Privacy Policy
Effective Date: November 1, 2025
Last Updated: November 1, 2025
GummyBots, LLC, doing business as ChairPulse (“ChairPulse,” “we,” “us,” or “our”), operates the ChairPulse platform, a dental practice management platform accessible at chairpulse.com (the “Platform”). ChairPulse is a product and brand of GummyBots, LLC, a California limited liability company. This Privacy Policy describes how we collect, use, disclose, and protect your information when you use the Platform.
By accessing or using ChairPulse, you agree to this Privacy Policy. If you do not agree, you must discontinue use of the Platform immediately.
1. Information We Collect
1.1 Information You Provide Directly
- Account Information: Name, email address, phone number, job title, and role within your dental practice or organization.
- Organization and Office Information: Practice name, office locations, addresses, and organizational structure.
- Equipment Data: Equipment inventory details, including manufacturer, model, serial numbers, purchase dates, installation dates, warranty information, and room assignments.
- Maintenance Records: Maintenance schedules, task completion records, service logs, technician visit notes, and related documentation.
- Compliance Data: Compliance setup configurations, task completion records, evidence submissions (photos, documents, signatures, checklists), and regulatory requirement selections.
- Standard Operating Procedures (SOPs): SOPs you create, upload, or generate using our AI-assisted tools.
- Diagnostic Conversations: Questions, descriptions, photos, and other information you submit through our AI-powered diagnostic chat feature.
- Service Provider Information: Contact details for third-party service providers and technicians you add to the Platform.
- Billing Information: Payment details processed through our third-party payment processor (Stripe). We do not store full credit card numbers on our servers.
- Communications: Information you provide when contacting us for support, feedback, or inquiries.
1.2 Information Collected Automatically
- Usage Data: Pages visited, features used, clickstream data, session duration, frequency of use, and interaction patterns.
- Device and Browser Information: IP address, browser type, operating system, device identifiers, and screen resolution.
- Log Data: Server logs including access times, error logs, and referring URLs.
- Cookies and Similar Technologies: We use cookies, local storage, and similar technologies to maintain session state, remember preferences (such as office selection), and improve user experience. See Section 7.3 for details.
1.3 Information Generated by the Platform
- AI-Generated Content: Diagnostic reports, equipment troubleshooting suggestions, SOP drafts, compliance recommendations, and maintenance schedule suggestions generated by our AI features.
- AI Usage Metrics: Records of AI feature usage, including token counts, model types used, and feature categories, for subscription tier management and billing purposes.
- Analytics and Aggregated Data: De-identified, aggregated data derived from your use of the Platform for analytics, product improvement, and benchmarking purposes.
2. How We Use Your Information
We use the information we collect for the following purposes:
2.1 Providing and Operating the Platform
- Delivering the core features of ChairPulse, including equipment management, maintenance scheduling, compliance tracking, SOP management, and AI-powered diagnostics.
- Authenticating users and managing access permissions across offices and roles.
- Processing subscription payments and managing billing.
- Providing customer support and responding to inquiries.
2.2 AI-Powered Features
- Processing your inputs (text, images, equipment data) through third-party AI providers to generate diagnostic reports, troubleshooting suggestions, SOP drafts, compliance recommendations, and equipment metadata enrichment.
- Logging AI usage to enforce subscription tier limits and prevent abuse.
2.3 Platform Improvement
- Analyzing usage patterns to improve Platform functionality, user experience, and performance.
- Creating aggregated, de-identified datasets for benchmarking, analytics, and product development.
- Identifying and fixing bugs, errors, and security vulnerabilities.
2.4 Communications
- Sending transactional communications, including account verification, billing notices, and system alerts.
- Sending maintenance reminders, compliance deadline notifications, and other Platform-related notifications you have configured.
- Responding to support requests and feedback.
2.5 Legal and Safety
- Complying with applicable laws, regulations, and legal processes.
- Enforcing our Terms and Conditions and protecting against fraud, abuse, and security threats.
- Protecting the rights, property, and safety of ChairPulse, our users, and the public.
