Privacy Notice
Last updated: May 7, 2026
Odontavio provides dental clinic operations software. For patient records, the clinic normally acts as data controller and Odontavio acts as processor under clinic instructions. Some limited account, security, billing, and service telemetry may be processed by Odontavio as an independent controller.
Controller and processor roles
Your clinic is the controller for patient health records, appointments, communications, consents, documents, and clinical notes. Odontavio processes those records only to provide, secure, maintain, and support the service under contract.
Categories of data
The service may process identity and contact data, appointment data, dental and health records, prescriptions, consent records, uploaded documents, diagnostic images, staff account data, audit logs, security events, support metadata, and minimized AI usage metadata.
Legal bases
Clinics determine their legal bases for patient-care processing, including healthcare provision, legal obligations, vital interests where applicable, contract administration, legitimate interests, consent where required, and Article 9 healthcare or public-health bases for special-category health data.
Recipients and subprocessors
Data may be made available to authorized clinic staff, service providers used to host, store, secure, email, audit, and support the application, and authorities where legally required. Subprocessors are reviewed for DPA, region, transfer mechanism, and PHI approval before production use.
International transfers
Production deployments should use EU-region hosting, storage, and databases. Transfers outside the EEA require an approved transfer mechanism, such as SCCs and a transfer-impact assessment, before production PHI use.
Retention
Clinical records are retained or restricted according to clinic legal obligations and configured retention policies. Operational and AI metadata should be minimized, deleted, anonymized, or restricted when no longer needed.
Data Subject Requests
Depending on applicable law, you may request access, rectification, erasure where legally allowed, restriction, objection, portability, and a copy of processing information. Patients should submit requests through their clinic or the patient portal.
AI decision support
AI features are clinician-support tools only. Odontavio is designed to minimize PHI sent to AI providers, gate providers by compliance approval, and block production PHI AI processing unless clinic and vendor requirements are satisfied.
Security
The service uses role-based access controls, encryption, audit logging, security event tracking, MFA-ready staff controls, private storage, and retention/audit evidence workflows.
Complaints and contacts
Patients may contact their clinic for privacy requests and may lodge complaints with the Spanish Data Protection Agency or the competent supervisory authority. Clinics should configure a DPO or privacy contact before launch.