Privacy Policy

Account Information

When you register for Cavitech AI, we collect your full name, email address, professional credentials, practice or organisation name, and any other details you provide during onboarding. This information is necessary to create and maintain your account, verify your identity as a licensed dental professional, and scope your access within your organisation.

Patient Data

Patient data is uploaded and managed solely by you, the dental professional. This may include patient names, dates of birth, medical and dental history, dental X-ray images (panoramic, periapical, bitewing, and CBCT volumes), intraoral photographs, and any clinical notes or records you associate with a patient. You remain the data controller for all patient data; Cavitech AI processes this data on your behalf as a data processor.

AI-Generated Data

When you submit dental images for analysis, our platform generates AI-produced outputs including detected teeth with FDI numbering, pathology detections and confidence scores, annotated images with bounding boxes and overlays, clinical findings and suggested diagnoses, treatment plan recommendations, and SOAP notes generated from voice transcriptions via our Ambient Scribe feature. These outputs are stored as part of the patient record within your account.

Usage Data

We automatically collect technical data about how you interact with the platform. This includes your IP address, browser type and version, device information, operating system, pages viewed, features used, session duration, referral source, and interaction patterns such as the number of analyses performed. We also collect browser fingerprint data for rate-limiting purposes in our demo environment.

Communication Data

When you contact us for support, submit feedback, or communicate with us through any channel, we collect the content of those communications along with associated metadata such as timestamps and the email address you used to reach us.

We use the information we collect for the following purposes:

• To provide, operate, and maintain the Cavitech AI platform, including running dental X-ray analyses, generating clinical reports, and delivering AI-assisted findings.
• To authenticate your identity, manage your session, and enforce organisation-level access controls so that patient data remains isolated to authorised users within your practice.
• To process voice recordings through our Ambient Scribe feature, transcribing clinical consultations and generating structured SOAP notes for your patient records.
• To generate and deliver treatment plan recommendations, insurance pre-authorisation documentation, and clinical correspondence based on approved findings.
• To send you transactional communications such as appointment reminders, recall notices, daily preparation emails, and system notifications related to your use of the platform.
• To monitor platform performance, diagnose technical issues, and improve the reliability and speed of our services through aggregated, anonymised usage analytics.
• To enforce our acceptable use policies, detect abuse, apply rate limiting, and maintain the security and integrity of the platform.
• To comply with applicable legal obligations, respond to lawful requests from authorities, and establish, exercise, or defend legal claims.

We do not use your patient data, X-ray images, or clinical records to train, fine-tune, or improve any machine learning or AI models. Your data is used solely to deliver the services you have requested.

Cavitech AI uses a modern, distributed infrastructure designed for security, performance, and data isolation. Your data is stored and processed across the following systems:

Database

All structured data, including user accounts, patient records, conversation histories, findings, treatment plans, and scheduling information, is stored in a Convex database. Data is encrypted at rest using AES-256 encryption and in transit using TLS 1.3. Each organisation's data is logically isolated through per-tenant scoping, ensuring that no practice can access another practice's records.

File Storage

Uploaded files, including dental X-ray images, CBCT volumes, intraoral photographs, and generated annotated images, are stored in Cloudflare R2 object storage. All files are encrypted at rest and served over encrypted connections. Access to stored files is controlled through authenticated, time-limited URLs tied to your session.

AI Processing

Computationally intensive AI inference, including dental image analysis models for teeth detection, pathology detection, and bone segmentation, runs on a private Railway server. This server is not publicly accessible and communicates only with our application backend over encrypted channels. CBCT projection and TMJ assessment processing runs on dedicated GPU infrastructure via RunPod serverless endpoints.

Encryption Standards

All data at rest is encrypted using AES-256, the industry standard for protecting sensitive healthcare information. All data in transit between your browser, our servers, and our infrastructure providers is encrypted using TLS 1.3. Per-tenant isolation ensures that database queries, file access, and AI processing results are always scoped to your organisation.

We do not sell, rent, or trade your personal information or patient data to any third party under any circumstances.

