Privacy Policy
How we protect and handle your personal data when you use Dentio's services
Dentio AB – Privacy Policy
Version 1.2 - 3 March 2026
Legal entity: Dentio AB
Organisation number (organisationsnummer): 559498-5136
Address: Norrtullsgatan 6, 113 29 Stockholm, Sweden
Contact: [email protected]
1. Introduction and Scope
This Privacy Policy explains how Dentio AB ("Dentio") processes personal data. Our cloud platform (the "Service") converts recorded dental consultations into structured administrative drafts.
This policy applies to:
- Website Visitors: How we process your data (e.g., via cookies).
- Clinic Staff ("Users"): How we process your account and usage data as a Data Controller.
- Patients: How we process your health data as a Data Processor on behalf of your clinic.
Our GDPR Roles:
| Situation | Dentio's GDPR Role | Examples of Data |
|---|---|---|
| Clinic staff who create a Dentio account. | Controller | Name, social security number, work email, role, audit logs. |
| Patient consultation content generated for a clinic. | Processor (your clinic is the controller) | Audio, transcript, AI-generated draft notes. |
AI Transparency: Dentio uses large-language models solely to draft administrative documentation text. We never use patient data to train AI models or for any other secondary purpose.
AI & Model Training Restriction: Dentio does not use Customer Data or Personal Data (including audio recordings and transcripts) to train, fine-tune, or improve the foundational Artificial Intelligence models used in the Service. Your data is isolated and used solely for generating your specific documentation.
Voice Profile for Speaker Identification: To enable accurate speaker diarization (distinguishing between different speakers during a consultation), Dentio stores a short voice sample of up to five (5) seconds for each User. This voice profile is encrypted at rest and in transit, stored securely within the EU, and used solely for the purpose of identifying speakers within the Service. By using the Service, Users consent to the storage and processing of their voice profile for this limited purpose. Voice profiles are deleted upon account termination or upon request.
2. How and Why We Process Personal Data
| Purpose | Dentio's Role | Legal Basis (GDPR) |
|---|---|---|
| A. Provide and maintain the Service for Users | Controller | Art. 6(1)(b) – Contract |
| B. Transcribe and draft notes from consultations | Processor | Art. 28 – DPA Instructions |
| C. Billing, accounting, and tax compliance | Controller | Art. 6(1)(c) – Legal Obligation |
| D. Platform security and fraud prevention | Controller | Art. 6(1)(f) – Legitimate Interest |
| E. Product development & troubleshooting | Processor | Art. 28 – DPA Instructions |
| F. Speaker identification via voice profile | Controller | Art. 6(1)(b) – Contract / Art. 6(1)(a) – Consent |
3. Data Retention and Deletion
- Raw Audio Stream: Deleted immediately after transcription (transient buffer, ≤ 24 hours).
- Full Transcript & AI Drafts: Retained for 30 days from creation, then automatically deleted. Data exists only for re-running jobs in case of failure.
- Voice Profiles: Retained for the duration of the User's active account, then deleted upon account termination or upon request.
- Application & Security Logs: Retained for up to 400 days.
- Encrypted Backups: Retained for 30 days on a rolling basis, then purged.
4. Sub-processors and Data Transfers
We use a limited number of sub-processors to deliver the Service. Patient data is processed and stored within the EU/EEA in line with the sub-processor setup described below.
| # | Sub-processor | Purpose | Location (EU) |
|---|---|---|---|
| 1 | Google Ireland Ltd. | Cloud infrastructure (Cloud Run), storage, AI models (Vertex AI/Gemini). | Finland, Sweden, Belgium, Poland, The Netherlands |
| 2 | Amazon Web Services EMEA SARL | AI inference for clinical documentation (Claude via Bedrock). | Stockholm, Frankfurt, Ireland, Paris, Milan, Spain |
| 3 | Supabase Inc. | Managed PostgreSQL database, authentication. | Sweden |
| 4 | Soniox Inc. | Real-time speech-to-text transcription. | EU/EEA |
We will notify clinic administrators at least 30 days in advance before changing sub-processors.
5. Your Individual Rights
The GDPR provides you with rights over your personal data. How you exercise these rights depends on our role.
| GDPR Right | For Clinic Staff (Dentio = Controller) | For Patients (Dentio = Processor) |
|---|---|---|
| Information | Provided in this Policy. | Your clinic provides you with their privacy notice. |
| Access, Rectification, Erasure, etc. | Submit your request to [email protected]. | Submit your request directly to your dental clinic. We will support your clinic in fulfilling your request. |
6. Security Measures
We take the security of your data seriously. Our security program includes encryption in transit and at rest, strict access controls, and a formal incident response plan. In the event of a Personal Data Breach affecting you, we will notify your clinic without undue delay and within 24 hours where feasible.
7. Cookies and Similar Technologies
We use strictly necessary cookies to operate our Service. We use analytics and marketing cookies only if you provide explicit consent via our cookie banner. The table below lists every cookie we set.
| Cookie | Provider | Category | Purpose | Expiry |
|---|---|---|---|---|
| Google Analytics | | Analytics | Assigns a unique client ID and maintains session state to distinguish website visitors. | 2 years |
| Google Ads | | Analytics | Stores and tracks ad conversion events from Google Ads campaigns. | 3 months |
| Meta Pixel | Meta (Facebook) | Marketing | Identifies browsers to track conversions and deliver targeted advertisements. | 3 months |
| Mailchimp tracker | Mailchimp | Marketing | Tracks email campaign engagement and website visits from subscribers. | Session |
| Apollo tracker | Apollo.io | Other | Identifies anonymous website visitors for B2B sales intelligence. | Session |
You can manage or withdraw your cookie consent at any time via the cookie banner.
8. External Links
Our website may contain links to external sites. We are not responsible for their content or privacy practices.
9. Children's Privacy
The Service is not directed to children under 16. Clinics must ensure any recording involving minors complies with Swedish healthcare consent rules.
10. Changes to This Policy & Contact
We will notify you of any material changes to this policy at least 30 days before they take effect. For any questions, please contact us at [email protected]. The supervisory authority in Sweden is the Integritetsskyddsmyndigheten (IMY).
For more information, contact us at [email protected].