Privacy Policy

1.1

The Data Controller responsible for the processing of your personal data is:

1.2

For all matters relating to the processing of your personal data and the exercise of your rights under the GDPR, you may contact the Data Controller at the email address specified above. Responses to data protection inquiries shall be provided within the timeframes mandated by applicable legislation.

In the course of providing our services, we collect and process the following categories of personal data:

2.1.1 Identity and Contact Data

This category encompasses information that identifies you as an individual and enables communication, including:

1. (a)Full legal name (first name and surname)
2. (b)Electronic mail address
3. (c)Telephone number (where voluntarily provided)
4. (d)Postal address (where required for service delivery)
5. (e)Date of birth (where relevant to treatment coordination)
6. (f)Nationality and country of residence

2.1.2 Health Data (Special Category Data)

Given the nature of our treatment coordination services, we may process health-related personal data, which constitutes special category data under Article 9 of the GDPR. Such data may include:

1. (a)Dental health records and treatment history
2. (b)Diagnostic information, including radiographic images
3. (c)Treatment plans and recommended procedures
4. (d)Medical conditions relevant to dental treatment
5. (e)Medication and allergy information

Processing of health data is subject to heightened protection requirements and occurs only with your explicit consent or where necessary for the provision of healthcare coordination services pursuant to Article 9(2)(h) of the GDPR.

2.1.3 Technical and Usage Data

When you access our Website, we automatically collect certain technical information, including:

1. (a)Internet Protocol (IP) address
2. (b)Browser type and version
3. (c)Device identifiers and operating system
4. (d)Pages visited and time spent on the Website
5. (e)Referring website addresses
6. (f)Cookie data as described in Article 7 of this Policy
7. (g)Campaign attribution parameters included in inbound URLs (utm_source, utm_medium, utm_campaign), recorded when you arrive via a campaign link and submit an enquiry form

2.1.4 Communication Data

All correspondence between you and our Company, whether by email, through the contact form, or other means, may be retained for record-keeping, quality assurance, and dispute resolution purposes.

2.1.5 Financial and Transaction Data

When you pay the Treatment Coordination Fee, the following financial and transaction data are processed in connection with your payment:

1. (a)your name and email address as submitted at the time of payment;
2. (b)the transaction amount and currency;
3. (c)the last four digits of the card used and the card brand (for example, Visa or Mastercard), as provided to us by our payment processor following completion of the transaction.

Full card numbers, security codes, and sensitive authentication data are processed exclusively by Stripe and are never transmitted to or stored by the Company.

2.1.6 Data Received via Professional Referrals

In certain cases, your personal data may be submitted to the Company not by you directly, but by a licensed dental professional (your dentist or treating specialist) who initiates a referral on your behalf through the professional referral channel on the Website. Where data is received via this channel, the referring professional has confirmed, prior to submission, that you have been informed about the referral and have consented to the sharing of your personal data with Dental Travel Concierge for the purpose of treatment coordination. The categories of data received through this channel may include:

1. (a)Full name (first name and surname)
2. (b)Email address
3. (c)WhatsApp or telephone number (where provided)
4. (d)Country of residence and preferred language
5. (e)Type of dental treatment sought
6. (f)Clinical notes and imaging links, where provided by the referring professional

In accordance with Article 14 of the GDPR, where personal data has not been collected directly from you, we will contact you within one business day of receiving the referral to provide full transparency about how your data is being used and to offer you the opportunity to exercise your rights under Article 8 of this Policy. No coordination activities will be initiated without your express agreement to proceed.

Pursuant to Articles 13 and 14 of the GDPR, we inform you of the specific purposes for which your personal data are processed and the corresponding legal bases:

Where processing is based on consent, you have the right to withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.

Where processing is based on legitimate interests, the specific interests pursued are: maintaining Website security, preventing fraud, improving service quality, and protecting the Company's legal position in potential disputes. We have conducted a balancing test to ensure that your fundamental rights and freedoms do not override these interests.

