Privacy Policy

Comet is operated by Hoshiyomi Innovation, based in Thailand. When we say "we", "us", or "our", we mean Hoshiyomi Innovation. If you have any questions about this policy, contact us at privacy@hoshiyomi.io.

We collect only what is necessary to provide the Service:

Account data — your email address and password (hashed), collected when you register. If you sign in with a third-party provider (e.g. Google), we receive only the email and display name that provider shares.

Patient records — names, ages, and clinical notes you enter for your patients. This data is yours; we store it on your behalf.

Images — X-ray images and photographs you upload to patient profiles. These are stored in a private object storage bucket and are never publicly accessible.

Usage data — basic server logs (IP address, browser type, pages visited, timestamps) collected automatically. We do not currently run third-party analytics.

We use your data solely to:

• Provide and operate the Service
• Authenticate your account and keep it secure
• Send essential service emails (e.g. password reset, billing receipts)
• Diagnose errors and improve performance

We do not sell your data, use it for advertising, or share it with third parties for their own purposes.

Patient records and images you upload belong to you. We act as a data processor on your behalf. We do not access, analyse, or use patient data for any purpose beyond storing and serving it to your account.

You are the data controller for your patients' personal data. You are responsible for obtaining valid consent from patients before uploading their data and for complying with any applicable health data regulations (PDPA, GDPR, HIPAA, etc.) in your jurisdiction.

Data is stored using Supabase, a hosted database and storage platform. Your account data is protected by row-level security — no other user can query or access your records. Images are stored in a private bucket and accessed only through short-lived signed URLs that expire after one hour.

All data is transmitted over HTTPS. Passwords are never stored in plain text. We take reasonable technical measures to protect against unauthorised access, though no system is completely secure.

We retain your account and patient data for as long as your account is active.

If you delete your account, we will delete your personal data and all associated patient records and images within 30 days, except where retention is required by law.

Anonymised usage logs may be retained for up to 12 months for operational purposes.

Depending on your location, you may have the right to:

• Access the personal data we hold about you
• Correct inaccurate data
• Request deletion of your data ("right to be forgotten")
• Export your data in a portable format
• Object to or restrict certain processing

To exercise any of these rights, email us at privacy@hoshiyomi.io. We will respond within 30 days.

When paid plans are introduced, payment processing will be handled by a third-party provider (e.g. Stripe). We will not store your full card details. The payment provider's own privacy policy will apply to billing data. We will update this policy before billing is introduced.

Comet uses only essential cookies required for authentication (session token) and security (CSRF protection). We do not use tracking cookies or advertising cookies. No cookie consent banner is shown because we do not set any non-essential cookies.

Comet is intended for use by dental professionals and students aged 18 and over. We do not knowingly collect personal data from anyone under 18. If you believe a minor has registered, contact us and we will delete the account promptly.

We may update this policy from time to time. When we make material changes, we will notify registered users by email at least 14 days before the change takes effect. The "last updated" date at the top of this page always reflects the most recent revision.

For privacy-related questions or requests, contact privacy@hoshiyomi.io.