Privacy Policy

1. Overview

Treeply ("we," "our," or "us") provides an AI-powered review reply platform for dental and medical practices. This Privacy Policy explains what information we collect when you use Treeply, how we use it, and how we protect it.

By using Treeply, you agree to the collection and use of your information as described in this policy. If you do not agree, please do not use the service.

Treeply's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

2. Information We Collect

Account Information

When you create an account, we collect:

• Your name and email address
• A password (stored as a one-way hash — we never store your plaintext password)
• Your practice or business name

Google OAuth Data

When you connect your Google account through our OAuth integration, we request access to:

• Basic profile information — your name, email address, and profile photo, used to identify your account
• Google Business Profile — your practice's business location, name, and associated Google reviews (via the Google My Business / Business Profile API)
• Google reviews — the text, ratings, and reviewer names from reviews left on your Google Business Profile

We request only the minimum permissions required to deliver the service. We do not request access to your Gmail, Google Drive, Google Calendar, Google Ads, or any other Google services.

Usage Data

We collect information about how you interact with Treeply, including:

• Pages visited and features used
• AI-generated replies you accept, edit, or discard
• Timestamps of actions within the platform
• Browser type, operating system, and IP address (for security and analytics)

3. How We Use Your Data

We use the information we collect solely to provide, maintain, and improve the Treeply service. Specifically:

• To identify your practice — we use your Google Business Profile data to connect your Treeply account to the correct dental or medical practice
• To import your reviews — we retrieve your Google reviews so you can manage and respond to them from within Treeply
• To generate AI reply suggestions — review text is sent to our AI provider to produce draft responses. We do not include patient names or any personal health information in these prompts (see Section 7)
• To show demo previews — prospective users may see anonymized examples of how Treeply generates replies for a practice
• To communicate with you — we send transactional emails (password resets, billing receipts, product updates). We do not send unsolicited marketing email without your explicit opt-in
• To prevent fraud and abuse — usage data helps us identify and address misuse
• To improve the product — aggregated, anonymized usage patterns inform product decisions

4. Google API Services

Treeply's use of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

What we access

• Google account identity (name, email) to authenticate your Treeply account
• Google Business Profile locations associated with your Google account
• Google reviews (text, rating, reviewer display name, reply status) for those locations

What we do not access

• Your Gmail inbox or sent mail
• Google Drive files or documents
• Google Calendar events
• Google Ads account data
• YouTube account data
• Any other Google service not listed above

OAuth token storage

Google OAuth access tokens and refresh tokens are encrypted at rest using AES-256-GCM before being stored in our database. Tokens are used only to fetch reviews and business profile data on your behalf, and only when you have an active Treeply subscription or trial.

Revoking access

You can revoke Treeply's access to your Google account at any time by visiting Google Account Permissions. Revoking access will disconnect your Google Business Profile from Treeply. You can also request full data deletion by contacting us at privacy@treeply.co.

5. Data Storage & Security

Treeply stores data in a PostgreSQL database hosted on Neon (US region). Application servers are hosted on Render.

Security measures

• Encryption in transit — all connections use TLS 1.2 or higher. Our application is only accessible over HTTPS
• Encryption at rest — OAuth tokens are encrypted with AES-256-GCM before storage
• Password hashing — passwords are hashed using bcrypt. We never store plaintext passwords
• Parameterized queries — all database queries use parameterized statements to prevent SQL injection
• Access controls — production database access is restricted to application servers. No direct public access is permitted
• Session management — authentication uses signed JWTs with expiration. Sessions are invalidated on logout

Data retention

We retain your account data and review history for as long as your account is active. If you delete your account, we remove your personal information and associated data within 30 days, except where retention is required for legal or fraud prevention purposes.

6. Data Sharing & Third Parties

We do not sell, rent, or trade your personal information. We do not share your data with advertisers or data brokers.

We share data only with the following categories of service providers, solely to operate the platform:

• AI inference — review text is sent to an AI provider (OpenAI or compatible) to generate reply suggestions. This data is not used to train their models under our service agreement
• Database hosting — Neon hosts our PostgreSQL database in the US
• Application hosting — Render hosts our web servers in the US
• Email delivery — transactional emails are sent via Postmark
• Payment processing — Stripe processes subscription payments. Treeply does not store credit card numbers

Each of these providers is bound by their own data processing agreements. We do not authorize them to use your data for any purpose other than providing their services to us.

Legal disclosures

We may disclose your information if required by law, court order, or government authority, or if we believe in good faith that disclosure is necessary to protect our legal rights, prevent fraud, or protect the safety of our users.

Business transfers

If Treeply is acquired or merges with another company, your information may be transferred as part of that transaction. We will notify you before your data is subject to a materially different privacy policy.

7. Healthcare Information & HIPAA

Treeply is a review management tool. We process Google reviews left by patients, which are publicly visible information posted on Google Maps by patients voluntarily. This content is not protected health information (PHI) under HIPAA.

Treeply does not integrate with your practice management software (e.g., Dentrix, Eaglesoft, Curve Dental, Epic) and has no access to your electronic health records (EHR) or any other clinical systems.

Responding to reviews — your responsibility

When responding to patient reviews, do not include protected health information in your replies, even if a reviewer mentions clinical details. This is your responsibility as a HIPAA-covered entity. Treeply's AI suggestions are designed to be generic and professional, avoiding any reference to specific medical details.

If you are unsure about HIPAA compliance requirements for responding to online reviews, consult your compliance officer or legal counsel.

8. Your Rights & Data Deletion

You have the following rights regarding your personal data:

• Access — you can request a copy of the personal data we hold about you
• Correction — you can update incorrect or incomplete information in your account settings
• Deletion — you can request deletion of your account and associated data. We will process deletion requests within 30 days
• Portability — you can request an export of your data in a machine-readable format
• Revocation — you can revoke Google OAuth access at any time via Google Account Permissions
• Objection — you can object to certain uses of your data by contacting us

How to request data deletion

To delete your account and all associated data:

1. Log in to your Treeply account and use the account deletion option in settings, or
2. Email privacy@treeply.co with the subject line "Data Deletion Request" and the email address associated with your account

We will confirm deletion within 30 days. Some data may be retained longer where required by law (e.g., billing records for tax compliance).

9. Cookies & Tracking

Treeply uses the following types of cookies and local storage:

• Authentication cookies — a signed JWT stored in a cookie or localStorage to keep you logged in. This is required for the service to function
• Session storage — temporary browser storage used to manage UI state within a single browsing session. This is cleared when you close your browser tab
• Analytics — we may use privacy-respecting analytics to understand aggregate usage patterns (e.g., which features are used most). We do not use Google Analytics. Any analytics data is aggregated and does not identify individual users

We do not use advertising cookies, third-party tracking pixels, or behavioral targeting technologies.

10. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email and/or by displaying a notice on the Treeply dashboard before the changes take effect.

The "Last updated" date at the top of this page indicates when this policy was last revised. Your continued use of Treeply after changes become effective constitutes your acceptance of the updated policy.

11. Contact Us

If you have questions about this Privacy Policy, want to exercise your data rights, or have concerns about how we handle your information, please contact us: