Privacy Policy

Effective Date: February 11, 2026  |  Last Updated: February 11, 2026

StoicGuard (“Company,” “we,” “us,” or “our”) is committed to protecting the privacy and security of your personal information. This Privacy Policy describes how we collect, use, disclose, and safeguard information when you visit our website at stoicguard.com (the “Site”) and use our security scanning, compliance assessment, and monitoring services (collectively, the “Services”).

By accessing or using the Services, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree, please discontinue use of the Services immediately.

1. Information We Collect

1.1 Information You Provide Directly

  • Account Information: Name, email address, dental practice name, and state of operation when you register or complete our security questionnaire.
  • Practice Information: Website URL, practice management software (e.g., Dentrix, Eaglesoft, Open Dental), and self-reported compliance data including multi-factor authentication status, backup encryption status, Business Associate Agreement status, staff HIPAA training status, and data encryption status.
  • Payment Information: Billing details processed securely through Stripe, Inc. We do not store credit card numbers, CVVs, or full payment card data on our servers.
  • Communications: Information you provide when contacting us for support, submitting feedback, or corresponding via email.

1.2 Information Collected Automatically

  • Technical Scan Data: SSL/TLS certificate status, DNS records (SPF, DKIM, DMARC), security header configurations, IP reputation data, and malware database cross-references for the website URLs you submit for scanning.
  • Usage Data: Browser type, operating system, IP address, pages visited, time spent on pages, referring URLs, and clickstream data.
  • Local Storage Data: Scan count, scan history, and service tier information stored in your browser's local storage to manage your account and scan limits.

1.3 Information from Third-Party Sources

  • SSL Labs (Qualys): Certificate validation and TLS configuration data.
  • AbuseIPDB: IP reputation and abuse report data.
  • URLhaus (abuse.ch): Malware URL database cross-reference data.
  • Cloudflare DNS: DNS record resolution data.
  • Certificate Transparency Logs (crt.sh): Public certificate issuance records.

2. How We Use Your Information

We use the information we collect for the following purposes:

  • Service Delivery: To perform security scans, generate compliance assessments, calculate HIPAA risk scores, and provide remediation recommendations tailored to your practice management software.
  • Account Management: To manage your account, track scan usage, process payments, and enforce service tier limits.
  • Compliance Scoring: To calculate your Shield Score based on technical scan results and self-reported questionnaire data, and to estimate potential HIPAA fine exposure based on the penalty tiers established in 45 CFR §160.404.
  • Service Improvement: To analyze usage patterns, improve scan accuracy, and enhance the user experience.
  • Communications: To respond to inquiries, send service-related notifications, and provide security alerts relevant to your practice.
  • Legal Compliance: To comply with applicable laws, regulations, legal processes, or enforceable governmental requests.

3. HIPAA Considerations

Important Notice: StoicGuard performs external security assessments of publicly accessible website infrastructure and collects self-reported compliance information through our questionnaire. We do not access, store, transmit, or process Protected Health Information (“PHI”) or electronic Protected Health Information (“ePHI”) as defined under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), 45 CFR Parts 160 and 164.

Our scans analyze publicly available technical configurations (SSL certificates, DNS records, HTTP headers, IP reputation) and do not require access to internal systems, patient records, or clinical data. The compliance questionnaire collects only yes/no operational status information, not patient data.

Because we do not create, receive, maintain, or transmit PHI on behalf of covered entities, StoicGuard does not operate as a Business Associate under HIPAA. However, we voluntarily adhere to security best practices consistent with the HIPAA Security Rule to protect all data we process.

If our service relationship changes such that we would access PHI, we will execute a Business Associate Agreement (“BAA”) prior to any such access and update this Privacy Policy accordingly.

4. Disclosure of Information

We may share your information in the following circumstances:

  • Service Providers: We share data with third-party vendors who assist in operating our Services, including Stripe, Inc. (payment processing), Vercel, Inc. (website hosting), Cloudflare, Inc. (DNS and CDN services), Supabase, Inc. (database services), and Clerk, Inc. (authentication services). Each vendor is contractually obligated to protect your data.
  • Legal Requirements: We may disclose information if required by law, subpoena, court order, or governmental regulation, or when we believe disclosure is necessary to protect our rights, your safety, or the safety of others.
  • Business Transfers: In the event of a merger, acquisition, reorganization, or sale of assets, your information may be transferred as part of that transaction. We will notify you via email or prominent notice on our Site prior to your information becoming subject to a different privacy policy.
  • With Your Consent: We may share information for any other purpose with your explicit consent.

We do not sell, rent, or trade your personal information to third parties for marketing purposes.