Your personal data may be disclosed to the following categories of recipients, where necessary for the purposes described in Article 3:

4.1.1 Partner Clinics and Healthcare Providers

We share relevant personal data, including health data, with dental clinics and healthcare professionals in Romania with whom we coordinate your treatment. Such sharing is essential to the performance of our contractual obligations and is conducted in accordance with Article 9(2)(h) of the GDPR concerning processing for healthcare purposes.

4.1.2 Service Providers and Processors

We engage third-party service providers who process personal data on our behalf pursuant to written data processing agreements as required by Article 28 of the GDPR. Such processors include:

1. (a)Website hosting and infrastructure: Vercel Inc. The Website runs on Vercel's Frankfurt (Germany) region: server-side code executes and form submissions are processed within the European Union. Static assets are delivered through Vercel's global edge network. Vercel Inc. is incorporated in the United States; any incidental access by Vercel personnel for support or operational purposes is covered by EU Standard Contractual Clauses and the EU-US Data Privacy Framework.
2. (b)Email and communication platform providers (Resend / Plus Five Five, Inc., United States, transfers covered by EU Standard Contractual Clauses and the EU-US Data Privacy Framework)
3. (c)Payment processing services: Stripe Payments Europe, Ltd., Grand Canal Street Lower, Dublin 2, Ireland. Where data are transferred to Stripe, Inc. in the United States, such transfers are governed by Standard Contractual Clauses and the EU-US Data Privacy Framework. Stripe processes payment data directly from you at the time of transaction. Full card credentials are never transmitted to or accessible by the Company. Stripe's Privacy Policy is available at stripe.com/privacy.
4. (d)Cookieless analytics: Vercel Web Analytics and Vercel Speed Insights, operated by Vercel Inc., as further described in Article 7. These services do not set cookies, do not collect personal data, and do not track visitors across websites. They are activated only when you accept the Analytics category in the cookie consent banner.
5. (e)Appointment scheduling platform (Cal.com)
6. (f)Artificial intelligence services (Anthropic, PBC, United States), used solely to extract and translate structured information from documents submitted by partner clinics. Currency conversion (e.g. from Romanian leu to euro) is performed by our own systems using public reference exchange rates, not by Anthropic. Transfers to Anthropic, PBC are covered by EU Standard Contractual Clauses and the EU-US Data Privacy Framework. Anthropic processes data on documented instructions only, retains inputs for a maximum of 30 days for safety review, and does not use such data to train its models.
7. (g)Rate limiting and short-lived token storage: Upstash, Inc. We use Upstash's serverless Redis service, hosted in the European Union, to enforce rate limits on form submissions (storing hashed IP addresses with short retention) and to store opaque, time-limited tokens used for plan acceptance and for verifying data subject requests. No long-term personal data is held in this store. Upstash, Inc. is incorporated in the United States; any incidental access by Upstash personnel is covered by EU Standard Contractual Clauses.
8. (h)Document storage: Vercel Blob, operated by Vercel Inc. We use Vercel Blob to store documents uploaded by partner clinics and treatment plan files generated through the coordination workflow, hosted in Vercel's Frankfurt (Germany) region. These files may contain health data within the meaning of Article 9 GDPR, and access is limited to authorised Company personnel and the partner clinic that submitted the file. Files are stored encrypted at rest. Vercel Inc. is incorporated in the United States; any incidental access by Vercel personnel for support or operational purposes is covered by EU Standard Contractual Clauses and the EU-US Data Privacy Framework.
9. (i)Application error monitoring: Sentry, operated by its US-incorporated provider, with our organisation configured on the European Union data residency region. Sentry receives error events from our servers and the Website to help us diagnose and resolve technical issues. We have configured Sentry to disable default personal data collection, to redact sensitive tokens before transmission, and to strip authorization and cookie headers. Session replay is disabled. Any incidental access to error data by Sentry personnel outside the European Union is covered by EU Standard Contractual Clauses.

All processors are contractually bound to process personal data only on our documented instructions and to implement appropriate technical and organisational security measures.

