Privacy Policy
Last updated: March 2026
Language disclaimer: In case of any discrepancy between the English and Romanian versions of this document, the Romanian version shall prevail.
1. Introduction
This Privacy Policy describes how Oris, operated by [Company Name], a company registered in Romania under CUI [CUI], with registered office at [Registered Address] ("we", "us", "our", or "Oris"), collects, uses, stores, and protects your personal data when you use our dental clinic management platform (the "Service").
Oris is a Software-as-a-Service (SaaS) platform designed for dental clinics operating in Romania. We are committed to protecting the privacy and security of personal data in accordance with the General Data Protection Regulation (EU) 2016/679 ("GDPR"), Romanian Law 190/2018 implementing the GDPR, and all other applicable data protection legislation.
This Privacy Policy applies to all users of our Service, including clinic administrators, dental professionals, clinic staff, and individuals whose data is processed through the Service.
2. Data Controller vs. Data Processor Role
This section is critical to understanding how personal data is handled through the Oris platform.
Oris as DATA CONTROLLER: We act as the data controller for the following categories of data, meaning we determine the purposes and means of processing:
- Account registration data (name, email address, password hash)
- Service usage analytics and telemetry data
- Cookie and consent preference data
- Payment and subscription information
- Communication data (emails sent by us regarding the Service)
Oris as DATA PROCESSOR: We act as the data processor for all patient health data entered by dental clinics into the platform. In this capacity:
- The dental clinic is the DATA CONTROLLER for all patient health data
- We process patient health data solely on behalf of and under the instructions of the dental clinic
- We do not access, use, or share patient health data for our own purposes
- A Data Processing Agreement (DPA) is available upon request and governs our obligations as a data processor
This distinction means that if you are a patient whose data is managed through Oris, your dental clinic is responsible for the lawfulness of processing your personal data. Any requests regarding your patient data should be directed to your dental clinic in the first instance.
3. What Data We Collect
a) Account Data
When you register for and use Oris, we collect:
- Full name
- Email address
- Password (stored as a cryptographic hash, never in plain text)
- Organization/clinic name and details
- Role within the organization (e.g., owner, doctor, hygienist, nurse, receptionist)
b) Usage Analytics
We collect data about how you interact with the Service:
- Pages viewed and features used
- IP addresses
- Browser type and device information
- Session duration and frequency
- Error and performance logs
c) Cookie Data
We use cookies and similar technologies to:
- Maintain your session (strictly necessary)
- Store your language preference (functional)
- Collect analytics data (only with your explicit consent)
See Section 11 for full details on cookies.
d) Payment Information
Payment processing is handled by our sub-processor Stripe. We do not store full credit card numbers or payment method details. We store only:
- Subscription status and tier
- Payment history (dates and amounts)
- Stripe customer identifier
e) Patient Health Data (as Processor)
On behalf of dental clinics, we process the following categories of patient health data. The dental clinic remains the data controller for this data:
- Patient demographics (name, date of birth, national identification number (CNP), contact details)
- Medical and dental history
- Dental charts and clinical examination records
- Clinical notes (SOAP format)
- Treatment plans and procedure records
- Prescriptions and medication data (including ANMDMR medication catalog lookups)
- Consent forms and signatures
- Uploaded patient files (X-rays, photographs, documents)
- Appointment history
- Billing and payment records related to treatment
- Periodontal measurements and assessments
- Patient portal activity and messages
4. How We Use Your Data
We use personal data for the following purposes:
- Service provision: To operate, maintain, and deliver the Oris platform and its features
- Account management: To create and manage your account, authenticate your identity, and manage your organization membership
- Security: To protect against unauthorized access, detect fraud, and ensure the integrity of the Service
- Analytics: To understand how the Service is used and to improve functionality, performance, and user experience
- Legal compliance: To comply with applicable laws, regulations, and legal obligations
- Communication: To send you Service-related notifications, security alerts, and administrative messages
- Support: To provide technical support and respond to your inquiries
5. Legal Basis for Processing
We process personal data on the following legal bases under Article 6 of the GDPR:
- Contract performance (Art. 6(1)(b)): Processing of account data is necessary for the performance of the contract between you and Oris (your subscription agreement)
- Legitimate interest (Art. 6(1)(f)): Analytics and security monitoring are based on our legitimate interest in improving the Service and maintaining its security. We have conducted balancing tests to ensure these interests do not override your fundamental rights
- Consent (Art. 6(1)(a)): Analytics cookies and marketing communications are processed only with your explicit consent, which you may withdraw at any time
- Legal obligation (Art. 6(1)(c)): Certain data processing is required by Romanian law, including healthcare record retention obligations under Order 1410/2016
For patient health data processed in our capacity as data processor, the legal basis for processing is determined by the dental clinic (the data controller) and is typically based on the patient's consent or the necessity for the provision of healthcare services.
6. Data Retention
We retain personal data for the following periods:
| Data Category | Retention Period | Basis |
|---------------|-----------------|-------|
| Account data | Duration of active service + 30 days after account deletion | Contract performance |
| Usage analytics | 24 months from collection | Legitimate interest |
| Cookie consent preferences | 12 months from consent | GDPR requirement |
| Payment records | 10 years from transaction | Romanian fiscal legislation |
| Audit logs | 5 years from creation | Security and legal compliance |
| Patient health data (as processor) | As instructed by the dental clinic controller, in accordance with Romanian healthcare legislation (Order 1410/2016), which requires retention for a minimum period as defined by applicable law | Legal obligation of the controller |
Upon termination of a clinic's subscription, patient health data is retained for 30 days to allow data export, after which it is permanently deleted unless a longer retention period is required by applicable law.
