Last updated: 2026-07-14

Privacy Policy

How DentOrd processes data of clinics, users, and marketing site visitors.

This text is a working draft tailored to the DentOrd model (SaaS, EU). It is not a substitute for legal advice. A legal review is required before paid production (2027).

1. Who we are (controller vs processor)

DentOrd is cloud software for running a dental clinic. The platform operator trades under the DentOrd brand (dentord.com).

When a dental clinic (“Clinic”) enters patient data into DentOrd, the Clinic determines the purposes and means of that processing and acts as controller. DentOrd provides software and infrastructure and acts as processor under the Data Processing Agreement (DPA).

For Clinic account data and data collected on the marketing site, DentOrd may act as controller.

2. Data we collect

Account data: name, email, password (hash), role, owner MFA status.

Clinic data: name, contact details, address, hours, branding, fee schedule.

Patient data entered by the Clinic: identity and contact details, clinical records, appointments, invoices, documents — the Clinic is controller of that data.

Usage analytics and cookies: feature-usage events (no patient names), plus essential and — with consent — analytics cookies on the marketing site.

Marketing leads: name, clinic name, phone, email and message you voluntarily submit via the contact form.

4. Clinic role

The Clinic is controller for patient data. DentOrd is processor and processes that data solely to provide the service and on the Clinic’s instructions (including in-app configuration).

The Clinic is responsible for having a lawful basis to enter and process patient health data in DentOrd.

5. Storage and location

Primary database and storage infrastructure is in the EU (Supabase EU). The goal is to keep patient data within the European Economic Area.

6. Recipients (sub-processors)

We use trusted providers: Supabase (database, auth, storage), Vercel (app hosting), Resend (email), Sentry (application errors), PostHog (product analytics — no patient names), and Stripe for billing from 2027.

Each recipient processes data only as needed for its service under appropriate contractual safeguards.

7. Retention

During an active subscription or the free period until 31 Dec 2026, Clinic data is retained while the account is active.

After a paid or free period ends: read-only mode for up to 7 days, export opportunity, then permanent deletion per retention policy.

AI transcripts (when available): indicative 90 days unless the Clinic requests otherwise under the DPA.

Marketing leads: while needed to handle the enquiry, or until you request deletion.

8. Data subject rights

Depending on your role (Clinic user vs patient), you may have rights of access, rectification, erasure, portability and objection.

Patients should generally contact the Clinic as controller. DentOrd helps Clinics via export and deletion tools (in-app GDPR flow).

Requests where DentOrd is controller (accounts, marketing) go to support@dentord.com.

9. Security

Encryption in transit (TLS), clinic isolation via Row Level Security, role-based access, owner MFA, daily backups and an audit trail of key actions.

10. Children / minors

DentOrd is not directed at children as users. Data about minor patients is entered only by the Clinic as clinical records.

11. Analytics

We use product analytics to understand feature usage. We do not send patient first or last names to analytics tools. Event identifiers relate to clinic and user role, not patient identity.

On the marketing site, PostHog loads only after you accept analytics cookies.

12. Privacy contact

Email: support@dentord.com. We respond within a reasonable time under applicable law.

13. Policy changes

We may update this policy. The last-updated date appears at the top of the page. Material changes will be highlighted on the site or communicated to account owners where appropriate.