Privacy Policy

Last updated: May 30, 2026

1. Introduction

OralSpares ("we", "us", "our") operates the oralspares.com platform, a digital dental prosthetics case management service. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our platform.

2. Information We Collect

Account Information

When you register for an account, we collect your name, email address, phone number, clinic name, and professional credentials. Account creation is subject to approval by our team.

Case Data

When you submit dental cases through our platform, we collect case details including patient reference identifiers, prosthetic specifications, 3D design files, clinical photographs, and communication history related to the case. We do not collect patient names or direct patient identifiers unless you include them in case notes.

Usage Data

We automatically collect information about how you interact with our platform, including pages visited, features used, browser type, IP address, and device information. We use Google Analytics (G-GBVKWH806S) to analyze usage patterns.

Uploaded Files

Files you upload to the platform (STL files, images, documents) are stored securely and associated with your account and the relevant case.

3. How We Use Your Information

  • To provide, operate, and maintain the dental prosthetics case management platform
  • To process and fulfill dental prosthetic orders and case submissions
  • To communicate with you about your cases, including real-time status updates
  • To verify your professional credentials and approve account access
  • To send service-related notifications and updates
  • To improve our platform, services, and user experience
  • To detect, prevent, and address technical issues or abuse

4. Lawful Basis & Special-Category (Health) Data

Where we process ordinary personal data (such as account and usage information), we rely on the lawful bases of contract performance (Art. 6(1)(b) GDPR) and our legitimate interests in operating and securing the platform (Art. 6(1)(f) GDPR).

Dental and clinical case information — including patient reference identifiers, clinical case details, and CBCT scans — constitutes special-category data concerning health under Art. 9 GDPR. In respect of this data, OralSpares acts as a processor on the documented instructions of the treating dental professional or clinic, who is the controller. The treating dental professional is responsible for establishing the relationship with the patient and for obtaining the patient's explicit consent (or otherwise ensuring a valid Art. 9 condition) before submitting health data to the platform.

The processing of health data is permitted under Art. 9(2)(h) GDPR (processing necessary for the provision of health or dental care and the management of health-care services) and, where applicable, Art. 9(2)(a) GDPR (the data subject's explicit consent), in each case obtained and maintained by the controlling dental professional.

5. Data Sharing & Sub-Processors

We do not sell your personal information. We may share data with:

  • Legal requirements — when required by law, regulation, or legal process

We engage the following sub-processors to operate the platform. Each is bound by data-processing terms and processes data only on our instructions:

  • Neon — PostgreSQL database hosting for all application and case data
  • Microsoft Azure Blob Storage — storage of case files and CBCT scans
  • Brevo — transactional email delivery (emails may contain a patient name and case details)
  • Vercel — application hosting and content delivery (functions run in the fra1 / Frankfurt region)
  • Google Analytics — usage analytics (set only with your consent)
  • Vercel Speed Insights — performance metrics (collected only with your consent)
  • Segmentation service (GPU) — receives the CBCT scan and the case identifier to compute segmentation and returns the results
  • Supabase — community forum data (stored in a separate silo)
  • Monday.com — case workflow synchronization
  • Web Push services — browser push notification delivery via VAPID

6. Data Security

We implement industry-standard security measures to protect your data, including encrypted connections (HTTPS), secure authentication with hashed passwords, role-based access controls, and regular security reviews. However, no method of transmission over the Internet is 100% secure.

7. Data Retention

We retain personal data only for as long as necessary for the purposes described in this policy. Specific retention periods include:

  • Account data — retained while your account is active, and thereafter for any statutory dental-record retention period required by applicable dental/medical record-keeping regulations.
  • Case data and CBCT scans — retained for the duration required by applicable dental/medical record-keeping regulations on behalf of the controlling dental professional.
  • Rejected job applications and their CVs — deleted 90 days after the application is rejected.
  • Read notifications — deleted 12 months after they are marked as read.
  • Password-reset tokens — expire within 1 hour of being issued.

You may request deletion of your account by contacting us, subject to legal retention requirements.

8. Your Rights

Depending on your jurisdiction, you may have the right to:

  • Access the personal data we hold about you
  • Request correction of inaccurate data
  • Request deletion of your data (subject to legal retention requirements)
  • Object to or restrict certain processing of your data
  • Data portability — receive your data in a structured format
  • Lodge a complaint with a supervisory authority — if you believe our processing of your personal data infringes data-protection law, you have the right to complain to the data-protection supervisory authority in your country (for example, the National Center for Personal Data Protection of the Republic of Moldova, or the supervisory authority of your EU/EEA member state)

Where we act as a processor on behalf of a treating dental professional, requests relating to patient health data should generally be directed to that dental professional as the controller; we will support them in responding. To exercise any of these rights, contact us at the address below.

9. International Data Transfers

Our platform serves dental professionals in Moldova, Romania, and internationally. Some of the sub-processors listed above may process personal data in countries outside the European Economic Area (EEA). Where such transfers occur, we rely on appropriate safeguards as required by GDPR — principally the European Commission's Standard Contractual Clauses (SCCs), or transfers to countries covered by a European Commission adequacy decision.

10. Children's Privacy

Our platform is intended for dental professionals and is not directed at individuals under 18. We do not knowingly collect information from children.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page and updating the "Last updated" date.

12. Contact Us

If you have questions about this Privacy Policy or our data practices, contact us at:

OralSpares

Email: liviu.racovita@oralspares.com

Website: oralspares.com

© 2026 OralSpares. All rights reserved.