Last updated: May 13, 2026 • Effective: May 13, 2026
Dental Spaces LLC (“Ayla,” “we,” “us,” “our”) is a California limited liability company located at 1240 S Westlake Blvd Ste 127, Westlake Village, CA 91361. We operate the Ayla dental practice management platform, including the web application, patient portal, online booking, intake forms, electronic communications, insurance claims processing, ERA review, billing, AI-assisted charting and voice features, and all related services (collectively, the “Platform”).
This Privacy Policy applies to two distinct groups:
(a) Dental Practices (“Subscribers”): Dental practices and their staff who subscribe to the Platform as business customers. You are a HIPAA Covered Entity or Business Associate using our Platform to manage your practice.
(b) Patients (“End Users”): Individuals whose information is processed through the Platform via the patient portal, online booking, intake forms, or communications sent by a dental practice using Ayla.
Important Notice to Patients: Ayla operates as a HIPAA Business Associate — not a Covered Entity. The dental practice using Ayla is primarily responsible for your health information rights under HIPAA. For a copy of the applicable Notice of Privacy Practices, please contact your dental provider directly. This Policy describes how Ayla handles data as a technology platform on behalf of dental practices.
This Policy does not cover third-party websites linked from the Platform. This Policy is governed by and should be read alongside our Business Associate Agreement (for Subscribers) and our Terms of Service.
A. Protected Health Information (PHI) — Patient Data Processed on Behalf of Practices
When a dental practice uses Ayla, we process the following categories of information about their patients as a HIPAA Business Associate:
• Identifiers: full name, date of birth, gender, address, phone number, email address, Social Security Number (when provided for insurance), patient account number, medical record number
• Health and clinical information: health history, allergies, medications, dental charting, periodontal records, treatment plans, clinical notes, diagnoses, procedure codes, X-rays and diagnostic images, clinical photographs
• Insurance and financial: insurance carrier, policy number, subscriber information, group number, claims data, ERA payment information, billing records, payment history, credit card data (tokenized via Stripe)
• Consent and forms: signed intake forms, HIPAA authorizations, treatment consents, financial agreements
• Communications: appointment reminders, recall notices, SMS and email logs, patient portal messages
B. Subscriber and Staff Information
For dental practices and their staff who use the Platform directly:
• Account information: name, email address, job title, role, login credentials (passwords are hashed using bcrypt and never stored in plain text)
• Practice identifiers: practice name, address, phone number, NPI number, Tax ID (EIN), DEA number (where applicable), state license numbers
• Billing: Stripe customer ID, subscription plan, payment method (tokenized), invoices
• Usage and audit: login timestamps, IP addresses, actions performed within the platform (required for HIPAA audit logging)
C. Technical and Automatically Collected Information
We automatically collect:
• Log data: IP address, browser type and version, operating system, referring URL, pages visited, time and date of access, session duration
• Device information: device type, screen resolution, time zone
• Cookies and similar technologies: session cookies (required for authentication), preference cookies. We do not use third-party advertising cookies or behavioral tracking cookies.
D. AI and Voice Features
The Platform includes AI-assisted features (including voice charting, AI co-pilot, and automated eligibility processing) powered by Google Vertex AI (Gemini) under a signed HIPAA Business Associate Agreement with Google Cloud. Voice interactions may be transcribed and processed to generate clinical notes. Audio is not retained beyond the active session unless required for a specific feature with explicit consent. You may opt out of AI-assisted features through Platform settings.
We use the information described above solely to provide, maintain, and improve the Platform. Specific uses include:
• Delivering core Platform functionality: scheduling, charting, treatment planning, billing, insurance claims, ERA processing, patient portal access
• Sending appointment reminders, confirmations, recalls, and intake form requests via SMS and email on behalf of dental practices
• Processing insurance eligibility verifications and claims via Stedi (our EDI clearinghouse)
• Processing payments via Stripe
• Powering AI features including voice charting, automated suggestions, and eligibility interpretation
• Maintaining HIPAA-required audit logs of all access to protected health information
• Providing customer support and responding to inquiries
• Detecting and preventing fraud, unauthorized access, and security incidents
• Complying with applicable legal obligations
• Analyzing aggregated, de-identified usage data to improve Platform features (no PHI is used for this purpose without explicit authorization)
We do not use PHI to train AI models, conduct marketing to patients, or sell data to third parties for any purpose.
We do not sell, rent, or trade protected health information or personal data. Ever.
We share information only in the following circumstances:
A. Service Providers with Business Associate Agreements (BAAs)
The following vendors handle PHI and have executed BAAs with us in accordance with 45 CFR § 164.308:
• Amazon Web Services (AWS) — cloud infrastructure, encrypted database hosting, file storage (US regions only)
• Google Cloud / Vertex AI — AI processing (Gemini), Speech-to-Text, Translation (BAA signed May 8, 2026; covers 139+ GCP services)
• Stedi — insurance eligibility verification and claims clearinghouse (EDI 270/271, 837, 835)
• Stripe — payment processing (also PCI DSS Level 1 certified)
B. Service Providers (Operational Data, No PHI)
• Twilio — SMS delivery (phone numbers and message text; no clinical data transmitted)
• Google Workspace — transactional email delivery (confirmation emails, notifications)
C. Dental Practices
Patient information is accessible to the dental practice that collected it. Practices control and are responsible for the use of patient data within the Platform.
