Legal

Privacy Policy

Last updated: April 2026

Dentalys.ai is committed to protecting the privacy of clinic operators and their patients. This policy explains what data we collect and how we use it.

01. Information We Collect

We collect information you provide directly when creating an account (name, email, clinic details) and information generated through use of the service (patient names, phone numbers, appointment history, conversation logs). We also collect technical data such as IP addresses, browser type, and usage analytics to operate and improve the platform.

02. How We Use Your Information

We use collected data to: deliver and operate the AI receptionist service; send appointment reminders and booking confirmations; process payments via Stripe; provide customer support; improve AI response quality; and comply with legal obligations. We do not sell, rent, or trade your data or your patients' data to third parties.

03. Data Storage and Security

All data is stored in Supabase (PostgreSQL) infrastructure hosted on AWS. Data is encrypted at rest (AES-256) and in transit (TLS 1.2+). Access to production databases is restricted to authorised personnel only. We perform regular backups and security reviews. Despite these measures, no system is 100% secure and we cannot guarantee absolute security.

04. Third-Party Services

Dentalys.ai integrates with the following third-party services to deliver its features:

• Meta (Facebook/Instagram) — for Instagram DM and Facebook Messenger bot functionality via the Meta Graph API. Messages are routed through Meta's infrastructure.
• Google Calendar — for appointment sync. We request only the permissions required to read/write calendar events.
• Stripe — for payment processing. We do not store card details; all payment data is handled by Stripe's PCI-compliant systems.
• Supabase — as our database and authentication provider.
• OpenAI — to power AI-generated responses. Conversation content is sent to OpenAI's API for processing. OpenAI's data usage policy applies.

Each third party is governed by their own privacy policy.

05. Data Retention

We retain your account and business data for as long as your account is active. Conversation logs and booking records are retained for 12 months by default and may be purged on request. On account deletion, all personal data is removed within 30 days, except where retention is required by law or for fraud prevention.

06. Your Rights

Depending on your jurisdiction, you may have the right to: access the personal data we hold about you; correct inaccurate data; request deletion of your data; object to or restrict processing; and data portability. To exercise any of these rights, contact us at the address below. We will respond within 30 days.

07. Cookies

We use session cookies to maintain authentication. We do not use third-party advertising cookies. Analytics cookies (if any) are used solely to understand aggregate usage patterns and are not used to build individual profiles.

08. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes via email or an in-app notice. Continued use of the service after changes constitutes acceptance of the updated policy.

09. Contact Us

For privacy-related questions, data requests, or concerns, contact us at: support@cvidsproductions.net

We aim to respond to all enquiries within 5 business days.

10. Google API Services and Limited Use

Dentalys.ai uses Google API Services to provide calendar-based appointment booking for our clinic customers. When you connect your Google account, we request the following OAuth scopes:

- https://www.googleapis.com/auth/calendar — to read upcoming events for availability checks, and to create, update, and cancel appointment events on your behalf.
- https://www.googleapis.com/auth/userinfo.email and https://www.googleapis.com/auth/userinfo.profile — to identify the connected Google account.

How we use Google user data:

- We read calendar events only to determine which time slots are free when a patient requests an appointment.
- We create, update, and delete calendar events that we ourselves originate through bookings made via our AI assistant.
- We store OAuth access tokens, refresh tokens, the connected email address, and the calendar ID in our encrypted Supabase Postgres database (AES-256 at rest, TLS 1.2+ in transit).
- We do NOT copy, cache, or persist the contents of calendar events beyond the event IDs of events we ourselves create.

How we protect Google user data:

- We do NOT sell, rent, trade, or otherwise transfer Google user data to any third party for advertising or any other purpose.
- We do NOT use Google user data to develop, improve, or train generalized artificial intelligence or machine learning models.
- Access to production databases is strictly limited to authorised engineering personnel.
- Users may disconnect Google Calendar at any time from their dashboard. On disconnection, OAuth tokens are revoked and deleted from our systems within 24 hours.
- On account deletion, all associated Google user data is deleted within 30 days.

Compliance statement: Dentalys.ai's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy (link: https://developers.google.com/terms/api-services-user-data-policy), including the Limited Use requirements.

Contact: For data access, correction, or deletion requests related to Google user data, contact support@cvidsproductions.net. We respond within 30 days.