Synthesis Benefits ("we," "us," or "our") is committed to protecting the privacy of our users and their patients. This Privacy Policy explains how we collect, use, store, and protect information when you use the Synthesis Benefits platform and related services (the "Service").
For information specific to Protected Health Information (PHI) under HIPAA, please also review our HIPAA Compliance Notice and Business Associate Agreement.
1. Information We Collect
1.1 Account Information
When you register for or use the Service, we collect:
- Name and email address of authorized practice users
- Practice name, address, and contact information
- Role and job function within the practice
- Phone number (if provided)
1.2 Practice and Patient Data
In the course of providing the Service, we process data from your practice management system and insurance interactions, which may include:
- Patient names, dates of birth, and contact information
- Insurance plan details, member IDs, and coverage information
- Appointment schedules and treatment history
- Claims data, procedure codes, and billing information
- Insurance eligibility and verification results
Patient data is processed solely on behalf of your practice. We act as a Business Associate under HIPAA, and this data is governed by the Business Associate Agreement (BAA) between your practice and Synthesis Benefits.
1.3 Usage Data
We automatically collect information about how you interact with the Service, including:
- Pages visited and features used
- Browser type, device information, and IP address
- Session duration and interaction patterns
- Error logs and performance data
2. How We Use Your Information
We use the information we collect to:
- Provide the Service — process insurance verifications, track benefits, manage claims, and deliver practice analytics.
- Improve the Service — analyze usage patterns to enhance features and fix issues.
- Communicate with you — send service-related notifications, security alerts, and support responses.
- Ensure security — detect and prevent fraud, unauthorized access, and abuse.
- Comply with legal obligations — meet requirements under HIPAA, state privacy laws, and other applicable regulations.
We do not sell your data. We do not sell, rent, or trade personal information or patient data to third parties for marketing or advertising purposes.
3. How We Share Your Information
We share information only in the following circumstances:
- With your practice — practice administrators can access data associated with their practice account.
- Service providers — we use third-party providers for hosting, email delivery, and infrastructure. These providers are contractually bound to protect your data and process it only as directed.
- Insurance clearinghouses — to perform eligibility checks and claims operations on behalf of your practice, with appropriate agreements in place.
- Legal requirements — we may disclose information if required by law, subpoena, or valid legal process.
- Business transfers — in the event of a merger, acquisition, or sale of assets, your data would be transferred subject to the same privacy protections.
4. Data Security
We implement technical, administrative, and physical safeguards to protect your information:
- Encryption at rest: Sensitive fields (patient names, dates of birth, phone numbers, email addresses) are encrypted using AES-256-GCM with per-field unique initialization vectors.
- Encryption in transit: All data transmitted to and from the Service is encrypted using TLS 1.2 or higher.
- Access controls: Role-based access ensures users only see data relevant to their function.
- Authentication: Secure session management with JSON Web Tokens (JWTs; 15-minute expiry, database-validated) and automatic session expiration.
- Audit logging: All access to sensitive data is logged for compliance and security review.
- Infrastructure: Hosted on dedicated servers with firewall protection and restricted network access.
5. Data Retention
We retain your data for the following periods:
- Account data: Retained for the duration of your subscription plus 90 days after termination.
- Patient and practice data: Retained for the duration of your subscription. Upon termination, you may request a data export within 30 days. Data is deleted within 90 days of termination.
- Usage data: Retained in aggregated, anonymized form for up to 24 months for service improvement purposes.
- Audit logs: Retained for 6 years as required by HIPAA regulations.
6. Your Rights
Depending on your jurisdiction, you may have the following rights regarding your personal information:
- Access: Request a copy of the personal information we hold about you.
- Correction: Request correction of inaccurate personal information.
- Deletion: Request deletion of your personal information, subject to legal retention requirements.
- Export: Request a machine-readable export of your data.
- Restriction: Request that we limit processing of your data in certain circumstances.
For patient data, these rights are exercised through your dental practice as the Covered Entity under HIPAA. Please contact your dental provider directly for patient data requests.
To exercise your rights as a practice user, contact us at contact@synthesisbenefits.com.
7. Cookies and Tracking
The Service uses essential cookies for authentication and session management. We do not use third-party advertising cookies or cross-site tracking. Usage analytics are collected server-side and do not involve third-party tracking scripts.
8. Children's Privacy
The Service is intended for use by dental practice professionals and is not directed at individuals under the age of 18. We do not knowingly collect personal information from children. Patient data for minors is processed under the authority of the dental practice and governed by the BAA and HIPAA.
9. State-Specific Disclosures
California (CCPA/CPRA)
If you are a California resident, you have the right to know what personal information we collect, request deletion, and opt out of the sale of personal information. We do not sell personal information. To submit a request, contact us at the email below.
Massachusetts (Chapter 93H)
Synthesis Benefits is organized in Wyoming. In compliance with Massachusetts General Laws Chapter 93H, we maintain a comprehensive written information security program (WISP) and will notify affected Massachusetts residents and the Massachusetts Attorney General's Office in the event of a data breach involving personal information, as required by law.
Other States
We comply with applicable state privacy laws, including those in Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), and other states with consumer privacy legislation. Contact us to exercise any rights provided by your state's laws.
10. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated by email or through the Service at least 30 days before taking effect. The "Last updated" date at the top reflects the most recent revision.
11. Contact
For questions about this Privacy Policy or to exercise your data rights, contact us at:
Synthesis Benefits
Email: contact@synthesisbenefits.com