D. Insurance Companies and Clearinghouses
We transmit claims and eligibility requests to insurance payers on behalf of dental practices, as authorized by patients through treatment consent and financial agreements with their practice.
E. Legal Requirements
We may disclose information when required by law, subpoena, court order, or governmental authority; to protect the rights, property, or safety of Ayla, its users, or the public; or in connection with legal proceedings.
F. Business Transfers
In the event of a merger, acquisition, or sale of substantially all assets, user information may be transferred. We will notify affected parties and ensure the acquiring entity is bound by equivalent data protection obligations, including execution of BAAs where required by HIPAA.
Ayla operates as a HIPAA Business Associate under 45 CFR Parts 160 and 164. Our obligations include:
Administrative Safeguards: Designated Security and Privacy Officer; workforce training; risk analysis and risk management program; access management policies; contingency and disaster recovery planning.
Physical Safeguards: All infrastructure is hosted on AWS with physical access controls managed by AWS. No PHI is stored on physical premises of Dental Spaces LLC.
Technical Safeguards: TLS 1.2+ encryption for all data in transit; AES-256 encryption for data at rest; multi-factor authentication (TOTP); role-based access controls; automatic session timeout after inactivity; comprehensive audit logs capturing all PHI access events with user, timestamp, IP address, and action type.
Breach Notification: In the event of a breach of unsecured PHI, we will notify the affected Covered Entity (dental practice) without unreasonable delay and no later than 60 days after discovery, as required by 45 CFR § 164.410. Practices are responsible for notifying affected patients and HHS as required by 45 CFR § 164.404.
Minimum Necessary Standard: We access PHI only to the extent necessary to perform our contracted services. Internal access is limited to staff with a documented business need.
Patient Rights Support: We support dental practices in fulfilling patient rights requests under HIPAA, including rights of access, amendment, accounting of disclosures, and restriction requests, through tools available in the Platform.
A. California Consumer Privacy Act / California Privacy Rights Act (CCPA/CPRA)
California residents have the following rights with respect to personal information that is not PHI governed by HIPAA (such as staff account information and practice contact data):
• Right to Know: Request disclosure of the categories and specific pieces of personal information we have collected about you, the sources, business purposes, and third parties with whom we share it.
• Right to Delete: Request deletion of personal information we hold about you, subject to exceptions (e.g., information necessary to provide services, comply with legal obligations, or complete transactions).
• Right to Correct: Request correction of inaccurate personal information.
• Right to Opt-Out of Sale or Sharing: We do not sell or share personal information for cross-context behavioral advertising. No opt-out is necessary.
• Right to Limit Use of Sensitive Personal Information: We use sensitive personal information only as necessary to provide the Platform.
• Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA/CPRA rights.
To submit a CCPA/CPRA request, contact us at privacy@ayladental.com or by mail at the address below. We will verify your identity before responding. We will respond within 45 days, with one 45-day extension if necessary.
B. California Confidentiality of Medical Information Act (CMIA)
Patient medical information processed through the Platform is subject to the California CMIA (Cal. Civ. Code § 56 et seq.), which provides protections in addition to HIPAA. We do not disclose medical information for employment purposes, marketing, or any purpose not authorized by the patient or required by law. California patients may contact their dental provider to exercise rights under the CMIA.
C. Shine the Light (Cal. Civ. Code § 1798.83)
California residents may request information about personal information disclosed to third parties for direct marketing purposes. We do not disclose personal information for direct marketing purposes.
SMS Communications
Dental practices using Ayla may send text messages to patients for: appointment reminders and confirmations, recall notifications, intake form requests, billing notifications, and other practice-related communications. By providing a mobile phone number to a dental practice and consenting during intake or online booking, you agree to receive these messages. Message frequency varies by practice. Standard message and data rates may apply.
To opt out: Reply STOP to any text message. You will receive one confirmation message and no further messages from that practice. Reply HELP for support or contact the practice directly.
Opt-out applies per practice. If you are a patient of multiple practices using Ayla, you must opt out separately for each.
Consent to receive SMS messages is never a condition of receiving dental care or using the patient portal. Full SMS Terms are available at ayladental.com/sms-tos.
Email Communications
Dental practices may send email for appointment reminders, recall notices, forms, and billing. To opt out of marketing emails, click “Unsubscribe” in any email. Transactional emails (appointment confirmations, form links, payment receipts) cannot be fully suppressed as they are required for your care. All emails include the sending practice's name and contact information in compliance with CAN-SPAM.
