Privacy Policy

Valid from: 2022-06-01 • Last updated: 2025-08-20

Dentify AB (org. no. 559357-9922), a company registered in Sweden (“Dentify”, “we”, “our”, “us”), operates the following services:

We comply with the EU General Data Protection Regulation (GDPR). Dentify has appointed a Data Protection Officer (DPO) registered with the Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten – “IMY”):

 

  1. Who this Policy applies to

This Policy explains how we process personal data for:

  • Care Recipients using our Patient Apps and services
  • Care Providers (licensed dentists and dental hygienists) using the Portal
  • Visitors to our website and apps
  • Individuals contacting us (e.g., customer service, social channels)
  • Participants in our surveys and marketing activities

 

  1. Roles under GDPR (Controller / Processor)
  • Dentify as Controller: For accounts, authentication, platform operations, bookings, payments we facilitate, security logs, analytics (with consent), marketing (with consent/legitimate interest), customer support, and compliance with legal/financial obligations.
  • Care Provider as Independent Controller: For Consultations and Treatment Services (including clinical records, diagnoses, images, notes), the Care Provider is the independent controller responsible towards Care Recipients for lawful, professional healthcare.
  • Dentify as Processor for Care Providers: Where Dentify hosts or handles clinical data on behalf of Care Providers (e.g., record keeping, teleconsultation data storage/transfer), we act as a processor under GDPR Article 28. A Data Processing Agreement (DPA) applies.

Storage location: Patient records hosted by Dentify for Care Providers are stored within the EU/EEA.

 

  1. Care Provider Professional & Legal Responsibilities

Before joining Dentify, each Care Provider must:

  1. Hold the necessary licence with the Swedish National Board of Health and Welfare (Socialstyrelsen).
  2. Ensure Consultations and Treatment Services are performed in accordance with applicable laws and professional standards.
  3. Ensure compliance with the Swedish Dental Care Act (1985:125), the Patient Safety Act (2010:659), the Patient Data Act (2008:355) and related regulations.
  4. Maintain valid and continuous patient liability insurance and patient injury insurance, as required under the Swedish Patient Injury Act (1996:799).

 

  1. What data we collect and why

4.1 Care Recipients

Data categories: identification data (name, personal identity number where lawful/required, contact details), authentication data (BankID in Sweden and Norway), booking data, payment data, device/IP data, app/portal usage logs, survey responses; health data provided during triage or consultation (including images/screenshots, notes, treatment plans).

Purposes & legal bases:

  • Account creation, secure authentication – GDPR Art. 6(1)(b)
  • Booking, reminders, service delivery – Art. 6(1)(b)
  • Payments, fraud prevention – Art. 6(1)(b), 6(1)(c), 6(1)(f)
  • Customer support and incident handling – Art. 6(1)(b)/(f)
  • Service quality/analytics (with consent) – Art. 6(1)(a); necessary security analytics – Art. 6(1)(f)
  • Special categories (health data):
    • Processed by Care Providers for care – Art. 9(2)(h) (healthcare provision)
    • Processed by Dentify for matching/triage or hosting as processor – Art. 9(2)(a) (explicit consent) and/or Art. 9(2)(h) (when performed under Care Provider’s responsibility)

Retention:

  • Accounts persist until deletion or inactivity per our retention schedule.
  • Unauthenticated accounts deleted 30 days after reminder.
  • Payment/financial records retained per Swedish accounting law.
  • Clinical records retained under Care Provider’s obligations; Dentify retains as processor per Care Provider’s instructions and applicable law.

 

4.2 Care Providers

Data categories: identity and contact data, licensure/credentials, profile (incl. photo), authentication data (BankID in Sweden/Norway), booking/price/transaction data, payout details, usage logs, feedback, accounting/contract data.

Purposes & legal bases:

  • Account creation, identity/credential verification – Art. 6(1)(b)/(f)
  • Displaying professional profile to Care Recipients, matching/booking – Art. 6(1)(b)
  • Payouts, fraud prevention, compliance – Art. 6(1)(b)/(c)/(f)
  • Support, service improvement, analytics with consent – Art. 6(1)(a)/(f)
  • Compliance with legal/financial obligations – Art. 6(1)(c)

Retention: While professional account/contract is active and as required for legal, financial, and audit purposes. Non-required data deleted upon termination per schedule.

 

4.3 Visitors, customer service & marketing

Data categories: contact details, messages, device/IP data, cookie/analytics identifiers, preferences, survey responses.

Purposes & legal bases:

  • Responding to inquiries – Art. 6(1)(f)
  • Improving services and ensuring security – Art. 6(1)(f)
  • Marketing with consent or permitted by law – Art. 6(1)(a)/(f)

Retention: Retained only as long as necessary or required by law.

