Banto Privacy Policy

Last Updated: January 13, 2026

This Privacy Policy explains how Banto LLC ("Banto," "we," "us," or "our") collects, uses, discloses, and protects information when you use our platform, websites, applications, software, APIs, and related services (collectively, the "Services").

This Policy applies to both Providers (healthcare clinics and their staff) and Patients (individuals receiving treatment information and making payments through Banto).

By using the Services, you agree to this Privacy Policy. If you do not agree, do not use the Services.


1. Information We Collect

1.1 Information You Provide Directly

From Providers:

  • Business information (clinic name, EIN, business address, contact details)
  • Provider credentials (medical licenses, NPI numbers)
  • Bank account and payment information
  • Treatment plans, pricing, and service descriptions
  • Patient data entered into the platform (see Section 1.2)

From Patients:

  • Personal identifiers (name, date of birth, email, phone number, address)
  • Payment information (credit/debit card details, bank account information)
  • Financing application data (income, employment, SSN or partial SSN for credit checks)
  • Appointment and scheduling preferences
  • Communications with your Provider through Banto

1.2 Protected Health Information (PHI)

Banto processes Protected Health Information on behalf of Providers, including but not limited to:

  • Medical diagnoses and treatment plans
  • Health history relevant to care
  • Clinical notes and treatment outcomes
  • Billing and insurance information related to care

Critical Distinction:

  • Banto acts as a Business Associate under HIPAA when processing PHI on behalf of Providers
  • Your Provider is the Covered Entity that determines what PHI is collected and how it's used
  • Banto does not make independent decisions about your medical data

1.3 Information Collected Automatically

Technical Data:

  • IP address, browser type, device identifiers
  • Operating system, screen resolution
  • Cookies and similar tracking technologies
  • Pages viewed, links clicked, time spent on platform
  • Referring/exit pages and URLs

Transaction Data:

  • Payment amounts, dates, and status
  • Failed transactions and chargebacks
  • Financing approvals/denials (from third-party lenders)

1.4 Information from Third Parties

We receive data from:

  • Payment Processors (Stripe, etc.): transaction status, fraud alerts, chargeback notifications
  • Financing Partners: credit decisions, loan terms, repayment status
  • Identity Verification Services: to prevent fraud and comply with KYC/AML requirements
  • Providers: clinical and treatment data about you (treatment plans, pricing, clinical notes; see Section 1.2) is entered into Banto by your healthcare Provider, not collected from you by Banto

2. How We Use Your Information

2.1 To Provide the Services

  • Display treatment plans and pricing to Patients
  • Process payments, deposits, and installment plans
  • Facilitate appointment scheduling and reminders
  • Enable Provider-Patient communications
  • Generate invoices and payment confirmations

2.2 For Business Operations

  • Maintain and improve platform functionality
  • Detect and prevent fraud, chargebacks, and unauthorized access
  • Provide customer support
  • Analyze usage patterns (aggregated, de-identified data only)
  • Develop new features and services

2.3 For Compliance and Legal Obligations

  • Comply with HIPAA, state privacy laws, and financial regulations
  • Respond to subpoenas, court orders, or law enforcement requests
  • Enforce our Terms of Service
  • Protect rights, property, and safety of Banto, users, and the public
  • Conduct audits and investigations

2.4 For Communications

  • Send transactional emails (payment confirmations, appointment reminders)
  • Notify you of account or service changes
  • Respond to your inquiries
  • We do not send marketing emails without explicit consent

2.5 What We Do NOT Do With Your Data

  • We do not sell patient data to third parties
  • We do not use PHI for marketing or advertising
  • We do not share data with insurers or employers without authorization
  • We do not make medical decisions based on your data

3. How We Share Your Information

3.1 Service Providers

We share data with third parties who perform services on our behalf:

Payment Processors (e.g., Stripe):

  • Payment card details and transaction data
  • Necessary for processing payments and preventing fraud

Financing Partners (e.g., consumer lenders):

  • Credit application data (income, employment, SSN)
  • Only when you apply for financing

Cloud Infrastructure (e.g., AWS, Google Cloud):

  • Data storage and platform hosting
  • Subject to strict security and confidentiality agreements

Identity Verification Services:

  • To comply with anti-money laundering (AML) and know-your-customer (KYC) requirements

Analytics Providers:

  • Aggregated, de-identified usage data only
  • No PHI or personally identifiable information

All service providers are contractually bound to protect your data and use it only for specified purposes.

