Privacy Policy

Data Controller

Dentra (Laboratorio Odontotecnico CAM SRL)
Via Pasubio 58D, 36078 Valdagno (VI), Italy
VAT IT04557450246
Email: [email protected]

Data Collected

In the context of portal usage and service provision, we collect the following categories of data:

• Identification and business data: company name, contact person name and surname, office address, VAT number, fiscal code, SDI code, certified email (PEC).
• Contact data: email address, phone number.
• Authentication data: email address and password (encrypted) for portal access.
• Order data: design files, technical specifications, requested materials.
• Billing data: fiscal information necessary for electronic invoice issuance.

Purpose of Processing

Personal data is processed for the following purposes:

• User account management and portal access.
• Receiving, processing, and tracking manufacturing orders.
• Issuing electronic invoices and fulfilling fiscal and accounting obligations.
• Digital delivery of completed design files.
• Service communications regarding order status and operational notifications.

Legal Basis

Data processing is based on the following legal grounds:

• Performance of a contract (Art. 6(1)(b) GDPR): processing is necessary for the execution of commissioned work and management of the business relationship.
• Legal obligation (Art. 6(1)(c) GDPR): processing is necessary to comply with fiscal, accounting, and regulatory obligations under Italian law.
• Explicit consent (Art. 6(1)(a) GDPR): for optional opt-in processing, such as publishing anonymous work in the public gallery or a case history of your practice. Consent can be revoked at any time from the client profile.

Patient Data from Our Clients

When a dentist client uses Dentra to produce dental work, they may upload files and images related to one of their patients (3D intraoral scans, intraoral photos, frontal photos for Smile Configurator). For such data:

• Dentra acts as data processor, while the dentist client remains data controller. A responsibility relationship under Art. 28 GDPR applies, governed by the platform's terms of service.
• We receive only what is strictly necessary for the work from the dentist. We do not request or receive the patient's name, fiscal code, or contact data. It is the dentist's responsibility to anonymize files before uploading.
• Patient data is accessible only to the Dentra operational team (freelance collaborators assigned to the job, bound by contractual NDA; authorized internal staff). Access is tracked via audit log.
• Requests to exercise the patient's GDPR rights (access, deletion, rectification) must be addressed to the controlling dentist. Dentra cooperates with the dentist to execute the request (e.g., order file deletion within 30 days).

Cookies and Tracking Technologies

This site uses the following categories of cookies:

• Technical cookies (necessary): authentication session management and portal operation. These are always active and do not require consent.
• Analytics cookies: we use Google Analytics 4 (GA4) via Google Tag Manager to analyze site traffic and usage in aggregate and anonymized form. Data is processed by Google Ireland Limited with servers in the European Union. These cookies are only activated with your explicit consent.
• Marketing cookies: to measure the effectiveness of advertising campaigns. These cookies are also only activated with your explicit consent.

You can manage your preferences at any time by clicking "Cookie Settings" in the site footer. The preference is stored locally in your browser and is not transmitted to external servers.

The site implements Google Consent Mode v2: no analytics or marketing scripts are loaded until the user expresses consent.

Third-Party Services

To provide our services, we use the following providers, who act as data processors:

• Database and authentication — portal database hosting and authentication (EU servers).
• Server infrastructure (EU) — storage of work files (STL, OBJ, images), implant library, videocall recordings, and WhatsApp media (cloud object storage, EU servers).
• FattureInCloud (TeamSystem) — electronic invoice issuance and management via the Italian Exchange System (EU servers).
• SendCloud B.V. — shipment management and shipping label generation.
• Stripe Payments Europe Ltd. — payment processing for third-party services integrated into the portal (e.g. Smile Configurator). Used only for these specific services: the main lab service relationship is invoiced via bank transfer through FattureInCloud.
• Meta Platforms Ireland Ltd. — service communications via WhatsApp Business API (phone number, messages, any attachments sent by the client).
• Transactional emails — delivery of transactional emails (order confirmations, notifications, service communications).
• Domain email mailboxes — management of email mailboxes for the @dentra.it domain (EU servers).
• Video consultation infrastructure — infrastructure for video consultations between client and Dentra team. Videocall recordings are stored on a European cloud server and accessible only to authorized staff.
• Audio transcription — automatic transcription of videocall recordings (AI service, EU servers).
• Smile Configurator module — provider of the Smile Configurator module integrated into the portal. The module receives patient photos provided by the client for the generation of the aesthetic simulation. For automatic face segmentation it relies on a US-based AI provider (see the "Extra-EU Transfers" section below).
• Conversational analysis — text processing of video and voice call recordings to produce operational summaries for the internal team (Anthropic Inc., USA). Covered by DPA + Standard Contractual Clauses.
• Artificial intelligence services — other AI services used for: chat assistance on the portal (Google Vertex AI, EU Belgium region), automatic analysis of public gallery images, and operational suggestions to the team. Data passed to the models is limited to the minimum necessary for the specific request and is not used for training the models themselves.

Data Transfers Outside the European Union

Dentra's main infrastructure is in the European Union (Supabase Frankfurt, Hetzner S3 Germany, Vertex AI Belgium). Some secondary providers are based or have failover outside the EU; for each one we indicate purpose, safeguards, and technical measures.

• Smile Configurator — automatic face/teeth segmentation: For face and teeth detection, the patient's photo is sent in real time to an AI provider based in the United States. On each call we apply specific technical measures that prevent the provider from storing the payload (header X-Fal-Store-IO=0) and force the automatic expiration of temporary URLs within minutes. Behavior verification documented internally. Legal basis for the transfer: explicit consent of the patient collected and declared by the dentist (Art. 49(1)(a) GDPR). The final photorealistic render is generated within the EU (Vertex AI Belgium).
• Stripe — payments for integrated tools: Primary servers in Ireland (EU), failover in the United States for resilience. Covered by Stripe DPA and Standard Contractual Clauses (SCC).
• Resend — transactional emails: Servers in the United States. Covered by Resend DPA + SCC. Volume limited to operational notifications.
• Anthropic — conversational recording analysis: Servers in the United States. Used in limited functionality (summarization of internal video and voice call recordings). Covered by Anthropic DPA + SCC.
• Speechmatics — audio transcription: Servers in the United Kingdom (country deemed adequate by the European Commission for personal data protection).
• Migadu — domain email mailboxes: Servers in Switzerland (country deemed adequate by the European Commission).

Data Retention

Personal data is retained for the time strictly necessary to pursue the stated purposes:

• Accounting and fiscal data: retained for 10 years pursuant to Italian tax law (Art. 2220 of the Civil Code).
• Order data: retained for the duration of the business relationship and for the following 10 years.
• Account data: retained until the account is deleted by the user or the business relationship ends.

Data Subject Rights

Under Articles 15–22 of the GDPR, the data subject has the right to:

• Access their personal data and obtain a copy.
• Request rectification of inaccurate or incomplete data.
• Request erasure of data, within the limits provided by law.
• Request restriction of processing.
• Request data portability in a structured format.
• Object to processing, on legitimate grounds.
• Lodge a complaint with the Italian Data Protection Authority ( www.garanteprivacy.it).

Exercise your rights

Fill in the form to submit a formal request. You will receive a response within 30 days as required by the Regulation.