We share data with third parties only to the extent strictly necessary to provide the Cavitech AI service:

• Convex provides our primary database infrastructure. Patient records and application data are stored in Convex and are subject to their data processing agreements.
• Cloudflare provides R2 object storage for uploaded files and images, as well as CDN and security services for the platform.
• Railway hosts our private AI inference server for dental image analysis. Images are transmitted to this server for processing and are not retained after analysis is complete.
• Groq processes audio recordings for our Ambient Scribe transcription feature. Audio data is sent to Groq's Whisper API for speech-to-text conversion. Groq does not retain audio data after processing.
• OpenRouter routes requests to large language models for our conversational AI features, including clinical chat, treatment plan generation, and SOAP note synthesis. Conversation content is transmitted to the selected model provider via OpenRouter. We select providers that do not use input data for model training.
• RunPod provides GPU serverless infrastructure for CBCT 3D projection and TMJ video/audio assessment processing. Data is processed ephemerally and not retained after job completion.

We may also disclose your information if required to do so by law, regulation, or legal process, or if we believe in good faith that disclosure is necessary to protect the rights, property, or safety of Cavitech AI, our users, or the public.

In the event of a merger, acquisition, or sale of all or a portion of our assets, your data may be transferred as part of that transaction. We will notify you via email or prominent notice on the platform before your data is transferred and becomes subject to a different privacy policy.

We retain your data only for as long as necessary to fulfil the purposes described in this policy, unless a longer retention period is required or permitted by law.

• Account Information: Your account data is retained for the duration of your active account. If you close your account or request deletion, we will delete your account information within 12 months of closure, except where we are required to retain certain records for legal or regulatory compliance.
• Patient Data: Upon account closure or deletion request, you will have a 30-day export window during which you can download all patient records, X-ray images, reports, and associated data. After this 30-day period, all patient data will be permanently and irreversibly deleted from our systems, including all backups.
• Usage Data: Anonymised and aggregated usage data is retained for up to 24 months for platform analytics and performance monitoring purposes. This data cannot be used to identify individual users or patients.

Depending on your jurisdiction, you may have the following rights regarding your personal data:

• Right of Access: You may request a copy of the personal data we hold about you, including a summary of how it is being processed.
• Right to Rectification: You may request that we correct any inaccurate or incomplete personal data we hold about you.
• Right to Erasure: You may request the deletion of your personal data, subject to any legal obligations that require us to retain certain information.
• Right to Restrict Processing: You may request that we limit the processing of your personal data in certain circumstances, such as while we verify its accuracy.
• Right to Data Portability: You may request a machine-readable copy of the personal data you have provided to us, which you can transfer to another service provider.
• Right to Withdraw Consent: Where processing is based on your consent, you may withdraw that consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal.
• Right to Lodge a Complaint: You have the right to lodge a complaint with the relevant supervisory authority if you believe your data is being processed unlawfully.

For South African users: Your rights are protected under the Protection of Personal Information Act, 2013 (POPIA). You may lodge a complaint with the Information Regulator of South Africa.

For users in the European Economic Area: Your rights are protected under the General Data Protection Regulation (GDPR). You may lodge a complaint with your local Data Protection Authority.

For users in the United Kingdom: Your rights are protected under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. You may lodge a complaint with the Information Commissioner's Office (ICO).

To exercise any of these rights, please contact our Information Officer at privacy@cavitech-ai.com. We will respond to your request within 30 days or within the timeframe required by applicable law.

We implement comprehensive technical and organisational measures to protect your data against unauthorised access, alteration, disclosure, or destruction:

• Encryption at Rest: All stored data, including patient records, uploaded images, and generated reports, is encrypted using AES-256 encryption.
• Encryption in Transit: All communications between your browser and our servers, and between our internal services, are encrypted using TLS 1.3.
• Session Authentication: User sessions are managed through secure, HTTP-only session cookies with a 14-day sliding expiration window. Sessions are validated on every request.
• CSRF Protection: All state-changing requests are protected against Cross-Site Request Forgery attacks through token-based validation enforced by our middleware.
• Organisation-Scoped Isolation: All database queries and file access are scoped to your organisation. No user can access data belonging to another organisation, even through direct API calls.
• Rate Limiting: API endpoints are protected by rate limiting to prevent abuse and denial-of-service attacks. Rate limiting is enforced through Redis-backed counters with per-user and per-endpoint thresholds.

We regularly review and update our security practices to address emerging threats. While no system can guarantee absolute security, we are committed to maintaining protections that meet or exceed industry standards for healthcare data.