Privacy Policy
Plain-language summary: We collect only what we need to deliver your faxes securely. We do not sell, rent, or trade your personal information. We never read your faxes or use fax content for advertising. All transmissions are encrypted. DDSFAX is designed to support HIPAA compliance.
1. Overview
This Privacy Policy describes how The DDS Company (doing business as "DDSFAX," and referred to as "we," "our," or "us") collects, uses, stores, and discloses information when you use the DDSFAX platform, website, and related services (collectively, the "Service").
DDSFAX is a cloud-based fax service built for dental and medical offices in the United States. We provide unlimited fax sending and receiving through our web-based platform. By creating an account or using the Service, you agree to the practices described in this Privacy Policy and our Terms of Service.
This policy applies to information collected through the DDSFAX website, web application, and any communications between you and DDSFAX (including email and support channels). It does not apply to third-party websites or services linked from our platform.
2. Information We Collect
Account Information
When you create an account, we collect:
- Practice name and contact person name
- Email address
- Password (stored as a salted hash — we never store plaintext passwords)
- Fax number(s) assigned to your account
Payment Information
Subscription billing is handled by Stripe. Payment details are collected and processed directly by Stripe. DDSFAX does not store credit card numbers. We receive only a limited set of billing metadata from Stripe (such as subscription status, last four digits of your card, and billing address) to display in your account dashboard.
Fax Content
When you send or receive faxes, we temporarily store:
- The fax document itself (pages, images, attachments) — encrypted at rest
- Sender and recipient fax numbers
- Date, time, and duration of transmission
- Number of pages transmitted
- Transmission status (delivered, failed, pending)
Fax content is stored only as long as necessary for transmission and your configured retention period. We never read, analyze, or mine the content of your faxes.
Usage Data
We collect anonymized usage metrics including pages visited, features used, and general platform performance data. This data helps us improve the Service and cannot be tied to individual fax content.
Device & Browser Data
When you access the Service, we automatically collect technical information such as your IP address, browser type and version, operating system, device type, screen resolution, and referring URL. This data is used for security monitoring, fraud prevention, and service optimization.
Cookies
We use essential cookies for authentication, security, and preferences. For full details, see our Cookie Policy.
3. How We Use Information
We use the information we collect to:
- Provide the Service — deliver fax transmissions reliably, maintain your account, and manage your fax numbers
- Billing — manage your subscription through Stripe, send invoices, and handle billing inquiries
- Transactional communications — send critical service notifications including delivery confirmations, security alerts, outage notices, and billing receipts
- Improve the Service — analyze anonymized, aggregated usage patterns to enhance features, reliability, and performance
- Customer support — respond to your questions and resolve issues when you contact us
- Legal compliance — meet our obligations under HIPAA, tax law, and other applicable regulations
- Security — detect, prevent, and respond to fraud, abuse, and security incidents
What we will never do:
We do not sell, rent, or trade your personal information. We never use the content of your faxes for advertising, marketing, or any purpose other than delivering them to the intended recipient. We do not build advertising profiles from your data.
4. Information Sharing
We share your information only with the following categories of service providers, each of which is necessary to operate the Service:
- Stripe (billing) — Subscription billing is handled by Stripe. Stripe receives only the billing information necessary to manage your subscription. See Stripe's privacy policy.
- Cloudflare (infrastructure) — Provides our content delivery network (CDN), DDoS protection, and object storage (R2). Cloudflare may receive request metadata (IP address, headers) as part of normal CDN operations. See Cloudflare's privacy policy.
- Vercel (hosting) — Hosts our web application. Vercel receives request-level data as part of normal hosting operations. See Vercel's privacy policy.
- Turso (database) — Provides our database infrastructure. Stores account and application data in encrypted form. See Turso's privacy policy.
- Fax carrier (transmission) — Our carrier-grade fax provider transmits your faxes over the public switched telephone network. The fax carrier is bound by a Business Associate Agreement (BAA) and handles fax data solely to deliver your transmissions.
- Law enforcement — Only when compelled by valid legal process (subpoena, court order, or warrant). We will notify you of such requests unless we are legally prohibited from doing so.
We do not share your data with any other third parties. We do not sell, rent, or trade your personal information to advertisers, data brokers, or any other entity.
5. HIPAA & Protected Health Information
DDSFAX operates as a Business Associate under the Health Insurance Portability and Accountability Act (HIPAA). We are not a healthcare provider and do not provide medical advice or treatment.
Because faxes sent through our platform may contain Protected Health Information (PHI), we have implemented safeguards designed to support HIPAA compliance:
- We execute Business Associate Agreements (BAAs) with covered entities upon request
- All PHI is encrypted in transit (TLS 1.2+) and at rest (AES-256)
- Access to PHI is strictly limited to automated systems required for fax transmission
- We maintain detailed audit logs of all system access to PHI
- Our workforce receives annual HIPAA security and privacy training
- We have a designated HIPAA Privacy Officer reachable at hipaa@ddsfax.com
For more details, see our HIPAA Compliance page and Business Associate Agreement.
6. Data Security
We implement administrative, technical, and physical safeguards to protect your information:
- Encryption in transit: All data transmitted to and from DDSFAX is encrypted using TLS 1.2 or higher. We enforce HTTPS on every connection.
- Encryption at rest: All stored data — including fax documents, account information, and database records — is encrypted using AES-256.
- Access controls: Role-based access control (RBAC) with multi-factor authentication for all administrative and infrastructure access. The principle of least privilege is enforced across all systems.
- Monitoring: Continuous intrusion detection, automated alerting, and security event logging across all infrastructure.
- Incident response: Documented incident response plan with breach notification procedures that comply with the HIPAA Breach Notification Rule and applicable state breach notification laws.
No system can guarantee absolute security. If you become aware of any unauthorized access to your account, contact us immediately at support@ddsfax.com.
7. Data Retention
We retain your data for the following periods:
- Fax content: Stored for 90 days after transmission, then permanently deleted. You may delete faxes earlier from your dashboard at any time.
- Transmission logs: Metadata (sender, recipient, timestamp, status) is retained for 7 years to meet HIPAA audit requirements. Fax content is not included in these logs.
- Account data: Retained while your account is active and for 30 days after account closure to allow for reactivation.
- Billing records: Retained for 7 years as required by applicable tax law.
After the applicable retention period expires, data is permanently and irreversibly deleted from all systems, including backups.
8. Your Rights
Depending on your location, you may have the following rights regarding your personal information:
- Access: Request a copy of the personal data we hold about you.
- Correction: Update or correct inaccurate information through your account settings or by contacting us.
- Deletion: Request deletion of your account and associated personal data.
- Data portability: Request an export of your fax history and account data in a machine-readable format.
- Opt out of marketing: Unsubscribe from non-essential communications at any time. Transactional messages (security alerts, billing, service notices) are not affected.
California Residents (CCPA/CPRA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA). These include the right to know what personal information we collect and how it is used, the right to delete your personal information, and the right to opt out of the sale of personal information. We do not sell personal information.
European Economic Area (GDPR)
If you are located in the European Economic Area, you may have additional rights under the General Data Protection Regulation (GDPR), including the right to lodge a complaint with your local data protection authority. While DDSFAX primarily serves U.S.-based dental and medical offices, we honor data subject rights for any individual whose data we hold.
To exercise any of these rights, contact us at privacy@ddsfax.com. We will respond within 30 days (or sooner if required by applicable law).
9. Children's Privacy
DDSFAX is a business tool designed for dental and medical offices. The Service is not directed at individuals under the age of 13. We do not knowingly collect personal information from children under 13. If we learn that we have inadvertently collected such information, we will promptly delete it. If you believe a child under 13 has provided us with personal information, please contact us at privacy@ddsfax.com.
10. Cookies & Tracking
We use only essential cookies required for the Service to function:
- Session authentication (keeping you logged in)
- Security tokens (CSRF protection)
- User preferences (theme, language)
We do not use advertising cookies, tracking pixels, or third-party analytics that identify individual users. For a complete list of cookies and local storage items we use, see our Cookie Policy.
11. Changes to This Policy
We may update this Privacy Policy from time to time. For material changes, we will notify you by email at least 30 days before the changes take effect. Non-material changes (such as formatting or clarifying language) may be made without advance notice. The "Last updated" date at the top of this page always reflects the most recent revision.
Your continued use of the Service after any changes become effective constitutes your acceptance of the updated Privacy Policy.
12. Contact Us
If you have questions about this Privacy Policy, want to exercise your data rights, or have a privacy concern, you can reach us through any of the following:
- Legal entity: The DDS Company (DBA "DDSFAX")
- Address: Sheridan, WY 82801
- Phone: +1 (307) 429-2454
- Privacy inquiries: privacy@ddsfax.com
- General support: support@ddsfax.com
- HIPAA Privacy Officer: hipaa@ddsfax.com
See also: Terms of Service · Cookie Policy · HIPAA Compliance · Contact Us