Privacy Policy
DentEase -- Dental Clinic Management Platform
Effective Date: May 19, 2026 Last Updated: June 11, 2026
1. Introduction
DentEase ("Company," "we," "us," or "our") is committed to protecting the privacy and security of personal data and protected health information processed through our dental clinic management platform (the "Platform"). This Privacy Policy describes how we collect, use, disclose, retain, and protect your information when you use our Services.
This Privacy Policy applies to all users of the Platform, including dental clinic administrators, dentists, clinical staff, and patients. It should be read in conjunction with our Terms and Conditions.
We recognize the sensitive nature of healthcare data and adhere to the highest standards of data protection as required by applicable international, federal, and local regulations.
2. Data Controller and Data Processor Roles
2.1 Clinics as Data Controllers
Dental clinics that subscribe to the Platform act as Data Controllers (as defined under the GDPR) or the equivalent under applicable law. As Data Controllers, Clinics determine the purposes and means of processing Patient Data and are responsible for:
- Establishing a lawful basis for collecting and processing patient information.
- Providing patients with appropriate privacy notices.
- Obtaining patient consent where required by applicable law.
- Responding to data subject access requests.
- Ensuring compliance with applicable healthcare data protection regulations.
2.2 DentEase as Data Processor
DentEase acts as a Data Processor on behalf of Clinics, processing personal data and Patient Data solely in accordance with the Clinic's documented instructions and the terms of any executed Data Processing Agreement (DPA) or Business Associate Agreement (BAA).
2.3 DentEase as Data Controller
DentEase acts as a Data Controller in limited circumstances, including:
- Managing Clinic Administrator and staff account registration.
- Processing subscription and billing information.
- Collecting technical and usage data for Platform operation and improvement.
- Communicating with users about the Platform, service updates, and support.
3. Information We Collect
3.1 Information Provided by Clinic Administrators and Staff
| Data Category | Examples |
|---|---|
| Account Information | Name, username, email address, mobile number, password (hashed) |
| Professional Information | Role (dentist, staff), assigned branches, permissions |
| Profile Data | Avatar/profile image |
3.2 Patient Information (Entered by Clinics)
| Data Category | Examples |
|---|---|
| Identity Data | First name, last name, date of birth |
| Contact Data | Email address, mobile number |
| Clinical Records | Appointment history, treatment notes, procedures performed |
| Dental Records | Odontogram entries (tooth surfaces, conditions, arch type) |
| Medical History | Special conditions, condition categories, medical history notes |
| Financial Records | Invoices, payment records, payment methods, outstanding balances |
| Administrative Data | Assigned branch, patient remarks, account status |
3.3 Information Collected Through Online Booking
When patients use a Clinic's online booking link, we collect:
- Name and contact information provided during the booking process.
- Selected procedure and preferred appointment date/time.
- Any additional information the Clinic has configured for its booking form.
3.4 Technical and Usage Data
| Data Category | Examples |
|---|---|
| Device Information | Browser type and version, operating system, device type |
| Connection Data | IP address, internet service provider |
| Usage Data | Pages visited, features used, session duration, access timestamps |
| Authentication Data | Session tokens, JWT metadata (non-sensitive claims) |
3.5 Data We Do Not Collect
- We do not collect biometric data.
- We do not collect genetic data.
- We do not process credit card numbers directly; payment processing is handled by third-party payment processors.
- We do not collect data from social media profiles unless explicitly provided by the user.
4. How We Use Your Information
4.1 Providing and Operating the Platform
- Authenticating users and managing access through role-based permissions.
- Facilitating appointment scheduling, management, and automated status transitions.
- Maintaining patient dental records, odontograms, and medical histories.
- Generating and managing invoices and tracking payments.
- Delivering notifications related to appointments, tasks, and account activity.
- Processing online appointment bookings.
- Generating analytics and reports for Clinic operations.
- Enabling data exports (appointments, patients, invoices, materials, procedures, staff, payments).
4.2 Platform Improvement and Security
- Monitoring and analyzing usage patterns to improve the Platform.
- Detecting, preventing, and responding to security threats, fraud, and abuse.
- Maintaining audit logs for compliance and security purposes.
- Performing system maintenance, troubleshooting, and technical support.
4.3 Communications
- Sending service-related notifications (e.g., appointment reminders, system updates).
- Responding to support requests and inquiries.
- Providing subscription and billing notifications.
4.4 Legal and Regulatory Compliance
- Complying with applicable laws, regulations, and legal processes.
