Legal
How Acurio and the Kryptic Chrome Extension collect, use, and protect your data
Effective: June 1, 2025
Last Updated: June 1, 2025
Applies To: Kryptic Chrome Extension & Acurio Platform
Kryptic's use of information received from Google APIs adheres to the Chrome Web Store User Data Policy, including its Limited Use requirements.
Specifically: data obtained via Google APIs is used only to provide or improve user-facing features that are prominent in the Kryptic extension's user interface. This data is not used for serving ads, for determining creditworthiness, for lending purposes, or for any purpose unrelated to the extension's core credential management functionality. This data is not transferred to third parties, sold, or used to build user profiles outside of the service. Human access to this data is restricted to security and support use cases as described in this policy.
See Section 15 — Google API Limited Use for the full disclosure within this policy.
Acurio, Inc. ("Acurio," "we," "us," or "our") operates the Acurio dental practice platform and the Kryptic Chrome Extension. This Privacy Policy explains what information we collect, why we collect it, how it is used, and your rights regarding that information.
Kryptic is a browser-based credential management tool built specifically for dental teams. It allows practice administrators to securely store and control access to sensitive portals — including insurance portals, clearinghouses, vendor systems, and payment platforms — without exposing underlying passwords to staff.
Core design principle
Kryptic is designed around least-privilege access: staff can authenticate to portals without ever seeing or storing the credential. Only designated administrators can create, edit, or revoke access. This design minimizes the sensitive data exposed at every layer of the system.
This policy applies to:
The Kryptic Chrome Extension available in the Chrome Web Store
The Acurio web application at acurio.io and associated subdomains
Any APIs or backend services operated by Acurio that support the above
This policy does not govern third-party websites or portals that Kryptic may inject credentials into. Those services have their own privacy policies, and your interactions with them are subject to those terms.
Kryptic requests the following browser permissions. Each permission is requested only where necessary to deliver core functionality.
storage
Used to cache encrypted session tokens and extension settings locally on the device. No credential data or passwords are written to local browser storage — all vault data lives on Acurio's encrypted servers.
activeTab
Required to detect when a user navigates to a portal that has a stored credential, and to inject masked login data into the appropriate form fields. The extension reads only the URL and relevant form elements — it does not read page content, text, or form values outside of the login injection flow.
scripting
Enables the extension to insert credential values into form fields on matched portal pages during the login flow. This action is triggered only when the user explicitly initiates a login from the Kryptic interface.
identity
Used to authenticate the user's Acurio account via secure OAuth flow. This verifies that the staff member has a valid session and the appropriate role-based permission to access a given credential.
Host permissions (matched URLs)
Kryptic only activates on URLs explicitly configured by a practice administrator as credential-matched portals. The extension does not run on arbitrary websites, does not track browsing history, and does not execute on pages unrelated to configured portals.
What Kryptic does not do
Kryptic does not read your general browsing activity, does not capture keystrokes, does not monitor page content outside of configured portals, and does not transmit any data from third-party sites back to Acurio servers.
Name, work email address, practice name, role (admin or staff)
Create and manage your Acurio account; enforce role-based access control
Portal usernames and encrypted passwords stored in the vault. Passwords are never stored or transmitted in plaintext — they are encrypted before leaving the client.
Enable controlled, masked credential access for authorized staff
Timestamp, user identity, portal matched, and action taken (viewed, used, attempted)
Immutable audit trail for compliance, accountability, and breach detection
Encrypted session tokens, device type, browser version, IP address
Authenticate users, maintain secure sessions, and detect anomalous access
Feature interactions (e.g., credential matched, login initiated), error events
Improve extension performance, diagnose issues, and monitor reliability
Portal URLs configured by admins, assigned roles, location/group structure
Route credential access to the correct portals and enforce location-level permissions
The following data is explicitly never collected by Acurio or the Kryptic extension:
Patient health information (PHI), patient names, diagnoses, or clinical records
General browsing history, visited URLs outside of configured portals, or web activity outside the extension's matched host scope
Keystrokes, clipboard contents, or screen captures
Plaintext passwords at any point — passwords are encrypted client-side before transmission
Personal financial information of practice staff
Device contacts, photos, or files
Location data (GPS or network-based)
Data collected through the Acurio platform and Kryptic extension is used solely for the following purposes:
Authenticating users, enforcing role-based access policies, injecting masked credentials into configured portals, and providing practice administrators with credential management capabilities.
Detecting unauthorized access attempts, generating immutable audit logs, alerting administrators to unusual activity, and protecting the integrity of the credential vault.
Analyzing aggregated, de-identified usage events to identify performance issues, prioritize features, and improve reliability of the extension and platform.
Diagnosing and resolving reported issues using session and error log data. Support staff access only the minimum data necessary to resolve a reported incident.
Retaining audit logs and account records as required by applicable law or as necessary to respond to lawful requests from regulatory authorities.
No sale of data
Acurio does not sell, rent, or license your personal data or your practice's data to any third party. Your data is not used for advertising, profiling, or any purpose outside of the services described in this policy.
We do not share your data with third parties except in the following limited circumstances:
We use trusted cloud infrastructure and security vendors (such as cloud hosting, encrypted database, and authentication providers) to operate the Acurio platform. These subprocessors are contractually bound to process data only as directed by Acurio, to maintain equivalent security standards, and not to use data for their own purposes. A current list of subprocessors is available upon request.
We may disclose data if required by law, subpoena, court order, or other governmental request, or if we believe in good faith that such disclosure is necessary to protect the safety of any person, prevent fraud, or defend against legal claims.
