Legal

Privacy Policy

What we collect, why we collect it, and how we keep patient information protected as a HIPAA Business Associate.

Last updated June 20, 2026

Overview

Notifirm provides appointment reminders, two-way patient messaging, waitlist auto-fill, and billing tools for dental and health practices. This policy explains what information we collect, how we use it, and the choices you have. It covers our website and the Notifirm application.

Plain version: we collect what we need to run the service for your practice, we never sell your data, and we treat patient information as protected health information from the first message to the last.

Our two roles

We wear two hats. For account and billing data about the practices that buy Notifirm, we act as the business that decides how that data is used. For patient information that a practice loads into Notifirm, we act only as a service provider, handling it on the practice's instructions.

Under HIPAA, that second role makes Notifirm a Business Associate. We handle protected health information on behalf of the practice, which is the Covered Entity. See our HIPAA and BAA page for the details.

Information we collect

We collect a few clear categories of information:

  • Account information: your name, work email, practice name, role, and team members you invite.
  • Billing information: your plan and payment status. Card numbers are handled directly by Stripe, our payment processor. We never see or store full card numbers.
  • Patient information: names, phone numbers, email addresses, and appointment details that your practice adds so we can send reminders and route replies. This is protected health information.
  • Usage information: how you use the app, such as pages viewed, features used, device and browser type, and rough location from your IP address.
  • Support information: messages you send us and the contents of those conversations.

How we use information

We use information to:

  • Run the service: send reminders, read and route replies, fill cancelled slots from the waitlist, and record no-show fees.
  • Operate your account: sign you in, manage your team, and handle billing through Stripe.
  • Support you: answer questions and troubleshoot issues.
  • Improve Notifirm: understand which features help and where the product can be calmer.
  • Keep things safe: detect abuse, prevent fraud, and protect the security of the service.

We do not sell personal information, and we do not use patient information for advertising. We only use patient information to provide the service to your practice.

When we share, and our subprocessors

We share information only with the providers that help us run Notifirm, and only as much as they need. The providers that may handle protected health information sign a Business Associate Agreement with us first.

  • Google Cloud: hosting, sign-in, and the database that stores your data. Covered by a BAA.
  • Amazon Web Services (SES): delivery of reminder and notification emails. Covered by a BAA.
  • Telnyx: delivery of two-way SMS messages. Covered by a BAA.
  • Stripe: subscription billing for your practice. Stripe handles your payment details, not patient health information, so no BAA is required.

We may also share information to comply with the law, to enforce our terms, or as part of a merger or acquisition, in which case we will let you know. We never sell your data.

How we protect information

Protected health information is encrypted in transit and at rest. Access to patient data flows through our authenticated application servers, and direct client access to that data is denied by default. We limit who on our team can reach production data, keep audit trails, and review access regularly.

No system is perfectly secure, but security is a first-class part of how Notifirm is built, not an afterthought. Our safeguards are described in more detail on the HIPAA page.

Data retention

We keep account and patient information for as long as your practice has an active account, and for a reasonable period afterward to meet legal, billing, and audit obligations. When you close your account, you can ask us to export or delete your data, and we will do so unless we are required to retain it by law or by our agreement with you.

Your choices and rights

Depending on where you live, you may have the right to access, correct, export, or delete personal information we hold about you. Practices can manage most account data directly in the app.

For patient information, requests from patients are handled through the practice, since the practice controls that data. If a patient contacts us directly, we will route the request to the right practice. To make a request about your own account, email privacy@notifirm.com.

Cookies and analytics

We use a small number of cookies to keep you signed in and to understand how the product is used so we can improve it. We do not use third-party advertising cookies. You can control cookies through your browser settings, though signing in requires a session cookie to work.

Children's privacy

Notifirm is a tool for practices and their staff, and is not directed to children. A practice may add a minor patient's appointment information, which we handle as protected health information on the practice's behalf and never for any other purpose.

Changes to this policy

We may update this policy as Notifirm grows or as the law changes. When we make a meaningful change, we will update the date above and, where appropriate, let you know in the app or by email. Continuing to use Notifirm after an update means you accept the revised policy.

Contacting us

Questions about privacy can go to privacy@notifirm.com. For anything else, visit our contact page.

Questions about this page?

Reach our team at privacy@notifirm.com and we will get back to you within two business days.