Privacy Policy
Last updated: July 17, 2026
Soulware Studio LLC ("Soulware," "we," "us") builds software including Dental Scribe and Promethic (our "Services"). This Privacy Policy explains what personal information we collect, why, and what choices you have. It applies to our website, our Services, and anyone who signs up for, administers, or otherwise interacts with an account with us.
If you are a patient of a dental practice that uses Dental Scribe: this Privacy Policy does not apply to your health information — your dental office's own Notice of Privacy Practices governs your health information instead. Soulware acts as your dental office's business associate under a signed Business Associate Agreement, and our systems are designed so that patient health information does not flow through our cloud infrastructure in the ordinary course. See "How Dental Scribe Handles Health Information" below.
Information We Collect
We collect information you provide directly (including through your organization's administrators when they set up or manage an account), and some information automatically as you use our Services.
| Category | Examples |
|---|---|
| Account & identity | Name, email address, office/company name, password (stored as a salted hash by our authentication provider) |
| Business agreement records | Practice legal name, signer name and title, and the date/time and device used to accept an agreement with us (e.g., a Business Associate Agreement) |
| Billing | Billing name and email, subscription status; payment card details are collected and stored by our payment processor (Stripe), not by us |
| Device & usage | Device identifiers, device name, app version, sign-in timestamps, feature usage counts, and (for Dental Scribe) cumulative dictation minutes — never the content of what was dictated |
| Support communications | Messages and attachments you send us by email. Please don't send patient charts or other health information through ordinary email; if we receive it anyway, it's handled under our HIPAA obligations and our Business Associate Agreement with your practice, not this Privacy Policy. |
We do not knowingly collect precise geolocation, biometric identifiers, or (outside of the HIPAA-governed Dental Scribe architecture described below) health information. For Promethic specifically: we do not log your prompt content, input, or output text in production — Promethic's optional debug logging that can capture content for local troubleshooting is opt-in, runs only on your machine, and is never transmitted to our servers.
How We Use Information
- To provide, maintain, and secure our Services, including authenticating your account and enforcing device/session controls;
- To process payments and manage subscriptions;
- To communicate with you — service notices, security alerts, support responses, and, where you've agreed, product updates;
- To maintain records we are legally required to keep, such as executed agreements and billing/audit trails;
- To understand aggregate usage of our Services so we can improve them;
- To improve our products using practice configuration data and de-identified clinical data, as described in "Product Improvement Data" below;
- To comply with law and enforce our agreements.
Product Improvement Data
For Dental Scribe, we may use your practice's catalog configuration data — including procedure mappings, treatment definitions, and any notes or tips added while customizing it — to operate, support, and improve our Services, including building better default catalogs for all customers (governed by our Terms of Service, Section 5). Separately, and not yet active since we haven't built this capability, we may in the future use de-identified health information, with patient and practice identifiers removed under HIPAA's Safe Harbor standard and aggregated across practices, to improve our products (governed by our Business Associate Agreement with your practice, Section 3.13). You may opt out of either use at any time by emailing privacy@soulware.studio, without affecting your access to the Services; opt-out is prospective and doesn't unwind improvements already created before it.
How Dental Scribe Handles Health Information
Dental Scribe is designed so that patient health information (audio, transcripts, chart content) does not flow through Soulware's cloud systems in the ordinary course of using the product. Dictation audio streams directly from the dental office's computer to OpenAI, our subcontracted transcription provider, under a signed Business Associate Agreement with Zero Data Retention; it does not pass through our servers. Our cloud systems handle only account data, device/session records, encrypted practice-management system credentials, non-patient reference data (procedure codes, diagnosis lists), and usage counters.
Health information can still reach us incidentally — for example, if it's pasted into a support email, or visible on screen during a support session the office requested. When that happens, it is protected under our Business Associate Agreement with the office, and we delete it promptly once it's no longer needed for the support purpose it was shared for. A detailed, per-vendor accounting of this architecture is available to our office customers on request.
Who We Share Information With
We do not sell personal information, and we do not share it for cross-context behavioral advertising, as those terms are defined under California law — and more plainly, we do not use advertising trackers or ad pixels on our Services. We share information only with the service providers who help us operate, for the legal/safety reasons below, or with a successor:
- Shared across our products — cloud hosting and database (Fly.io), authentication (Supabase), transactional email (Resend), payment processing (Stripe).
- Dental Scribe — dictation audio streams directly from the dental office's computer to OpenAI for transcription, under a signed Business Associate Agreement with Zero Data Retention; it is not routed through our servers.
- Promethic — when you run a prompt, your input is sent to OpenAI's API for processing (governed by OpenAI's privacy policy); if you opt in to cloud sync, attachments you add to prompts are stored with Tigris (S3-compatible object storage); the Promethic website uses Umami, a privacy-focused analytics tool, to count page visits — it does not use cookies or cross-site tracking and does not support advertising.
- Legal and safety reasons — if required by law, subpoena, or to protect the rights, property, or safety of Soulware, our customers, or others.
- A successor in the event of a merger, acquisition, or sale of assets, subject to this policy or a successor policy.
Data Retention
We keep account information for as long as your account is active, and for a reasonable period after to allow you to reactivate it. Records we are legally required to retain, or that we keep as an audit trail of security-relevant actions — such as the record of an executed Business Associate Agreement, credential-release logs, and billing records — are kept for the period required by law or our own security practices (generally up to six years) even after an account is closed or other account information is deleted. For Promethic specifically: cloud-synced content you delete (prompts and records) is soft-deleted and removed permanently after 30 days. You may ask us to delete other account information at any time; see "Your Choices and Rights" below.
Your Choices and Rights
Where a state privacy law applies to us and to your information, you may have rights to know what personal information we hold about you, to request a copy of it, to correct it, or to request deletion, to appeal a denial of your request, and to designate an authorized agent to act on your behalf (we may ask an agent for proof of authority and may still verify your identity directly). Because we do not currently sell personal information or share it for cross-context behavioral advertising, there is no sale or share to opt out of; if that ever changes, we will describe how to opt out here, including honoring recognized opt-out signals. To exercise any of these rights, email us at privacy@soulware.studio; we will respond within the time required by applicable law.
Security
We use encryption in transit (TLS) and, for our most sensitive stored credentials, encryption at rest, along with access controls, audit logging, and device-approval gates. No system is perfectly secure, but we design for the principle of least data — the best-protected information is information we never receive in the first place.
Children's Privacy
Our Services are business software intended for use by adults on behalf of a company or practice. We do not knowingly collect personal information from children.
International Users
Our Services are operated from the United States, and information we collect is processed and stored in the United States.
Changes to This Policy
We may update this Privacy Policy from time to time. We will post the updated version here with a new "Last updated" date; if a change is material, we will make reasonable efforts to notify account holders directly.
Contact Us
Questions about this policy or your information: privacy@soulware.studio.