Privacy Policy
Effective date: April 16, 2026 · Last Updated: 11-May-2026
This Privacy Policy is drafted in English. Translations are provided for convenience only; in the event of any inconsistency between the English version and a translation, the English version prevails.
Legal Entity: FETOSOFT DOOEL
Address: Goce Delchev 2/32, 1300 Kumanovo, North Macedonia
SaaS Product: Dentare - https://dentare.io
FETOSOFT DOOEL ("we", "us", or "our") operates the Dentare platform and the dentare.io website (collectively, the "Service"). This Privacy Policy explains how we collect, use, disclose, and protect personal data when you use our Service, including payment processing handled by Lemon Squeezy, integrations with Google services, and WhatsApp messaging via the Meta WhatsApp Business Cloud API. By using the Service, you agree to this Privacy Policy.
0) Our role: when we act as controller, and when as processor
Dentare is a business-to-business service for dental clinics. The personal data flowing through the Service falls into two categories with different legal roles:
- Clinic account & billing data — Dentare is the controller. When a dental clinic registers on Dentare, we collect and process data about the clinic and its Authorized Users (the clinic owner, doctors, receptionists, administrators) in order to provide the Service to the clinic. For this data we act as the data controller under the GDPR and equivalent laws. This Privacy Policy explains in detail how we process that data.
- Patient data — Dentare is the processor; the clinic is the controller. When a clinic uses the Service to manage its patients (registering them, booking appointments, sending reminders, etc.), the patient personal data is collected and processed on the clinic's behalf, on the clinic's documented instructions, and for the clinic's purposes. For this data the clinic is the data controller and Dentare is the data processor. The processor-side terms are governed by the Dentare Data Processing Addendum, which is incorporated by reference into the agreement between the clinic and Dentare.
Patients with questions about how their data is processed should contact their dental clinic, not Dentare. The clinic, as data controller, is responsible for responding to data-subject requests in respect of patient records. Dentare will assist its clinic customers in fulfilling such requests as required by Article 28 GDPR and the DPA.
1) Information We Collect
a) Personal Data you provide
Data we collect about clinics and their Authorized Users (Dentare = controller):
- Clinic owner and Authorized User account data — first name, last name, email, phone, role, login credentials
- Billing and tax-residency details — address, city, postal code, country, VAT/tax ID where required by Lemon Squeezy
- Support and product communications — content of messages you send us, preferences, in-product feedback, newsletter consent records
- Marketing/analytics signals — limited to what is described in §1(b) and §1(c), and only where allowed by your cookie-consent choices
- Sales and access requests: when you submit the Request Access or contact form, this is your name, work email, clinic name, country, plan of interest, and any optional phone number or message you choose to add.
Sales and access requests. When you contact us through the Request Access or contact form, we use these details to respond to and follow up on your enquiry and, if you decide to proceed, to set up your clinic. Our lawful basis is your consent (Article 6(1)(a) GDPR), which you give by ticking the consent box on the form; you can withdraw it at any time by contacting us. A confirmation copy is sent to the email address you provide, and your message is delivered through our email sub-processor listed in §6. We keep these request records for up to 12 months after our last contact about the request; if the request leads to a clinic account, the data is then retained under the account retention rules in §8. You can ask us to access or erase this data at any time, as described in §10.
Data we process on behalf of clinics about their patients (Dentare = processor):
- Patient identity — name, contact details (email, phone), date of birth, and where applicable a national/personal identification number, all as entered or imported by the clinic
- Appointment metadata — bookings, statuses, reminders, no-show records, scheduling notes the clinic writes
- Communication records — SMS, email, and WhatsApp messages sent on the clinic's behalf, as described in the dedicated subsections of this Policy
- Any additional fields the clinic chooses to populate within the features Dentare makes available to that clinic in its country (see Terms §23 for country-based feature gating). V1 of Dentare does not store clinical records (diagnoses, treatment plans, lab results, X-rays, etc.); the features that would process such data are disabled at this stage of the product.
Where this Policy describes our processing of patient data (e.g. retention, security measures, sub-processor flows), we are describing how we discharge our obligations as a processor on the clinic's behalf. The clinic remains the controller and the relationship is governed by the Dentare Data Processing Addendum.
SMS & Phone Numbers: When a clinic enables SMS notifications, patient phone numbers are used to send appointment confirmations, reminders, and status updates via third-party SMS delivery providers. Phone numbers are stored alongside SMS message records for delivery tracking and audit purposes.
Email & Email Addresses: When a clinic sends appointment confirmation emails through Dentare, the patient's email address, the email subject, message content (HTML and plain text), and delivery metadata (delivery status, provider message ID, timestamps) are stored as email message records for delivery tracking, audit, and compliance purposes. Emails are delivered via a third-party transactional email provider (Postmark, operated by ActiveCampaign, LLC). Postmark may process open and click tracking data when enabled by the clinic.
WhatsApp & Phone Numbers: When a clinic enables WhatsApp notifications, patient phone numbers are used to send appointment confirmations and reminders via the Meta WhatsApp Business Cloud API. WhatsApp message records - including the recipient phone number, template name, message type (confirmation or reminder), delivery status (accepted, sent, delivered, read, or failed), Meta message ID (wamid), conversation metadata (conversation ID, type, and pricing model), and timestamps - are stored for delivery tracking, audit, and compliance purposes. Messages are delivered by Meta Platforms, Inc. using pre-approved message templates only. Each clinic maintains its own WhatsApp Business Account (WABA) and credentials; Dentare acts as a technology provider facilitating message delivery on behalf of the clinic.
Payments: We use Lemon Squeezy, LLC as our merchant of record. Card and payment details are processed securely by LemonSqueezy; we do not store full card numbers on our systems.
b) Automatically collected (Usage Data)
- IP address, device and browser type/version
- Pages visited, timestamps, session duration
- Diagnostic and performance data
c) Cookies & Tracking
We use cookies and similar technologies to operate and improve the Service. You can control cookies via your browser settings; some features may not function without them.
- Session Cookies – required for login and core functionality
- Preference Cookies – remember language and settings
- Security Cookies – help prevent fraud and abuse
- LemonSqueezy Cookies – enable checkout, tax/VAT handling, and fraud prevention
- Google Analytics Cookies – collect usage statistics to improve performance
- Kiosk Device Token (kiosk_device_token) – a signed, HTTP-only cookie used to identify registered kiosk devices. Set only when a clinic administrator enables Kiosk Mode on a shared device.
Third-party analytics on clinic public pages
Individual dental clinics may install Google Analytics 4 (GA4) or Google Tag Manager (GTM) on their public booking page at dentare.io/c/<clinic-slug>. These tags are configured by the clinic in their Dentare settings and render only on that public page — never on widgets embedded in third-party websites.
- GDPR-applicable clinics (EU, EEA, UK, Switzerland, Western Balkans): tracking does not begin until the visitor accepts the cookie banner on the public page. Google Consent Mode v2 defaults are set to denied for all storage categories.
- Non-GDPR clinics: tracking begins on page load.
Where these tags are installed, the clinic acts as the data controller for any data collected through its own analytics installation. Dentare provides the rendering surface and the consent-gating mechanism, but does not access, store, or process the data the clinic's GA4 / GTM property collects. Visitors may opt out via the cookie banner (where applicable) or via browser-level tracking protection.
d) Sign-in Activity & Account Security Data
To protect your account, Dentare automatically logs authentication events each time you sign in or attempt to sign in. The following data is collected:
- IP address - the network address from which the sign-in attempt originates.
- User-agent string - browser name, version, and operating system (truncated to 256 characters for data minimization).
- Device fingerprint - a one-way hash derived from your browser and operating system, used to identify new or unrecognized devices. The original values cannot be reconstructed from the hash.
- Event type - whether the sign-in was successful, failed, blocked, or involved two-factor authentication.
- Timestamp - date and time of the event.
Lawful basis: Legitimate interest in account security and fraud prevention (GDPR Art. 6(1)(f)).
IP geolocation: When you sign in, Dentare looks up your IP address against a locally stored geolocation database (MaxMind GeoLite2) to determine your approximate city and country. This lookup is performed entirely on our servers - no data is sent to any third-party geolocation service. The resulting city, country, and approximate coordinates are stored alongside the sign-in event record.
Trusted devices: Dentare maintains a list of devices you have successfully signed in from. Each device is identified by a one-way hash (SHA-256) of your browser name, major version, and operating system. The following metadata is stored for each trusted device: device label (e.g. “Chrome on macOS”), last sign-in IP address, last city, last country, and last seen timestamp. You can view and remove trusted devices at any time via Settings → Trusted Devices.
Risk scoring & suspicious sign-in detection: Each successful sign-in is automatically scored for risk based on multiple signals: whether the device is new, whether the IP or country is new, whether the location change is physically implausible (“impossible travel”), recent failed sign-in attempts, unusual sign-in hours, and whether two-factor authentication is enabled. This scoring is performed entirely by automated logic on our servers with no human review. If a sign-in is scored as high or critical risk, a “suspicious sign-in” email is sent with “Was this you?” verification buttons (valid for 72 hours). If you confirm the sign-in was not you, all your active sessions are immediately invalidated. You have the right to contest any automated decision under GDPR Art. 22.
New device notifications: When a sign-in is detected from a device you have not used before and the risk level is not high or critical (in which case a suspicious sign-in email is sent instead), Dentare sends a security notification email to your registered email address. To prevent spam, a maximum of one security email (new device or suspicious sign-in) is sent per 24-hour period. You can opt out of security notification emails via your profile settings; transactional emails (password resets, email confirmations) cannot be disabled.
Active session tracking: Dentare tracks your active browser sessions to allow you to view and manage them. For each session, we store: a one-way hash (SHA-256) of the session identifier, IP address, user-agent string (truncated), device label, approximate city and country (from local IP geolocation), and last activity timestamp. Session records are automatically deleted after 30 days of inactivity via a daily cleanup job. You can view and revoke your active sessions at any time via Settings → Active Sessions.
Account lockout: After 10 consecutive failed sign-in attempts, your account is temporarily locked for 30 minutes as a brute-force protection measure. Additionally, if 3 or more sign-ins scored as critical risk occur within 1 hour, your account is automatically locked as a precautionary measure. You will receive an email with instructions to unlock your account.
