Legal

Privacy Policy

Effective date: April 1, 2026

1. Who We Are

Lumera Dental (“Lumera,” “we,” “us,” or “our”) operates a dental laboratory and a software portal used by dental practices and their staff (collectively, “Clinicians”) to submit cases, exchange files and scans, track production, review billing, and communicate with our lab team. This Privacy Policy explains how we handle personal information and, where applicable, Protected Health Information (“PHI”) when you interact with our website at lumeradental.com, our portal, our emails, and our laboratory services (collectively, the “Services”).

In the course of providing dental laboratory services, Lumera acts as a Business Associate under the U.S. Health Insurance Portability and Accountability Act (“HIPAA”) to dental practices that are Covered Entities. Our handling of PHI is governed by our Business Associate Agreement (“BAA”) with each such Clinician and by the HIPAA Privacy and Security Rules.

2. Scope

This Policy covers information collected through:

  • our marketing website, including the contact and signup forms;
  • the Lumera clinician portal (sign-in, case submission, messaging, files, billing);
  • integrations with intraoral scanner platforms you choose to connect (e.g., iTero, 3Shape, Straumann);
  • email and other communications with our team.

It does not cover third-party websites or services we link to but do not control, including the scanner manufacturers’ portals.

3. Information We Collect

3.1 Information you provide

  • Account & contact details: name, professional role, clinic name, email address, phone number, mailing/shipping address, and login credentials.
  • Case submissions and Protected Health Information: patient identifiers (such as first/last name or chart number), tooth numbers, prescriptions, shade and material selections, clinical notes, intraoral scans, photographs, design files, and other dental records uploaded for the purpose of fabricating a restoration.
  • Communications: messages, comments, and attachments you and your staff exchange with our lab team inside the portal or by email.
  • Billing information: invoice records, payment status, and limited payment metadata. Card numbers and bank details are handled directly by our payment processor — Lumera does not store full card numbers.

3.2 Information collected automatically

  • Device and log data: IP address, browser type and version, operating system, referring page, pages viewed, and timestamps. These are used to operate the Services and detect abuse.
  • Cookies and similar technologies: see Section 7.
  • Diagnostic data: sanitized error reports and performance traces from our error-monitoring tooling. We scrub identifiers (emails, invoice IDs, tracking numbers, internal record IDs) before transmission and we do not ship application console logs to third parties.

3.3 Information from third parties

  • Connected scanner platforms: when you connect your scanner account to Lumera, the platform shares case files and metadata necessary to fulfill your order.
  • Shipping carriers: tracking events for outbound packages.

4. Protected Health Information (HIPAA Notice)

When PHI is provided to us by or on behalf of a dental practice that is a Covered Entity, Lumera acts as a Business Associate. We use and disclose PHI only as permitted by our BAA and by HIPAA, which generally means:

  • to fabricate and deliver the restoration or laboratory work requested;
  • to communicate with the submitting Clinician about the case;
  • to bill for our services and maintain required records;
  • as required by law, including in response to valid legal process; and
  • for the proper management and administration of Lumera, consistent with HIPAA.

We do not sell PHI. We do not use or disclose PHI for marketing. We do not use PHI to train generic machine-learning models. We apply the “minimum necessary” standard: access to PHI is restricted to personnel and subprocessors who need it to perform their function.

If you are a patient and would like to exercise rights with respect to your PHI (access, amendment, accounting of disclosures), please contact your dental practice — they are the Covered Entity and the appropriate point of contact under HIPAA. We will support your practice in responding to your request.

5. How We Use Information

We use the information described above to:

  • create and secure Clinician accounts and authenticate users;
  • accept, design, fabricate, and ship dental restorations and related products;
  • communicate with you about cases, shipments, scheduling, and support;
  • process invoices, payments, refunds, and related accounting records;
  • operate, maintain, monitor, and improve the security and performance of the Services;
  • detect, prevent, and respond to fraud, abuse, security incidents, and unlawful activity;
  • comply with our legal, tax, and regulatory obligations; and
  • with your consent, send product updates and marketing communications you can opt out of at any time.

6. How We Share Information

We do not sell personal information or PHI. We share information only with vetted service providers that need it to deliver the Services on our behalf, with other parties at your direction (for example, the recipient of a shipment), or as required by law.

Categories of recipients with whom we may share information include:

  • cloud hosting and database providers;
  • file and object storage providers used for scans, design files, and PDFs;
  • transactional email delivery provider;
  • payment processor (card and bank details are handled directly by the processor — Lumera does not store full card numbers);
  • shipping carriers and shipping-label providers;
  • realtime messaging provider (used only for non-PHI channel notifications);
  • error-monitoring and operational-telemetry provider (data is scrubbed of identifiers before transmission).

Where any such provider may process PHI on our behalf, it is bound by a HIPAA Business Associate Agreement or is configured so PHI does not reach it. We do not publicly list specific vendor names; an authorized Clinician, auditor, or regulator may request our current subprocessor list under appropriate confidentiality obligations.