3. Third-Party Service Providers
We share information with the following categories of third-party service providers who process data on our behalf:
3.1 AI and Machine Learning Providers
Our AI-powered features transmit certain user inputs to commercial third-party AI API providers for processing. The following list of AI subprocessors is current as of the Last Updated date of this Privacy Policy. We will update this list as providers are added, changed, or removed. Changes to this subprocessor list that involve a new provider receiving Customer Data constitute a material change to this Privacy Policy and will be communicated in accordance with Section 12 (Changes to This Privacy Policy), including email notification, before the new provider begins processing your data.
| Provider | Features | Data Transmitted |
|---|---|---|
| Google (Gemini API) | Diagnostic chat, diagnostic reports | Equipment descriptions, symptoms, user questions, uploaded images |
| OpenAI | SOP generation, SOP chat, document parsing | Equipment details, SOP content, uploaded documents and images |
| Perplexity | Equipment enrichment, compliance suggestions | Equipment names, models, categories |
Important: These third-party AI providers process your data according to their own terms of service and privacy policies. We select providers that offer commercial API terms (not consumer terms) and that commit to not using API inputs for model training. We maintain data processing agreements (DPAs) or equivalent contractual commitments with our subprocessors that include obligations regarding data security, confidentiality, and use restrictions. However, we cannot guarantee how third-party providers handle data once transmitted. We recommend that you do not submit Protected Health Information (PHI), patient data, or other sensitive personal information through any AI-powered feature.
3.2 Infrastructure and Hosting
- Supabase: Database hosting, authentication, file storage, and serverless functions. Data is stored in the United States.
- Vercel / CDN Providers: Frontend hosting and content delivery.
3.3 Payment Processing
- Stripe: Payment processing and subscription management. Stripe collects and processes payment information in accordance with Stripe’s Privacy Policy. We do not have access to your full payment card details.
3.4 Analytics
- We may use analytics tools to understand Platform usage. These tools collect anonymized or pseudonymized usage data.
3.5 Other Disclosures
We may disclose your information if required to do so by law, regulation, legal process, or governmental request, or if we believe in good faith that disclosure is necessary to protect our rights, your safety, or the safety of others, investigate fraud, or respond to a government request.
In the event of a merger, acquisition, reorganization, bankruptcy, or other similar event, your information may be transferred as part of that transaction. We will notify you at least thirty (30) days before any such transfer takes effect. If you do not wish your data to be transferred, you may terminate your account and export your Customer Data during the notice period (see our Terms and Conditions for details).
4. HIPAA Disclaimer and Data Protection
4.1 How We Protect Your Data
While ChairPulse is not HIPAA-compliant, we take the security of your practice data seriously. We implement commercially reasonable security measures to protect the equipment data, maintenance records, compliance tracking, and operational information you store in the Platform. These measures are described in detail in Section 6 (Data Security) and include encryption, role-based access controls, row-level security, and regular monitoring.
4.2 HIPAA Non-Compliance
ChairPulse is not a HIPAA-compliant platform. The Platform is designed for dental practice equipment management, maintenance scheduling, compliance tracking, and operational workflows — not for storing or transmitting patient health records.
- We do not enter into Business Associate Agreements (BAAs).
- We do not represent or warrant that the Platform meets HIPAA security, privacy, or breach notification requirements.
- You must not submit, upload, or transmit any PHI, patient records, patient names, treatment information, or other individually identifiable health information through the Platform, including through diagnostic chat, SOP content, compliance evidence, or any other feature.
- If you inadvertently submit PHI through the Platform, you are solely responsible for any resulting HIPAA violations or data breaches.
If your practice requires HIPAA-compliant tools for managing patient information, you must use separate, HIPAA-compliant systems for that purpose. ChairPulse is designed to complement — not replace — your patient management systems.
5. Data Ownership and Retention
5.1 Your Data
You retain ownership of all data you submit to the Platform (“Customer Data”). We do not claim ownership of your Customer Data. We use your Customer Data solely to provide and improve the Platform as described in this Privacy Policy.
