
Privacy Policy

Last updated: May 15, 2026

This policy describes what personal data DentalLocal ("we", "Provider") processes, for what purpose, on what legal basis and for how long. It meets the requirements of EU Regulation 2016/679 (GDPR) and Czech Act No. 110/2019 Coll. on personal data processing.

This document is available in Czech and English. In case of conflict the Czech version prevails.

Contents

  1. Controller and contact
  2. Categories of data processed
  3. Purposes of processing and legal basis
  4. Recipients and sub-processors
  5. Transfers to third countries
  6. Retention
  7. Your rights
  8. Cookies and similar technologies
  9. Children
  10. Security
  11. Changes to the policy

1. Controller and contact

The data controller within the meaning of Art. 4(7) GDPR is the operator of DentalLocal, danila.s.anikin@gmail.com. A formal Data Protection Officer (DPO) is not appointed; please direct all enquiries to that email.

If the Customer processes personal data of their own patients through the Service (e.g. in review text), the Customer is a separate controller in that regard, and the Provider acts as a processor under the Data Processing Agreement (Art. 28 GDPR).

2. Categories of data processed

We process the following categories of personal data:

a) User identification and contact data: name, email, role within the organisation.
b) Authentication data: password hash (via Supabase Auth) or OAuth tokens (Google), login audit log.
c) Customer's Google Business Profile data: location identifiers, photos, opening hours, categories — and consequently the names and content of reviews published by patients on Google.
d) Billing data: company name, company ID, VAT ID, address, email, payment method reference (tokenised by Stripe; we never store card numbers).
e) Technical data: IP address, browser user-agent, usage logs (logins, key actions), error telemetry in Sentry.
f) Analytics: anonymised product usage events in PostHog (after consent on the cookie banner).

3. Purposes of processing and legal basis

We process the data for these purposes:

  • Provision of the Service and contract performance — categories a)–d). Legal basis: Art. 6(1)(b) GDPR (contract performance).
  • Invoicing, bookkeeping and tax obligations — category d). Legal basis: Art. 6(1)(c) GDPR (legal obligation, esp. Act No. 563/1991 Coll. on accounting).
  • Security and prevention of misuse — categories a)–c) and e). Legal basis: Art. 6(1)(f) GDPR (legitimate interest in service security).
  • Communication with the Customer — categories a) and d). Legal basis: Art. 6(1)(b) GDPR.
  • Product analytics and improvement — category f). Legal basis: Art. 6(1)(a) GDPR (consent given on the cookie banner).
  • Marketing communication about the Provider's product — only to existing Customers and within the scope of Czech Act No. 480/2004 Coll., with opt-out in every email.

4. Recipients and sub-processors

To operate the Service we work with the following sub-processors. We have DPAs in place with all of them, and each processes data in compliance with GDPR (using Standard Contractual Clauses for transfers to the US where applicable).

  • Supabase, Inc. (USA, data hosted in Frankfurt EU) — database, authentication.
  • Vercel, Inc. (USA, edge in EU) — application hosting.
  • Stripe Payments Europe, Ltd. (IE) — payment processing. Stripe acts as an independent controller for transaction data.
  • Anthropic, PBC (USA) — generative AI models. Input data is not used to train the model (Anthropic Zero Data Retention).
  • Resend, Inc. (USA) — transactional email delivery.
  • Inngest, Inc. (USA) — background job orchestration.
  • DataForSEO LLC (USA) — Google search position checks.
  • Google LLC / Google Ireland Ltd. (IE) — Google Business Profile API, Places API. Only data the Customer authorised via OAuth.
  • Sentry GmbH (DE) — production error tracking.
  • PostHog Inc. (USA, EU instance) — product analytics; active only after cookie-banner consent.

An up-to-date list with links to each vendor's DPA is available on request at danila.s.anikin@gmail.com.

5. Transfers to third countries

Most data is processed within the EU. For sub-processors based in the USA (Supabase, Vercel, Anthropic, Resend, Inngest, DataForSEO, PostHog) we transfer data under Standard Contractual Clauses adopted by the European Commission 2021/914, or under an adequacy decision (EU-US Data Privacy Framework) where the sub-processor is certified. We provide copies of the safeguards on request.

6. Retention

We retain data for the period strictly necessary:

  • Operational data (reviews, responses, posts, ranking snapshots) — for the duration of the contract plus 30 days after termination for export.
  • Accounting and billing documents — 10 years under Act No. 235/2004 Coll.
  • Security log (audit_log) — 24 months, then pseudonymised.
  • PostHog analytics — 12 months or until consent is revoked.
  • Sentry error reports — 90 days (Developer plan).

7. Your rights

As a data subject under GDPR you have the right to:

  • access your data (Art. 15),
  • rectification of inaccurate data (Art. 16),
  • erasure (Art. 17, "right to be forgotten"),
  • restriction of processing (Art. 18),
  • data portability (Art. 20) — we provide machine-readable export in JSON and CSV,
  • object to processing based on legitimate interests (Art. 21),
  • withdraw given consent (Art. 7), notably consent to analytics cookies,
  • lodge a complaint with the supervisory authority (Art. 77) — Office for Personal Data Protection, Pplk. Sochora 27, 170 00 Prague 7, www.uoou.cz.

To exercise your rights please contact danila.s.anikin@gmail.com. We respond within 30 days (extendable to 60 days for complex requests).

8. Cookies and similar technologies

A detailed description of cookies is at dentallocal.cz/en/cookies. In brief:

  • Essential cookies (login, language preference, CSRF protection) — required for the Service to function; no consent needed.
  • Analytics cookies (PostHog) — only after your consent on the cookie banner. You can withdraw consent at any time.

9. Children

The Service is intended solely for businesses and persons over 18. We do not knowingly process data of persons under 16. If we learn we have collected data of a person under 16 without parental consent, we will delete it without undue delay.

10. Security

We have adopted technical and organisational measures appropriate to the risk, in particular:

  • Encryption of data in transit (TLS 1.2+),
  • encryption of OAuth tokens and sensitive fields at rest at the database level,
  • PostgreSQL Row-Level Security policies isolating data between organisations,
  • restricted employee access with logging and 2FA,
  • regular backups and recovery tests,
  • security incident response plan with the 72-hour notification deadline under Art. 33 GDPR.

11. Changes to the policy

We may update this policy. We will notify you of material changes by email or in-app notice at least 30 days before they take effect. The last-updated date is shown in the header.
