Privacy Policy - Facebook Lead Ads Integration

Last Updated: 18 March 2026

1. Introduction

PatientPath ("we", "our", or "us") provides a Facebook Lead Ads integration that allows dental clinics to automatically receive and manage patient leads submitted through Facebook Lead Ad forms. This Privacy Policy explains how we collect, use, and protect data obtained through our Facebook Lead Ads integration.

2. Information We Collect

2.1 From Facebook Users (Lead Submitters)

When someone submits a lead through a Facebook Lead Ad form connected to our platform, we collect:

  • Contact Information: Name, email address, phone number
  • Custom Form Responses: Any additional questions answered in the lead form
  • Attribution Data: Facebook Ad ID, Campaign ID, Form ID, timestamp
  • Technical Data: Lead submission timestamp, Facebook Page ID

2.2 From Clinic Staff (App Users)

When clinic staff connect their Facebook Page to PatientPath, we collect:

  • Facebook Profile Data: Name, email address, Facebook User ID
  • Page Data: Facebook Page ID, Page name, Page access token (encrypted)
  • Ad Account Data: Ad Account ID, Ad Account name
  • Permission Grants: Scopes granted during OAuth authorization

3. How We Use the Information

3.1 Lead Data Usage

Lead information submitted through Facebook forms is used to:

  • Automatically create lead records in the clinic's CRM
  • Assign leads to the correct clinic location based on which Facebook Page received the lead
  • Enable clinic staff to follow up with potential patients
  • Provide AI-powered lead prioritization and insights
  • Track lead conversion and campaign performance

3.2 Facebook Access Token Usage

Facebook Page access tokens are used to:

  • Subscribe to webhook notifications for new leads
  • Retrieve full lead details via Facebook Graph API
  • Maintain active webhook subscriptions
  • Access Page-level engagement metrics (if authorized)

4. Data Sharing and Disclosure

We do NOT sell, rent, or trade lead data to third parties. Lead data is shared only with:

  • The Clinic: Lead data is accessible only to the clinic that owns the connected Facebook Page
  • Authorized Staff: Only clinic staff with proper access permissions can view lead data
  • Service Providers: Secure cloud hosting providers (encrypted data at rest and in transit)
  • Legal Requirements: If required by law or to protect our rights

5. Data Security

We implement industry-standard security measures:

  • Encryption: All Facebook access tokens are encrypted using AES-256
  • HTTPS: All data transmission uses TLS/SSL encryption
  • Access Controls: Role-based access control (RBAC) limits who can access lead data
  • Multi-Tenant Isolation: Each clinic's data is isolated using Row-Level Security (RLS)
  • Audit Logs: All access to lead data is logged for security auditing

6. Data Retention

  • Lead Data: Retained as long as the clinic maintains an active subscription
  • Facebook Tokens: Stored until the clinic disconnects their Facebook Page or the token expires
  • Webhook Logs: Retained for 90 days for debugging purposes
  • After Account Deletion: All data is permanently deleted within 30 days

7. Your Rights (Lead Submitters)

If you submitted a lead through a Facebook form, you have the right to:

  • Access: Request a copy of your data by contacting the clinic directly
  • Correction: Request correction of inaccurate data
  • Deletion: Request deletion of your data (see Data Deletion page)
  • Opt-Out: Unsubscribe from marketing communications

8. Your Rights (Clinic Staff)

Clinic staff who connect Facebook Pages have the right to:

  • Disconnect: Disconnect Facebook Page at any time from the dashboard
  • Revoke Access: Revoke app permissions from Facebook settings
  • Data Export: Export all lead data in CSV format
  • Account Deletion: Request complete account and data deletion

9. Facebook Platform Compliance

Our Facebook Lead Ads integration complies with:

  • Facebook Platform Terms
  • Facebook Platform Policy
  • Meta Business Tools Terms
  • Facebook Lead Ads Terms

10. GDPR Compliance (EU Users)

For users in the European Union:

  • Legal Basis: Legitimate interest (lead follow-up) and consent (form submission)
  • Data Controller: The clinic is the data controller; PatientPath is the data processor
  • Data Processing Agreement: Available upon request
  • Cross-Border Transfers: Data is stored in EU-compliant data centers

11. Children's Privacy

Our Facebook Lead Ads integration is not intended for use by individuals under 18 years of age. We do not knowingly collect personal information from children. If you believe we have collected information from a child, please contact us immediately.

12. Changes to This Policy

We may update this Privacy Policy periodically. We will notify clinic administrators of significant changes via email and update the "Last Updated" date at the top of this page.

13. Contact Us

For questions about this Privacy Policy or our data practices:

Note for Lead Submitters: If you submitted your information through a Facebook Lead Ad form and want to request deletion or access to your data, please visit our Data Deletion page for instructions.