5.2 Aggregated and De-Identified Data
We may create aggregated, de-identified, or anonymized data from your Customer Data. We apply industry-standard de-identification methods consistent with applicable regulations (including the CCPA/CPRA de-identification standards) to ensure that such data cannot reasonably be used to identify you, your organization, or any individual. We maintain administrative and technical safeguards to prevent re-identification. We may use this aggregated data for lawful business purposes, including analytics, product development, and benchmarking.
5.3 AI-Generated Content
AI-generated outputs (diagnostic reports, SOP drafts, compliance suggestions, etc.) produced through your use of the Platform are part of your Customer Data. However, we make no claim of intellectual property ownership over AI-generated outputs, and you acknowledge that similar outputs may be generated for other users.
5.4 Data Retention
- We retain your Customer Data for as long as your account is active or as needed to provide the Platform.
- Upon account termination, we will make your Customer Data available for export for sixty (60) days. After this period, we will delete your Customer Data from our active systems, except that we may retain limited data for up to three (3) years following termination solely for the following specific purposes: (a) compliance with applicable legal or regulatory retention requirements; (b) resolution of pending disputes or claims; and (c) fraud prevention. Data retained under these exceptions will be securely stored with access restricted to authorized personnel for the stated purposes only.
- AI usage logs and aggregated analytics data may be retained indefinitely in de-identified form.
- Backup copies may persist in our systems for up to ninety (90) days following deletion from active systems.
6. Data Security
We implement commercially reasonable administrative, technical, and physical security measures to protect your information. These measures currently include, but are not limited to:
- Encryption of data in transit (TLS/SSL) and at rest.
- Role-based access controls with per-office scoping.
- Row-level security policies at the database level.
- Authentication via industry-standard protocols.
- Regular security monitoring and vulnerability assessments.
Our specific security implementations may evolve over time as we adopt improved technologies and practices, but we will maintain a level of protection that is at least commercially reasonable for the type of data processed.
However, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security of your data. You are responsible for maintaining the confidentiality of your account credentials and for any activity that occurs under your account.
6.1 Security Incident Notification
In the event of a confirmed security incident involving unauthorized access to or unauthorized acquisition of your personal information (“Security Incident”), we will:
- Notify affected users without unreasonable delay and no later than seventy-two (72) hours after confirming the Security Incident, via email to the account address on file and through a notice within the Platform.
- Provide, to the extent known at the time of notification: (a) a description of the nature of the Security Incident; (b) the categories of data affected; (c) the steps we are taking to investigate and remediate the incident; and (d) contact information for inquiries.
- Provide any additional notifications required by applicable law, including the California data breach notification statute (Cal. Civ. Code § 1798.82).
Notification of a Security Incident does not constitute an admission of fault, liability, or wrongdoing by ChairPulse. Our notification obligations are subject to applicable law enforcement requests to delay notification. Additional terms regarding Security Incidents are set forth in Section 13.4 of our Terms and Conditions.
7. Your Rights and Choices
7.1 Account Information
You may update, correct, or delete your account information at any time through the Platform’s settings. To request full account deletion, contact us at hello@chairpulse.com.
7.2 Communications
You may opt out of non-essential communications by adjusting your notification preferences in the Platform. You cannot opt out of transactional communications necessary for the operation of your account (such as billing and security alerts).
7.3 Cookies and Tracking Technologies
We use the following categories of cookies and similar technologies:
- Strictly Necessary: Required for the Platform to function, including session authentication, office selection persistence, and security tokens. These cannot be disabled without impairing core functionality.
- Functional: Remember your preferences and settings (such as display options and notification preferences) to provide a personalized experience.
- Analytics: Help us understand how users interact with the Platform, which features are most used, and where users encounter issues. These collect anonymized or pseudonymized usage data.
We do not use advertising or cross-site tracking cookies. You can control non-essential cookies through your browser settings. Disabling strictly necessary cookies may impair Platform functionality.
