Privacy Policy
1. Who We Are
NexV Inc. ("NexV," "we," "our," or "us"), a subsidiary of iSimplifyMe, operates the NexV dental practice management platform at app.nexv.ai and the NexV mobile application.
This Privacy Policy explains how we collect, use, store, and protect information when you use our services. By using NexV, you agree to the practices described in this policy.
For privacy inquiries, contact us at ai@isimplifyme.com.
2. Information We Collect
Practice Data
When you register, we collect your practice name, address, phone number, and provider details. We also collect practice configuration data including operatory setup, appointment schedules, fee schedules, and billing records entered during onboarding and ongoing use.
Patient Data
Patient records entered into NexV may include names, dates of birth, contact details, dental charts, treatment plans, clinical notes (SOAP notes), imaging (X-rays, intraoral photos), and appointment history. All patient data is entered and managed by authorized practice staff.
Usage Data
We collect anonymized usage data including login timestamps, feature interactions, and page views. We use Plausible Analytics, which is privacy-focused, does not use cookies, and does not track individuals.
Payment Data
Subscription billing is processed by Stripe. We do not store credit card numbers or bank account details on our servers. Stripe handles all payment data in compliance with PCI DSS Level 1.
Communications Data
When you use NexV's communication features, we process SMS messages (via Amazon SNS), email notifications (via Amazon SES), and AI phone agent call recordings and transcripts (via Amazon Connect). These records are stored to support continuity of patient care.
3. How We Use Information
Service delivery. We use your data to provide, maintain, and operate the NexV platform, including appointment scheduling, patient records, charting, billing, imaging, and communications.
AI processing. NexV's AI-powered features, including the phone agent, clinical decision support, X-ray analysis, clinical scribe, and smile design, process practice and clinical data to deliver assistive recommendations. See Section 4 for details on how AI processing works.
Analytics. Anonymized, aggregated usage data helps us understand how the platform is used and where to improve. We never use identifiable patient data for product analytics.
Communications. We use your contact information to send service notifications, billing alerts, and product updates. You can opt out of non-essential communications at any time.
Legal compliance. We may process data as required to comply with applicable laws, regulations, or valid legal requests, including healthcare reporting obligations.
4. AI and Data Processing
This section is critical to understanding how NexV handles patient data in the context of AI.
All AI processing occurs within NexV's AWS infrastructure. X-rays, clinical images, SOAP notes, and other patient data are processed by Amazon Bedrock and Amazon SageMaker within the same AWS account and region as the practice's data. No patient data is transmitted to external AI provider endpoints — all inference runs within NexV-managed AWS services.
No patient data is used for model training. NexV's AI models are trained exclusively on public datasets. Your patient data is never used to train, fine-tune, or improve any AI model, whether ours or any third party's.
No data leaves your region. AI inference happens in the same AWS region where your practice data resides (us-east-1 for US practices, ap-southeast-2 for AU practices). Data does not cross regional boundaries for AI processing.
AI outputs are decision-support tools only. AI features such as X-ray analysis, clinical scribe, and smile design are designed to assist qualified dental professionals. They do not replace clinical judgment and must be reviewed by a licensed clinician before use in patient care.
Patient consent. Patient consent for AI-assisted analysis is tracked within the platform and is required before clinical data is processed by AI features. Practices may record consent via the patient portal, kiosk, or verbal confirmation documented by staff. Patients may revoke consent for AI processing at any time through their practice.
5. Data Storage and Security
All data is hosted on Amazon Web Services (AWS) infrastructure. We implement the following security measures:
- Encryption at rest: AES-256 encryption via AWS Key Management Service (KMS) with customer-managed encryption keys and automatic annual key rotation.
- Encryption in transit: TLS 1.2 or higher for all data transmitted between your browser, our APIs, and AWS services.
- Access control: Role-based access control with full tenant isolation. Each practice's data is logically separated and inaccessible to other tenants.
- Authentication: Amazon Cognito with separate user pools for staff and patients. Multi-factor authentication (TOTP) is required for all staff accounts.
- Audit logging: All data access and administrative actions are logged via AWS CloudTrail.
- Infrastructure protection: AWS Web Application Firewall (WAF) protects against common exploits. Regular security assessments are conducted.
- Session management: Authenticated sessions automatically expire after 30 minutes of inactivity. Users are warned before session expiry and must re-authenticate to continue.
- Data export logging: All data access and export operations are recorded in the audit trail with timestamps, user identity, and scope of data accessed.
6. Data Residency
NexV currently operates in the following region:
- United States: us-east-1 (Virginia)
Australian data residency (ap-southeast-2, Sydney) is on our infrastructure roadmap. Until the Sydney region is available, Australian practices should be aware that data is hosted in the US region. We will notify all Australian practice administrators when local data residency becomes available.
All practice data, patient records, clinical images, and AI processing remain within the hosting region. Data does not leave the region.
7. Third-Party Services
We share data only with the following service providers, strictly to operate the platform:
- Stripe — Subscription billing and payment processing. Stripe processes payment data under its own PCI DSS Level 1 certification. No patient data is shared with Stripe.
- Amazon SNS — SMS appointment reminders and notifications sent on behalf of your practice.
- Amazon SES — Transactional email delivery for appointment confirmations, billing receipts, and system notifications.
- Amazon Connect — AI phone agent infrastructure for inbound and outbound patient calls.
- Plausible Analytics — Privacy-focused, cookie-free website analytics for the nexv.ai marketing site. No personally identifiable information (PII) is collected. No patient data is involved.