We may also share information:

  • with your dental practice or its authorized personnel for cases submitted under that practice;
  • with professional advisors (lawyers, accountants, auditors) under confidentiality obligations;
  • in connection with a merger, acquisition, financing, or sale of assets, subject to confidentiality and to this Policy continuing to apply to personal information and PHI;
  • when required by law, subpoena, court order, or other valid legal process, or to protect the rights, safety, or property of Lumera, our users, or the public.

7. Cookies and Similar Technologies

We use a small number of cookies, grouped into two categories:

  • Strictly necessary cookies. Used to sign you in, keep you signed in, protect against forgery, and remember portal preferences that make the product work — for example, your active clinic when you belong to more than one, whether the sidebar is collapsed, and which case statuses you have selected. The Services will not function correctly without these.
  • Optional cookies. Used to understand aggregate usage of the marketing site so we can improve it. These are not set unless you accept them through our cookie banner. We currently do not deploy advertising cookies or cross-site tracking.

You can change your choice at any time by clearing the lumera_cookie_consent cookie in your browser, after which the banner will reappear. Most browsers also let you block or delete cookies through their settings.

8. Data Retention

We keep personal information and PHI only for as long as needed for the purposes described in this Policy and to meet our legal, accounting, tax, and regulatory obligations. Typical retention windows:

  • Case records and clinical files: for the duration of the Clinician’s relationship with Lumera and thereafter as required by applicable dental, healthcare, and tax recordkeeping rules.
  • Billing and payment records: retained as required by applicable tax and accounting law (typically at least seven years in the United States).
  • Account records: retained while the account is active and for a reasonable period after deactivation to support reactivation, dispute resolution, and audit.
  • Diagnostic and security logs: retained for a short window (typically 30–90 days) and then deleted or aggregated.

When data is no longer needed, we delete it or de-identify it in a manner consistent with HIPAA and applicable law.

9. Security

We maintain administrative, technical, and physical safeguards designed to protect personal information and PHI, including:

  • encryption in transit (TLS) for all network traffic to the portal and APIs;
  • encryption at rest for the database and for files stored in our object storage;
  • role-based access controls and the principle of least privilege;
  • signed, short-lived URLs for downloads of clinical files and invoices;
  • scrubbing of identifiers from application error reports and operational logs;
  • rate limiting, audit trails, and incident-response procedures;
  • vendor due diligence, including HIPAA Business Associate Agreements where a vendor may process PHI on our behalf.

No system is perfectly secure. If we become aware of a breach of unsecured PHI, we will notify the affected Covered Entity in accordance with HIPAA and applicable state breach-notification law.

10. Your Rights and Choices

Depending on where you live and your relationship with us, you may have rights to access, correct, delete, port, or restrict processing of personal information about you, and to object to certain processing. For PHI held under our role as a Business Associate, requests should generally be directed to your dental practice (the Covered Entity), and we will support them in responding.

10.1 U.S. state residents (including California)

Residents of California, Colorado, Connecticut, Virginia, Utah, and other states with comparable privacy laws may have the right to: confirm whether we process personal information about them; access that information; correct inaccuracies; delete it; obtain a portable copy; and opt out of certain processing. We do not sell personal information and we do not engage in cross-context behavioral advertising. PHI is exempt from the consumer-privacy statutes to the extent it is already protected by HIPAA.

10.2 European Economic Area, United Kingdom, and Switzerland

If you are in the EEA, UK, or Switzerland, you have rights of access, rectification, erasure, restriction, portability, and objection under the GDPR and equivalent laws. Where we rely on consent, you can withdraw it at any time. You also have the right to lodge a complaint with your local data protection authority. The legal bases on which we rely include: performance of a contract (operating the Services), legitimate interests (improving and securing the Services), legal obligation (tax, accounting, healthcare law), and consent (optional cookies and marketing).

10.3 How to exercise rights

Submit requests through our contact channels listed in Section 14. We will verify your identity before acting on a request and respond within the timeframes required by applicable law. You may also designate an authorized agent to submit a request on your behalf.

11. International Data Transfers

Lumera is based in the United States. If you access the Services from outside the United States, your information will be transferred to, stored in, and processed in the United States and other countries where our subprocessors operate. Where required, we rely on appropriate transfer mechanisms (such as the European Commission’s Standard Contractual Clauses) and we apply the safeguards described in Section 9.

12. Children’s Privacy

The Services are intended for use by dental professionals and their staff. We do not direct the Services to children under 13 and we do not knowingly collect personal information from children other than as part of PHI submitted by a Clinician for treatment purposes, which is governed by our BAA with that Clinician. If you believe a child has provided us personal information outside of that clinical context, please contact us and we will delete it.

13. Changes to This Policy

We may update this Policy from time to time. When we do, we will revise the effective date above and, where the changes are material, we will provide additional notice (for example, by email or an in-portal banner). Continued use of the Services after the effective date constitutes acceptance of the updated Policy.

14. Contact

For privacy-related questions or to exercise your rights, contact us:

If you are a patient with questions about your PHI, please first contact the dental practice that submitted your case; they are the Covered Entity under HIPAA and the appropriate point of contact for rights of access, amendment, and accounting of disclosures.

© 2026 Lumera Dental. All rights reserved.