Privacy Policy — Bluffline

Privacy Policy

This Privacy Policy explains what information Bluffline LLC collects, how we use and protect it, who we share it with, and the rights patients and customers have over their data.

Last updated: May 8, 2026

1. Who We Are

Bluffline LLC ("Bluffline," "we," "us," "our") is a software company based in Utah, United States. We provide an AI SMS receptionist platform to dental practices. This Privacy Policy applies to information we collect through getbluffline.com, our customer dashboard, and the SMS conversations we power on behalf of participating dental practices.

This policy covers two groups:

  • Customers: dental practices and their staff who subscribe to Bluffline.
  • Patients: individuals who text a Bluffline-powered phone number provided by a participating dental practice.

2. Information We Collect

Information patients provide

When a patient of a participating dental practice texts a Bluffline-powered phone number, we receive and store:

  • Phone numbers — the mobile number the message is sent from.
  • Names — first and last name as recorded in the practice's intake or as the patient provides it during a conversation.
  • Appointment details — the type of visit, date, time, provider, and any scheduling preferences the patient shares.
  • Message content — the SMS messages sent and received in the conversation thread.
  • Consent records — the date, time, and method by which the patient opted in to receive SMS messages from the practice.

Information customers provide

When a dental practice signs up, we collect business contact information (practice name, address, billing email, phone number), the names and email addresses of staff users, calendar configuration, and payment details (processed by our payment processor; we do not store full card numbers).

Information collected automatically

We collect limited technical information when you use our website or dashboard, including IP address, browser type, device type, pages viewed, timestamps, and cookies used to keep you logged in and to measure aggregate usage. We do not use cross-site advertising trackers.

3. How We Use Information

We use the information described above to provide SMS scheduling services to participating dental practices and their patients. Specifically, we use it to:

  • Route SMS messages between patients and the AI assistant on behalf of the dental practice.
  • Schedule, reschedule, confirm, and cancel appointments on the practice's calendar.
  • Send appointment reminders, recall reminders, and replies to patient questions, in accordance with our SMS Messaging Policy.
  • Operate, maintain, debug, and secure the Bluffline platform.
  • Communicate with our customers about their account, billing, and product updates.
  • Comply with legal obligations and enforce our Terms of Service.

We do not use patient phone numbers, names, or message content for advertising. We do not sell, rent, or trade personal information.

4. Sharing & Third-Party Processors

We share information only as needed to deliver the service, and only with the following categories of recipients:

The participating dental practice

The practice that gave the patient the phone number is the covered entity and the controller of patient data. The practice's authorized staff can view the message thread, the appointment record, and the consent record for their own patients in the Bluffline dashboard.

Service providers (sub-processors)

Bluffline relies on a small number of vetted third-party processors that handle data on our behalf under written contracts. We disclose them transparently:

| Processor | Purpose | Data shared |
|---|---|---|
| Twilio, Inc. | Delivers and receives SMS messages between patients and the practice's phone number. | Phone numbers, message content, timestamps, delivery status. |
| Anthropic, PBC | Powers the AI assistant ("Riley") that drafts replies. Inputs are processed under Anthropic's commercial terms and are not used to train models. | Message content, conversation context, practice configuration. |
| Google LLC | Calendar integration (Google Calendar) and email delivery (Gmail / Workspace) for confirmations and notifications. | Appointment details, patient name, email address, calendar events. |
| Cloud hosting & database | Provides the secure infrastructure where Bluffline runs. Data is encrypted at rest. | All platform data, encrypted. |
| Payment processor | Processes monthly subscription payments from customer practices. | Customer (practice) billing information. Patient data is never shared with our payment processor. |

Legal disclosures

We may disclose information if required by valid legal process (such as a subpoena or court order), to comply with applicable law, to protect the rights, property, or safety of Bluffline or others, or in connection with a merger, acquisition, or sale of assets — in which case we will notify customers and continue to honor this policy.

5. How We Protect Data

We use industry-standard administrative, technical, and physical safeguards to protect data:

  • Encryption in transit using TLS 1.2+ on all connections to our website, dashboard, and APIs.
  • Encryption at rest for our databases and message logs.
  • Access controls — staff access to patient data is limited by role, logged, and reviewed.
  • Business Associate Agreements (BAAs) with sub-processors that handle protected health information.
  • Audit logging of staff actions inside the dashboard, including who viewed which message thread and when.
  • Regular backups with point-in-time recovery.

SMS itself is not an encrypted channel. We configure the AI assistant to keep messages limited to scheduling logistics and avoid sharing detailed clinical information by text. No security program can guarantee perfect protection; we will notify affected customers and individuals as required by law in the event of a breach.

6. Data Retention

We retain information only as long as needed to provide the service, comply with our legal obligations, resolve disputes, and enforce our agreements:

  • Active patient message threads & appointment records: retained for the duration of the practice's subscription, plus up to 7 years after the last interaction, consistent with typical dental record-keeping requirements. The practice may instruct us to delete sooner.
  • Consent records: retained for as long as the patient is opted in, plus 4 years after opt-out, to demonstrate that messages were sent with valid consent.
  • Opt-out records (STOP list): retained indefinitely so we never contact a number that has opted out.
  • Customer (practice) account data: retained for the life of the account, plus up to 12 months after cancellation. After that period, data is deleted or anonymized, except for billing records required by tax law.
  • Website analytics & logs: retained for up to 24 months.

A patient or customer may request earlier deletion as described in the next section.

7. Your Rights

Depending on where you live, you may have the right to:

  • Access the personal information we hold about you.
  • Correct information that is inaccurate or incomplete.
  • Delete your information, subject to legal record-keeping requirements that apply to dental practices.
  • Opt out of SMS messages at any time by replying STOP, as described in our SMS Messaging Policy.
  • Object to or restrict certain processing activities.
  • Receive a portable copy of the information you provided in a structured, machine-readable format.

Patients should generally direct access and deletion requests to their dental practice, which is the controller of the underlying patient record. If the practice asks Bluffline to fulfill the request, we will do so within 30 days. Customers can manage their account data directly in the dashboard or by emailing us. We will not retaliate against any individual for exercising these rights.

8. HIPAA Compliance

Each participating dental practice is the covered entity under the Health Insurance Portability and Accountability Act (HIPAA). Bluffline acts as a Business Associate under a signed Business Associate Agreement (BAA) with the practice. Our BAA describes the safeguards we maintain, the permitted uses and disclosures of protected health information (PHI), breach-notification obligations, and the return or destruction of PHI on termination.

Our sub-processors that handle PHI on our behalf — including Twilio, Anthropic, and Google — operate under their own BAAs with Bluffline.

9. Children's Privacy

Bluffline's services are not directed to children under 13. We do not knowingly collect information from children under 13 without verifiable parental consent. Where a parent or guardian provides consent for a minor patient to receive appointment-related SMS, those messages are sent to the parent's or guardian's phone number, not the child's. If you believe a child has provided us with personal information without consent, contact us and we will delete it.

10. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will revise the "Last updated" date at the top of this page. If we make material changes, we will notify customers by email and post a notice on our website at least 14 days before the change takes effect. Continued use of the service after the effective date constitutes acceptance of the revised policy.

11. Contact

For privacy questions, data access requests, or to file a complaint, contact us at:

Privacy & data requests

Bluffline LLC · Utah, United States

[email protected]