In the event of a merger, acquisition, or sale of all or a portion of Acurio's assets, user data may be transferred as part of that transaction. We will notify affected users before their data is transferred and becomes subject to a different privacy policy.
We will share data with third parties in any other circumstance only with your explicit consent.
Retained while account is active. Deleted within 30 days of account closure, unless retention is required by law.
Retained until deleted by a practice administrator or upon account closure. Admins may delete individual credentials at any time.
Retained for a minimum of 12 months to support audit and compliance requirements. Extended retention available on request for regulated organizations.
Expire automatically after inactivity (configurable by practice admin). Invalidated immediately upon logout or role revocation.
Aggregated and de-identified after 90 days. Raw event logs deleted after 90 days.
Acurio is designed with security as a core architectural requirement, not an add-on. The following controls are applied across the platform and Kryptic extension:
Encryption at rest and in transit: All credential data is encrypted using AES-256 at rest. All communications between the extension, the Acurio platform, and third-party portals occur exclusively over TLS 1.2 or higher.
Client-side encryption: Passwords are encrypted on the device before being transmitted to Acurio servers. Acurio never receives or stores plaintext passwords.
Role-based access control (RBAC): Access to credentials is scoped by role and location. Staff cannot view, copy, or export the underlying password — only initiate a masked login.
Immutable audit logging: Every credential access event is recorded in a tamper-proof log. Logs cannot be modified or deleted by practice administrators.
Practice-level tenant isolation: Each practice's data is isolated at the infrastructure level. One practice cannot access another's credentials or logs under any circumstances.
Minimal host permissions: The extension only activates on URLs explicitly configured by a practice administrator. It does not operate as a general-purpose extension on arbitrary websites.
Despite these measures, no system is completely impenetrable. We encourage practices to follow security best practices, including strong password hygiene for Acurio accounts, regular access reviews, and prompt revocation of access for departed employees.
Depending on your jurisdiction, you may have the following rights with respect to your personal data:
Access: Request a copy of the personal data Acurio holds about you.
Correction: Request correction of inaccurate or incomplete data.
Deletion: Request deletion of your personal data, subject to legal retention requirements.
Portability: Request an export of your data in a structured, machine-readable format.
Objection / Restriction: Object to or request restriction of certain processing activities.
Withdraw Consent: Where processing is based on consent, withdraw consent at any time without affecting the lawfulness of prior processing.
To exercise any of these rights, contact us at the address in Section 14. We will respond within 30 days. We do not charge a fee for reasonable requests and will not discriminate against you for exercising your rights.
If you are a staff member at a dental practice using Acurio, note that your practice administrator (as the data controller for practice-specific data) may also have the ability to fulfill certain requests on your behalf within the Acurio dashboard.
Important clarification
Kryptic and the Acurio platform do not store, process, or transmit patient Protected Health Information (PHI). The platform manages operational credentials (insurance portals, vendor systems, banking) — not clinical records or patient data.
Kryptic is a credential management tool, not a clinical records system. However, because Kryptic is used within dental practice workflows that may be subject to HIPAA, Acurio is prepared to enter into a Business Associate Agreement (BAA) with covered entities upon request.
Practices that require a BAA should contact us at [email protected].
The Acurio platform and Kryptic extension are designed exclusively for use by dental practice staff and administrators. We do not knowingly collect personal information from anyone under the age of 18. If you believe a minor has provided information to us, contact us immediately at [email protected] and we will delete the information promptly.
We may update this Privacy Policy from time to time as the platform evolves or as legal requirements change. When we make material changes, we will:
Update the "Last Updated" date at the top of this page
Notify practice administrators via email at least 14 days before material changes take effect
In some cases, require re-acknowledgment of the updated policy before continued use
Continued use of the Kryptic extension or Acurio platform after an updated policy takes effect constitutes acceptance of the new terms.
If you have questions about this Privacy Policy, want to exercise a data right, or need to report a security concern, please reach out through one of the channels below.
Required statement
Kryptic's use of information received from Google APIs will adhere to the Chrome Web Store User Data Policy, including the Limited Use requirements.
In compliance with Google's Limited Use policy, Acurio makes the following binding commitments regarding data obtained through Google APIs:
Data received from Google APIs is used solely to provide and improve the Kryptic extension's user-facing features — specifically, authenticating users to the Acurio platform via Google OAuth and enabling authorized access to the credential vault. No data obtained from Google APIs is used for any secondary purpose.
Data obtained from Google APIs is not transferred, sold, shared, or disclosed to any third party, except as necessary to provide the Kryptic extension's core functionality (e.g., passing an authentication token to Acurio's own backend servers for session validation) or as required by law. Acurio does not use Google API data to benefit other products or services.
Data obtained from Google APIs is never used to serve advertisements, target users for marketing, build behavioral profiles, determine creditworthiness, or for any purpose unrelated to authenticating the user within the Kryptic extension.
Data obtained from Google APIs is not sold under any circumstances.
Human access to data obtained from Google APIs is restricted to the following circumstances:
Providing or improving user-facing features where the user has given explicit permission
Security purposes — detecting, preventing, or investigating abuse, security incidents, or technical errors
Complying with applicable laws or valid legal process
In all cases, access is limited to the minimum data necessary and is subject to Acurio's internal access controls and audit logging.
The Kryptic extension uses the Chrome Identity API (chrome.identity) solely to authenticate users to the Acurio platform via secure OAuth. The extension requests only the minimum OAuth scopes necessary for authentication. No Google user data beyond the authenticated identity token (email address and Google account ID used to verify the Acurio account) is accessed, stored, or transmitted.
Questions about this disclosure? Contact [email protected]. This section was last reviewed and updated on April 17, 2026.