Retention: Sign-in event records are automatically deleted after 1 year. Trusted device records are retained while active (last seen within 90 days) and removed when you delete them or upon account deletion. Active session records are deleted after 30 days of inactivity.
Your rights: You can view your sign-in history via Settings → Sign-in Activity, manage trusted devices via Settings → Trusted Devices, view and revoke active sessions via Settings → Active Sessions, and access a security overview via Settings → Security.
f) Shared Device (Kiosk) Security Data
If your clinic enables Kiosk Mode on a shared device, Dentare collects additional data to secure the lock screen and audit access:
- Device token - a randomly generated identifier stored as a signed, HTTP-only cookie (kiosk_device_token) to recognize registered kiosk devices.
- PIN authentication - staff PINs are hashed using bcrypt before storage. Plain-text PINs are never stored or logged.
- Security audit events - each lock, unlock, lockout, and kiosk enable/disable action is logged with the event type, timestamp, acting user ID, target user ID, device identifier, IP address, and a truncated user-agent string (maximum 128 characters). These records do not contain the PIN itself.
- Lockout state - failed PIN attempt count, lockout stage, and lockout expiry timestamp are stored per user to enforce progressive lockout protection.
g) Notification Preferences & Consent Audit Trail
SMS and WhatsApp notifications are disabled by default for all patients and require explicit opt-in before any messages are sent. Email notifications are also disabled by default. Clinics are responsible for obtaining and recording patient consent before enabling any notification channel.
When a patient's notification preferences are updated (e.g., SMS, WhatsApp, or Email opt-in or opt-out), Dentare logs the change for consent audit purposes. Each log entry records:
- The preference field that was changed (e.g., SMS notifications, WhatsApp notifications)
- The previous and new values
- The user who made the change (clinic staff member or system)
- The timestamp of the change
- The source of the change (user interface, API, patient registration, or system)
- The IP address of the request
These consent audit logs are retained for the lifetime of the patient record and are accessible to clinic administrators. They are used to demonstrate consent as required by GDPR Art. 7(1). Phone numbers in notification pipeline audit logs are masked (e.g., +389****3456) to minimize personal data exposure.
WhatsApp delivery confirmation (tracking whether a message was successfully delivered to the patient's device) is recorded separately from consent. Delivery confirmation does not constitute or replace patient opt-in consent.
h) Account Owner Email Preferences
Account owners may receive product emails including security recommendations (e.g., enabling two-factor authentication) and feature tips (e.g., Kiosk Mode setup). These emails are sent in the owner's preferred language and are enabled by default under legitimate interest (account security and service improvement, GDPR Art. 6(1)(f)). Owners can opt out at any time via their profile settings. Transactional emails (password resets, email confirmations, account invitations) cannot be disabled as they are necessary for service operation.
2) How We Use Your Data
- Provide, operate, and maintain Dentare
- Process payments and subscriptions via LemonSqueezy
- Customize and improve features, performance, and security
- Communicate about updates, changes, and support
- Send product and security recommendation emails to account owners (e.g., two-factor authentication setup, feature discovery), delivered in the owner's preferred language and subject to their email preferences
- Send SMS notifications on behalf of clinics (appointment confirmations, reminders, and status updates) to patient phone numbers
- Send transactional emails on behalf of clinics (appointment confirmations) to patient email addresses, and track delivery status for audit and compliance
- Send WhatsApp notifications on behalf of clinics (appointment confirmations and reminders) to patient phone numbers via the Meta WhatsApp Business Cloud API, and track delivery status for audit and compliance
- Monitor usage, troubleshoot, and prevent fraud or abuse
- Monitor and audit kiosk access events to detect unauthorized access and enforce lock-screen security policies
- Comply with legal obligations
3) Use of Google API Services & Google User Data
Dentare integrates with Google services using Google OAuth 2.0 authentication and Google API Services. Our use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
For details on how Google collects and processes your data, see Google's Privacy Policy.
a) Google Sign-In (Identity Only)
When you sign in with Google, Dentare requests only the following identity scopes:
- openid - to verify your identity
- email - your email address, used for account authentication and communication
- profile - your name, used for display within Dentare
Google Sign-In is used solely for authentication. No additional Google data is accessed during login.
b) Optional Google Integrations (Incremental Authorization)
Dentare offers optional features that require additional Google permissions. These permissions are never requested during login. They are requested only when you explicitly activate a specific feature, and you may deny any or all of them without affecting your ability to use Dentare's core functionality.
When you activate an optional feature, Dentare uses Google's incremental authorization mechanism to request only the additional permissions needed for that feature. Previously granted permissions are preserved.
Google Calendar Integration
If you choose to enable appointment synchronization with Google Calendar, Dentare requests:
- Google Calendar read/write (googleapis.com/auth/calendar) - to create, update, and delete appointment events in your Google Calendar on your behalf
- Calendar list access (googleapis.com/auth/calendar.calendarlist) - to let you choose which calendar Dentare syncs appointments to
Calendar data is used exclusively to synchronize Dentare appointments with your Google Calendar. Calendar data is not used for any other purpose, is not shared with other Dentare users or tenants, and is not used for advertising, analytics, or AI/ML training.