7. Sub-Processors
We use the following third-party sub-processors to deliver the Service:
| Sub-Processor | Purpose | Location | Data Processed |
|---------------|---------|----------|----------------|
| Stripe | Payment processing | Ireland (EU) | Payment method details, transaction data |
| Resend | Transactional email delivery | United States | Email addresses, email content |
| S3-compatible storage (MinIO) | File and document storage | Configurable (EU recommended) | Uploaded patient files, documents |
| Vercel | Application hosting and CDN | EU and United States | Request data, IP addresses |
All sub-processors are bound by data processing agreements that ensure GDPR-compliant data handling. Transfers to sub-processors located outside the European Economic Area (EEA) are protected by Standard Contractual Clauses (SCCs) adopted by the European Commission. See Section 12 for more information on international transfers.
We maintain an up-to-date list of sub-processors and will notify you of any changes that may affect the processing of your personal data.
8. Your Rights Under the GDPR
As a data subject, you have the following rights under the GDPR:
- Right of access (Art. 15): You have the right to obtain confirmation as to whether your personal data is being processed and to access a copy of that data
- Right to rectification (Art. 16): You have the right to request correction of inaccurate personal data
- Right to erasure (Art. 17): You have the right to request deletion of your personal data, subject to legal retention obligations
- Right to restriction (Art. 18): You have the right to request restriction of processing in certain circumstances
- Right to data portability (Art. 20): You have the right to receive your personal data in a structured, commonly used, and machine-readable format
- Right to object (Art. 21): You have the right to object to processing based on legitimate interest
- Right to withdraw consent (Art. 7(3)): Where processing is based on consent, you may withdraw that consent at any time without affecting the lawfulness of processing before withdrawal
- Right to lodge a complaint: You have the right to lodge a complaint with the supervisory authority (see Section 9)
To exercise any of these rights, please contact us at [DPO Email].
For patient health data: If you are a patient whose data is managed through Oris, please direct your data subject requests to your dental clinic (the data controller) in the first instance. The clinic may then instruct us to carry out the necessary actions.
We will respond to data subject requests within 30 days, as required by the GDPR. This period may be extended by a further 60 days for complex requests, in which case we will inform you of the extension.
9. Supervisory Authority
The competent supervisory authority for data protection in Romania is:
ANSPDCP -- Autoritatea Nationala de Supraveghere a Prelucrarii Datelor cu Caracter Personal
- Address: B-dul G-ral. Gheorghe Magheru 28-30, Sector 1, Bucuresti, Romania
- Email: anspdcp@dataprotection.ro
- Website: www.dataprotection.ro
You have the right to lodge a complaint with the ANSPDCP if you believe that your personal data has been processed in violation of the GDPR or applicable Romanian data protection law.
10. Data Protection Officer
We have designated a Data Protection Officer (DPO) who can be contacted regarding any questions or concerns about our data processing practices:
- Email: [DPO Email]
- Address: [Registered Address]
11. Cookies
Oris uses cookies and similar technologies on its website and platform. We categorize our cookies as follows:
Strictly necessary cookies: These are essential for the operation of the Service and cannot be disabled. They include session cookies for authentication and security tokens.
Functional cookies: These cookies enable enhanced functionality, such as remembering your language preference. They are set based on actions you take on the Service.
Analytics cookies: These cookies help us understand how the Service is used and are only set with your explicit consent through our cookie consent banner. You may change your cookie preferences at any time through the cookie settings available in the footer of our website.
We do not use advertising or tracking cookies.
12. International Data Transfers
We strive to process personal data within the European Economic Area (EEA) wherever possible. Where data is transferred to sub-processors outside the EEA (see Section 7), we ensure appropriate safeguards are in place, including:
- Standard Contractual Clauses (SCCs) adopted by the European Commission pursuant to Decision 2021/914
- Technical and organizational measures to protect data during transfer
We do not transfer personal data to countries that do not provide an adequate level of data protection without appropriate safeguards.
13. Data Security
We implement appropriate technical and organizational measures to protect personal data, including:
- Encryption of data in transit (TLS 1.2+) and at rest
- Cryptographic hashing of passwords
- Role-based access control with granular permissions
- Audit logging of data access and modifications
- Regular security reviews and updates
- Organizational access controls limiting data access to authorized personnel
While we take all reasonable measures to protect your data, no method of electronic storage or transmission is completely secure. We cannot guarantee absolute security.
14. Children's Privacy
The Oris Service is not directed at children under the age of 16. We do not knowingly collect personal data from children under 16. If we become aware that we have inadvertently collected personal data from a child under 16, we will take steps to delete such data promptly.
15. Regulatory References
This Privacy Policy has been prepared in accordance with the following regulations:
- GDPR -- Regulation (EU) 2016/679 of the European Parliament and of the Council
- Romanian Law 190/2018 -- implementing the GDPR in Romania
- Law 46/2003 -- regarding patient rights in Romania
- Order 1410/2016 -- regarding medical records retention in Romanian healthcare facilities
- eIDAS Regulation -- Regulation (EU) No 910/2014 on electronic identification and trust services, applicable to electronic consent and signatures collected through the platform
16. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. For material changes, we will:
- Notify you by email at the address associated with your account
- Display a prominent notice within the Service
- Update the "Last updated" date at the top of this document
Your continued use of the Service after the effective date of the updated Privacy Policy constitutes your acceptance of the changes. If you do not agree with the updated Privacy Policy, you should discontinue use of the Service.
17. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data processing practices, please contact us:
- Email: [DPO Email]
- Address: [Registered Address]
- Company: [Company Name], CUI [CUI]