← SmileFlow
Security overview · Reviewed 2026-07-10

Designed to reduce exposure, not hide it behind slogans.

This page describes safeguards visible in the current product. It is not a certification, penetration-test report or claim of compliance with every healthcare privacy regime.

Data minimization

Smile images are processed within the request and are not written to a SmileFlow database or file store. Lead submissions contain only the contact fields, consent state and compact analysis context needed for clinic follow-up.

Input and abuse controls

  • Image uploads are required to identify as images and are limited to 8 MB.
  • Analysis and lead endpoints use per-IP rate limits.
  • Clinic analysis volume is subject to a daily limit.
  • Lead payloads are validated and bounded before email delivery.
  • Embedded widgets check the requesting host against the clinic configuration.

Clinical-safety boundaries

The model prompt and patient-facing report state that the result is orientational, not a diagnosis. Recommendations require a licensed dentist, in-person examination and appropriate imaging. The product is designed to avoid alarming or judgmental output.

External providers

Google's Gemini API processes submitted images, Resend delivers emails, Stripe processes checkout and the deployment platform handles web delivery. Their controls and service terms form part of the overall security posture. Clinics should review those dependencies when assessing regulatory suitability.

Reporting a concern

Please send suspected vulnerabilities or security concerns to contact@getsmileflow.com. Include the affected URL, reproduction steps and impact. Do not include real patient data in a report.