3.2 With Your Provider

  • Providers have full access to data entered for their patients
  • Providers control how PHI is used and retained
  • Banto processes PHI solely on behalf of the Provider under HIPAA Business Associate Agreements

3.3 Legal Requirements

We may disclose information when required by law:

  • Subpoenas, court orders, or government investigations
  • To prevent fraud or protect against legal liability
  • To enforce our Terms of Service
  • In emergencies involving imminent harm

3.4 Business Transfers

If Banto is acquired, merges, or undergoes bankruptcy:

  • Your information may be transferred to the successor entity
  • The successor must honor this Privacy Policy unless you consent to changes

3.5 With Your Consent

We may share information in ways not described here if you explicitly authorize it.


4. HIPAA Compliance

4.1 Business Associate Role

For Providers subject to HIPAA, Banto acts as a Business Associate under 45 CFR § 164.502(e).

This means:

  • We process PHI only as instructed by the Provider (Covered Entity)
  • We maintain a signed Business Associate Agreement (BAA) with each Provider
  • We implement administrative, physical, and technical safeguards to protect PHI
  • We report breaches to Providers as required by law

4.2 Patient Rights Under HIPAA

Your HIPAA rights (access, amendment, accounting of disclosures) are exercised through your Provider, not Banto.

If you have questions about how your PHI is used, contact your Provider directly.

4.3 Minimum Necessary Standard

Banto limits access to PHI to the minimum necessary to perform our services.

4.4 Breach Notification

In the event of a data breach involving PHI:

  • We will notify affected Providers within 72 hours of discovery (a shorter window than the outer limit of 60 calendar days that 45 CFR § 164.410 sets for Business Associates)
  • Providers are responsible for notifying patients as required by HIPAA
  • We will cooperate with breach investigations and remediation

5. Data Security

5.1 Technical Safeguards

We implement industry-standard security measures, including:

  • Encryption in transit: TLS 1.2+ for all data transmission
  • Encryption at rest: AES-256 encryption for stored data
  • Access controls: Role-based access, multi-factor authentication (MFA)
  • Network security: Firewalls, intrusion detection systems, DDoS protection
  • Secure payment handling: PCI DSS compliant tokenization (no full card numbers stored)

5.2 Administrative Safeguards

  • Regular security training for employees
  • Background checks for personnel with PHI access
  • Incident response and disaster recovery plans
  • Third-party security audits and penetration testing

5.3 Physical Safeguards

  • Data centers with 24/7 surveillance, biometric access controls
  • Redundant power and environmental controls
  • Geographic data replication for disaster recovery

5.4 Limitations

No system is 100% secure. While we use commercially reasonable safeguards, we cannot guarantee absolute security.

You are responsible for:

  • Protecting your account credentials
  • Using strong, unique passwords
  • Enabling MFA if available
  • Logging out of shared devices

Report suspected unauthorized access immediately to security@usebanto.com.


6. Data Retention and Deletion

6.1 How Long We Keep Data

Patient Data (PHI):

  • Retained as long as required by your Provider
  • Providers must specify retention periods in accordance with state medical record laws (typically 5–10 years)

Payment Data:

  • Transaction records retained for 7 years (IRS and state tax requirements)
  • Full payment card details are never stored (tokenized by payment processors)

Technical Logs:

  • Retained for 90 days unless needed for fraud investigation or legal compliance

Anonymized Analytics:

  • Retained indefinitely (de-identified so that it cannot be linked back to an individual)

6.2 Deletion Requests

For Patients:

  • Contact your Provider to request deletion of your medical records
  • Banto will delete data upon Provider instruction, subject to legal retention obligations
  • Some data (transaction records) must be retained for tax/regulatory compliance