No patient data leaves NexV's AWS infrastructure for AI processing. All AI inference — including X-ray analysis, clinical scribe, smile design, and phone agent NLU — is performed by Amazon Bedrock and Amazon SageMaker within NexV's own AWS accounts. Patient data is not transmitted to any external AI provider endpoint.
Each service provider is bound by contractual obligations to protect your data. We do not permit service providers to use your data for their own purposes.
8. HIPAA Compliance (US)
NexV acts as a Business Associate under the Health Insurance Portability and Accountability Act (HIPAA) for practices operating in the United States.
Business Associate Agreement (BAA). We execute a BAA with each practice prior to processing protected health information (PHI). To request a BAA, contact ai@isimplifyme.com.
PHI safeguards. Our platform implements administrative, physical, and technical safeguards required under HIPAA, including access controls, audit trails, encryption at rest and in transit, workforce training, and incident response procedures.
Minimum necessary standard. NexV accesses, uses, and discloses PHI only to the minimum extent necessary to provide the service. Support staff access patient data only when required to resolve a specific support request initiated by the practice.
Breach notification. In the event of a breach of unsecured PHI, NexV will notify the affected practice without unreasonable delay and no later than 60 days after discovery, as required under 45 CFR 164.410. We will cooperate with the practice in meeting its notification obligations to affected individuals and the Department of Health and Human Services.
9. Australian Privacy Principles (AU)
For practices operating in Australia, NexV complies with the Australian Privacy Principles (APPs) under the Privacy Act 1988 (Cth).
APP compliance summary:
- APP 1 (Open and transparent management): This policy describes how we manage personal information. Our practices are open and documented.
- APP 2 (Anonymity and pseudonymity): Where practicable, individuals may interact with NexV without identifying themselves. Clinical record-keeping requires identification by law.
- APP 3 (Collection): We collect personal information only when it is reasonably necessary for dental practice management and directly related to our functions.
- APP 4 (Unsolicited information): If we receive personal information we did not solicit and determine we could not have collected it under APP 3, we will destroy or de-identify it.
- APP 5 (Notification): At or before the time of collection, we take reasonable steps to notify individuals of the purposes of collection, as described in this policy.
- APP 6 (Use and disclosure): We use and disclose personal information only for the primary purpose of collection (dental practice management) or a directly related secondary purpose the individual would reasonably expect.
- APP 7 (Direct marketing): We do not use patient personal information for direct marketing. Practice administrators receive service communications only.
- APP 8 (Cross-border disclosure): Australian practice data is currently hosted on AWS infrastructure in the United States (us-east-1, Virginia). This constitutes a cross-border disclosure. NexV ensures that data transferred overseas is subject to equivalent protections through contractual arrangements with AWS that require compliance with the APPs. Australian data residency (ap-southeast-2) is planned, and practices will be notified when local hosting becomes available.
- APP 9 (Government identifiers): We do not adopt, use, or disclose government identifiers (e.g., Medicare numbers) except as permitted by law.
- APP 10 (Quality): We take reasonable steps to ensure personal information is accurate, up-to-date, and complete. Practices can update records at any time through the platform.
- APP 11 (Security): We protect personal information from misuse, interference, loss, and unauthorized access through the measures described in Section 5.
- APP 12 (Access): Individuals may request access to their personal information held by us. Contact your dental practice, who can facilitate access through the NexV platform.
- APP 13 (Correction): Individuals may request correction of inaccurate personal information. Contact your dental practice to request corrections.
Notifiable Data Breaches. NexV complies with the Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act 1988. If we become aware of an eligible data breach involving personal information of Australian individuals, we will notify the affected practice and the Office of the Australian Information Commissioner (OAIC) within 72 hours.
Complaints. If you believe NexV has breached the APPs, you may lodge a complaint with us at ai@isimplifyme.com. We will respond within 30 days. If you are not satisfied with our response, you may lodge a complaint with the OAIC at oaic.gov.au.
10. Data Retention
Practice data and patient records are retained for the duration of your active subscription.
Upon account cancellation, all data is retained for 90 days to allow for data export. After 90 days, data is permanently and irrecoverably deleted upon request. You may request early deletion by contacting ai@isimplifyme.com.
Audit logs are retained for 7 years to satisfy regulatory and compliance requirements.
Certain data may be retained longer if required by applicable law (e.g., healthcare record retention mandates in your jurisdiction).
11. Your Rights
Depending on your jurisdiction, you have the following rights regarding your personal information:
- Access: Request a copy of the personal information we hold about you or your practice.
- Correction: Request correction of inaccurate or incomplete information.
- Deletion: Request deletion of your data, subject to legal retention requirements.
- Data portability: Export all practice data and patient records in CSV format at any time through the platform or by contacting us.
- Complaint: Lodge a complaint about our data handling practices.
Patients: If you are a patient of a dental practice that uses NexV, contact your dental practice directly to exercise your rights. The practice is the data controller for your clinical records.
Practices: Contact ai@isimplifyme.com for access, correction, deletion, or export requests. We will respond within 30 days.
12. Cookies
NexV does not use tracking cookies.
Our analytics provider, Plausible, is entirely cookie-free and does not track individual users or collect PII.
The NexV application (app.nexv.ai) uses session storage (not cookies) for authentication tokens. No advertising cookies, tracking pixels, or third-party marketing cookies are used anywhere on our platform.
13. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or applicable law.
We will notify practice administrators of material changes via email at least 30 days before they take effect. Continued use of the platform after changes constitutes acceptance of the updated policy.
14. Contact
For privacy inquiries, data requests, or questions about this policy:
NexV Inc.
A subsidiary of iSimplifyMe
Email: ai@isimplifyme.com
Web: nexv.ai