Privacy Policy

Effective date: April 18, 2026

This policy explains what Dentospire does with the data you and your patients trust us with. It is written to meet India's Digital Personal Data Protection Act 2023 (DPDP) and the EU General Data Protection Regulation (GDPR). Where a rule applies to only one of these, we say so.

1. Who we are

Dentospire is a cloud-based dental clinic management platform operated by Dentospire Technologies LLP, a limited liability partnership registered in India with its principal office in Pune, Maharashtra.

For GDPR purposes, we act as a data processor for patient records entered by your clinic, and as a data controller for clinic owner and staff account information. For DPDP purposes, your clinic is the data fiduciary for patient records and we act on your documented instructions.

2. What data we collect

  • Clinic account data: owner and staff names, email, phone, clinic address, specialty, subscription plan.
  • Patient clinical data (entered by your clinic): demographics, dental charts, treatment plans, prescriptions, X-rays and intraoral images, appointments, consent forms, and signed documents.
  • Practice financial data: invoices, payments, refunds, payouts, and tax records.
  • Technical data: IP address, device type, browser, timestamps, and error traces (used for security and debugging).
  • Communications: support tickets, chat transcripts, and feedback you send us.

3. Why we use this data

  • To run the platform features you asked for (scheduling, charting, billing, messaging).
  • To keep the service secure, detect abuse, and keep audit logs.
  • To send transactional notifications (invoices, password resets, service alerts).
  • To provide support when you contact us.
  • To improve the product using aggregated, non-identifying usage patterns.

We do not sell your data. We do not train public AI models on your patient records. AI features run per-request for clinical decision support only.

4. Legal basis for processing

(Applies under GDPR; summarised for DPDP below.)

  • Contract (GDPR Art. 6(1)(b)): to deliver the platform to your clinic under our Terms of Service.
  • Legal obligation (Art. 6(1)(c)): tax, accounting, and lawful law-enforcement requests.
  • Legitimate interests (Art. 6(1)(f)): security, fraud prevention, and product improvement.
  • Consent (Art. 6(1)(a) / Art. 9(2)(a) for health data): for cookies, marketing, and all patient health data processed on behalf of your clinic. Your clinic is responsible for obtaining patient consent.

DPDP (India): We process personal data based on your consent or for a legitimate use as defined under the Act. Health data is processed on the instructions of your clinic as the data fiduciary, with patient notice and consent obtained by the clinic.

5. Sub-processors

We use the vendors below to operate Dentospire. We have data-processing agreements (or equivalent contractual terms) in place with each of them and review them periodically.

Vendor | Purpose | Region
Clerk | User authentication and session management | USA
Neon | PostgreSQL database for clinic and patient records (encrypted at rest) | USA / EU
Vercel | Application hosting and global CDN | USA / EU
Cloudflare R2 | Primary storage for images, PDFs, X-rays and other clinical attachments | Global edge network
Vercel Blob | Secondary (legacy) blob storage for historical attachments | USA / EU
Razorpay | Payment processing for India customers | India
WhatsApp Cloud API (Meta) | Patient messaging and appointment reminders | Global
Resend | Transactional email delivery | USA / EU
Anthropic (Claude) | AI processing for dental images, prescriptions, and clinical summaries | USA
Google (Gemini) | AI processing for clinical summaries and image analysis | USA / EU
Groq | Low-latency AI inference for assistive features | USA
ElevenLabs | Text-to-speech for the in-app support assistant | USA / EU
Azure Speech | Voice-to-SOAP clinical dictation | Global Azure regions
Vomyra | IVR and outbound voice calls | India
Sentry | Error and performance monitoring (no patient PII) | USA / EU
PostHog | Product analytics on aggregated, non-PII usage | USA / EU
Google Analytics | Website analytics (only with your cookie consent) | USA / EU

6. International data transfers

Dentospire is operated from India, and several sub-processors are located in the United States or the European Union, or operate globally.

  • EU / UK customers (GDPR): transfers outside the EEA rely on the European Commission's Standard Contractual Clauses (2021/914) together with supplementary technical measures (TLS 1.3 in transit, AES-256 at rest).
  • India customers (DPDP): transfers occur only to jurisdictions not restricted by the Central Government and under written contractual safeguards with each processor.

7. How long we keep data

  • Active clinics: we keep your data for as long as your account is active.
  • On cancellation: your data enters soft-delete for 30 days so you can recover it. After that, we permanently delete patient records within 90 days unless a longer period is required by law (for example, Indian tax records retained for 8 years).
  • Backups: encrypted backups roll off within 35 days of deletion.
  • Audit logs: access logs for patient data are kept for 2 years for security and compliance.

8. Your rights

Under GDPR you can ask us to access, correct, delete, restrict, port, or object to the processing of your personal data, and withdraw consent at any time.

Under the DPDP Act you (as a data principal) can ask for a summary of your personal data, correction, updating, erasure, grievance redressal, and nomination of another person to exercise your rights.

Clinic owners can use the in-app export tool to download a full copy of their clinic's data at any time. Patients should contact their clinic first, since the clinic is the data fiduciary. If you cannot reach the clinic, email us and we will forward the request.

EU / EEA supervisory authority: you can lodge a complaint with your local Data Protection Authority. India: you can escalate to the Data Protection Board of India if your grievance is not resolved within the statutory period.

9. How we protect your data

  • AES-256 encryption at rest for databases and clinical attachments.
  • A dedicated PII encryption key for patient records, separate from application secrets.
  • TLS 1.3 for all data in transit.
  • Per-clinic data isolation enforced by row-level clinicId filters in every query.
  • Full audit logs for every read or write on patient health information.
  • 24-hour admin / doctor-only edit lock on clinically critical fields.
  • Soft-delete with a recovery window so accidental deletes can be undone.
  • Multi-factor authentication available on every account via Clerk.
  • Periodic vulnerability scans and dependency updates.

Dentospire is not HIPAA-certified. US customers handling PHI must sign a Business Associate-equivalent contract before production use; contact us for terms.

10. Cookies and similar technologies

  • Strictly necessary: authentication, session, and security cookies. These do not require consent.
  • Analytics: Google Analytics and PostHog run only with your cookie consent on the marketing site. You can change your choice anytime from the cookie banner.
  • No advertising cookies. We do not sell data to ad networks.

11. Children

Dentospire does not create direct accounts for anyone under 18. Pediatric dental records are processed as patient health data of a minor, where the clinic must obtain verifiable parental or lawful guardian consent before entering data. Under DPDP, processing of children's data requires verifiable guardian consent and we do not permit tracking, behavioural monitoring, or targeted advertising directed at children.

12. Contact us

For privacy questions or to exercise your rights, email privacy@dentospire.com.

Grievance Officer (India, DPDP Act 2023):
Name: [TO BE FILLED]
Email: grievance@dentospire.com
Phone: [TO BE FILLED]

Data Protection Officer (EU / UK):
Email: dpo@dentospire.com

Postal address: Dentospire Technologies LLP, Pune, Maharashtra, India. [Full registered address TO BE FILLED]

13. Changes to this policy

We will post any change on this page and update the effective date. For material changes we will also email clinic owners at the address on file at least 14 days before the change takes effect, so you have time to review or close your account.

© 2026 Dentospire Technologies LLP. All rights reserved.