4.1.3 E-Invoicing Platform (independent controller)

When you complete a payment, we are required by Romanian Law 139/2022 to issue an electronic fiscal invoice (e-factura). For this purpose, we transmit your name, email address, and billing address to StartCo (operated by EXODIGITAL SRL, Str. Artelor 4, Cluj-Napoca, Romania, CUI RO39998730). StartCo acts as an independent data controller for this data and processes it in accordance with their privacy policy (startco.ro) and applicable Romanian fiscal law. The legal basis for this transfer is Article 6(1)(c) GDPR: compliance with a legal obligation. Invoice data is retained by StartCo for a minimum of 5 years as required by Romanian fiscal law.

4.1.4 Professional Advisors

Personal data may be disclosed to legal, accounting, or other professional advisors where necessary for the management of our business or the protection of our legal interests.

4.1.5 Public Authorities

We may disclose personal data to public authorities, including courts, law enforcement, and regulatory bodies, where required by law or where necessary for the establishment, exercise, or defence of legal claims.

We do not sell, rent, or otherwise commercially transfer your personal data to third parties for their independent marketing purposes.

4A.1 Scope of Application

This Article applies to the processing of personal data relating to representatives, employees, collaborators, or other contact persons of dental clinics, healthcare providers, and professional partners (hereinafter collectively referred to as "Clinics") who interact with Dental Travel Concierge for the purposes of professional evaluation, cooperation, or service coordination.

4A.2 Categories of Data Processed

In the context of clinic questionnaires, professional correspondence, cooperation discussions, and patient referral forms submitted through the Website, the following categories of personal data may be processed:

1. (a)Name and surname of clinic representatives or staff members
2. (b)Professional email address and telephone number
3. (c)Professional position or role within the clinic
4. (d)Clinic identification data (name, address, registration details)
5. (e)Professional qualifications, experience, and service descriptions provided voluntarily
6. (f)Communication content exchanged in relation to cooperation or evaluation
7. (g)Individual professional registration or licence number (where provided through the patient referral channel)

Sensitive personal data of clinic representatives is not intentionally collected.

4A.3 Purposes of Processing

Personal data of Clinics is processed exclusively for the following purposes:

1. (a)Evaluation of clinics for potential professional cooperation
2. (b)Communication regarding clinic capabilities, services, and operational standards
3. (c)Coordination of patient referrals and professional cooperation
4. (d)Maintenance of professional records and audit trails
5. (e)Compliance with legal and regulatory obligations
6. (f)Protection of the Company's legitimate business and legal interests

4A.4 Legal Bases for Processing

Processing of clinic-related personal data is based on:

1. (a)Article 6(1)(b) GDPR, processing necessary for the performance of pre-contractual or contractual measures
2. (b)Article 6(1)(f) GDPR, legitimate interests in evaluating and managing professional cooperation relationships
3. (c)Article 6(1)(c) GDPR, compliance with legal obligations, where applicable

Legitimate interests include ensuring service quality, professional accountability, patient safety, and operational transparency.

4A.5 Data Retention

Personal data of Clinics shall be retained for the duration of the professional relationship and for five (5) years following the last interaction, unless a longer retention period is required by applicable law or necessary for the establishment, exercise, or defense of legal claims.

4A.6 Data Recipients

Clinic-related personal data may be accessed only by authorized personnel of Dental Travel Concierge and by professional advisors (legal, accounting, compliance) under strict confidentiality obligations. Such data are not sold, rented, or transferred for independent marketing purposes.

4A.7 Rights of Clinic Representatives

Clinic representatives whose personal data are processed have the same rights provided under Article 8 of this Policy, including the rights of access, rectification, erasure, restriction, objection, and data portability, as applicable. Requests may be submitted to privacy@dtconcierge.eu.

4A.8 Source of Data

Personal data of Clinics is obtained directly from:

1. (a)Clinic questionnaires and submitted documents
2. (b)Professional correspondence
3. (c)Publicly available professional sources where lawfully permitted
4. (d)Patient referral forms submitted through the Website by referring dental professionals

4A.9 Professional Nature of Processing

Processing of clinic-related personal data is conducted strictly within a professional, business-to-business context and does not constitute consumer profiling, automated decision-making, or marketing profiling.

Your personal data are primarily processed within the European Economic Area (EEA), where they benefit from the protections afforded by the GDPR and Romanian national law.