For Providers:

  • Upon account termination, you have 30 days to retrieve all patient data
  • After 30 days, data may be permanently deleted unless legally required to retain

6.3 What Happens When You Delete Your Account

  • Active access to the platform is immediately revoked
  • Transactional and compliance data is retained per legal requirements
  • Marketing preferences are honored (you will not receive further marketing emails; transactional notices required to close out your account may still be sent)
  • Anonymized data may remain in aggregated analytics

7. Your Privacy Rights

7.1 Access and Portability

Patients:

  • Request a copy of your data by contacting your Provider
  • Providers control PHI access under HIPAA

Providers:

  • Export patient data via platform tools or API
  • Banto provides data in machine-readable formats (CSV, JSON)

7.2 Correction and Amendment

  • Request corrections to inaccurate data through your Provider
  • Banto will update data upon Provider instruction

7.3 Deletion (Right to Be Forgotten)

  • Request deletion subject to legal and contractual retention requirements
  • Some data (e.g., tax records) cannot be deleted

7.4 Opt-Out of Marketing

  • We do not send marketing emails by default
  • If you receive marketing emails, click "unsubscribe" or email privacy@usebanto.com

7.5 Do Not Track Signals

Our platform does not respond to "Do Not Track" browser signals.

7.6 State-Specific Rights

California Residents (CCPA/CPRA):

  • Right to know what data is collected
  • Right to correct inaccurate personal information (see Section 7.2)
  • Right to delete (subject to exceptions)
  • Right to opt-out of "sales" (we do not sell data)
  • Right to non-discrimination for exercising privacy rights

Virginia, Colorado, Connecticut, Utah Residents:

  • Similar rights to access, delete, and opt-out

To exercise these rights, email team@usebanto.com.

We will verify your identity before acting on a request and respond within 45 days of receiving it.


8. Cookies and Tracking Technologies

8.1 Types of Cookies We Use

Strictly Necessary:

  • Session management, authentication
  • Cannot be disabled without breaking core functionality

Functional:

  • Remember preferences (language, timezone)
  • Improve user experience

Analytics:

  • Understand how users interact with the platform
  • Aggregated, de-identified data only

We do not use advertising or tracking cookies.

8.2 Managing Cookies

You can:

  • Block cookies via browser settings
  • Use privacy-focused browsers or extensions

Blocking cookies may impair functionality; strictly necessary cookies (Section 8.1) cannot be disabled without breaking login and session handling.

9. Third-Party Links

The Services may contain links to third-party websites (e.g., financing partners).

We are not responsible for the privacy practices of third parties. Review their privacy policies before providing data.


10. Children's Privacy

Banto does not knowingly collect data from children under 13 without parental consent.

If we discover we have collected data from a child under 13 without verified parental consent, we will delete it immediately.

Minors aged 13–17:

  • May use the Services with parental consent for medical treatment
  • Parental authorization required for payment and financing

11. International Data Transfers

Banto is based in the United States. Data may be transferred to and processed in the U.S. or other countries where our service providers operate.

If you are located outside the U.S.:

  • Your data may be subject to U.S. laws (less restrictive than GDPR)
  • We use Standard Contractual Clauses (SCCs) where required
  • By using the Services, you consent to international data transfers

For EU/UK residents:

  • We comply with GDPR where applicable
  • Contact team@usebanto.com for data transfer inquiries

12. Changes to This Privacy Policy

We may update this Policy at any time by posting a revised version at usebanto.com/privacy.

Material changes will be communicated via:

  • Email notification (to address on file)
  • In-app notification
  • Prominent notice on the website

Continued use of the Services after changes constitutes acceptance.

We will not make retroactive changes that reduce your privacy rights without explicit consent.


13. Contact Us

For privacy questions or to exercise your rights:

Banto LLC
Email: team@usebanto.com
Address: [Your Registered Address]

For HIPAA-related inquiries:
Contact your Provider directly


By using Banto, you acknowledge that you have read, understood, and agree to this Privacy Policy.