Privacy Policy

BondedAI LLC and Bonded Payments Pty Ltd – Privacy Policy

1. Who We Are

BondedAI LLC ("BondedAI", "we", "our", "us") and its Australian subsidiary Bonded Payments Pty Ltd (together, "Bonded") develop payment‑processing software and related services used by dental clinics and their patients. Our Australian office is Level 7, King William St, Adelaide SA 5000, Australia, and our U.S. headquarters is 1100 South Coast Hwy, Laguna Beach CA 92651, USA.

This Policy explains how we collect, use, disclose and protect personal information, including Protected Health Information ("PHI"), across the three main jurisdictions in which we operate or store data:

  • Australia – Privacy Act 1988 (Cth) & Australian Privacy Principles ("APPs")
  • United States – Health Insurance Portability and Accountability Act 1996 ("HIPAA") and relevant State consumer‑privacy laws (e.g. California Consumer Privacy Act "CCPA/CPRA")
  • United Kingdom – UK GDPR and Data Protection Act 2018

Where a section applies only to a particular jurisdiction we label it [AU], [US] or [UK]; otherwise it applies globally.

2. Information We Collect

CategoryExamplesLegal basis / APP principle
Personal identifiersName, postal address, email, phone, date of birth, professionAPP 3; HIPAA §164.502; GDPR Art 6(1)(b) (contract)
Health & treatment dataAppointment details, treatment plans, clinical notes, XRays [AU & US]APP 3–4 (health information); HIPAA PHI; GDPR Art 9(2)(h) (healthcare)
Payment dataTokenised card details, PayTo mandate IDs, Direct‑Debit bank account numbers (masked)PCI‑DSS; APP 11; GDPR Art 6(1)(f) (legitimate interest)
Technical & usage dataIP address, device/browser, cookies, log files, support ticketsAPP 3; GDPR Art 6(1)(f)

We collect information directly from clinics, patients or their authorised representatives, via online forms, APIs, secure file upload and during live onboarding calls.

3. Mobile Applications

Bonded offers two mobile applications: BondedAI (com.bonded.doctor), a practice management app for orthodontic practitioners, and OrthoHub (com.bonded.patientapp), a patient‑facing app for orthodontic patients. Both apps are available on iOS and are subject to this Privacy Policy.

3.1 Data Collected via Mobile Apps

Data typePurposeStorage
Camera & photosCapture clinical photos for treatment records (BondedAI); upload profile or treatment‑related images (OrthoHub)Uploaded to Supabase storage; not stored locally after upload
Push notification tokenDeliver appointment reminders, treatment updates and other transactional notificationsExpo Push Token stored server‑side; associated with user account
Session credentialsAuthenticate and maintain user sessionsStored locally on device using Expo SecureStore (encrypted keychain storage)

3.2 Device Permissions

The apps request only the permissions necessary for their function. Camera access is requested at the time of use and can be revoked at any time in your device settings. Push notification permission is optional; declining will not affect core app functionality.

3.3 Third‑Party SDKs

Our mobile apps integrate the following third‑party services:

  • Supabase – Authentication, database and file storage
  • Expo – Push notifications (Expo Push Service) and over‑the‑air updates (EAS Update)

These services process data in accordance with their own privacy policies. We do not share personal information with third‑party advertisers or analytics providers through the mobile apps.

4. How We Use Information

  • Provide, bill and maintain the payment service
  • Schedule appointments and send transactional messages
  • Verify identity and comply with AML/CTF, HIPAA, PCI‑DSS, APP 11 and GDPR security obligations
  • Detect, prevent and respond to fraud, chargebacks and misuse
  • Improve the website and app through aggregated analytics
  • [US] Conduct HIPAA‑permitted healthcare operations
  • [UK/EU] Where required, rely on consent for marketing (GDPR Art 6(1)(a)); you may withdraw at any time.

We never sell or rent personal information.

5. Legal Grounds for Processing [UK/EU]

  • Contract performance (Art 6(1)(b)) – providing the service
  • Legal obligation (Art 6(1)(c)) – AML/CTF, tax, health‑records legislation
  • Legitimate interests (Art 6(1)(f)) – fraud prevention, service improvement
  • Consent (Art 6(1)(a)) – direct marketing, optional cookies

6. HIPAA Compliance [US]

We operate as a Business Associate to dental providers (Covered Entities). We sign Business Associate Agreements, implement the Security & Privacy Rules and restrict PHI use to HIPAA‑permitted purposes. De‑identified data follows §164.514(b). Breach notifications are issued within 60 days under §164.404.

7. Sharing & International Transfers

We disclose data only to:

  1. Treating dentists and authorised clinic staff
  2. Sub‑processors that provide hosting, identity verification or customer support (AWS Pty Ltd – Sydney; Atlassian Cloud – EU; Google Workspace – US).
    Our sole sub‑processor for hosting is AWS Pty Ltd – Sydney region.
  3. Regulators, courts or law‑enforcement where legally required.

We do not sell personal data for monetary consideration as defined under CPRA.

8. Data Security

  • AES‑256 encryption at rest; TLS 1.2+ in transit
  • Zero‑trust IAM with MFA; least‑privilege role design
  • Annual penetration test; quarterly vulnerability scan
  • [AU] Notifiable Data Breach scheme – OAIC notified within 30 days for eligible breaches
  • [UK] ICO breach notification within 72 hours where required

9. Data Retention

  • Clinical and payment records – 7 years from the date of last transaction or as required by HIPAA/Health Records Acts (whichever is longer)
  • Marketing data – deleted 24 months after last interaction
  • Logs & backups – rotated ≤ 12 months

10. Your Rights

JurisdictionRights
AustraliaAccess & correction (APP 12‑13); complain to OAIC
United States (HIPAA)Access PHI, request amendment, accounting of disclosures
California & other US statesAccess, deletion, opt‑out of "sharing"
United KingdomAccess, rectification, erasure, restriction, data portability, objection, complain to ICO

To exercise any right, email privacy@bondedpayments.com. Identity verification is mandatory.

11. Cookies & Similar Technologies

We use strictly‑necessary cookies for authentication and session management and optional analytics cookies (Google Analytics 4) with IP‑anonymisation. Where required (UK/EEA) we display a cookie banner seeking opt‑in consent.

12. Children

Our services are not directed to individuals under 13. If we learn we have collected personal information from a child without parental consent, we delete it.

13. Third‑Party Links

Our website may link to third‑party sites. We are not responsible for their privacy practices.

14. Updates

We will post any changes on this page and, where material, provide 30 days' notice via email or in‑app banner.

15. Contact

Privacy Officer – Nicholas Duncan

Email: privacy@bondedpayments.com

Phone: +1 (949) 339‑6557

Postal: Level 7, King William St, Adelaide, SA, 5000, Australia

If you are not satisfied with our response you may contact:

© 2025 BondedAI LLC & Bonded Payments Pty Ltd.