- Responding to lawful requests from governmental authorities.
- Enforcing our Terms and Conditions and protecting our legal rights.
5. Legal Basis for Processing
We process personal data on the following legal bases, as applicable under the GDPR and equivalent legislation:
| Legal Basis | Application |
|---|---|
| Performance of a Contract (Art. 6(1)(b) GDPR) | Processing necessary to provide the Platform and Services to Clinics and their Authorized Users. |
| Legal Obligation (Art. 6(1)(c) GDPR) | Processing required to comply with healthcare record retention laws, tax obligations, and regulatory reporting requirements. |
| Legitimate Interest (Art. 6(1)(f) GDPR) | Platform security, fraud prevention, service improvement, and aggregated analytics. We conduct balancing tests to ensure our interests do not override the rights of data subjects. |
| Consent (Art. 6(1)(a) GDPR) | Where explicitly obtained for optional processing activities, such as marketing communications. Consent may be withdrawn at any time. |
5.1 Special Categories of Data
Patient clinical and medical history data constitutes special category data under Article 9 of the GDPR. This data is processed under the following exceptions:
- Article 9(2)(h): Processing necessary for the purposes of preventive or occupational medicine, medical diagnosis, the provision of health or social care, or the management of health or social care systems, on the basis of applicable law or a contract with a health professional.
- Explicit consent obtained by the Clinic as Data Controller, where required.
6. Data Sharing and Disclosure
6.1 Sharing Within the Clinic
Patient Data is accessible to Authorized Users within the Clinic based on their assigned roles and permissions:
- Dentists: Full access to patient records, appointments, invoicing, and clinical data within their Clinic.
- Staff: Access as determined by the permissions assigned by the Clinic Administrator (e.g., patient management, appointment scheduling, invoicing).
- Patients: Access to their own account information and, where enabled, their appointment and booking history.
6.2 Third-Party Service Providers
We may share data with third-party service providers who assist us in operating the Platform, including:
| Provider Category | Purpose | Data Shared |
|---|---|---|
| Cloud Infrastructure | Hosting and data storage | All Platform data (encrypted) |
| Payment Processors | Subscription billing | Billing information (not Patient Data) |
| Email/Notification Services | Transactional communications | Email addresses, notification content |
| Analytics Providers | Platform usage analytics | Anonymized and aggregated usage data only |
All third-party service providers are bound by data processing agreements that require them to protect data in accordance with applicable law and to process data only as instructed.
6.3 Legal Disclosure
We may disclose personal data where required by law, regulation, or legal process, including:
- In response to valid court orders, subpoenas, or government requests.
- To comply with mandatory reporting obligations under healthcare regulations.
- To protect the rights, safety, or property of DentEase, our users, or the public.
- In connection with an investigation of suspected fraud, security breach, or illegal activity.
6.4 Business Transfers
In the event of a merger, acquisition, reorganization, or sale of assets, personal data may be transferred to the successor entity. We will provide notice before personal data becomes subject to a different privacy policy.
6.5 Data We Never Sell
We do not sell, rent, or trade personal data or Patient Data to third parties for their marketing or commercial purposes. This commitment applies regardless of jurisdiction.
7. International Data Transfers
7.1 Transfer Mechanisms
Where personal data is transferred outside the country of origin, we ensure adequate protections are in place through one or more of the following mechanisms:
- Adequacy Decisions: Transfers to countries recognized by the European Commission or relevant authority as providing an adequate level of data protection.
- Standard Contractual Clauses (SCCs): EU Commission-approved contractual clauses binding the data importer to protect personal data (Commission Implementing Decision (EU) 2021/914).
- Binding Corporate Rules (BCRs): Where applicable, internal policies approved by supervisory authorities.
- Supplementary Measures: Technical (encryption, pseudonymization), organizational (access controls, data minimization), and contractual measures as recommended by the European Data Protection Board (EDPB Recommendations 01/2020).
7.2 Transfer Impact Assessments
We conduct Transfer Impact Assessments (TIAs) for cross-border data transfers to evaluate:
- The legal framework of the receiving country, including government access to data.
- The effectiveness of the transfer mechanism and supplementary measures.
- The nature and sensitivity of the data being transferred.
7.3 Data Localization
Where required by applicable law (e.g., certain healthcare data residency requirements), we support data localization and will process and store data within the designated jurisdiction.
