
Privacy Policy
BondedAI LLC and Bonded Payments Pty Ltd – Privacy Policy
1 Who We Are
BondedAI LLC ("BondedAI", "we", "our", "us") and its Australian subsidiary Bonded Payments Pty Ltd (together, "Bonded") develop payment‑processing software and related services used by dental clinics and their patients. Our Australian office is Level 7, King William St, Adelaide SA 5000, Australia, and our U.S. headquarters is 1100 South Coast Hwy, Laguna Beach CA 92651, USA.
This Policy explains how we collect, use, disclose and protect personal information, including Protected Health Information ("PHI"), across the three main jurisdictions in which we operate or store data:
Australia – Privacy Act 1988 (Cth) & Australian Privacy Principles ("APPs")
United States – Health Insurance Portability and Accountability Act 1996 ("HIPAA") and relevant State consumer‑privacy laws (e.g. California Consumer Privacy Act "CCPA/CPRA")
United Kingdom – UK GDPR and Data Protection Act 2018
Where a section applies only to a particular jurisdiction we label it [AU], [US] or [UK]; otherwise it applies globally.
2 Information We Collect
| Category | Examples | Legal basis / APP principle |
|---|---|---|
| Personal identifiers | Name, postal address, email, phone, date of birth, profession | APP 3; HIPAA §164.502; GDPR Art 6(1)(b) (contract) |
| Health & treatment data | Appointment details, treatment plans, clinical notes, X-rays [AU & US] | APP 3–4 (health information); HIPAA PHI; GDPR Art 9(2)(h) (healthcare) |
| Payment data | Tokenised card details, PayTo mandate IDs, Direct‑Debit bank account numbers (masked) | PCI‑DSS; APP 11; GDPR Art 6(1)(f) (legitimate interest) |
| Technical & usage data | IP address, device/browser, cookies, log files, support tickets | APP 3; GDPR Art 6(1)(f) |
We collect information directly from clinics, patients or their authorised representatives, via online forms, APIs, secure file upload and during live onboarding calls.
3 How We Use Information
Provide, bill and maintain the payment service
Schedule appointments and send transactional messages
Verify identity and comply with AML/CTF, HIPAA, PCI‑DSS, APP 11 and GDPR security obligations
Detect, prevent and respond to fraud, chargebacks and misuse
Improve the website and app through aggregated analytics
[US] Conduct HIPAA‑permitted healthcare operations
[UK/EU] Where required, rely on consent for marketing (GDPR Art 6(1)(a)); you may withdraw at any time.
We never sell or rent personal information.
4 Legal Grounds for Processing [UK/EU]
Contract performance (Art 6(1)(b)) – providing the service
Legal obligation (Art 6(1)(c)) – AML/CTF, tax, health‑records legislation
Legitimate interests (Art 6(1)(f)) – fraud prevention, service improvement
Consent (Art 6(1)(a)) – direct marketing, optional cookies
5 HIPAA Compliance [US]
We operate as a Business Associate to dental providers (Covered Entities). We sign Business Associate Agreements, implement the Security & Privacy Rules and restrict PHI use to HIPAA‑permitted purposes. De‑identified data follows §164.514(b). Breach notifications are issued within 60 days under §164.404.
6 Sharing & International Transfers
We disclose data only to:
Treating dentists and authorised clinic staff
Sub‑processors that provide hosting, identity verification or customer support (AWS Pty Ltd – Sydney; Atlassian Cloud – EU; Google Workspace – US).
Our sole sub‑processor for hosting is AWS Pty Ltd – Sydney region.
Regulators, courts or law‑enforcement where legally required.
We do not sell personal data for monetary consideration as defined under CPRA.
7 Data Security
AES‑256 encryption at rest; TLS 1.2+ in transit
Zero‑trust IAM with MFA; least‑privilege role design
Annual penetration test; quarterly vulnerability scan
[AU] Notifiable Data Breach scheme – OAIC notified within 30 days for eligible breaches
[UK] ICO breach notification within 72 hours where required
8 Data Retention
Clinical and payment records – 7 years from the date of last transaction or as required by HIPAA/Health Records Acts (whichever is longer)
Marketing data – deleted 24 months after last interaction
Logs & backups – rotated ≤ 12 months
9 Your Rights
| Jurisdiction | Rights |
|---|---|
| Australia | Access & correction (APP 12‑13); complain to OAIC |
| United States (HIPAA) | Access PHI, request amendment, accounting of disclosures |
| California & other US states | Access, deletion, opt‑out of “sharing” |
| United Kingdom | Access, rectification, erasure, restriction, data portability, objection, complain to ICO |
To exercise any right, email privacy@bondedpayments.com. Identity verification is mandatory.
10 Cookies & Similar Technologies
We use strictly‑necessary cookies for authentication and session management and optional analytics cookies (Google Analytics 4) with IP‑anonymisation. Where required (UK/EEA) we display a cookie banner seeking opt‑in consent.
11 Children
Our services are not directed to individuals under 13. If we learn we have collected personal information from a child without parental consent, we delete it.
12 Third‑Party Links
Our website may link to third‑party sites. We are not responsible for their privacy practices.
13 Updates
We will post any changes on this page and, where material, provide 30 days’ notice via email or in‑app banner.
14 Contact
Privacy Officer – Nicholas Duncan
Email: privacy@bondedpayments.com
Phone: +1 (949) 339‑6557
Postal: Level 7, King William St, Adelaide, SA, 5000, Australia
If you are not satisfied with our response you may contact:
• OAIC (Australia) – oaic.gov.au
• UK ICO – ico.org.uk
• US HHS Office for Civil Rights – hhs.gov/ocr