Note: Dentio is currently available only in the Swedish market, and this document is available in English and Swedish. The content below is the official document in its language of publication.
Dentio AB – Privacy Policy
Version 1.4 - 6 June 2026
Legal entity: Dentio AB
Organisation number: 559498-5136
Address: Norrtullsgatan 6, 113 29 Stockholm, Sweden
Contact: [email protected]
1. Introduction and Scope
This Privacy Policy explains how Dentio AB ("Dentio") processes personal data. Our cloud platform (the "Service") converts recorded dental consultations into structured administrative drafts.
This policy applies to:
- Website Visitors: How we process your data (e.g., via cookies).
- Clinic Staff ("Users"): How we process your account and usage data as a Data Controller.
- Patients: How we process your health data as a Data Processor on behalf of your clinic.
- Job Applicants: How we process your data when you apply for a role with us (see section 10).
Our GDPR Roles:
| Situation | Dentio's GDPR Role | Examples of Data |
|---|---|---|
| Clinic staff who create a Dentio account. | Controller | Name, social security number, work email, role, audit logs. |
| Patient consultation content generated for a clinic. | Processor (your clinic is the controller) | Audio, transcript, AI-generated draft notes. |
AI Transparency: Dentio uses large-language models solely to draft administrative documentation text. We never use patient data to train AI models or for any other secondary purpose.
AI & Model Training Restriction: Dentio does not use Customer Data or Personal Data (including audio recordings and transcripts) to train, fine-tune, or improve the foundational Artificial Intelligence models used in the Service. Your data is isolated and used solely for generating your specific documentation.
Voice Profile for Speaker Identification: To enable accurate speaker diarization (distinguishing between different speakers during a consultation), Dentio stores a short voice sample of up to five (5) seconds for each User. This voice profile is encrypted at rest and in transit, stored securely within the EU, and used solely for the purpose of identifying speakers within the Service. By using the Service, Users consent to the storage and processing of their voice profile for this limited purpose. Voice profiles are deleted upon account termination or upon request.
2. How and Why We Process Personal Data
| Purpose | Dentio's Role | Legal Basis (GDPR) |
|---|---|---|
| A. Provide and maintain the Service for Users | Controller | Art. 6(1)(b) – Contract |
| B. Transcribe and draft notes from consultations | Processor | Art. 28 – DPA Instructions |
| C. Billing, accounting, and tax compliance | Controller | Art. 6(1)(c) – Legal Obligation |
| D. Platform security and fraud prevention | Controller | Art. 6(1)(f) – Legitimate Interest |
| E. Product development & troubleshooting | Processor | Art. 28 – DPA Instructions |
| F. Speaker identification via voice profile | Controller | Art. 6(1)(b) – Contract / Art. 6(1)(a) – Consent |
| G. Recruitment – assessing job applicants | Controller | Art. 6(1)(a) – Consent |
3. Data Retention and Deletion
- Raw Audio Stream: Deleted immediately after transcription (transient buffer, ≤ 24 hours).
- Full Transcript & AI Drafts: Retained for 30 days from creation, then automatically deleted. Data exists only for re-running jobs in case of failure.
- Voice Profiles: Retained for the duration of the User's active account, then deleted upon account termination or upon request.
- Application & Security Logs: Retained for up to 400 days.
- Encrypted Backups: Retained for 30 days on a rolling basis, then purged.
- Job Applications (incl. CV, cover letter, and recruiter notes): Retained for up to 24 months from submission, then automatically deleted — or sooner on request.
4. Sub-processors and Data Transfers
We use a limited number of sub-processors to deliver the Service. Patient data is processed and stored within the EU/EEA in line with the sub-processor setup described below.
| # | Sub-processor | Purpose | Location (EU) |
|---|---|---|---|
| 1 | Google Ireland Ltd. | Cloud infrastructure (Cloud Run), storage, AI models (Vertex AI/Gemini). | Finland, Sweden, Belgium, Poland, The Netherlands |
| 2 | Amazon Web Services EMEA SARL | AI inference for clinical documentation (Claude via Bedrock). | Stockholm, Frankfurt, Ireland, Paris, Milan, Spain |
| 3 | Supabase Inc. | Managed PostgreSQL database, authentication. | Sweden |
| 4 | Soniox Inc. | Real-time speech-to-text transcription. | EU/EEA |
We will notify clinic administrators at least 30 days in advance before changing sub-processors.
5. Your Individual Rights
The GDPR provides you with rights over your personal data. How you exercise these rights depends on our role.
| GDPR Right | For Clinic Staff (Dentio = Controller) | For Patients (Dentio = Processor) |
|---|---|---|
| Information | Provided in this Policy. | Your clinic provides you with their privacy notice. |
| Access, Rectification, Erasure, etc. | Submit your request to [email protected]. | Submit your request directly to your dental clinic. We will support your clinic in fulfilling your request. |
6. Security Measures
We take the security of your data seriously. Our security program includes encryption in transit and at rest, strict access controls, and a formal incident response plan. In the event of a Personal Data Breach affecting you, we will notify your clinic without undue delay and within 24 hours where feasible.
7. Cookies and Similar Technologies
We use strictly necessary cookies to operate our Service. We use analytics and marketing cookies only if you provide explicit consent via our cookie banner. The table below lists every cookie we set.
| Cookie | Provider | Category | Purpose | Expiry |
|---|---|---|---|---|
| Google Analytics | | Analytics | Assigns a unique client ID and maintains session state to distinguish website visitors. | 2 years |
| Google Ads | | Analytics | Stores and tracks ad conversion events from Google Ads campaigns. | 3 months |
| PostHog | PostHog (EU) | Analytics | Measures page views for website analytics. If you arrive via a link in an email from us, the visit may be linked to your contact profile in our CRM system. | 1 year |
| Meta Pixel | Meta (Facebook) | Marketing | Identifies browsers to track conversions and deliver targeted advertisements. | 3 months |
You can manage or withdraw your cookie consent at any time via the cookie banner.
8. External Links
Our website may contain links to external sites. We are not responsible for their content or privacy practices.
9. Children's Privacy
The Service is not directed to children under 16. Clinics must ensure any recording involving minors complies with Swedish healthcare consent rules.
10. Job Applicants (Recruitment)
When you apply for a job at Dentio through our careers site, Dentio AB is the Controller for the personal data in your application.
- What we collect: your name, contact details (email, phone), country and work-eligibility/visa information, language levels, salary expectation, links you provide (LinkedIn, website), your CV and cover letter, and any notes our team records during the process.
- Why and legal basis: we process this data to assess your suitability for the role you applied for and similar roles. Our legal basis is your consent (Art. 6(1)(a) GDPR), which you give when submitting your application. You can withdraw it at any time.
- Retention: we keep applications for up to 24 months from submission, after which they are automatically deleted. You can ask us to delete your data sooner at any time.
- Recipients: your application is handled by Dentio's hiring team in our internal recruitment tool, hosted on our EU cloud infrastructure (Google Ireland Ltd.). Recruitment emails are sent via Resend. We do not sell your data or use it to train AI models.
- Your rights: you can access, correct, or delete your application data, withdraw consent, or object to/restrict processing at any time by emailing [email protected].
11. Changes to This Policy & Contact
We will notify you of any material changes to this policy at least 30 days before they take effect. For any questions, please contact us at [email protected]. The supervisory authority in Sweden is the Integritetsskyddsmyndigheten (IMY).
For more information, contact us at [email protected].