1. Scope
This policy applies to oneexpert.ai, related subdomains, our web application, our APIs, and any communications from us. It does not apply to third-party sites we link to.
2. Information we collect
2.1 Information you provide
- Account data: name, business email, phone, role, practice name and address.
- Provider credentialing data: dental license, NPI Type 1 and Type 2, DEA registration, malpractice insurance, CV, references, board certifications, government identifiers, CAQH ProView credentials, and any documents you upload to complete enrollment.
- Billing data (limited): we use a third-party payment processor; we receive transaction metadata, not full card numbers.
- Communications: support requests, demo bookings, and form submissions.
2.2 Information collected automatically
- Device, browser, IP address, approximate location (city-level), referring URL, and timestamps.
- Application usage events for security, abuse detection, performance, and product improvement.
- Cookies and similar technologies — see Section 8.
2.3 Information from third parties
We may receive data from public payer directories, primary source verification services, and credentialing data providers strictly to complete enrollment requested by you.
3. How we use information
- To deliver, operate, and improve the credentialing service.
- To submit applications and respond to payer inquiries on your behalf.
- To track re-credentialing windows and document expirations.
- To prevent fraud, abuse, and unauthorized access.
- To comply with legal obligations (including HIPAA and applicable state law).
- To send service updates, security notices, and — with consent — marketing communications.
4. Lawful bases (where applicable)
Where required (for example, for users in jurisdictions covered by the GDPR or UK GDPR), we rely on: (a) performance of a contract, (b) compliance with a legal obligation, (c) our legitimate interests in operating and securing the service, and (d) consent (which you may withdraw at any time).
5. PHI and HIPAA
When we process Protected Health Information on behalf of a Covered Entity, OneExpert acts as a Business Associate under HIPAA. Use and disclosure of PHI are governed by the BAA we execute with your practice. We will not sell PHI, will use it only for permitted purposes, and will provide breach notification as required by law and the BAA.
6. Sharing of information
We do not sell personal information. We share information only as described below:
- Service providers and subprocessors who help us operate the service (hosting, analytics, communications, AI inference, payment processing). See our Subprocessors page.
- Insurance payers, networks, and verification entities to complete enrollment you have requested.
- Legal and safety: to comply with subpoenas, court orders, lawful requests, or to protect rights, property, or safety.
- Business transfers: in connection with a merger, acquisition, financing, or sale of assets, subject to confidentiality and continued protection of your information.
- With your direction or consent.
7. International data transfers
We process data primarily in the United States. If you access the service from outside the U.S., your information will be transferred to and processed in the U.S. and other jurisdictions where our subprocessors operate, subject to appropriate safeguards.
8. Cookies and analytics
We use first-party and limited third-party cookies for authentication, security, preferences, and analytics. You can control cookies through your browser. Disabling cookies may impair the functionality of the service. We use Google Analytics 4 with IP anonymization where supported.
9. Data retention
We retain personal information for as long as we have an account or contract with you, plus the period required to comply with our legal, audit, and tax obligations. Credentialing files may be retained longer where payer or state law requires record-keeping. On request, and consistent with our legal obligations, we will delete or de-identify personal information.
10. Security
We maintain administrative, technical, and physical safeguards designed to protect personal information, including AES-256 encryption at rest, TLS 1.3 in transit, role-based access controls, SOC 2-aligned operating practices, multi-factor authentication for privileged access, and an incident response program. No system is impenetrable; if you believe your account is compromised, contact security@oneexpert.ai.
11. Your rights
Depending on where you live, you may have rights to access, correct, delete, restrict, or port your information; to object to certain processing; and to withdraw consent. California residents have specific rights under the California Consumer Privacy Act (CCPA / CPRA), including the right to know, the right to delete, the right to correct, and the right to opt out of "sales" and "sharing." OneExpert does not sell personal information and does not share it for cross-context behavioral advertising. To exercise rights, email legal@oneexpert.ai. We will verify your identity before responding.
12. Children
OneExpert is intended for businesses and is not directed to children under 16. We do not knowingly collect personal information from children.
13. Changes to this policy
We may update this policy from time to time. Material changes will be communicated via the service or by email to account administrators. The "Effective" date above will reflect the most recent version.
14. Contact
OneExpert · Attn: Privacy · legal@oneexpert.ai.