Where personal data is transferred to countries outside the EEA, we ensure that appropriate safeguards are in place in accordance with Chapter V of the GDPR. Such safeguards may include:

1. (a)Adequacy Decisions: Transfers to countries recognized by the European Commission as providing an adequate level of data protection. As of the date of this Policy, adequacy decisions exist for Andorra, Argentina, Canada (commercial organizations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Republic of Korea, Switzerland, the United Kingdom, the United States (organizations participating in the EU-US Data Privacy Framework), and Uruguay.
2. (b)Standard Contractual Clauses: Where no adequacy decision exists, we utilize the standard contractual clauses adopted by the European Commission pursuant to Article 46(2)(c) of the GDPR.
3. (c)Binding Corporate Rules: Where applicable and approved by competent supervisory authorities.

You may obtain a copy of the safeguards relied upon for international transfers by contacting us at privacy@dtconcierge.eu.

Personal data shall be retained only for as long as necessary to fulfil the purposes for which they were collected, subject to applicable legal retention requirements:

Upon expiration of the applicable retention period, personal data shall be securely deleted or anonymised such that they can no longer be associated with an identified or identifiable natural person.

In certain circumstances, we may retain personal data for longer periods where necessary for the establishment, exercise, or defence of legal claims, or where required by applicable law.

Our Website employs cookies and similar tracking technologies to ensure functionality, enhance user experience, and analyze Website traffic. The legal basis for processing personal data through cookies is either your consent (for non-essential cookies) or our legitimate interest in maintaining Website functionality (for essential cookies).

The following cookies are deployed on our Website:

7.2.1 Necessary Cookies

These cookies are essential for the operation of our Website and cannot be disabled without affecting site functionality.

7.2.2 Cookieless Monitoring (Vercel Analytics & Speed Insights)

We use two cookieless services from Vercel Inc. (United States): Vercel Web Analytics collects anonymous, aggregated data about how visitors interact with our Website, such as pages visited, referring source, country, and device type; Vercel Speed Insights measures Web Vitals (loading performance, interactivity, and visual stability). Neither service sets cookies, collects or stores personal data, or tracks visitors across websites. Both services are activated only when you accept the 'Analytics' category through our cookie consent banner. Data is processed by Vercel Inc. under the EU–US Data Privacy Framework.

Your cookie consent preferences are stored in your browser's localStorage (not a cookie) under the key dtc_consent_v1. This entry is created only after you make a choice in the consent banner and is never transmitted to our servers.

You may manage cookie preferences through your browser settings or through the cookie consent mechanism displayed upon first visiting our Website. Disabling certain cookies may affect Website functionality.

For additional information regarding cookies and tracking technologies, please contact privacy@dtconcierge.eu.

Under the GDPR, you possess the following rights regarding your personal data. You may exercise your right of access or erasure using the self-service request form, or submit any written request to privacy@dtconcierge.eu:

8.1.1 Right of Access (Article 15 GDPR)

You have the right to obtain confirmation as to whether personal data concerning you are being processed and, where that is the case, access to the personal data together with specified supplementary information, including the purposes of processing, categories of data, recipients, retention periods, and the existence of your other rights.

8.1.2 Right to Rectification (Article 16 GDPR)

You have the right to obtain the rectification of inaccurate personal data concerning you without undue delay. Taking into account the purposes of the processing, you have the right to have incomplete personal data completed, including by means of providing a supplementary statement.

8.1.3 Right to Erasure (Article 17 GDPR)

You have the right to obtain the erasure of personal data concerning you without undue delay where one of the following grounds applies:

1. (a)The personal data are no longer necessary in relation to the purposes for which they were collected
2. (b)You withdraw consent and there is no other legal ground for processing
3. (c)You object to processing and there are no overriding legitimate grounds
4. (d)The personal data have been unlawfully processed
5. (e)Erasure is required for compliance with a legal obligation

This right is subject to exceptions, including where processing is necessary for compliance with a legal obligation, for the establishment, exercise, or defence of legal claims, or for archiving purposes in the public interest.