 

  1. Authentication (BankID)

BankID is used in Sweden and Norway for secure identification of Care Recipients and Care Providers. Outside these countries, alternative lawful identification methods may apply.

 

  1. Cookies and Similar Technologies

We use cookies and similar technologies to provide secure and efficient services.

Categories:

  • Strictly necessary – security, authentication, booking, payment
  • Functional – user preferences (language, settings)
  • Analytics – usage statistics (with IP anonymisation)
  • Advertising – remarketing and ad performance

Management: Strictly necessary cookies cannot be disabled. Consent is required for all other categories. Refusing cookies may limit functionality.

Cookie Table – Dentify AB

Cookie / Service

Provider

Purpose

Type

Retention / Expiry

Data shared outside EU/EEA

Dentify session cookie

Dentify AB

Keeps you logged in, booking/payment security

Strictly necessary

Session

No

Dentify preferences

Dentify AB

User settings (language, preferences)

Functional

6–12 months

No

BankID session token

BankID (SE/NO)

Secure authentication

Strictly necessary

Session

No

Stripe cookies/tokens

Stripe, Inc.

Payment, fraud prevention

Strictly necessary/Functional

Up to 12 months

Yes (USA) – SCCs

Google Analytics (_ga, _gid)

Google LLC

Usage statistics (with IP anonymisation)

Analytics

14 months

Yes (USA) – SCCs + safeguards

Meta Pixel

Meta Platforms, Inc.

Remarketing, ad performance

Advertising

Up to 90 days

Yes (USA) – SCCs

Hotjar

Hotjar Ltd.

User behaviour analytics

Analytics

12 months

No (EU only)

Third-country transfers: Certain providers (Google, Stripe, Meta) may transfer limited data outside EU/EEA. Standard Contractual Clauses (SCCs) and supplementary safeguards are applied. Patient records are never transferred outside EU/EEA.

 

  1. Sharing your data

We do not sell personal data. We may share personal data with:

  • Processors (hosting, cloud, payment, support, analytics) under GDPR Art. 28 agreements and safeguards
  • Banks/Payment providers for payments and authentication (BankID in Sweden/Norway only)
  • Authorities when required by law or court order

When acting as processor for a Care Provider, Dentify processes/discloses data only on documented instructions from the Care Provider.

 

  1. International transfers

Where personal data is transferred outside the EU/EEA, we apply:

  • European Commission adequacy decisions; and/or
  • Standard Contractual Clauses (SCCs), plus supplementary measures where required

Patient records hosted by Dentify for Care Providers are always stored within the EU/EEA.

 

  1. Security

We implement appropriate technical and organisational measures, including: encryption in transit and at rest (where applicable), access controls, logging, least-privilege principles, staff training, incident response procedures, and supplier due diligence.

 

  1. Your rights

You have rights under GDPR, including:

  • Access, rectification, erasure
  • Restriction and objection (incl. to marketing/legitimate interests)
  • Data portability
  • The right not to be subject to automated decisions with legal/similarly significant effects

Exercising rights: [email protected]
Complaints: IMY (Sweden) or your local supervisory authority
Direct marketing: You may unsubscribe via message links or request an ad block by emailing [email protected].

 

  1. Data breach notification

In the event of a personal data breach, Dentify will notify the competent supervisory authority and affected individuals without undue delay, where required by GDPR.

 

  1. Data minimisation & accuracy

We collect only data necessary for the stated purposes and ensure data is kept accurate and up to date. Users are encouraged to keep their information current.

 

  1. Children’s privacy

Our services are intended for individuals aged 18+. We do not knowingly collect data from children under 18.

 

  1. Third-party links

Our websites and apps may contain links to third-party sites or services. Dentify is not responsible for their privacy practices.

 

  1. Contact & DPO

 

  1. Updates to this Policy

We may update this Policy. Material changes will be communicated at least 30 days in advance via email, SMS, in-app notification, or publication on https://dentifyapp.se.

 

  1. Service-specific notes
  • Matching & triage: Where health information is used beyond what is necessary for platform operation, Dentify relies on explicit consent (Art. 9(2)(a)), unless processing occurs under the Care Provider’s healthcare responsibility (Art. 9(2)(h)). Consent may be withdrawn at any time (without affecting prior lawful processing).
  • Clinical records: Care Providers are controllers; Dentify acts as processor when hosting/handling such data under a DPA. Dentify personnel access is restricted to what is strictly necessary for security, maintenance, and support.
  • Financial records: Billing and payment records are retained in line with Swedish accounting law and legal retention obligations.