Smile Konnect Privacy
We built Smile Konnect so Canadian dental teams can coordinate care without compromising privacy. This policy describes what personal information we collect, how we use it, and the safeguards that keep clinics compliant with PHIPA.
Last updated: November 17, 2025
We only collect data needed to deliver secure messaging, onboarding, and compliance tooling.
Names, roles, clinic affiliations, contact details, MFA preferences, and audit metadata captured during authentication workflows.
Secure chat transcripts, file uploads, images, activation notes, and change logs generated inside Smile Konnect features.
Browser fingerprints, IP addresses, device IDs, and MFA trust decisions that help detect fraud and meet PHIPA safeguards.
We process PHI strictly within the patient's circle of care and to maintain the safety of the platform.
Dentists and clinic staff use PHI to manage activation workflows, review patient intake history, and follow up on secure messages.
AuditLoggingInterceptor, Consent domains, and Export controls all rely on system metadata to evidence PHIPA, HIPAA, and RCDSO compliance.
Aggregated, de-identified metrics help us understand feature adoption (e.g., video consults vs. secure chat). We do not sell PHI or share it for advertising.
Retention policies balance regulatory minimums with patient choice.
We follow the longer of PHIPA or RCDSO retention requirements. Clinic-specific retention rules can be configured per export type.
When legal retention allows, we delete or anonymize PHI within 30 days of clinic confirmation. Backups roll off after 35 days.
We never sell PHI. Limited sharing occurs only to deliver the services or satisfy legal requirements.
Email, SMS, and push notification providers process limited PHI (names, appointment context) to deliver patient outreach. Each provider signs PHIPA/HIPAA agreements and undergoes security reviews.
We may disclose PHI when required by law or court order, or to report privacy breaches to the Office of the Information and Privacy Commissioner of Ontario (IPC).
If a clinic connects Smile Konnect to other systems (e.g., PMS, analytics), the clinic remains responsible for configuring those integrations and honouring PHI obligations.
Security is embedded in every layer of Smile Konnect.
Data in transit uses TLS 1.3 while data at rest is encrypted with AES-256. Keys are rotated with backend/scripts/generate-encryption-keys.js and stored outside the repo.
RBAC in the NestJS API restricts endpoints by role. Multi-factor authentication, device trust, and throttling guard patient accounts.
Real-time alerts flag suspicious exports, mass downloads, or login anomalies. Incidents trigger a documented response plan and notification workflow.
We help clinics honour PHIPA patient rights quickly and transparently.
Patients may request a digital export of their records through their clinic. Smile Konnect provides the Export Center tooling so clinics can respond within statutory timelines.
Patients can pause chat threads, revoke specific consents, or close their account. Clinics remain responsible for legal retention minimums.
Contact privacy@smilekonnect.ca with the clinic name, your contact details, and a description of the concern. We acknowledge requests within two business days.
For PHIPA escalations you can also contact the Information and Privacy Commissioner of Ontario.