Privacy Policy

Effective Date: April 12, 2026  |  Last Revised: April 12, 2026

This Privacy Policy describes how Virello AI Technology Inc., the owner and operator of Taproot ("Taproot," "we," "our," or "us"), treats certain information collected or provided in connection with an end user's ("you" or "your" or "user") use of Taproot's website, apps, or other digital medium owned or operated by Virello AI Technology Inc. This Privacy Policy also applies to any Personal Information collected, stored, or used by us, such as information you provide us through the above mediums, by email, mail, or telephonic communications (collectively, the "Site").

The information provided in this Privacy Policy is designed to inform you of what information we collect, why we collect such information, how we use the information we collect, and the choices we offer, including how to access and update information. By accessing or using our Site, you consent to these Terms and this Privacy Policy, including our collection, use, and disclosure of your Personal Information, as described below. This Privacy Policy is not a contract and does not create any legal rights.

Please read this Privacy Policy carefully.

1. Personal Information We Collect from You

We get most Personal Information directly from you, through the Site, or through third-party applications authorized by you. Personal Information is any information that can be used to identify you. Examples of information we may collect from you include:

Authentication Information: Your name, email address, and profile identifiers provided when you create an account.

Transient Medical Documents: Dental bills, treatment plans, or receipts you upload for analysis. Note on Zero-Retention: Uploaded images, PDFs, and extracted Personal Health Information (PHI) such as your name, date of birth, or health card number are processed in-memory only and are permanently destroyed immediately after the analysis is complete. We do not store these documents.

Intake Form Information: When you initiate the Matching Service by completing the Intake Form, we collect information including your name, email address, geographic location (city and country), the nature of your dental concern or treatment category, your stated priorities (such as treatment quality, cost, or comfort), your willingness to travel for treatment, any additional context you choose to provide in open text fields, and any dental treatment plans, clinical notes, or other documents you choose to share in connection with your Intake Form submission.

This information is used solely for the purpose of facilitating the Matching Service, including researching and contacting potential Matched Clinics on your behalf and delivering a matching recommendation to you.

Taproot retains Intake Form data only for as long as is necessary to fulfill the purposes described in this section and as further described in these Terms, or for such additional period as may be required by applicable law or to resolve any disputes arising from the Matching Service. Requests for deletion of Intake Form data may be submitted to support@taprootdental.com and will be processed within a reasonable time, subject to any legal obligations requiring Taproot to retain certain information for a longer period.

Dental Dollar Audit Documents: When you submit dental invoices, treatment plans, or billing statements for review under the Dental Dollar Audit service, such documents are reviewed by a Taproot contractor acting in their personal capacity as a former dental professional. Unlike documents submitted for AI analysis—which are processed under our Zero-Retention architecture and immediately purged—documents submitted for the Dental Dollar Audit are retained for a limited period to enable the contractor to prepare and deliver their commentary.

Documents submitted for the Dental Dollar Audit are:

You are strongly encouraged to redact all personal identifiers—including your name, date of birth, health card number, insurance member number, and the name and provider number of your treating dentist—from any document submitted for the Dental Dollar Audit before submission. Taproot is not responsible for any personal information you choose to include in submitted documents.

Anonymized Pricing Data: We securely extract and store strictly non-identifiable data points from your uploads (e.g., the dental procedure code, the fee charged, and the province) to aggregate statistical "Market Averages." This data is never linked to your user account or identity.

Usage Data: We collect information about your use of the Services, such as the dates and times of access, user agent and version, type of computer or mobile device, your computer connection, and geographic location (at the provincial level).

You can choose not to provide certain information to us, but it may prevent us from providing our Services to you.

We do not currently respond to Do Not Track browser settings because a uniform technological standard has not yet been developed. This Privacy Policy does not cover pseudonymous data, or data that cannot be used to identify an individual, collected by us or our authorized third-party vendors.