Granular Permissions
Google allows you to grant or deny individual permissions. If you deny a permission that is required for a specific feature, that feature will be unavailable, but all other Dentare functionality will continue to work normally. You may grant denied permissions at any time by re-activating the feature.
c) How We Use Google User Data
- Authenticate users securely via Google Sign-In
- Display your name and email within the Dentare platform
- Synchronize appointments between Dentare and Google Calendar (only if you have granted Calendar permissions)
- Display calendar availability within the Dentare platform (only if Calendar sync is enabled)
Google user data is used only to provide or improve user-facing features that are visible and prominent in Dentare's interface. Specifically:
- We do not sell, rent, or lease Google user data to third parties.
- We do not use Google user data for serving advertisements, including retargeting, personalized, or interest-based advertising.
- We do not use Google user data to develop, train, or improve generalized artificial intelligence or machine learning models.
- We do not transfer Google user data to third parties unless: (a) it is necessary to provide or improve user-facing features, (b) you provide explicit, affirmative consent, (c) it is necessary for security purposes (e.g., investigating abuse), or (d) it is required to comply with applicable law.
- Human review of Google user data is limited to security investigations, compliance with law, or when the user has provided affirmative consent for a specific purpose.
d) Token Storage & Security
When you connect your Google account, Dentare stores the following data securely on our servers:
- Your Google account identifier (subject ID)
- An OAuth access token (short-lived, used to interact with Google APIs on your behalf)
- An OAuth refresh token (if offline access is granted, used to maintain your connection when you are not actively using Dentare)
- A record of which Google permissions (scopes) you have granted
- The access token expiration timestamp
All tokens are encrypted at rest and stored server-side only. Tokens are never exposed to client browsers, embedded in URLs, or logged in plaintext. Access to stored tokens is restricted to automated systems that require them to perform Google API operations on your behalf.
Offline access (refresh tokens) is requested only when persistent synchronization is needed (e.g., Calendar sync). If you do not activate features requiring offline access, no refresh token is stored.
e) Data Retention & Deletion
- Access tokens - retained while your Google account is connected. Automatically refreshed when they expire. Deleted immediately when you disconnect your Google account or when Google revokes your tokens.
- Refresh tokens - retained while your Google account is connected and the associated feature (e.g., Calendar sync) is active. Deleted immediately upon disconnection, account deletion, or Google-initiated token revocation.
- Granted scopes record - retained while your Google account is connected. Deleted upon disconnection or account deletion.
- Cached Google metadata (e.g., calendar list) - retained only while actively needed for feature functionality. Deleted within 30 days of disconnection or account deletion.
f) Cross-Account Protection (Security Events)
Dentare participates in Google's Cross-Account Protection program. This means Google may notify Dentare of security events affecting your Google account. When we receive such notifications, we take the following actions to protect your account:
- Sessions revoked: If Google reports that your Google sessions have been revoked (e.g., you changed your Google password or reported a compromised account), Dentare will immediately terminate all of your active Dentare sessions. You will need to sign in again.
- Tokens revoked: If Google reports that your OAuth tokens have been revoked, Dentare will immediately delete your stored access and refresh tokens. Features that depend on Google permissions (e.g., Calendar sync) will be suspended until you re-authorize.
- Account disabled: If Google reports that your Google account has been disabled, Dentare will delete your stored tokens and deactivate your Dentare account. Contact us at [email protected] to resolve this.
These actions are taken automatically to protect your account security. Security event audit records are retained for up to 3 months and then permanently deleted.
g) Compliance with Google API Services User Data Policy
Dentare's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
4) Payment Processing (LemonSqueezy)
We use Lemon Squeezy, LLC as our merchant of record and payment processor. For details, please review LemonSqueezy's Privacy Policy.
Lemon Squeezy serves a dual role: as Merchant of Record they act as an independent data controller for tax and payment compliance (handling our sales tax, fraud detection, and chargeback procedures); for the operational subscription data we send them (clinic name, plan tier, billing email), they act as our processor under their Data Processing Addendum. See §6 for the sub-processor entry covering the latter role.
4b) Partner Program
If you are invited to and accept participation in the Dentare Partner Program, we additionally process:
- Partner identity – legal name, country, address, tax ID, and (where applicable) VAT ID, for contract-performance and tax-compliance purposes.
- Financial data – bank account number, IBAN, SWIFT/BIC, or alternative payout identifier (PayPal email, Wise tag), encrypted at rest; used solely to settle your earnings.
- Earnings and payout records – amount, currency, tax withheld, tax policy snapshot, payment method, and settlement reference, retained for the duration of the partnership plus the minimum period required by Macedonian tax law.
- Terms acceptance snapshot – version accepted, country bundle, locale, timestamp, and the IP address / user-agent used at acceptance, retained as an audit record.
Tax withholding (MK domestic partners): where required by the Law on Personal Income Tax, we withhold personal income tax from gross earnings and remit it to the Public Revenue Office on your behalf. Each payout statement shows gross, withheld, and net amounts.
EU / EEA partners: we do not withhold tax. Where you supply a valid VAT ID, reverse-charge VAT treatment under Article 196 of Council Directive 2006/112/EC is applied. You remain responsible for your own tax reporting.
