This Privacy Policy is prepared by DentinCloud ("Company", "we", "us") in accordance with the EU General Data Protection Regulation (GDPR). As data controller, you may contact us at: [email protected]

DentinCloud is a cloud-based practice management SaaS platform for dental clinics. All data processed through the platform is governed by this policy.

a) Account and Clinic Data

• Full name, email address, phone number
• Clinic name, address, tax identification
• Username and encrypted password
• Subscription and billing information (card numbers are never stored; processed via payment provider)

b) Platform Usage Data

• IP address, browser type, device information
• Session duration, click and navigation data
• Error logs and performance metrics

c) Patient Data (Processed on Behalf of Clinics)

Clinics may enter patient data (name, appointment history, treatment records, dental charts, etc.) into the platform. For this data, DentinCloud acts as a "data processor"; the clinic is the "data controller". The clinic is responsible for GDPR compliance obligations regarding patient data.

d) Processing Purposes

• Providing and maintaining the service
• Subscription and billing management
• Security and fraud prevention
• Product improvement and debugging
• Compliance with legal obligations
• Marketing communications (with explicit consent)

• Performance of a contract: Data necessary to deliver the service
• Legitimate interests: Platform security, debugging, analytics
• Legal obligation: Tax, accounting, and regulatory requirements
• Consent: Marketing emails and optional features

• Active account data: For the duration of the subscription
• Deleted account data: 90 days after deletion (backup purge period)
• Billing and payment records: 10 years (applicable commercial law)
• Log and security records: 1 year
• Marketing consent: Until consent is withdrawn

Your data may be shared only with the following third parties to deliver the service:

• Payment providers (e.g., iyzico, Stripe) — solely for payment processing
• Infrastructure providers (e.g., AWS, Hetzner) — hosting and processing
• Email / SMS providers — notification delivery
• Analytics tools — anonymised usage data only

Transfers outside the EU/EEA are governed by GDPR Article 46 Standard Contractual Clauses (SCCs).

• All data is encrypted at rest using AES-256
• All communications are secured with TLS 1.2+
• Access is managed on a least-privilege basis
• Regular security testing and independent audits
• In the event of a breach, notification within 72 hours as required by GDPR Article 33

You have the right to:

• Know whether your personal data is being processed
• Access your data and obtain a copy (data portability)
• Request correction of inaccurate or incomplete data
• Request erasure of your data (“right to be forgotten”)
• Restrict processing
• Withdraw consent at any time (for consent-based processing)
• Object to processing and automated decision-making

Submit requests to [email protected]. Requests are answered within 1 month as required by GDPR. Unresolved complaints may be referred to the relevant EU supervisory authority.

DentinCloud uses the following cookie categories:

• Strictly necessary cookies: Session management and security (no consent required)
• Analytics cookies: Anonymous usage statistics (consent required)
• Marketing cookies: Retargeting (consent required)

You may manage cookie preferences via your browser settings or our cookie preference panel.

DentinCloud implements reasonable technical and organisational security measures; however, no system is 100% secure. Except as required by applicable mandatory law, the Company shall not be liable for any damages — direct or indirect — arising from cyber attacks, unauthorised access, data breaches, exposure of passwords or patient information, system outages, or third-party security incidents.

The User is solely responsible for user-side security measures, including strong password practices, preventing unauthorised access, and device security. DentinCloud accepts no liability for damages arising from negligence on the User's side.

This policy is for informational purposes only and does not create any special legal duty beyond what is required by applicable law.

This policy may be updated from time to time. Material changes will be communicated via email or in-platform notification. Continued use of the platform after changes take effect constitutes acceptance of the updated policy.

For GDPR requests: [email protected]