Privacy Policy
Last updated: June 4, 2026
1. Introduction
This Privacy Policy explains how DENTARI ("DENTARI", "we", "us", "our"), operating the website dentari.app and the dashboard at app.dentari.app, collects, uses, discloses, and protects personal data.
We comply with the General Data Protection Regulation (GDPR, EU 2016/679), the Bulgarian Personal Data Protection Act (ЗЗЛД), and Romanian Law no. 190/2018 on the implementation of the GDPR.
By using our services, you acknowledge that you have read and understood this Policy.
2. Who We Are and Our Roles Under GDPR
DENTARI operates a multi-tenant SaaS platform for dental clinic management. Our data processing roles differ depending on the data involved:
- Data Controller — for data we collect directly from users (account registration, payments, website analytics) and for our own business operations.
- Data Processor — for patient data and other clinic-specific records entered by dental clinics (our customers). The clinic acts as the Data Controller for that data, and we process it solely on their instructions under a Data Processing Agreement (DPA).
Contact: DENTARI, Burgas, Bulgaria, e-mail: info@dentari.app
3. Personal Data We Collect
3.1 Account Data
When you register or sign in, we collect: full name, email address, clinic name, and account preferences. Authentication is provided via Google OAuth or email/password through Supabase.
3.2 Patient Health Data (GDPR Article 9 — Special Categories)
Dental clinics enter patient data into the platform on behalf of their patients. This data may include: name, contact information, date of birth, appointment history, treatment plans, dental records, and clinical notes.
This constitutes health data under GDPR Article 9 — a special category of personal data. DENTARI processes this data only as a Data Processor, acting on the instructions of the clinic (Data Controller). The legal basis for the clinic's processing is Article 9(2)(h) GDPR — provision of healthcare — and, where applicable, the data subject's explicit consent.
3.3 Payment Data
Subscription billing is handled by Stripe. We store only your billing email, subscription plan, and subscription status. Payment card details are processed and stored directly by Stripe and are never transmitted to or stored on our servers.
3.4 Technical and Usage Data
We may collect IP address, browser type, operating system, session duration, and page interactions for security, debugging, and service improvement.
3.5 Analytics Data
We use Vercel Analytics (cookieless, privacy-friendly) to understand how our website is used.
4. Legal Basis for Processing
| Purpose | Legal basis (GDPR Art. 6) |
|---|---|
| Account registration and service delivery | Art. 6(1)(b) — performance of a contract |
| Payment processing and invoicing | Art. 6(1)(b) — performance of a contract |
| Accounting and tax records | Art. 6(1)(c) — legal obligation |
| Service security and fraud prevention | Art. 6(1)(f) — legitimate interests |
| Vercel Analytics (cookieless) | Art. 6(1)(f) — legitimate interests |
| Patient health data (as Processor) | Art. 9(2)(h) — healthcare provision, per Controller's instructions |
5. Analytics
5.3 Cookieless Analytics (Vercel Analytics)
Vercel Analytics collects aggregated, anonymised performance metrics without setting any cookies or storing personal data. No consent is required.
6. Third-Party Data Processors
| Processor | Purpose | Data location |
|---|---|---|
| Supabase Inc. | Database, authentication, file storage | EU (Frankfurt region) |
| Stripe Inc. | Payment processing | EU + US (SCCs in place) |
| Google LLC | OAuth authentication | EU + US (SCCs in place) |
| Vercel Inc. | Hosting, CDN, cookieless analytics | Global edge (EU primary) |
All processors are bound by data processing agreements and appropriate safeguards (Standard Contractual Clauses where applicable).
7. Data Retention
| Data type | Retention period |
|---|---|
| Account data (staff) | Duration of account + 12 months after closure |
| Patient data (as Processor) | As directed by the clinic; deleted within 30 days of account termination |
| Payment and invoicing records | 5 years (legal obligation under Bulgarian/Romanian tax law) |
| Security/audit logs | 12 months |
8. International Data Transfers
Stripe, Google, and Vercel are headquartered in the United States. Where data is transferred outside the European Economic Area (EEA), we rely on Standard Contractual Clauses (SCCs) approved by the European Commission under Article 46 GDPR to ensure an adequate level of data protection.
9. Your Rights Under GDPR
You have the following rights regarding your personal data:
- Right of access (Art. 15) — obtain confirmation of whether we process your data and a copy of it.
- Right to rectification (Art. 16) — request correction of inaccurate data.
- Right to erasure (Art. 17) — request deletion ("right to be forgotten").
- Right to restriction of processing (Art. 18) — request that we limit how we use your data.
- Right to data portability (Art. 20) — receive your data in a machine-readable format.
- Right to object (Art. 21) — object to processing based on legitimate interests.
To exercise any of these rights, contact us at info@dentari.app. We will respond within 30 days.
Right to Lodge a Complaint
You may lodge a complaint with your national supervisory authority:
- Bulgaria: Commission for Personal Data Protection (CPDP) — www.cpdp.bg
- Romania: National Supervisory Authority for Personal Data Processing (ANSPDCP) — www.dataprotection.ro
10. Children's Data
Our platform is not directed at children under 16. We do not knowingly collect personal data from children. Patient records for minors are processed at the clinic's direction under their own legal obligations.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify registered users of material changes by email at least 14 days before the changes take effect. The current version is always available at dentari.app/en/privacy.
12. Contact Us
DENTARI
Burgas, Bulgaria
E-mail: info@dentari.app