This public register documents all processing activities carried out by dentisti.pro as a Data Processor on behalf of our clinic customers, in compliance with Article 30 GDPR.
This register is maintained under Article 30(2) GDPR and is made publicly available as part of our transparency commitment. Each clinic using our platform maintains their own Article 30(1) register for their independent processing activities as Data Controllers.
| Activity ID | Purpose | Data Categories | Data Subjects | Legal Basis | Retention | Subprocessors |
|---|---|---|---|---|---|---|
| ROP-001 | Patient Record Management: Storage and management of dental charts, medical history, and clinical notes within the Platform. | Special category health data (Art. 9), identity data, contact data, imaging data | Patients, guardians | Art. 6(1)(b) Contract (clinic-patient treatment contract) | 7 years from last treatment | Hostinger (EU) |
| ROP-002 | Appointment Scheduling: Calendar management, availability booking, and automated reminder dispatch. | Identity data, contact data (phone, email), appointment metadata | Patients, clinic staff | Art. 6(1)(b) Contract | 7 years | Hostinger (EU), WhatsApp Business API (EU) |
| ROP-003 | Billing & Invoicing: Generation of invoices, payment tracking, insurance claim processing. | Financial data, identity data, insurance policy data, transaction records | Patients, insurance representatives | Art. 6(1)(c) Legal Obligation (tax law) | 10 years | Hostinger (EU), Stripe (USA — SCCs) |
| ROP-004 | Patient Communication: WhatsApp/SMS/email reminders, confirmations, and clinical follow-ups. | Contact data (phone, email), communication content, consent records | Patients | Art. 6(1)(a) Consent (for marketing); Art. 6(1)(b) Contract (for treatment-related) | Consent records: 2 years; Messages: 3 years | WhatsApp Business API (EU), Hostinger (EU) |
| ROP-005 | Platform Authentication: User login, session management, access control, and multi-factor authentication. | Identity data, credentials (hashed), IP addresses, device info | Clinic staff (users) | Art. 6(1)(b) Contract; Art. 6(1)(f) Legitimate Interest (security) | Active account + 90 days | Hostinger (EU) |
| ROP-006 | Audit & Security Logging: Recording of user actions, access attempts, and system events for security and compliance. | Technical data (IP, user agent), activity metadata, timestamps | Clinic staff, patients (indirect) | Art. 6(1)(f) Legitimate Interest (security, fraud prevention) | 6 years | Hostinger (EU) |
| ROP-007 | Platform Analytics: Aggregated usage statistics for product improvement and performance optimization. | Pseudonymized usage data, feature interaction metrics, error logs | Clinic staff (pseudonymized) | Art. 6(1)(f) Legitimate Interest (platform improvement) | 2 years | Hostinger (EU), Google Analytics (anonymized) |
| ROP-008 | Data Subject Rights Fulfillment: Processing access, rectification, erasure, and portability requests. | All data categories depending on the request scope | Patients, clinic staff | Art. 6(1)(c) Legal Obligation (GDPR Chapter III) | Request log: 6 years; Exported data: deleted after transmission | Hostinger (EU) |
| ROP-009 | Backup & Disaster Recovery: Encrypted snapshot creation and storage for business continuity. | All data categories (encrypted at rest) | All data subjects | Art. 6(1)(b) Contract (availability obligations) | 30 days rolling | Hostinger (EU), AWS EU (Frankfurt) |
| ROP-010 | Customer Support: Handling support tickets, troubleshooting, and account assistance. | Identity data, contact data, account metadata, communication content | Clinic staff, patients (when Clinic requests assistance) | Art. 6(1)(b) Contract | 3 years | Hostinger (EU) |
| ROP-011 | SaaS Subscription Billing: Processing clinic subscription payments, invoicing, and dunning. | Financial data (card tokens), billing address, transaction history | Clinic representatives | Art. 6(1)(b) Contract | 10 years | Stripe (USA — SCCs), PokPay (EU) |
| ROP-012 | Cookie Consent Management: Recording and honoring visitor cookie preferences. | Consent choices, anonymized IP, timestamp, browser agent | Website visitors | Art. 6(1)(c) Legal Obligation (ePrivacy Directive) | 1 year | Hostinger (EU) |
The following technical and organizational security measures apply across all processing activities:
All primary personal data processing occurs within the European Union. The following transfers to third countries occur with appropriate safeguards:
| Subprocessor | Country | Transfer Mechanism | Additional Safeguards |
|---|---|---|---|
| Stripe, Inc. | USA | EU Standard Contractual Clauses (2021/914) | Tokenized card data; encryption; Stripe EU DPA |
This register is reviewed and updated at least annually, and whenever there is a material change to our processing activities, subprocessors, or legal basis. The current version is always published at this URL.
For questions about this register, contact our DPO at dpo@dentisti.pro.