Privacy Policy

1. Who We Are

This Privacy Policy describes how Implanr (“we”, “us”) collects, uses, stores, shares, and protects your information when you use the Implanr mobile application, web application, or any related services (the “Service”).

We are the Data Fiduciary under India’s Digital Personal Data Protection Act, 2023 (“DPDP Act”) for personal data for which we determine the purpose and means of processing. Where we process Protected Health Information (“PHI”) on behalf of a dental college or clinic, that organisation is the controller and we act as a data processor.

Grievance Officer: admin@implanr.com
General Contact: info@implanr.com
Security Incidents: admin@implanr.com


2. Scope

This policy applies to the Implanr iOS, Android, and web applications, all Implanr APIs, dashboards, websites, and email communications.

It covers two workspace types:

  • Dental College
  • Dental Clinic

It does not apply to third-party services that integrate with Implanr (Google, Microsoft, Apple SSO, Stripe, App Store, Play Store), each of which has its own privacy policy.


3. Roles & Responsibilities

Dental College / Clinic

Data Controller / Fiduciary for staff, student, and patient records they create. Responsible for obtaining valid patient consent.

Implanr

Data Processor when handling PHI; Data Fiduciary for the account profile we create for you.

End User (You)

Data Principal whose rights this policy describes.


4. What We Collect

4.1 Information You Give Us Directly

Account & Identity
  • Name
  • Prefix
  • Email address
  • Mobile number (E.164)
  • Hashed password
  • Profile photo
  • Role
  • Qualifications

Workspace Information
  • College/clinic name
  • Registration number
  • State
  • Seats
  • Billing address

Clinical Content
  • Diagnostic notes
  • Intra-oral photos
  • Radiographs
  • Treatment plans
  • Implant brand/system/size
  • Surgical reports
  • Prosthesis details
  • Audit overrides
  • PDF case reports

May include patient-identified PHI.

Uploaded Attachments
  • PDFs
  • Images
  • Documents

Text may be automatically extracted from PDFs to power AI search.

Communications
  • Chat messages
  • Forum posts
  • Support tickets
  • Feedback

Payment Data
  • Billing contact
  • GSTIN
  • Payment method tokens

Card numbers and UPI IDs are processed by Stripe and are never stored on our servers.

4.2 Information We Collect Automatically

  • Device and usage data
  • Crash logs
  • Screen-view events
  • Click events

Authentication Telemetry
  • Login attempts
  • Sessions
  • Auto logout events
  • IP addresses
  • Device fingerprint

Audit Logs (HIPAA-Aligned)

Records of every:

  • PHI view
  • Edit
  • Export
  • PDF download
  • Role change
  • Safety override

Retention: Minimum 6 years

Cookies & Local Storage

Used for:

  • Session management
  • CSRF protection
  • Theme preferences
  • Last-active timestamp

See our Cookie Notice for details.

4.3 Information From Third Parties

SSO Providers (Google/Microsoft/Apple)
  • Name
  • Email
  • Profile photo

Only according to permissions you approve.

OTP Providers
  • Delivery status

Email & Push Providers
  • Delivery telemetry
  • Device tokens

Information We Do NOT Collect
  • Biometrics (Aadhaar, fingerprint, face) for authentication
  • Background GPS location
  • Contacts, SMS, or call logs

We never sell your data to anyone.


5. How We Use Your Information

We use your information to:

  • Provide and maintain the Service (accounts, cases, PDFs)
  • Deliver clinical decision support (bridge/cantilever detection, biological safety, AI explanations)
  • Authenticate users and secure the Service (password hashing, OTP, 15-minute auto-logout, brute-force protection, audit logs)
  • Provide customer support and investigate bugs
  • Improve services through aggregated, de-identified analytics
  • Meet legal and regulatory obligations (subpoenas, tax filing, medical record retention)
  • Process billing, payments, and GST invoicing
  • Send marketing communications (only with your consent; you may opt out at any time)

AI Usage Notice

We do not use Clinical Content (PHI) to train any general-purpose AI model.

AI features are stateless calls to OpenAI, Anthropic, or Google with no training opt-in.


6. Sharing & Sub-Processors

Within your workspace, access to data is governed by role-based permissions.

Workspace data is fully tenant-scoped, meaning:

  • A clinic cannot access a college’s data.
  • A college cannot access a clinic’s data.

