1. Introduction
This Data Protection & Privacy Policy ("Policy") sets out how Deccansoft Software Services Pvt Ltd, through its brand DentoMate AI ("the Company" / "the Platform"), collects, uses, stores, shares, and safeguards personal data. It applies to all individuals using the Platform, including patients, dental practitioners, clinic operators, administrative staff, and subscribers.
By using the Platform, the User ("Data Principal") acknowledges and provides consent for their data to be processed in line with this Policy and in compliance with the Digital Personal Data Protection Act, 2023 (India).
2. Consent Framework
The Company only processes personal data when a lawful basis exists, with consent being the primary ground. Users give consent explicitly when they provide their information on the Platform, for example by ticking consent boxes on registration or appointment forms. Consent is not assumed or implied and is never pre-ticked; the User must make an active choice.
Where Users opt into AI features such as automatic summarisation, image analysis, or transcription, separate consent is collected to ensure that Users are fully aware that AI processing will be applied to their data. These AI-generated outputs are advisory only, and medical responsibility always remains with the treating dentist.
For minors under the age of 18, personal data is processed only with verifiable parental or guardian consent. Verification may be done through OTP confirmation, signed authorization, or other legally acceptable mechanisms.
Users may also withdraw their consent at any time by contacting support@dentomateai.com. Withdrawal stops further processing of that User's data for the specific consented purpose, except where retention is legally required (for example, invoices under tax law).
3. Categories of Data Collected
The Platform collects different types of information depending on how it is used:
- Patient Data: This includes demographic details (such as name, age, and gender), contact details (such as phone number, email, and address), clinical and medical information (such as case histories, prescriptions, diagnoses, and treatment notes), diagnostic images (such as X-rays or lab reports), and billing information.
- Clinic and Staff Data: This includes names, email IDs, and phone numbers of staff members to enable role-based login access, clinic details such as address and services offered, and subscription billing details. Payroll or salary information is not collected.
- Financial Data: This includes subscription invoices, billing addresses, and transaction references. Sensitive financial data such as card numbers or banking credentials are not stored by the Company, as all payments are processed securely by third-party gateways.
- Technical Data: This includes information automatically generated by the Platform, such as IP addresses, device identifiers, login times, and system usage logs. It also includes detailed audit logs that record who accessed or modified patient records, when, and how.
The Company does not collect irrelevant or sensitive personal attributes unrelated to dental care, such as religion, caste, or political opinions.
4. Data Collection Methods
Personal data is collected in several ways:
- Direct Input by Users: Patients or doctors may provide data directly, for example when registering on the app, filling out an intake form, or entering prescriptions.
- System-Generated Data: The Platform automatically generates data to support operations, such as appointment confirmations, invoice records, and time-stamped logs of activities.
- Authorized Staff Input: Clinic staff may input or update patient details on behalf of patients, such as updating phone numbers or booking follow-up appointments.
- Third-Party Integrations: Minimal data may be shared with or received from external services. For example, payment gateways confirm whether a subscription payment was successful, messaging APIs confirm whether reminders were delivered, and AI services return summaries or analyses of inputted information.
5. Legal Basis for Processing
Processing occurs only under lawful bases:
- Explicit Consent of Users: Users must provide clear and affirmative consent before their data is processed. For example, ticking a consent checkbox before submitting registration details.
- Legitimate Use for Service Delivery: Certain processing is essential for providing services. For example, storing a patient's phone number to send an appointment reminder is a necessary part of the service.
- Legal Obligations: The Company may need to retain or disclose data to comply with laws, such as maintaining patient records for medical council requirements or retaining tax invoices under GST law.
6. Purpose Limitation
The Company only processes personal data for defined, lawful purposes:
- To digitize and securely store clinical records, including history, diagnoses, and imaging.
- To schedule, confirm, and send reminders for patient appointments.
- To generate invoices, process subscription payments, and maintain billing records.
- To provide AI-enabled support tools (only if enabled by Users), such as summarising medical notes, analysing X-rays, or transcribing spoken notes.
- To comply with medical, tax, audit, and other applicable legal obligations.
No personal data is processed for unrelated purposes such as advertising or marketing without explicit additional consent.
7. Data Classification and Sensitivity
The Company classifies data to ensure that higher-risk categories receive stronger protections:
- General Data includes details such as contact numbers, addresses, and subscription information.
- Sensitive Personal Data includes medical and dental histories, clinical notes, and diagnostic images. These receive the highest level of safeguards, including encryption and restricted access.
- System Data includes technical identifiers such as IP addresses, device details, and logs, which help maintain security and auditability.
8. Data Retention and Deletion
- Patient health records are stored for a default period of five years after the last interaction. Clinics and doctors may request longer retention if medical regulations require it.
- After the retention period expires, data is either securely deleted (irrecoverable) or anonymised so that it cannot identify individuals.
- Financial records such as invoices are retained for as long as required under tax and corporate laws, which may exceed five years.
- If a User requests deletion of their data, the Company will honour the request unless the data must be kept for legal reasons. A confirmation will be provided once deletion or anonymisation is completed.
9. Security Measures
The Company applies multiple layers of protection:
- All sensitive data is encrypted both when stored and when transmitted between devices and servers.