Lawful basis: Contract (Art. 6(1)(b) GDPR) for the financial data required to fulfil the partnership; Legal Obligation (Art. 6(1)(c)) for tax records; Legitimate Interest (Art. 6(1)(f)) for anti-fraud and audit logging.
5) Legal Bases (GDPR, where applicable)
- Contract – to provide the Service you requested
- Legitimate Interests – to secure and improve the Service, including sign-in activity tracking, new-device detection, account lockout on repeated failed attempts, kiosk lock-screen security, progressive lockout enforcement, security audit logging, and security/feature recommendation emails to account owners
- Consent – for optional Google integrations (e.g., Calendar sync), analytics cookies, SMS notifications, WhatsApp notifications, and transactional email communications to patients, which you may grant or withdraw at any time
- Legal Obligation – to meet tax and regulatory requirements
Patient Self-Registration — Country-Based Data Minimization
Dentare offers clinics an optional public QR patient self-registration form, accessible without authentication at a clinic-specific URL. When a prospective patient submits this form, their data is processed under GDPR Art. 6(1)(b) — pre-contractual steps taken at the request of the data subject, and the resulting record is held pending clinic review and approval.
Because this form is accessible to unauthenticated users, Dentare applies data minimization based on the jurisdiction configured for the clinic. Which fields the form collects depends on the clinic's country:
- Clinics in the Western Balkans (North Macedonia, Albania, Kosovo, Serbia, Montenegro, Bosnia & Herzegovina): the full form may be offered, including general identity, contact details, emergency contact, insurance details, and — at the clinic's configuration — basic health information such as blood type, allergies, and relevant medical history.
- Clinics in the European Union, European Economic Area, United Kingdom, Switzerland, Turkey, Moldova, and other GDPR or GDPR-equivalent jurisdictions: the form is offered in a minimal variant. It collects only identity, contact details, and appointment-request information. Health data (blood type, allergies, medical history), national identifiers (personal numbers), insurance details, and emergency contact information are not collected via the public form in these jurisdictions. Such data, when needed, is collected in-clinic after the care relationship is established, under GDPR Art. 9(2)(h) — provision of health care.
- Clinics in the United States: the public QR patient self-registration form is offered in an ultra-minimal variant that collects only the patient's name, email, and phone number. No date of birth, gender, health data, national identifiers, insurance details, emergency contact information, or appointment-context fields are collected via the public form. Dentare does not hold HIPAA Business Associate Agreements with its subprocessors and therefore does not collect Protected Health Information on public, unauthenticated surfaces in US jurisdictions. Clinical features that would process Protected Health Information (such as visits, lab, X-ray, before/after images, offers, payments, fiscalization, guarantees, patient timeline, patient portal, patient API, and CSV import) are not available to US clinics.
- Clinics in other countries not explicitly mapped: Dentare applies the same minimal variant as in GDPR jurisdictions by default, as a precautionary measure.
This minimization is enforced automatically by Dentare on the server side — fields restricted by a clinic's jurisdiction cannot be submitted even via direct API calls. The mapping from country to available fields is available in Dentare's internal country feature-gating configuration and may change as regulations evolve or as additional certifications are obtained. See also our Terms & Conditions, Section 21 (Regional Availability & Country-Based Feature Gating).
6) Sharing & Disclosure
- Service providers under confidentiality and data protection commitments
- Authorities when required by law
- Business transfers in the event of a reorganization or merger
Google user data is not shared with any third parties except as described in Section 3(g) (compliance with Google API Services User Data Policy).
Service Providers & Subprocessors
We use the following service providers to operate the Service. Each provider processes personal data only as necessary to provide their specific function and is bound by contractual data protection obligations. The "DPA" links below point to each provider's Data Processing Agreement (or equivalent Article 28 GDPR terms), which governs how that provider processes personal data on our behalf.
EU clinics requiring a controller-processor agreement under GDPR Art. 28 can review and accept Dentare's Data Processing Addendum, which is incorporated by reference into Dentare's Terms of Service and references this Subprocessor list as its single source of truth.
- The Constant Company, LLC (Vultr) — Cloud hosting (compute, PostgreSQL, application servers, and object storage of patient-uploaded files). Data residency: Amsterdam, Netherlands. International transfer covered by EU Standard Contractual Clauses (Module 2: Controller to Processor + Module 3: Processor to Processor) (UK IDTA included; Swiss FADP modifications included).
- Cloudflare, Inc. (Cloudflare) — DNS, CDN, DDoS protection, bot mitigation, and object storage (Cloudflare R2). Data residency: EU edge nodes + R2 in EU region. International transfer covered by EU Standard Contractual Clauses (Module 2: Controller to Processor + Module 3: Processor to Processor) (UK IDTA included; Swiss FADP modifications included).
- ActiveCampaign, LLC (Postmark) — Transactional email delivery (appointment confirmations on behalf of clinics). Data residency: United States. International transfer covered by EU Standard Contractual Clauses (Module 2: Controller to Processor + Module 3: Processor to Processor) (UK IDTA included).
- CommPeak Ltd. (CommPeak) — SMS message delivery for appointment reminders (where SMS is enabled). Data residency: Cyprus, EU.