Our Sub-Processors
  • MongoDB (managed database)
  • S3-compatible object storage (attachments and images)
  • Google Workspace SMTP (transactional email)
  • Twilio Verify / MSG91 (mobile OTP)
  • Stripe (payments and subscriptions)
  • OpenAI / Anthropic / Google via Emergent Universal LLM integration (AI prompts, anonymised where possible)
  • Apple APNs and Google FCM (push notifications)
  • Sentry (crash and error monitoring)
  • Expo Application Services (mobile builds and OTA delivery)

We may also disclose information:

  • When required by law
  • During mergers or acquisitions (with notice)
  • As fully anonymised, aggregated statistics

We never share:

  • Plaintext passwords
  • Card numbers
  • Patient PHI with advertisers or data brokers

7. International Transfers

Implanr operates from India.

If you access the Service from outside India, your data may be transferred to and processed on servers in India or our operating region.

Where required, we use Standard Contractual Clauses or equivalent safeguards under DPDP Section 16 and GDPR.


8. AI Processing of Your Data

Implanr uses third-party LLM providers through the Emergent Universal LLM integration to power:

  • Ask Implanr
  • Implant recommendations
  • Explainable suggestions

Safeguards
  • Only the minimum necessary context is sent
  • LLM providers contractually agree not to train on our prompts
  • Prompts are deleted within 30 days
  • AI suggestions are clinical decision support only and not a substitute for professional judgment

You may disable AI features through:

Settings → AI Features → Off


9. Data Retention

Data Type | Retention
Active account & profile | While active
Clinical content & case PDFs | Customer medical record policy; default 10 years (India) and minimum 6 years where HIPAA applies
Audit logs | Minimum 6 years
Authentication telemetry | 18 months
Crash logs/device telemetry | 90 days
Backups | 35-day rolling encrypted backups
Deleted account residual data | Anonymised within 90 days; backup copies expire within 35 days thereafter

10. Security Measures

We implement industry-standard safeguards including:

  • TLS 1.2+ in transit
  • AES-256 encryption at rest
  • Role-based access controls
  • Least-privilege permissions
  • MFA for engineering staff
  • 15-minute inactivity auto-logout
  • Audit logging of PHI access/export/override events
  • Android screen-capture blocking
  • iOS app-switcher blur protection
  • Quarterly third-party penetration tests
  • Annual internal security reviews (target SOC 2 Type II)
  • Encrypted region-redundant backups
  • CERT-In incident reporting compliance

No system is completely secure.

Report vulnerabilities to: admin@implanr.com


11. Your Rights as a Data Principal

Under the DPDP Act 2023 (and GDPR/HIPAA where applicable), you may:

Access Your Data

Settings → Account → Download My Data

Correct Information

Settings → Profile → Edit

or contact your workspace administrator.

Erase Your Data

Settings → Account → Delete Account

(90-day soft delete; immediate hard delete available on request)

Withdraw Consent

Settings → Privacy → Manage Consents

or email: admin@implanr.com

Data Portability

Settings → Account → Export Data (JSON)

Nominate a Representative

Settings → Account → Nominee

Grievance Redressal

Email: admin@implanr.com

We respond within 15 working days.

Patients should first contact the college or clinic that maintains their records.

You may also lodge a complaint with the Data Protection Board of India.


12. Children’s Privacy

Implanr is intended for:

  • Licensed dental professionals
  • Students enrolled in accredited PG/UG programmes
  • Clinic staff

We do not knowingly collect personal data from individuals under 18.

Patient records may include information about minor patients where parental or lawful guardian consent has been obtained by the treating dentist.

Obtaining such consent is the responsibility of the customer under DPDP Section 9.


13. Cookies

The web application uses:

  • Session cookies (HttpOnly, Secure, SameSite=Strict)
  • CSRF token cookies
  • Local storage for theme preferences and inactivity tracking

We do not use:

  • Third-party advertising cookies
  • Retargeting pixels
  • Social media tracking cookies

See our Cookie Notice for more details.


14. Changes to This Policy

We may update this Privacy Policy periodically.

Material changes will be communicated at least 30 days in advance through:

  • In-app notifications
  • Email communications
  • Updated effective dates

Continued use of the Service after the effective date constitutes acceptance of the updated policy.


15. Contact

Grievance Officer / Data Protection Officer

admin@implanr.com

Privacy Queries

admin@implanr.com

Security Incidents

admin@implanr.com

We respond to verified requests within 15 working days, in accordance with DPDP requirements.