Do Not Track Signals. Some browsers transmit “Do Not Track” (DNT) signals. Because there is no industry-wide standard for how companies should respond to DNT signals, we do not currently alter our data collection or use practices in response to DNT signals. We do not track users across third-party websites and therefore do not respond to DNT signals. If a uniform standard for responding to DNT signals is adopted, we will revisit this policy.
7.4 Data Export
You may request an export of your Customer Data at any time by contacting us at hello@chairpulse.com. We will provide your data in a commonly used, machine-readable format within thirty (30) days of your request.
8. California Privacy Rights
Whether or not ChairPulse is currently subject to the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), we are committed to providing California residents with the following privacy rights as a matter of good practice. If we become subject to the CCPA/CPRA based on applicable thresholds, these commitments will constitute our compliance with those laws.
8.1 Categories of Personal Information Collected
In the preceding twelve (12) months, we have collected the following categories of personal information:
| Category | Examples |
|---|---|
| Identifiers | Name, email address, IP address, account ID |
| Commercial Information | Subscription tier, billing history, purchase records |
| Internet/Electronic Activity | Usage data, log data, device information, browsing history within the Platform |
| Professional/Employment Information | Job title, role, office assignments |
| Geolocation Data | Approximate location derived from IP address |
| Inferences | Usage patterns, feature preferences |
8.2 Your California Rights
You have the right to:
- Know what personal information we collect, use, disclose, and sell.
- Delete your personal information, subject to certain exceptions.
- Correct inaccurate personal information.
- Opt Out of Sale/Sharing: We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising.
- Non-Discrimination: We will not discriminate against you for exercising your CCPA/CPRA rights.
- Limit Use of Sensitive Personal Information: We do not collect sensitive personal information as defined under the CPRA beyond what is necessary to provide the Platform.
- Opt Out of Automated Decision-Making: The Platform’s AI features generate recommendations (such as compliance suggestions, maintenance schedules, and diagnostic assessments) that are presented as informational starting points for your review — they do not automatically make decisions that produce legal or similarly significant effects on you. All AI Output requires your independent review and action before implementation. If you believe any automated processing produces legal or similarly significant effects, you may contact us to request human review of that processing.
8.3 How to Exercise Your Rights
To exercise any of these rights, contact us at:
- Email: hello@chairpulse.com
- Mail: GummyBots, LLC, 3057 Mariposa Dr, Burlingame, CA 94010
- Subject Line: “California Privacy Rights Request”
We will verify your identity before processing your request. We will respond to your request within forty-five (45) days. If we need additional time, we will notify you of the extension (up to an additional forty-five days).
8.4 Authorized Agents
You may designate an authorized agent to submit requests on your behalf. We may require proof of authorization and identity verification before processing the request.
9. Children’s Privacy
ChairPulse is a business-to-business platform designed for dental practice professionals. The Platform is not intended for use by individuals under the age of eighteen (18). We do not knowingly collect personal information from children under 18. If we become aware that we have collected personal information from a child under 18, we will take steps to delete that information promptly.
10. International Data Transfers
The Platform is designed for dental practices operating within the United States and is hosted and operated in the United States. All data is stored and processed within the United States.
If you access the Platform from outside the United States, you understand and agree that your information will be transferred to, stored, and processed in the United States, where data protection laws may differ from those in your jurisdiction. By using the Platform from outside the United States, you consent to this transfer. We make no representation that the Platform is appropriate or compliant with the laws of any jurisdiction outside the United States.
11. Third-Party Links
The Platform may contain links to third-party websites, services, or resources (including AI-generated citations and references). We are not responsible for the privacy practices, content, or security of any third-party sites. We encourage you to review the privacy policies of any third-party services you access.
12. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of material changes by:
- Posting a notice on the Platform.
- Sending an email to the address associated with your account.
- Updating the “Last Updated” date at the top of this Policy.
Your continued use of the Platform after the effective date of any changes constitutes your acceptance of the updated Privacy Policy. If you do not agree to the changes, you must stop using the Platform.
13. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy, please contact us at:
ChairPulse (a product of GummyBots, LLC)
3057 Mariposa Dr, Burlingame, CA 94010
Email: hello@chairpulse.com
Website: chairpulse.com