8.1.4 Right to Restriction of Processing (Article 18 GDPR)

You have the right to obtain restriction of processing where:

1. (a)The accuracy of the personal data is contested, for a period enabling verification
2. (b)The processing is unlawful and you oppose erasure, requesting restriction instead
3. (c)We no longer need the personal data but they are required by you for legal claims
4. (d)You have objected to processing pending verification of overriding legitimate grounds

8.1.5 Right to Data Portability (Article 20 GDPR)

Where processing is based on consent or contract performance and is carried out by automated means, you have the right to receive personal data concerning you in a structured, commonly used, and machine-readable format, and to transmit those data to another controller without hindrance.

8.1.6 Right to Object (Article 21 GDPR)

You have the right to object, on grounds relating to your particular situation, to processing based on legitimate interests. We shall cease processing unless we demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or for the establishment, exercise, or defence of legal claims.

8.1.7 Right to Withdraw Consent (Article 7(3) GDPR)

Where processing is based on consent, you have the right to withdraw consent at any time. Withdrawal shall not affect the lawfulness of processing based on consent prior to withdrawal.

8.1.8 Right Not to be Subject to Automated Decision-Making (Article 22 GDPR)

You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. We do not currently engage in solely automated decision-making processes.

8.2 Response Timeframes

We shall respond to requests to exercise data subject rights within one (1) month of receipt. This period may be extended by two (2) further months where necessary, taking into account the complexity and number of requests. We shall inform you of any such extension within one (1) month of receipt, together with reasons for the delay.

8.3 Verification of Identity

To protect your personal data from unauthorized disclosure, we may require verification of your identity prior to responding to requests.

8.4 Fees

The exercise of data subject rights is free of charge. However, where requests are manifestly unfounded or excessive, particularly if repetitive, we may charge a reasonable fee based on administrative costs or refuse to act on the request.

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority if you consider that the processing of personal data relating to you infringes the GDPR.

In Romania, the competent supervisory authority is:

You have the right to lodge a complaint with the supervisory authority in the Member State of your habitual residence, place of work, or place of the alleged infringement.

We implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk of processing, including, as appropriate:

1. (a)Pseudonymization and encryption of personal data where appropriate
2. (b)Measures to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services
3. (c)Measures to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident
4. (d)Regular testing, assessing, and evaluating the effectiveness of security measures
5. (e)Multi-factor authentication (MFA) is enforced for all administrative access to systems that store or process personal data

All personnel with access to personal data are bound by confidentiality obligations and receive appropriate training on data protection requirements.

In the event of a personal data breach likely to result in a risk to your rights and freedoms, we shall notify the ANSPDCP within seventy-two (72) hours of becoming aware of the breach and, where required, communicate the breach to you without undue delay, in accordance with Articles 33 and 34 of the GDPR.

Health data constitutes special category data subject to additional protections under Article 9 of the GDPR. We process health data solely for the following purposes and under the following legal bases:

1. (a)Explicit Consent (Article 9(2)(a) GDPR): Where you expressly consent to the processing of health data for treatment coordination purposes
2. (b)Healthcare Purposes (Article 9(2)(h) GDPR): Where processing is necessary for the provision of health or social care or treatment, or the management of health or social care systems and services, based on Union or Member State law or pursuant to contract with a health professional

Health data shared with Partner Clinics becomes subject to the independent privacy policies and practices of those healthcare providers. We recommend that you review the privacy notices of all healthcare providers with whom you engage.

We have implemented enhanced security measures for the protection of health data, including access controls, encryption, and restricted data handling protocols.

Our Services are not directed to individuals under the age of eighteen (18) years. We do not knowingly collect personal data from children.

Where treatment coordination services are requested for a minor, such requests must be submitted by a parent or legal guardian who bears responsibility for providing and managing the minor's personal data.

If we become aware that we have collected personal data from a child without parental consent, we shall take steps to delete such information promptly.

We reserve the right to amend this Privacy Policy at any time. Material changes shall be communicated through prominent notice on our Website or by direct communication where practicable.

The "Effective Date" at the beginning of this Policy indicates the date of the most recent revision. Your continued use of the Services following publication of changes constitutes acceptance of the revised Policy.

We encourage you to review this Privacy Policy periodically to remain informed about our data protection practices.

We are committed to addressing your concerns and will respond to all legitimate inquiries within the timeframes prescribed by applicable law.