8. Data Retention
8.1 Retention Periods
| Data Category | Retention Period |
|---|---|
| Patient Clinical Records | Duration of Clinic subscription + minimum period required by applicable healthcare record retention law (typically 7-10 years from last treatment; longer for pediatric records as required by jurisdiction) |
| Account Data (Staff/Dentist) | Duration of Clinic subscription + 90 days post-termination |
| Billing and Financial Records | As required by applicable tax and commercial law (typically 5-7 years) |
| Technical/Usage Logs | 12 months from collection, unless required for ongoing security investigation |
| Audit Logs | 30 days from creation, after which they are automatically purged (Clinics are responsible for exporting records they must retain longer) |
| Online Booking Data | Incorporated into Patient Records upon appointment creation; standalone booking data retained for 90 days |
8.2 Retention Principles
- We retain data only for as long as necessary to fulfill the purposes for which it was collected or as required by applicable law.
- Where multiple retention periods apply, the longest applicable period governs.
- Data is securely deleted or irreversibly anonymized at the end of the applicable retention period.
8.3 Post-Termination Data Handling
Upon termination of a Clinic's subscription:
- The Clinic will have a minimum of 30 days to export all data using the Platform's export functionality.
- Following the export period, data will be retained only as required by applicable healthcare record retention laws.
- After all applicable retention periods have expired, data will be permanently and securely deleted using industry-standard data destruction methods (e.g., cryptographic erasure, NIST SP 800-88 compliant sanitization).
- A certificate of data destruction will be provided upon request.
9. Data Security
9.1 Technical Safeguards
- Encryption in Transit: All data transmitted between users and the Platform is encrypted using TLS 1.2 or higher.
- Encryption at Rest: All stored data is encrypted using AES-256 encryption.
- Access Controls: Role-based access control (RBAC) ensures users can only access data appropriate to their role and permissions.
- Authentication: Secure session-based authentication using JSON Web Tokens (JWT) with access and refresh token mechanisms.
- Database Security: MongoDB access is restricted to authenticated connections with encrypted communication channels.
9.2 Organizational Safeguards
- Staff with access to personal data are bound by confidentiality obligations.
- Regular security awareness training is conducted for all personnel.
- Data protection policies and procedures are reviewed and updated regularly.
- Vendor security assessments are conducted before engaging third-party service providers.
9.3 Operational Safeguards
- Regular automated backups with encryption and geographic redundancy.
- Vulnerability scanning and penetration testing conducted on a regular schedule.
- Incident response plan maintained and tested periodically.
- Change management procedures for all Platform updates.
9.4 Security Incident Response
In the event of a security incident:
- We activate our incident response plan immediately upon detection.
- The incident is contained and investigated.
- Affected Clinics are notified within 72 hours (or sooner if required by applicable law).
- Supervisory authorities are notified as required by applicable regulations.
- A post-incident review is conducted, and corrective measures are implemented.
- A detailed incident report is made available to affected Clinics upon request.
10. Your Rights
10.1 Rights Under the GDPR (EEA/UK)
If you are located in the EEA or UK, you have the following rights under the GDPR:
| Right | Description |
|---|---|
| Right of Access (Art. 15) | Request a copy of the personal data we hold about you. |
| Right to Rectification (Art. 16) | Request correction of inaccurate or incomplete personal data. |
| Right to Erasure (Art. 17) | Request deletion of your personal data, subject to applicable legal retention obligations. |
| Right to Restriction (Art. 18) | Request restriction of processing in certain circumstances. |
| Right to Data Portability (Art. 20) | Receive your personal data in a structured, commonly used, and machine-readable format. |
| Right to Object (Art. 21) | Object to processing based on legitimate interests or for direct marketing purposes. |
| Right to Withdraw Consent (Art. 7(3)) | Withdraw consent at any time where processing is based on consent, without affecting the lawfulness of prior processing. |
| Right Regarding Automated Decisions (Art. 22) | Not be subject to decisions based solely on automated processing that produce legal or similarly significant effects. |
10.2 Rights Under HIPAA (United States)
For individuals whose data is subject to HIPAA, you have the right to:
- Access and obtain a copy of your PHI maintained by the Clinic.
- Request amendments to your PHI.
- Receive an accounting of disclosures of your PHI.
- Request restrictions on certain uses and disclosures of your PHI.
- Request confidential communications.
- File a complaint with the Clinic, DentEase, or the U.S. Department of Health and Human Services (HHS) if you believe your privacy rights have been violated.
