Privacy Policy
Cao Consulting LLC ("NextGen Practice Solutions," "we," "us," or "our") operates nextgenpractice.org and provides AI-powered practice management services to dental practices. This Privacy Policy describes how we collect, use, and protect information when you use our website, complete a Practice Scan assessment, or engage our services.
By accessing our website or submitting information through any of our forms, you agree to the practices described in this policy.
Information you provide directly. When you complete a Practice Scan, book a demo, or contact us, we may collect:
- Name, email address, and phone number
- Practice name, location, and size
- Practice performance data you enter into assessment forms
- Communication preferences and inquiry details
Information collected automatically. When you visit our website, we automatically collect standard web analytics data including IP address, browser type, pages visited, and referral source. This data is used solely to improve our website and services.
Practice data. If you become a client, we collect practice performance data you connect to our platform through integrations with your practice management software, scheduling tools, and communication systems. This data is used exclusively to deliver the services you've contracted for.
We use the information we collect to:
- Deliver your Practice Scan results and personalized recommendations
- Provide and improve our AI-powered practice management services
- Communicate with you about your account, proposals, and service updates
- Respond to inquiries and provide customer support
- Comply with legal obligations
We do not sell your data. We do not sell, rent, or trade your personal information or practice data to third parties for marketing purposes. Ever.
We do not use your data to train AI models. Practice data you share with us is used exclusively to deliver your contracted services — not to train, fine-tune, or improve AI models for any other client or purpose.
We use the following third-party services to operate our platform. Each is bound by their own privacy policies and, where applicable, our data processing agreements:
- Supabase — Database and authentication infrastructure. Data is stored in US-based servers with encryption at rest and in transit.
- GoHighLevel (GHL) — CRM and communication automation for client practices. Used to manage leads, appointments, and outbound communications on your behalf.
- Vapi — AI voice call infrastructure used by Giselle for inbound and outbound patient calls.
- Vercel — Website hosting and deployment infrastructure.
- Slack — Used to deliver Daily Pulse briefs and practice alerts to authorized practice users.
- Notion — Used for internal operations and, where applicable, client-facing reporting dashboards.
We only share data with third parties to the extent necessary to deliver the services you've requested. We do not authorize these providers to use your data for their own marketing purposes.
All practice data is stored in US-based infrastructure. We implement industry-standard security measures including:
- Encryption in transit (TLS 1.2+) and at rest (AES-256)
- Role-based access controls limiting data access to authorized personnel only
- Regular security reviews of our infrastructure and third-party integrations
- Secure credential management — we never store plaintext passwords
In the event of a data breach that affects your personal information, we will notify you within 72 hours of discovery, consistent with applicable law.
Our website uses minimal cookies strictly necessary for site functionality. We do not use third-party advertising cookies or cross-site tracking technologies.
We may use anonymous analytics to understand how visitors use our site. This data is aggregated and cannot be used to identify individual visitors.
You can disable cookies in your browser settings. Doing so will not meaningfully impair your ability to use our website.
Depending on your jurisdiction, you may have the right to:
- Access the personal information we hold about you
- Request correction of inaccurate information
- Request deletion of your personal information
- Opt out of marketing communications at any time
- Receive a copy of your data in a portable format
To exercise any of these rights, contact us at privacy@nextgenpractice.org. We will respond within 30 days.
California residents. If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA). We do not sell personal information as defined by the CCPA. You may submit a verifiable consumer request to know, delete, or opt out by contacting us at the address above.
To the extent our services involve access to Protected Health Information (PHI) belonging to your patients, we handle such information in accordance with HIPAA requirements, including the Privacy Rule, Security Rule, and Breach Notification Rule.
PHI is used exclusively to deliver the services described in your Service Agreement and BAA. We do not use PHI for any secondary purpose without your explicit authorization.
For more detail on our HIPAA compliance posture, visit nextgenpractice.org/hipaa.
Our services are designed for dental practice owners and operators. We do not knowingly collect personal information from children under 13. If you believe a child has provided us with personal information, contact us immediately at privacy@nextgenpractice.org and we will delete it promptly.
We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last updated" date at the top of this page and, where appropriate, notify active clients by email.
Your continued use of our website or services after any change constitutes your acceptance of the revised policy.
If you have questions, concerns, or requests related to this Privacy Policy, contact us at: