Coco
Legal

Privacy Policy

This Privacy Policy describes how Coco Technologies, LLC ("Coco," "we," "us") collects, uses, discloses, and protects information in connection with the Coco platform and related services.

Effective DateApril 27, 2026
Last UpdatedApril 27, 2026
Version1.0

1. Scope and applicability

This Privacy Policy applies to information processed by Coco Technologies, LLC ("Coco") in connection with the Coco platform, including our web application, mobile applications, and supporting websites (collectively, the "Service").

Coco is a business-to-business platform delivered to dental and orthodontic practices ("Practices"). It is not directed to consumers in their personal capacity. Most individuals whose information appears in the Service are either (a) Practice staff with authorized accounts, or (b) patients of a Practice whose information is entered into the Service by that Practice.

2. HIPAA and our role

When a Practice uses Coco to handle Protected Health Information ("PHI") as defined under the U.S. Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), Coco acts as a Business Associate of that Practice. The Practice is the Covered Entity and remains the data controller of PHI.

Coco enters into a Business Associate Agreement ("BAA") with each Practice. The BAA, together with the Practice's own Notice of Privacy Practices, governs how PHI is created, received, maintained, and transmitted on the Practice's behalf.

Patients of a Practice If you are a patient of a Practice that uses Coco and have questions about your health information, please contact your Practice directly. Your Practice — not Coco — is the appropriate point of contact for access requests, corrections, and disclosure questions concerning your PHI.

3. Information we collect

3.1 Information from Practice staff

When a member of a Practice creates or uses an account, we collect:

  • Name, work email address, role, and Practice affiliation
  • Authentication credentials and multi-factor authentication tokens
  • Device, browser, and IP information for security and audit purposes
  • Activity logs (logins, actions performed within the Service, timestamps)

3.2 Information about patients (entered by Practices)

Practices use Coco to manage patient consultations, treatment proposals, and follow-up. Patient information processed through the Service may include:

  • Demographic and contact information (name, date of birth, address, phone, email)
  • Responsible party and guardian information for minor patients
  • Insurance and benefits information
  • Clinical information entered by the Practice (e.g., treatment plans, clinical notes that the Practice elects to associate with a Coco case)
  • Treatment proposal contents, payment plan selections, and signed agreements
  • Communications between the Practice and the patient that occur through the Service (e.g., follow-up text or email)

3.3 Information from automated processing

The Service generates and stores:

  • Audit log entries for financial, contractual, and clinical-adjacent actions
  • Decision and override records, including reason codes
  • AI interaction transcripts where Coco Assist or Coco's patient-facing AI features are used

3.4 Information you provide directly to Coco

If you contact Coco (for example, by emailing support or filling out a form on our website), we collect the information you provide, including your name, email, and the contents of your message.

4. How we use information

Coco uses information for the following purposes:

  • Service delivery. To operate, maintain, and provide features of the Service to Practices and authorized users.
  • Treatment workflows. To present treatment proposals, generate payment plan options governed by deterministic practice-defined rules, route digital agreements for signature, and execute structured patient follow-up on behalf of the Practice.
  • AI assistance. To power Coco Assist (an internal coaching layer for treatment coordinators) and patient-facing AI features authorized by the Practice. AI features operate within practice-defined boundaries and never finalize financial outcomes autonomously.
  • Security and integrity. To detect, prevent, and respond to fraud, abuse, security incidents, and violations of our terms.
  • Auditability. To maintain immutable audit trails of meaningful actions, as required by Practices and applicable regulations.
  • Compliance. To comply with legal obligations and respond to lawful requests.
  • Communication. To respond to inquiries and notify Practice administrators of material changes to the Service.

We do not sell personal information. We do not use PHI to train general-purpose AI models. We do not use Practice or patient data for cross-Practice advertising.

5. When we share information

We share information only in the following circumstances:

  • With the Practice. Patient information is shared with — and remains accessible to — the Practice that authorized its collection.
  • Subprocessors. We use a limited set of vendors to deliver the Service, including cloud infrastructure (Microsoft Azure), payment processors, electronic signature providers, communications providers (SMS and email), and AI inference providers. These subprocessors are bound by written agreements that include appropriate confidentiality and, where applicable, HIPAA-aligned safeguards.
  • Legal process. We may disclose information if required by law, subpoena, or other valid legal process, or when we believe disclosure is necessary to protect rights, safety, or property.
  • Corporate transactions. In the event of a merger, acquisition, financing, or sale of assets, information may be transferred to the successor entity, subject to this Privacy Policy and applicable BAAs.

6. Payment information

When a Practice or patient submits payment, card and bank information is collected and processed by a PCI-DSS compliant third-party payment processor. Coco does not store full payment card numbers on its own systems. We retain transaction metadata (such as the last four digits of the card, transaction amount, status, and timestamps) to support the financial audit trail.

7. Data security

Coco implements administrative, physical, and technical safeguards designed to protect information against unauthorized access, disclosure, alteration, and destruction. These include:

  • Encryption of data in transit and at rest
  • Role-based access control across Provider, Treatment Coordinator, Office Manager, Organization Admin, and Super Admin tiers
  • Multi-factor authentication for staff accounts
  • Logical tenant- and location-level data partitioning
  • Continuous logging and monitoring of administrative and security events
  • Regular vulnerability and security assessments

No method of transmission or storage is perfectly secure. We work to protect information but cannot guarantee absolute security.

8. Retention

Coco retains information for as long as a Practice's account is active and for such additional periods as required to (i) meet contractual obligations to the Practice, (ii) comply with legal, regulatory, or audit requirements, and (iii) resolve disputes. Audit log entries and other records required for the integrity of financial and clinical-adjacent activity are retained on an extended schedule.

Upon termination of a Practice's agreement and at the Practice's request, Coco will provide a structured export of the Practice's data, after which Coco will delete or de-identify Practice information in accordance with applicable law and the BAA.

9. Your rights

9.1 If you are a patient

Because Coco processes patient information on behalf of the Practice, requests to access, correct, restrict, or delete patient information should be directed to the Practice. The Practice will work with Coco as needed to fulfill your request consistent with HIPAA and applicable law.

9.2 If you are Practice staff

You may request to access, correct, or delete account information directly tied to your individual user account by contacting your Practice administrator or Coco.

9.3 State privacy rights

Some U.S. state privacy laws (such as the California Consumer Privacy Act, as amended) provide additional rights to residents. To the extent these laws apply to information processed by Coco outside of its role as a Business Associate, we honor applicable rights to know, delete, correct, and limit the use of personal information. To exercise these rights, contact us at the address below.

10. Children's privacy

Coco is not directed to children, and we do not knowingly collect information from children for our own purposes. Information about pediatric patients is entered into the Service by Practices in the course of providing care, and is treated as PHI under the Practice's BAA. Practices are responsible for any consents required from parents or legal guardians for the treatment of minor patients.

11. International users

Coco is operated from the United States, and all data is processed and stored in U.S. Azure regions designated for the Practice. The Service is intended for use by U.S.-based Practices. If you access the Service from outside the United States, you do so at your own initiative and are responsible for compliance with local laws.

12. Changes to this policy

We may update this Privacy Policy from time to time. The "Last Updated" date at the top of this page will reflect the most recent revision. For material changes, we will provide notice through the Service or by email to Practice administrators.

13. Contact us

For questions about this Privacy Policy or our data practices:

Coco Technologies, LLC 420 N Oak Street
Hinsdale, IL 60521
United States

hello@cocointel.com