- Meta Platforms Ireland Limited (WhatsApp Business) — WhatsApp Business message delivery via template-only messages (where WhatsApp is enabled). Data residency: Ireland + United States (Meta routes through both). International transfer covered by EU Standard Contractual Clauses (Module 2: Controller to Processor + Module 3: Processor to Processor) (UK IDTA included).
- Lemon Squeezy, LLC (Lemon Squeezy) — Subscription billing as Merchant of Record (paid plans, invoices, VAT/sales-tax handling). Data residency: United States. International transfer covered by EU Standard Contractual Clauses (Module 2: Controller to Processor + Module 3: Processor to Processor) (UK IDTA included).
- Honeybadger Industries LLC (Honeybadger) — Application error monitoring (PII filtered before transmission; no patient data is logged intentionally). Data residency: United States. International transfer covered by EU Standard Contractual Clauses (Module 2: Controller to Processor).
- MaxMind, Inc. (MaxMind) — IP-geolocation database (GeoLite2). Lookup runs locally on Dentare servers; no personal data is transmitted to MaxMind. Data residency: United States (no PII transmitted — lookup runs locally). International transfer covered by EU Standard Contractual Clauses (Module 2: Controller to Processor).
- Google Ireland Limited (Google) — OAuth authentication, Google Calendar synchronization, Cross-Account Protection (RISC), and Workspace email. Data residency: Multi-region (data localization per Google Workspace tier). International transfer covered by EU Standard Contractual Clauses (Module 2: Controller to Processor + Module 3: Processor to Processor) (UK IDTA included).
7) International Transfers
Dentare's primary application infrastructure is hosted within the European Union. The full list of sub-processors and their data-processing locations is set out in the Service Providers & Subprocessors section above.
Some of those sub-processors are established in the United States or rely on US-based infrastructure (e.g. Postmark for transactional email, Honeybadger for error monitoring, Google for OAuth and Calendar APIs). For any transfer of personal data outside the EU/EEA we rely on the following safeguards as required by Articles 44–46 of the GDPR:
- EU-US Data Privacy Framework (EU-US DPF). For sub-processors that are self-certified under the EU-US DPF (and the UK Extension / Swiss-US DPF, where applicable), we rely on the European Commission's adequacy decision of 10 July 2023. We verify a sub-processor's certification on the Data Privacy Framework List before relying on it as the transfer mechanism.
- EU Standard Contractual Clauses (SCCs). Where a sub-processor is not DPF-certified, or where DPF coverage does not extend to the specific transfer, we rely on the European Commission's 2021 SCCs (Module 2 controller-to-processor or Module 3 processor-to-processor as applicable), supplemented by additional technical and organizational measures where required following the Schrems II judgment.
- UK Addendum and Swiss equivalents. For transfers from the UK, the UK International Data Transfer Addendum (IDTA) supplements the SCCs. For transfers concerning Swiss data, the equivalent Swiss FADP mechanisms apply.
Each sub-processor's Data Processing Agreement linked in the Service Providers & Subprocessors section sets out the specific transfer mechanism that sub-processor relies on.
8) Data Retention
We retain personal data only as long as necessary to provide the Service and comply with legal obligations. Retention differs depending on whether Dentare is acting as a controller or as a processor on a clinic's behalf (see §0).
Data we hold as controller (clinic account data):
- Clinic account data - first name, last name, email, phone, role, login credentials: retained for the lifetime of the clinic Account; deleted within 30 days of Account closure, except where a longer retention period is required by law.
- Billing and tax records - invoices, payment records, tax-relevant data, and the limited identity information attached to them: retained for the period required by applicable tax and accounting law in North Macedonia (typically 7 years, and up to 10 years for certain document categories). After the legal retention period expires we delete or irreversibly anonymize these records.
- Google user data - retained only while your Google account is connected to Dentare; deleted within 30 days of disconnection or account deletion.
- Newsletter subscriber data - retained per §11 (locked clause).
Data we process as processor on a clinic's behalf (patient data):
- Patient records and appointment data - retained for as long as the clinic instructs us to retain them, by keeping the records in the Service. The clinic, as data controller, is responsible for determining the appropriate retention period under its own legal and professional obligations and may delete patient records at any time through the Service. On termination of the clinic's Account, patient data is handled in accordance with Terms §22a (30-day export window followed by deletion within 90 days unless a legal hold applies).
Operational / security data (held by Dentare for the integrity of the Service):
- SMS message records - message metadata (recipient number, delivery status, cost, timestamps) is retained for 12 months from the send date for audit, billing, and compliance purposes; automatically deleted thereafter. Inbound webhook payloads (delivery receipts from SMS providers) are deleted within 7 days of processing.
- Email message records - message metadata (recipient email address, subject, delivery status, provider message ID, timestamps) and message content (HTML and plain text) are retained for 12 months from the send date for audit and compliance purposes; automatically deleted thereafter via a daily cleanup job. Inbound webhook payloads (delivery status events from Postmark) are deleted within 7 days of processing.
- WhatsApp message records - message metadata (recipient phone number, template name, message type, delivery status, Meta message ID, conversation metadata, timestamps) is retained for 12 months from the send date for audit, billing, and compliance purposes; automatically deleted thereafter. Inbound webhook payloads (status updates from Meta) are deleted within 7 days of processing.