5. Data Security

We implement administrative, technical, and physical safeguards designed to protect your information, including:

  • TLS 1.2/1.3 encryption for all data in transit
  • AES-256 encryption for data at rest in our database systems
  • Role-based access controls following the principle of least privilege
  • Regular security assessments and vulnerability scanning of our own infrastructure
  • Secure software development practices including code review and dependency auditing

No method of transmission over the Internet or electronic storage is 100% secure. While we strive to use commercially reasonable means to protect your information, we cannot guarantee absolute security. In the event of a data breach affecting your information, we will notify you in accordance with applicable law.

6. Cookies and Tracking Technologies

We use the following technologies:

  • Essential Cookies: Required for authentication, session management, and security. These cannot be disabled.
  • Local Storage: Used to store scan count, scan history, and service tier data locally in your browser to manage your account and enforce scan limits.
  • Third-Party Cookies: Our authentication provider (Clerk) and payment processor (Stripe) may set cookies necessary for their services to function.

We do not use advertising cookies or tracking pixels. We do not participate in cross-site behavioral advertising.

7. Data Retention

  • Scan Results: Retained for twenty-four (24) months from the date of the scan to provide trend analysis, historical comparison, and compliance tracking.
  • Account Information: Retained for the duration of your account and for thirty (30) days following account deletion to allow for reactivation.
  • Payment Records: Retained for seven (7) years as required by applicable tax and financial regulations.
  • Local Storage Data: Stored in your browser until you clear your browser data or we update our storage schema.

You may request deletion of your data at any time by contacting us at stoicguard.leads@gmail.com. We will process deletion requests within thirty (30) days, except where retention is required by law.

8. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal information:

8.1 All Users

  • Access: Request a copy of the personal information we hold about you.
  • Correction: Request correction of inaccurate or incomplete personal information.
  • Deletion: Request deletion of your personal information, subject to legal retention requirements.
  • Portability: Request a machine-readable copy of your data.
  • Objection: Object to processing of your personal information for certain purposes.

8.2 California Residents (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (Cal. Civ. Code §1798.100 et seq.) and the California Privacy Rights Act, including:

  • The right to know what personal information is collected, used, shared, or sold
  • The right to delete personal information held by us and, by extension, by our service providers
  • The right to opt-out of the sale of personal information (we do not sell personal information)
  • The right to non-discrimination for exercising your privacy rights
  • The right to correct inaccurate personal information
  • The right to limit use and disclosure of sensitive personal information

To exercise these rights, contact us at stoicguard.leads@gmail.com or submit a verifiable consumer request. We will respond within forty-five (45) days.

8.3 Other State Privacy Laws

Residents of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), Oregon (OCPA), Montana (MCDPA), and other states with comprehensive privacy legislation may have additional rights. We honor all applicable state privacy rights. Contact us at stoicguard.leads@gmail.com to exercise any rights available under your state's law.

9. Children's Privacy

Our Services are not directed to individuals under the age of eighteen (18). We do not knowingly collect personal information from children under 18. If we learn that we have collected personal information from a child under 18, we will take steps to delete such information promptly. If you believe we have collected information from a child under 18, please contact us at stoicguard.leads@gmail.com.

10. International Data Transfers

Our Services are hosted in the United States. If you access our Services from outside the United States, your information may be transferred to, stored, and processed in the United States where our servers are located. By using our Services, you consent to the transfer of your information to the United States, which may have different data protection laws than your country of residence.

11. Third-Party Links

Our Site may contain links to third-party websites or services that are not operated by us. We have no control over, and assume no responsibility for, the content, privacy policies, or practices of any third-party websites or services. We encourage you to review the privacy policy of every site you visit.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page with a revised “Last Updated” date. For material changes that significantly affect your rights, we will provide additional notice via email (if you have provided one) or a prominent notice on our Site at least thirty (30) days before the changes take effect. Your continued use of the Services after the effective date of any changes constitutes your acceptance of the revised Privacy Policy.

13. Contact Information

For questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

StoicGuard

Privacy Officer

Email: stoicguard.leads@gmail.com

Website: stoicguard.com

We will acknowledge receipt of your request within five (5) business days and provide a substantive response within thirty (30) days, or forty-five (45) days for requests under the CCPA/CPRA.

This Privacy Policy is provided for informational purposes and constitutes a binding agreement between you and StoicGuard. This document does not constitute legal advice. StoicGuard recommends that covered entities and business associates consult with qualified legal counsel regarding their specific HIPAA compliance obligations. StoicGuard's services are designed to assist with security assessment and do not replace professional legal, compliance, or cybersecurity consulting services.