2. Personal Information Provided from Other Sources

We may automatically receive and store certain types of Personal Information whenever you visit the Site, such as information from analytics tools on when, how often, and for how long you use the Site. This information may include the name of the domain and host from which you access the Internet and the IP address of the device you are using. We may log and use your IP address to administer the Site, diagnose server problems, analyze trends, and gather broad demographic information for aggregate use.

If you sign in through a third-party authentication provider (such as Google via Clerk), you are authorizing us to collect, store, and use the basic profile information that you agreed the provider would share with us through its API, such as your email address. Your interactions with these providers are governed by their respective privacy policies.

3. How We Use Your Personal Information

We may collect Personal Information in order to deliver our core services; to communicate with you; to perform contractual obligations; to comply with legal obligations; and to help identify and prevent fraud.

Specifically, we may use third-party AI processors, such as Google Cloud Vertex AI (Enterprise Tier) and OpenAI (Enterprise Tier), to analyze your uploaded documents. Under our strict Data Processing Agreements, our AI providers are contractually prohibited from logging your data or using your data to train their models.

We employ a strict separation of concerns: your identity data used for authentication is entirely decoupled from our medical analysis database. We do not use user IDs or foreign keys to link your profile to the anonymized pricing data we aggregate for internal analytics purposes.

In addition to the uses described above, personal information submitted through the Intake Form is used to research, contact, and evaluate potential Matched Clinics on your behalf, to communicate with those clinics regarding your stated needs and priorities, and to deliver a matching recommendation to you as part of the Matching Service. This use is described in further detail in Section 1 of this Privacy Policy.

4. Disclosure of Information

In order to conduct our business and better serve you, we may disclose Personal Information and other information about you or your activities on our Site to:

Matched Clinics:

As a necessary component of the Matching Service, we may share relevant portions of your Intake Form information with one or more Matched Clinics for the purpose of enabling those clinics to assess their suitability for your needs and to facilitate an introduction between you and the Matched Clinic. Information shared with Matched Clinics may include your name, geographic location, dental concern or treatment category, stated priorities, and any relevant clinical documents you have chosen to share.

We do not share your contact information (email address or phone number) with a Matched Clinic without your explicit consent, which we will seek from you prior to making any introduction. We request that Matched Clinics treat your personal information in accordance with applicable privacy legislation and use your information solely for the purpose of the potential clinical relationship. However, Taproot does not guarantee how Matched Clinics handle your information once it has been shared, consistent with the limitations set out in these Terms. We encourage you to review the privacy policies of any Matched Clinic before proceeding with treatment.

You may withdraw your consent to share Intake Form data with a Matched Clinic at any time prior to a match being communicated to you by contacting Taproot at support@taprootdental.com. Taproot will acknowledge receipt of a withdrawal request within two (2) business days and will use commercially reasonable efforts to process such withdrawal within five (5) business days. Withdrawal requests received after Taproot has already shared your information with a Matched Clinic cannot be reversed with respect to information already disclosed.

We do not sell your Personal Information or PHI to any third parties.

5. Retention, Confidentiality, and Security of Personal Information

Taproot processes your transient dental records exclusively on servers located in Canada. These records do not cross borders during the analysis process, ensuring compliance with PIPEDA standards.

We maintain reasonable physical, electronic, and procedural safeguards to guard your information. All data transmitted between your device and our servers is encrypted using industry-standard protocols (HTTPS/TLS 1.2+). Because we employ a Zero-Retention architecture for medical documents, the risk of data breaches regarding your PHI is strictly minimized. However, the Internet is not absolutely secure and, thus, we cannot promise guaranteed security. As applicable, we will comply with notification requirements for a security breach.

6. Children Under The Age of Majority

We do not knowingly collect information from minors, and the Site is intended for individuals who have reached the age of majority in their province or territory. If you are a parent or guardian and believe that your child under the age of majority has provided Personal Information to us without your consent, please notify us. If we become aware that information is or has been submitted by or collected from a minor under the age of majority, we will work to promptly delete this information.