- Usage/analytics data - retained in aggregated, anonymized form; raw logs are deleted within 90 days.
- Notification consent audit logs - records of notification preference changes (field changed, previous/new value, acting user, timestamp, source, IP address) are retained for the lifetime of the patient record for GDPR consent demonstration purposes; deleted upon patient record deletion or account closure.
- Sign-in activity events - sign-in attempt records (IP address, truncated user-agent, device hash, event type, geolocation, risk score, timestamp) are retained for 1 year from creation; automatically deleted thereafter via a daily cleanup job.
- Trusted device records - device hash, label, last IP, last city/country, and timestamps are retained while the device is active (seen within 90 days); removed on user request or account deletion.
- Active session records - session hash, IP, user-agent, device label, city/country, and last activity timestamp are retained for 30 days of inactivity; automatically deleted thereafter via a daily cleanup job.
- Security audit events (kiosk lock/unlock, lockouts, device registration) - retained for 1 year from creation; automatically deleted thereafter via a daily cleanup job.
- Kiosk device records - retained while the device is registered; deleted when a clinic administrator disables kiosk mode or upon account deletion.
8b) MCP Integrations (Claude, ChatGPT, and other AI assistants)
Dentare runs an MCP (Model Context Protocol) server at mcp.dentare.io that lets AI assistants such as Anthropic's Claude or OpenAI's ChatGPT search the public Dentare clinic directory and create booking requests on a patient's behalf when the patient explicitly connects them. We act as the controller for data collected during the consent flow itself; data the AI assistant subsequently submits in a booking request is processed under the same lawful bases and roles described elsewhere in this Policy (controller for our own SaaS metadata, processor for the data the receiving clinic ultimately controls).
Authentication and consent. Patients do not need a Dentare account to use an AI assistant connector. To create a booking through one, you grant Dentare permission via OAuth using a verified contact: depending on the active verification channel, we send a 6-digit code to your email (default), to your phone via SMS, or to your phone via WhatsApp. After you submit the code, we show a consent screen identifying the AI assistant requesting access. Once you approve, we issue a token the AI assistant uses to call our public booking API on your behalf for up to 30 days, after which it must be re-issued.
What the AI assistant sees and does not see. The AI assistant (Anthropic Inc., OpenAI Inc., etc.) sees the text of your conversation, including the clinic and service you ask about. It does NOT receive your verified contact (email or phone) from us; the booking server uses your verified identifier server-side and never returns it in tool responses. The AI assistant also does not see any data Dentare or the receiving clinic stores about you beyond what is necessary to complete the request you initiated.
Sub-processors. When you use a Dentare connector inside an AI assistant, Anthropic Inc. or OpenAI Inc. acts as a relay-only processor for the messages between you and Dentare. They do not retain your booking data; they only forward your requests and our responses. Their privacy practices are governed by their respective terms. The MCP verification channel itself reuses existing sub-processors disclosed elsewhere in this Policy: ActiveCampaign, LLC (Postmark) for the email channel, CommPeak for the SMS channel, and Meta Platforms, Inc. for the WhatsApp channel. No new sub-processors are introduced by the MCP integration.
Revoking access. You can disconnect Dentare from any AI assistant at any time through that assistant's settings (Claude: Settings → Connectors; ChatGPT: Settings → Apps). Revoking immediately invalidates the OAuth token; no further bookings can be created on your behalf until you reconnect.
Data retention specific to the MCP flow. Phone-verification sessions (the encrypted phone number plus consent timestamp) are retained for as long as you have an active OAuth token bound to them, plus 30 days. OAuth access and refresh tokens are deleted on expiry or revocation. SMS verification codes are stored only as bcrypt digests and wiped on successful verification. None of this data is shared with the receiving AI assistant.
9) Security
We use technical and organizational measures to protect personal data, including:
- Encryption of data in transit (TLS/HTTPS) and at rest.
- Access controls limiting employee access to personal data on a need-to-know basis.
- Secure storage of OAuth tokens (encrypted, server-side only; never exposed to client browsers).
- Regular security reviews and monitoring for unauthorized access.
- HMAC-SHA256 signature verification on all inbound WhatsApp webhooks from Meta to prevent unauthorized or forged status updates.
- Kiosk PINs hashed with bcrypt; plain-text PINs are never stored, logged, or transmitted in server responses.
- Progressive lockout on repeated failed PIN attempts (configurable durations up to 24 hours), with email alerts sent to the clinic owner at critical lockout stages.
- Rate limiting on kiosk authentication endpoints to mitigate brute-force attacks.
- Automatic account lockout after 10 consecutive failed sign-in attempts (unlocks after 30 minutes or via email).
- Automatic account lockout when 3 or more critical-risk sign-ins are detected within 1 hour.
- New-device detection and email notification when a sign-in occurs from an unrecognized browser or device.
- Automated risk scoring on every sign-in using device trust, IP geolocation, impossible travel detection, and behavioral signals - performed entirely on-server with no third-party services.
- Suspicious sign-in emails with signed verification tokens allowing users to confirm or deny sign-in attempts.