- Access is restricted using role-based controls, meaning staff can only access the information relevant to their role (for example, operators cannot view medical notes unless explicitly authorized).
- Audit logs record every access and modification to ensure accountability.
- Data is hosted on Microsoft Azure, which provides healthcare-grade infrastructure security and certifications.
- Encrypted backups are taken regularly and tested to ensure recovery capability in case of failures.
- Employees undergo mandatory training on confidentiality and secure handling of personal data.
- Privacy by Design principles are followed in developing new features, ensuring data collection is minimal and security is embedded by default.
- If a data breach occurs, Users and the Data Protection Board of India will be notified within 72 hours, along with information about remedial steps.
10. Rights of Data Principals
Users have the following rights under the DPDP Act:
- Right of Access: Users can request a summary of the data held about them and the purposes of its use.
- Right of Correction/Update: Users can correct errors or update outdated information, such as changing contact details.
- Right of Erasure: Users can request deletion of their data when it is no longer legally required to be retained.
- Right of Portability: Users can request their data in a structured, machine-readable format, such as CSV or PDF, to transfer to another provider.
- Right of Nomination: Users can designate another person to exercise their rights in case of death or incapacity.
- Right to Grievance Redressal: Users can lodge complaints if they believe their data has been misused or mishandled.
All requests are subject to verification to prevent unauthorized misuse and are typically resolved within seven working days.
11. Use of Anonymised Data
The Company may anonymise personal data so that it cannot be linked to individuals. Such anonymised data may be used to:
- Generate Statistical Reports, such as calculating average patient wait times, appointment attendance rates, or common oral health trends across a population. These reports help clinics plan better and improve efficiency.
- Improve AI Models, for example by using de-identified notes to train algorithms to produce more accurate summaries or analyses. Personal identifiers are stripped out so that the AI cannot identify specific individuals.
- Conduct Research and Analytics, such as identifying patterns in dental health conditions across a region, without exposing any personal records.
Anonymisation ensures that privacy risks are eliminated while allowing useful insights to be generated for healthcare improvement.
12. Intellectual Property and Brand Protection
"DentoMate AI" and its logo are proprietary marks of Deccansoft Software Services Pvt Ltd. Unauthorized use, reproduction, or imitation of the brand name, logo, content, or software is strictly prohibited. Any fraudulent use, counterfeit distribution, or impersonation of the Company or its services may result in legal action under applicable intellectual property and anti-counterfeit laws. Users are advised to access services only through official websites, apps, and communication channels.
13. Transactions and Payment Security
All financial transactions related to subscriptions are processed exclusively through authorized payment gateways such as Razorpay, Stripe, PayPal or any third-party (when integrated). The Company does not store card or banking details. Subscription invoices, billing addresses, and payment confirmations may be stored for compliance and entitlement verification.
Users are responsible for securing their own payment methods and must notify their bank and the Company in case of suspected fraud. The Company is not liable for losses resulting from unauthorized transactions carried out via unofficial channels or fraudulent platforms. Refunds and disputes are governed separately by the Terms of Service.
14. Limitations of Liability
The Company applies industry-standard safeguards but no digital system is absolutely risk-free. Accordingly:
- The Company is not liable for breaches caused independently by third-party processors such as cloud hosting providers, AI vendors, or payment gateways.
- The Company is not responsible for unauthorized disclosures caused by employees or contractors acting outside their authorized duties.
- Users are responsible for protecting their own login credentials and for providing accurate and truthful data.
- The Company is not liable for breaches caused by force majeure events such as cyberattacks, natural disasters, or government actions beyond its control.
Liability applies only where the Company's direct negligence is conclusively established.
15. Reservation of Rights and Compliance Buffer
The Company reserves the right to interpret, modify, or update this Policy at its discretion, provided changes remain consistent with applicable laws. Reasonable time may be required to implement operational changes after updates. In case of new legal or regulatory obligations, the Company is entitled to a reasonable period to review, interpret, and implement compliance.
Failure to enforce any provision of this Policy does not constitute a waiver of the Company's right to enforce it in the future.
16. Internal Resolution First
Before any external legal or regulatory escalation, Users must first submit grievances or claims in writing to the Company's Data Privacy Contact. The Company will be given reasonable opportunity to investigate, verify, and resolve the matter internally.
17. AI Transparency and Healthcare Disclaimer
AI features on the Platform are assistive tools designed to save time and improve documentation. They cannot replace professional clinical judgment. Final treatment decisions always rest with the licensed dentist. The Platform is a technology service provider, not a medical services provider.
18. Children's Data Protection
The Company processes minors' data only with verified parental or guardian consent. Children's data is not used for targeted advertising, behavioral profiling, or tracking. Special care is taken to ensure children's wellbeing is not adversely affected by any processing.
19. Dispute Resolution and Governing Law
Disputes relating to this Policy shall first attempt resolution through mediation with the Company. If unresolved, disputes fall under the exclusive jurisdiction of courts in Hyderabad, Telangana, and are governed by the laws of India.
20. Severability
If any part of this Policy is held invalid, the remaining sections continue in effect. This Policy represents the entire agreement on data protection between the User and the Company.
21. Version Control and Updates
Each version of this Policy carries an effective date. Updated versions will be posted on the Platform, and continued use constitutes acceptance. Users are encouraged to review the latest version regularly.