Note: These rights are exercised through the Clinic (as the Covered Entity). DentEase, as a Business Associate, will assist the Clinic in fulfilling these requests.
10.3 Rights Under the Data Privacy Act (Philippines)
Under the Data Privacy Act of 2012 (RA 10173), data subjects in the Philippines have the right to:
- Be informed of the collection and processing of personal data.
- Access their personal data.
- Object to processing of personal data.
- Request erasure or blocking of personal data.
- Rectify inaccurate personal data.
- Obtain personal data in an electronic or structured format (data portability).
- File a complaint with the National Privacy Commission (NPC).
- Claim damages for violations of the Act.
10.4 Rights Under Other Jurisdictions
We respect and facilitate data subject rights under all applicable data protection laws, including but not limited to:
- Canada (PIPEDA): Right to access, correct, and challenge compliance.
- Australia (Privacy Act 1988): Right to access, correct, and complain to the Office of the Australian Information Commissioner (OAIC).
- Japan (APPI): Right to disclosure, correction, cessation of use, and complaints to the Personal Information Protection Commission (PPC).
- California (CCPA/CPRA): Right to know, delete, correct, opt-out of sale/sharing, and non-discrimination.
- Brazil (LGPD): Right to confirmation, access, correction, anonymization, portability, deletion, information about sharing, and revocation of consent.
10.5 How to Exercise Your Rights
- Patients: Please contact your dental Clinic directly, as they are the Data Controller of your health information. The Clinic will coordinate with DentEase as necessary.
- Clinic Administrators and Staff: Contact us directly using the information in Section 16.
- We will respond to verified requests within 30 days (or such shorter period as required by applicable law). Complex requests may require an extension of up to 60 additional days, with prior notification.
- We do not charge a fee for processing reasonable requests, except where permitted by applicable law (e.g., manifestly unfounded or excessive requests).
11. Cookies and Tracking Technologies
11.1 Types of Cookies Used
| Cookie Type | Purpose | Duration |
|---|---|---|
| Strictly Necessary | Authentication, session management, security | Session / persistent (as needed for login) |
| Functional | User preferences, locale settings, UI state | Persistent (up to 12 months) |
| Analytics | Aggregated usage statistics and Platform performance | Persistent (up to 12 months) |
11.2 Cookie Consent
- Strictly necessary cookies are used without consent, as they are essential for Platform operation.
- Functional and analytics cookies are used based on your preferences, which you may manage through the Platform's cookie settings.
- We do not use advertising or third-party tracking cookies.
11.3 How to Control Cookies
You may control cookies through:
- The Platform's cookie preference settings (where available).
- Your browser settings (note: disabling essential cookies may impair Platform functionality).
12. Children's Privacy
- The Platform is designed for use by dental professionals and adult patients. We do not knowingly collect personal data directly from children under the age of 18 (or the applicable age of majority).
- Where Clinics enter Patient Data for minors, the Clinic is responsible for:
- Obtaining verifiable parental or guardian consent as required by applicable law.
- Complying with the Children's Online Privacy Protection Act (COPPA) for patients under 13 in the United States.
- Complying with GDPR Article 8 for children in the EEA, where the applicable member state age of consent for data processing applies.
- Complying with equivalent provisions under other applicable laws.
- DentEase processes minor patient data solely on the instructions of the Clinic and in accordance with the applicable Data Processing Agreement or Business Associate Agreement.
13. Automated Decision-Making and Profiling
13.1 Automated Processing
The Platform uses automated processing in the following limited contexts:
- Appointment Status Transitions: Appointments are automatically updated (e.g., marked as completed) based on configured time thresholds and clinic schedules. These are administrative actions that do not involve profiling or produce legal effects on individuals.
- Notification Generation: Automated notifications are generated based on appointment schedules, task assignments, and system events.
- Subscription Management: Subscription status changes (e.g., trial expiration, plan renewals) are processed automatically.
13.2 No Profiling for Clinical Decisions
We do not use automated decision-making or profiling for:
- Clinical treatment decisions.
- Patient risk assessments or diagnoses.
- Determining access to healthcare services.
- Any decision that produces legal or similarly significant effects on individuals.
14. Data Portability and Interoperability
14.1 Data Export
Clinics may export their data at any time through the Platform's export functionality. Supported export formats include structured data files suitable for import into other systems.