We maintain a comprehensive information security program designed to protect against unauthorized access, use, disclosure, alteration, or destruction of personal information and PHI. Safeguards include:
• TLS 1.2+ encryption for all data transmitted to and from the Platform
• AES-256 encryption for all data at rest in our databases and file storage
• Bcrypt password hashing with salting; passwords are never stored in recoverable form
• Multi-factor authentication (TOTP-based) required for all staff accounts
• Role-based access controls limiting data access to authorized personnel only
• Automatic session timeout after inactivity
• Comprehensive audit logging of all PHI access, including user identity, timestamp, IP address, and action
• Regular security assessments and vulnerability testing
• Encrypted automated daily backups retained per HIPAA requirements
• All data hosted in AWS US regions; no international data transfers of PHI
No system can guarantee absolute security. If you believe your account has been compromised, contact support@ayladental.com immediately.
Patient Health Records: Retained in accordance with HIPAA and applicable state law. Under California Health and Safety Code § 123111, dental records must be retained for a minimum of 7 years from the date of the last entry. For minor patients, records are retained until the patient reaches age 19 (age of majority for medical records in California), or 7 years from the last entry, whichever is longer.
Practice and Staff Account Data: Retained for the duration of the subscription and for a minimum of 3 years after termination, unless deletion is requested and permitted by applicable law.
Audit Logs: Retained for a minimum of 6 years as required by HIPAA.
Billing Records: Retained for 7 years for tax and accounting purposes.
Upon practice subscription termination, we provide a data export period of 30 days during which practices may export all patient records. After this period, data is securely deleted per our data destruction policy, subject to any legal hold or retention obligations.
As a Business Associate, we support dental practices in facilitating the following patient rights under 45 CFR §§ 164.520–164.528:
• Right to Access: Request copies of your dental records (45 CFR § 164.524). Contact your dental provider directly.
• Right to Amend: Request corrections to inaccurate or incomplete information (45 CFR § 164.526).
• Right to an Accounting of Disclosures: Request a list of disclosures of your PHI made for purposes other than treatment, payment, and healthcare operations (45 CFR § 164.528).
• Right to Request Restrictions: Request restrictions on how your PHI is used or disclosed (45 CFR § 164.522).
• Right to Confidential Communications: Request that communications be sent to you via a specific method or address.
• Right to File a Complaint: You may file a complaint with your dental provider, with us at privacy@ayladental.com, or directly with the U.S. Department of Health and Human Services Office for Civil Rights at hhs.gov/ocr. We will not retaliate against you for filing a complaint.
The Ayla Platform is used by dental practices to treat patients of all ages, including minors. Minor patients' protected health information is handled with the same HIPAA safeguards as adult information. Parents or legal guardians may access minor patients' records through the dental practice.
The Platform is not directed at children under 13 for independent use. Parents or guardians provide consent for minors during the intake process. We do not knowingly collect personal information from children under 13 for the Platform's own purposes outside of the clinical context governed by HIPAA.
If you believe a minor's information has been improperly collected outside the clinical context, contact us at privacy@ayladental.com.
We use only strictly necessary cookies for Platform operation:
• Session cookies: Required for authentication and maintaining your login session. Automatically deleted when you close your browser.
• Preference cookies: Store non-sensitive UI preferences (e.g., display settings). Persist until cleared.
We do not use advertising cookies, cross-site tracking cookies, or analytics cookies that share data with third parties. We do not use pixel tags, web beacons, or fingerprinting technologies for tracking users across other websites.
The Platform includes AI-powered features including voice charting, automated eligibility interpretation, AI co-pilot suggestions, and clinical note generation. These features are powered by Google Vertex AI (Gemini) under a HIPAA BAA.
Important limitations: AI-generated suggestions are assistive tools only. All clinical decisions — including charting, treatment planning, and diagnoses — are made exclusively by licensed dental professionals. Ayla AI features do not make autonomous clinical or billing decisions.
Data use for AI: We do not use PHI to train, fine-tune, or improve AI models without explicit, documented authorization from the Covered Entity. AI processing of PHI occurs solely in real-time for the purpose of generating the requested output.
You may opt out of AI-assisted features through your practice's account settings or by contacting support@ayladental.com.
All PHI and personal data is stored and processed exclusively within the United States on AWS infrastructure. We do not transfer PHI to servers, vendors, or personnel outside the United States. Non-PHI operational data (e.g., support tickets) may in limited circumstances be accessed by personnel in other jurisdictions under appropriate contractual safeguards.
We may update this Privacy Policy to reflect changes in our practices, technology, legal requirements, or other factors. We will notify dental practices of material changes via email to the practice's account email address at least 30 days before the changes take effect. For non-material changes, we will update the “Last updated” date.
Your continued use of the Platform after the effective date constitutes acceptance of the updated Policy. If you do not agree to material changes, you may terminate your subscription per the Terms of Service.
For privacy inquiries, data requests, breach reports, or complaints:
Privacy Officer, Dental Spaces LLC
1240 S Westlake Blvd Ste 127
Westlake Village, CA 91361
privacy@ayladental.com
support@ayladental.com
ayladental.com
For HIPAA complaints: U.S. Department of Health and Human Services, Office for Civil Rights
hhs.gov/ocr/complaints • 1-800-368-1019
Dental Spaces LLC d/b/a Ayla