PRIVACY POLICY

Privacy Policy

Effective Date: April 5, 2026

Introduction

This Privacy Policy explains how DDSVPN (operated by THE DDS COMPANY, "we", "us", "our") collects, uses, and protects information when you use our VPN tunnel management service.

What We Collect

We collect the following information:

  • Account Information: Your name, email address, practice name, and role (dentist, hygienist, front desk, admin, etc.).
  • Authentication Data: IP addresses during login, session tokens (encrypted), magic link tokens (single-use, expires in 15 minutes).
  • Connection Metadata: Tunnel connection timestamps, bytes transferred (upload/download totals), device type (macOS, Windows), assigned VPN IP address, last handshake timestamp.
  • Billing Information: Processed by Stripe. We do not store credit card numbers.

What We Do NOT Collect

We do not collect or have access to:

  • Protected Health Information (PHI) or patient records
  • Clinical data, treatment plans, or dental charts
  • Financial information or payment card data (handled by Stripe)
  • The content of network traffic flowing through VPN tunnels
  • Browsing history or DNS queries made through the tunnel
  • Imaging files, X-rays, or radiographs

How We Use Your Data

  • Authentication: To verify your identity and manage your session.
  • Tunnel Provisioning: To generate WireGuard configuration files and assign IP addresses.
  • Usage Analytics: To monitor tunnel health, connection uptime, and bandwidth usage (displayed in your dashboard).
  • Support: To help you troubleshoot connection issues.
  • Billing: To process payments and send invoices.
  • Security: To detect unauthorized access attempts and abuse.

Data Storage and Security

Your data is stored on US-based infrastructure:

  • API: Hosted on Fly.io (US East region, SOC 2 compliant)
  • Database: PostgreSQL on Supabase (encrypted at rest with AES-256)
  • Web Application: Cloudflare Pages (global edge network)

All data in transit is encrypted with TLS 1.3. VPN tunnels use WireGuard's ChaCha20-Poly1305 encryption.

Data Sharing

We do not sell your data. We share data only with:

  • Payment Processor: Stripe (for billing)
  • Email Provider: Resend (for sending magic link emails)
  • Infrastructure Providers: Fly.io, Supabase, Cloudflare (all under Data Processing Agreements)

Data Retention

  • Account Data: Retained while your account is active.
  • Connection Logs: Retained for 90 days, then deleted.
  • Audit Logs: Retained for 1 year for compliance purposes.
  • Deleted Accounts: All personal data deleted within 30 days of account closure.

Your Rights

You have the right to:

  • Access your personal data
  • Request correction of inaccurate data
  • Request deletion of your account and data
  • Request data portability (we'll provide a JSON export)
  • Opt out of marketing emails (we don't send marketing emails)

To exercise these rights, email privacy@ddsvpn.com.

HIPAA

DDSVPN operates as a network conduit and does not create, receive, maintain, or transmit Protected Health Information. We are not a Covered Entity under HIPAA. However, because many of our customers are Covered Entities (dental practices), we offer Business Associate Agreements upon request and voluntarily maintain HIPAA-aligned security practices.

Children's Privacy

DDSVPN is a business service. We do not knowingly collect information from anyone under 18 years of age.

Changes to This Policy

We will notify you by email if we make material changes to this policy. Continued use of DDSVPN after notification constitutes acceptance of the updated policy.

Contact

For privacy inquiries, email privacy@ddsvpn.com or write to:

THE DDS COMPANY
Greenville, SC
United States