7. Electronic Marketing Communications and Subscriber Data

Taproot may send commercial electronic messages (CEMs) to users who have provided express or implied consent in accordance with Canada's Anti-Spam Legislation (CASL), S.C. 2010, c. 23. The full framework governing Taproot's CASL compliance, including consent requirements, CEM content standards, and unsubscribe rights and procedures, is set out in Section 19 of these Terms.

With respect to the privacy of subscriber data specifically:

8. Viewing and Amending Information

Taproot is located in Canada. The Personal Information we collect is processed in Canada.

If you no longer wish to receive communications from us or wish to delete your account, please contact us. We reserve the right to verify the identity of any person making a request to opt-out or to delete or modify Personal Information, including requests for deletion of Intake Form data. Taproot may require the requestor to confirm identifying information consistent with what was submitted through the Intake Form before processing any deletion request relating to that data.

If you wish to request deletion of personal information submitted through the Intake Form, you may do so by contacting us at support@taprootdental.com. Taproot will process such requests within a reasonable time, subject to any legal obligations requiring Taproot to retain certain information for a longer period. Please note that deletion requests received after Taproot has already shared your Intake Form information with a Matched Clinic cannot be reversed with respect to information already disclosed to that clinic. For full details of how Intake Form data is collected, used, and retained, please see Section 1 of this Privacy Policy.

Because we do not store your historical dental uploads or PHI, we cannot provide you with past records of your analysis sessions.

9. International Users and Cross-Border Data Transfers

Taproot is operated from Canada. All backend processing of personal information occurs on servers located in Canada, in compliance with the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy statutes.

(a) Users Outside Canada. If you are accessing the Site from outside Canada, your personal information will be transferred to and processed in Canada. By using the Site, you consent to the transfer of your personal information to Canada and acknowledge that Canadian privacy laws, while robust, may differ from the privacy laws of your jurisdiction.

(b) International Matched Clinics. In the event that Taproot recommends a Matched Clinic located outside Canada—including in connection with dental tourism services—personal information shared with that Matched Clinic will be subject to the privacy laws of the jurisdiction in which that Matched Clinic operates. Taproot will inform you prior to sharing your information with an international Matched Clinic and will seek your explicit consent to such cross-border transfer. Taproot does not guarantee the privacy practices of any Matched Clinic, consistent with the limitations set out in these Terms.

(c) United States Users. If you are a resident of California, you may have rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA), including: (i) the right to know what personal information Taproot collects, uses, and discloses; (ii) the right to request deletion of your personal information; and (iii) the right to opt out of the sale of your personal information. Taproot does not sell personal information. To exercise your rights under California law, please contact us at support@taprootdental.com. Please note that deletion requests received after Taproot has already shared your information with a Matched Clinic cannot be reversed with respect to information already disclosed to that clinic, consistent with the withdrawal limitations set out in these Terms.

(d) Other US States. Residents of other US states with comprehensive privacy laws—including Virginia, Colorado, Connecticut, and Texas—may have similar rights under applicable state law. To inquire about your rights, please contact us at support@taprootdental.com.

10. Language / Langue

This Privacy Policy has been drafted in English at the request of the parties. Les parties ont expressément demandé que la présente politique de confidentialité et tous les documents connexes soient rédigés en anglais.

Until a French-language version of this Privacy Policy is available, Quebec residents who wish to use the Services are invited to contact Taproot at support@taprootdental.com to request information in French, including information about how their personal data is collected, used, and protected. By using the Services, Quebec residents who choose to proceed acknowledge that they have requested and agreed to receive this Privacy Policy in English.

11. Contact Us

If you have any questions or concerns about our Privacy Policy, please contact us at support@taprootdental.com.

12. Changes and Updates to the Privacy Policy

This Privacy Policy applies to all relevant information collected by or provided to us or our authorized third-party vendors or partners as of the Effective Date. When we make any material changes to this Privacy Policy, we will update the Effective Date and may inform you by email to the address associated with your account. We will treat your continued use of this Site or our services following such notice as your acceptance of the changes.