- Active session tracking and user-accessible session management (view and revoke).
- Trusted device management allowing users to review and remove recognized devices.
- Sign-in activity logging for audit and anomaly detection (IP address, truncated user-agent, device hash, geolocation, risk score).
- User-agent strings in security audit logs truncated for data minimization (128 characters for kiosk events, 256 characters for sign-in events).
No method of transmission or storage is 100% secure. If you discover a security vulnerability, please contact us at [email protected].
10) Your Rights
Depending on your jurisdiction (the GDPR, the UK GDPR, the Swiss FADP, or equivalent laws), you have the following rights in relation to personal data we process:
- Right of access — to obtain confirmation of whether we process your personal data and, if so, a copy of that data (GDPR Art. 15).
- Right to rectification — to have inaccurate or incomplete personal data corrected (Art. 16).
- Right to erasure ("right to be forgotten") — to have your personal data deleted in the circumstances set out in Art. 17.
- Right to restriction of processing — to have processing limited in the circumstances set out in Art. 18.
- Right to data portability — to receive a machine-readable copy of personal data you provided to us, and to have it transmitted to another controller where technically feasible (Art. 20).
- Right to object — to processing based on our legitimate interests, including profiling, and to direct marketing (Art. 21).
- Rights related to automated decision-making — including the right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects (Art. 22). The only automated decisioning Dentare performs is the security risk score on sign-in described in §2; you may contest that scoring as described there.
- Right to withdraw consent — where processing is based on your consent, you may withdraw it at any time without affecting the lawfulness of processing carried out before withdrawal.
- Right to lodge a complaint with a supervisory authority — in the EU/EEA, with the data-protection authority of your country of residence; in North Macedonia, with the Personal Data Protection Agency (Агенција за заштита на лични податоци).
How to exercise your rights — and which entity to contact
Because Dentare acts in two roles (see §0), the entity that handles a rights request depends on whose data is involved:
- If you are a clinic owner, Authorized User, newsletter subscriber, or other person whose data Dentare processes as a controller: contact us directly at [email protected]. We will respond within the timeframe required by applicable law (within one month under the GDPR, extendable by two further months for complex requests, with an interim acknowledgment).
- If you are a patient of a Dentare clinic and want to exercise rights in relation to your patient record: contact your dental clinic directly. The clinic is the data controller for your patient data; Dentare cannot act on a patient rights request without the clinic's instruction. If you contact us instead, we will redirect you to the clinic and notify the clinic of your request without delay. Dentare assists clinics in responding to such requests in line with our obligations as a processor under Article 28 GDPR and the Dentare Data Processing Addendum.
Google Data Revocation & Deletion
You can revoke Dentare's access to your Google data at any time by either method:
- Within Dentare: Go to Settings → Connected Accounts and disconnect your Google account. This immediately deletes all stored tokens and scope records from Dentare's systems.
- Via Google: Visit your Google Account permissions page and remove Dentare. Google will notify Dentare via Cross-Account Protection, and we will delete your tokens automatically.
Upon revocation, Dentare will stop accessing your Google data. Previously synced calendar events that were created by Dentare will remain in your Google Calendar unless you delete them manually. Cached Google metadata stored within Dentare will be deleted within 30 days of revocation.
If you delete your Dentare account entirely, all associated Google user data (tokens, scope records, cached metadata) is permanently deleted from our systems within 30 days.
11) Newsletter Subscriptions
If you subscribe to the Dentare newsletter, we collect your email address, locale preference, the timestamp of your consent, the IP address and user-agent of the device used to subscribe, and the version of the consent text you agreed to. This information is collected solely to deliver the newsletter, demonstrate verifiable consent under GDPR Article 7, and protect against fraudulent signups. The lawful basis for this processing is your explicit consent (Article 6(1)(a)). We retain newsletter subscription data for as long as you remain subscribed, plus a short audit window after unsubscription. You may unsubscribe at any time using the link in every newsletter email or by contacting us. Unsubscription does not affect the lawfulness of processing carried out before withdrawal.
Newsletter delivery is processed by our email service provider Postmark (ActiveCampaign LLC, USA). Postmark may store delivery metadata (bounces, complaints, opens, clicks) which we use to maintain list hygiene and deliverability. We do not share newsletter subscriber data with any third party beyond what is required for delivery.
11a) Children
The Service is a B2B tool for dental clinics and is not directed to children. Dentare does not knowingly collect personal data directly from children. Dentare's marketing site, sign-up flow, and authenticated app are intended for clinic owners and staff acting in a professional capacity.
Patient records managed by clinics through the Service may include children (paediatric dental patients). In every such case the patient data is collected by the clinic, not by Dentare, and the clinic is the controller for that data. The clinic is responsible for obtaining any consent, parental authorization, or other lawful basis required under its national law to process a child's personal data, including under GDPR Art. 8 where the GDPR applies. If you believe Dentare has inadvertently received personal data of a child outside this clinic-managed context, please contact us at [email protected] so we can investigate and delete the data if appropriate.
12) Contact
For privacy questions or deletion requests, contact:
[email protected]
FETOSOFT DOOEL, Goce Delchev 2/32, 1300 Kumanovo, North Macedonia