Privacy Policy.

1. Who we are

JUNO REALTY LLC ("Juno," "we," "us," or "our") operates the juno.dental website and the Juno dental practice management platform (collectively, the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website or use our Service.

2. Information we collect

2.1 Information you provide

• Account information: name, email address, practice name, role, and credentials when you create an account or apply through our design partner form.
• Practice data: patient records, treatment histories, insurance information, scheduling data, clinical notes, imaging references, and billing records that you enter or migrate into the Service. This data includes protected health information (PHI) as defined by HIPAA.
• Communications: messages you send us through the application form, support requests, or other channels.
• Payment information: billing details processed by our third-party payment processor. We do not store full credit card numbers on our servers.

2.2 Information collected automatically

• Usage data: pages viewed, features used, session duration, and interaction patterns within the Service.
• Device data: browser type, operating system, device identifiers, IP address, and screen resolution.
• Log data: server logs including timestamps, API calls, and error reports. PHI is stripped from log data before storage in our observability stack.

2.3 Information from third parties

• Migration data: when migrating from another practice management system (Dentrix, Eaglesoft, Open Dental, SoftDent, CareStack), we receive the data you authorize for transfer.
• Insurance clearinghouses: eligibility responses, ERA/EOB data, and claim status updates from Stedi, DentalXChange, and Vyne Dental.
• Imaging systems: image references and metadata from integrated imaging systems (Carestream, DEXIS, Planmeca, Sirona, Vatech, Apteryx). Image data stays on your local systems unless you explicitly configure cloud upload.

3. How we use your information

We use the information we collect to:

• Provide, operate, and maintain the Service, including AI agent processing for scheduling, claims, eligibility, recall, clinical notes, and voice charting
• Process insurance claims, verify eligibility, and manage revenue cycle operations on your behalf
• Improve the Service, including training and improving our AI models (see Section 3.1)
• Communicate with you about your account, respond to support requests, and send service-related notifications
• Detect, prevent, and address security incidents, fraud, and technical issues
• Comply with legal obligations, including HIPAA requirements

3.1 AI model training

4. How we share your information

We do not sell your personal information or PHI. We share information only in the following circumstances:

• Service providers: third-party vendors who assist in operating the Service (cloud hosting via Supabase/Vercel, payment processing, email delivery). Each vendor is bound by a data processing agreement and, where applicable, a Business Associate Agreement (BAA).
• Insurance clearinghouses: to process claims, verify eligibility, and receive remittance data on your behalf, as authorized by you.
• AI service providers: Anthropic (Claude API) for AI-powered features. Anthropic does not retain or train on data sent through their API. A BAA is in place with Anthropic.
• Legal requirements: when required by law, regulation, legal process, or governmental request.
• Business transfers: in connection with a merger, acquisition, or sale of assets, with notice to affected users.
• With your consent: in any other circumstance where you explicitly authorize sharing.

5. Data security

We implement industry-standard security measures including:

• TLS 1.3 encryption for all data in transit with mutual authentication
• AES-256 encryption for data at rest
• Row-level security (RLS) at the database level — each practice's data is isolated by PostgreSQL policy, not just application code
• Multi-factor authentication (MFA) for all user accounts
• Role-based access control (RBAC) with five configurable roles
• Immutable audit logging of all data access and modifications
• PHI stripped from application logs before storage in observability systems
• Regular penetration testing and security assessments
• SOC 2 Type II certification in progress; SOC 2-equivalent controls currently in place

6. Data retention

We retain your data as follows:

• Practice/patient data: retained for the duration of your account and for 90 days after account termination, during which you can export all data. After the 90-day window, data is permanently deleted.
• Audit logs: retained for 7 years per HIPAA requirements.
• Usage analytics: retained in aggregate (non-identifiable) form indefinitely; identifiable usage data is deleted after 24 months.
• Application form submissions: retained for 12 months after last contact.

7. Your rights

Depending on your jurisdiction, you may have the right to:

• Access the personal information we hold about you
• Request correction of inaccurate data
• Request deletion of your data (subject to legal retention requirements)
• Object to or restrict processing of your data
• Data portability — receive your data in a structured, machine-readable format
• Withdraw consent where processing is based on consent

To exercise any of these rights, contact us through the support form.

7.1 California residents (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), including the right to know what personal information is collected, to delete personal information, to opt out of the sale of personal information (we do not sell personal information), and to non-discrimination for exercising your rights. Note: HIPAA-covered health information is exempt from the CCPA.

7.2 HIPAA rights

If you are a patient whose information is stored in Juno, your rights regarding your health information are governed by HIPAA and described in our Notice of Privacy Practices. Please contact your dental practice directly to exercise your HIPAA rights.

8. Cookies and tracking

Our website uses only essential cookies required for the Service to function (session management, authentication). We do not use third-party advertising cookies or cross-site tracking pixels. We do not participate in ad networks or sell data to advertisers.

9. Children's privacy

The Service is not directed to individuals under the age of 13. We do not knowingly collect personal information from children under 13 outside of the context of dental practice management (where such information is provided by a parent, guardian, or the dental practice as part of patient care and is governed by HIPAA). If we become aware that we have collected personal information from a child under 13 outside of this context, we will take steps to delete such information.

10. International data transfers

The Service is hosted in the United States. If you access the Service from outside the United States, your information will be transferred to and processed in the United States. We implement appropriate safeguards for international data transfers in compliance with applicable data protection laws.

11. Changes to this policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page and, for active subscribers, by email notification at least 30 days before the changes take effect. Your continued use of the Service after any changes constitutes your acceptance of the revised policy.

12. Contact us

If you have questions about this Privacy Policy or our data practices, contact us through the support form.

JUNO REALTY LLC
United States