Available exports include:
- Patient records
- Appointment history
- Invoice and payment records
- Procedure records
- Material inventory
- Staff records
14.2 Healthcare Interoperability Standards
We are committed to supporting healthcare data interoperability and work toward alignment with recognized standards, including:
- HL7 FHIR (Fast Healthcare Interoperability Resources): For structured clinical data exchange where applicable.
- ICD-10 / ICD-11: For classification coding compatibility in clinical records.
- ISO 27799:2016: Information security management in health, supplementing ISO/IEC 27001.
15. Changes to This Privacy Policy
- We may update this Privacy Policy from time to time to reflect changes in our practices, the Platform, or applicable law.
- Material changes will be communicated at least 30 days in advance via:
- A prominent notice within the Platform.
- Email notification to Clinic Administrators.
- The "Last Updated" date at the top of this document will be revised accordingly.
- Continued use of the Platform after the effective date of any changes constitutes acceptance of the updated Privacy Policy.
- Previous versions of this Privacy Policy are available upon request.
16. Contact Information
Data Protection Inquiries
For questions, concerns, or requests regarding this Privacy Policy or our data protection practices:
DentEase Molawan Road, Patag, Kauswagan, Cagayan de Oro City, Mindanao, Philippines 9000 Email: dentease.business@gmail.com General Support: dentease.business@gmail.com
Data Protection Officer
For matters requiring the attention of our Data Protection Officer (DPO):
Email: dentease.business@gmail.com
Supervisory Authorities
If you are not satisfied with our response to your inquiry or complaint, you have the right to lodge a complaint with the relevant supervisory authority in your jurisdiction, including but not limited to:
- Philippines: National Privacy Commission (NPC) -- https://www.privacy.gov.ph
- EEA: Your local Data Protection Authority (DPA) as listed at https://edpb.europa.eu/about-edpb/about-edpb/members_en
- United Kingdom: Information Commissioner's Office (ICO) -- https://ico.org.uk
- United States: U.S. Department of Health and Human Services (HHS), Office for Civil Rights -- https://www.hhs.gov/ocr
- Canada: Office of the Privacy Commissioner of Canada (OPC) -- https://www.priv.gc.ca
- Australia: Office of the Australian Information Commissioner (OAIC) -- https://www.oaic.gov.au
- Japan: Personal Information Protection Commission (PPC) -- https://www.ppc.go.jp
17. Jurisdiction-Specific Disclosures
17.1 California Residents (CCPA/CPRA)
In the preceding 12 months:
- Categories of personal information collected: Identifiers, professional/employment information, internet/electronic activity, health information (as entered by Clinics).
- Business purpose for collection: Providing the Platform and Services, security, and legal compliance.
- Sale of personal information: We do not sell personal information as defined under the CCPA/CPRA.
- Sharing for cross-context behavioral advertising: We do not share personal information for cross-context behavioral advertising.
California residents may exercise their rights under the CCPA/CPRA by contacting us at dentease.business@gmail.com.
17.2 Philippines Residents
In accordance with the Data Privacy Act of 2012:
- Our registration with the National Privacy Commission is maintained as required.
- We comply with the mandatory breach notification requirements under NPC Circular 16-03.
- Data subjects may file complaints directly with the NPC as provided under Section 16 of RA 10173.
17.3 Brazil Residents (LGPD)
- We appoint a Data Protection Officer (Encarregado) reachable at dentease.business@gmail.com.
- Processing is based on the legal bases outlined in Article 7 and Article 11 of the LGPD.
- International data transfers follow the provisions of Articles 33-36 of the LGPD.
18. Compliance Framework Summary
DentEase maintains its privacy and data protection program in alignment with the following standards and regulations:
| Standard / Regulation | Scope |
|---|---|
| HIPAA (United States) | Protected Health Information |
| GDPR (EU/EEA) | Personal data of EEA residents |
| UK GDPR / DPA 2018 | Personal data of UK residents |
| Data Privacy Act 2012 (Philippines) | Personal data of Philippine residents |
| PIPEDA (Canada) | Personal data in commercial activities |
| Privacy Act 1988 (Australia) | Personal data under APPs |
| APPI (Japan) | Personal information of Japanese residents |
| CCPA/CPRA (California) | Personal information of California consumers |
| LGPD (Brazil) | Personal data of individuals in Brazil |
| ISO/IEC 27001 | Information security management (alignment) |
| ISO 27799:2016 | Health informatics security (alignment) |
| NIST Cybersecurity Framework | Security controls and risk management (alignment) |
By using the DentEase platform, you acknowledge that you have read, understood, and agree to the practices described in this Privacy Policy.