence. We ensure that appropriate safeguards are in place to protect your information in accordance with this Privacy Policy and applicable data protection laws, including standard contractual clauses and other transfer mechanisms.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on the Service and updating the "Last Updated" date. We encourage you to review this policy periodically. Your continued use of the Service after any changes constitutes your acceptance of the revised policy.

13. Contact Information

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at:

Aalto Care - Privacy Team

Email: privacy@aalto.care

Website: https://aalto.care