Privacy Policy
Last updated: May 31, 2026
1. Introduction
Dently AI (“we,” “us,” or “our”) is a sole proprietorship operating from Serbia. We provide a software-as-a-service platform (“the Service”) that includes an AI-powered Telegram assistant for dental practices, accessible via the Telegram mobile application and the dentlyai.com website.
This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service. It applies to all data collected through:
- Our website at dentlyai.com
- Our Telegram bot and associated services
- Any other interactions you may have with Dently AI
By using the Service, you consent to the collection and use of information in accordance with this policy. If you do not agree with this policy, please do not use our Service.
For the purposes of the European Union General Data Protection Regulation (GDPR), Dently AI is the data controller of personal data you provide to us directly. Where you enter patient data into the Service as a dental practice, we act as a data processor on your behalf, and you remain the data controller for that patient data.
2. Information We Collect
We collect several categories of information to provide and improve the Service.
a) Account Information
When you sign in via Google OAuth, we collect your name, email address, and Google profile information (including your profile picture URL). This identifies you as a user and links your Google account to your Dently AI tenant.
b) Practice / Clinic Data
During onboarding, you provide information about your dental practice, including specialty, phone number, timezone, and operating hours. This information is used to configure your AI assistant and ensure timezone-aware scheduling.
c) Patient Data
Through the Service, you may enter patient-related information including names, contact details, medical history, tooth chart records, treatment plans, and appointment information. You are solely responsible for ensuring you have a lawful basis to process such patient data. Dently AI processes this data solely on your instructions as a data processor under GDPR.
d) Google OAuth Data
When you connect your Google account, we access your Google Calendar events, Gmail messages, and Google Drive files through OAuth-authorized API calls. The specific scopes and how each is used are detailed in Section 3 below. We do not download or store a bulk copy of your Google data; we access it on demand as needed to process your requests.
e) Payment Data
All payment processing is handled by Paddle (Paddle.com Market Limited / Paddle.com Inc.). We do not collect, process, or store your credit card numbers, bank account details, or any other payment credentials. Paddle provides us with transaction confirmations and subscription status information necessary to manage your account.
f) Usage Data
We automatically collect technical information when you use the Service, including Telegram bot interaction logs, API request counts, feature usage patterns, error logs, and session metadata. This data helps us monitor service health, debug issues, and understand how features are used.
3. Google OAuth Scopes & Data Usage
Our Service requests the following Google OAuth scopes. We explain below exactly what data each scope provides and how we use it.
- userinfo.email / userinfo.profile — We use your email address and basic profile information to identify you, create your account, and match you to your Dently AI tenant. This is the minimum information needed for authentication.
- calendar.events (read / write) — We read your Google Calendar events to display your daily schedule and identify available appointment slots. We create and modify calendar events when you instruct the bot to schedule, reschedule, or cancel appointments.
- gmail.modify — We send patient communications on your behalf (appointment confirmations, reminders, follow-ups). We may read incoming emails to detect patient intake forms and messages directed to your practice. No automated bulk reading or scanning of your inbox occurs; email access is driven by your explicit requests.
- drive (read) — We search and read files stored in your Google Drive that you reference during conversations with the bot. We do not modify, delete, or share your Drive files.
All Google user data is processed solely to provide the Service to you. We do not use Google data for advertising, analytics, or any purpose unrelated to fulfilling your requests. No Google data is shared with third parties.
Your Google access token is encrypted at rest using AES-128-CBC via the Fernet cryptography library, and we refresh it before each API call to ensure validity. The encryption key is stored only in the server environment and is never logged, exposed to client-side code, or transmitted over the network outside of TLS-encrypted connections.
You may revoke Dently AI's access to your Google account at any time through your Google Account security settings. Revoking access will immediately prevent us from accessing your Google data. Some features of the Service may become unavailable if Google access is revoked.
4. How We Collect Information
- Directly from you: Information you provide during account creation, onboarding, and interactions with the Telegram bot.
- Automatically: Technical logs, usage data, and session information collected as you use the Service.
- From Google: Calendar events, email content, and Drive file metadata accessed through OAuth-authorized API calls upon your request.
- From Paddle: Payment confirmations, subscription status, and billing-related notifications.
5. How We Use Information
We use the information we collect for the following purposes:
- Provide and maintain the Service: Operate the AI assistant, process your chat requests, and maintain your account and workspace.
- Process your requests: Schedule appointments, manage patient records, send messages, generate clinical notes, and perform other functions you request through the bot.
- Communicate with you: Send service-related notices, account updates, and respond to your support inquiries.
- Improve the Service: Analyze usage patterns to enhance features, fix bugs, and optimize performance. Any data used for improvement is de-identified where possible.
- Legal obligations: Comply with applicable laws, regulations, legal processes, or enforceable governmental requests.
6. Legal Bases for Processing (GDPR)
For individuals in the European Economic Area (EEA) and the United Kingdom, we rely on the following legal bases under the GDPR to process your personal data:
- Contractual necessity — Processing your account information, practice data, and Google OAuth data is necessary to perform our contract with you (i.e., to provide the Service you signed up for). Without this data, we cannot deliver the core functionality.
- Legitimate interest — We process usage data and limited technical logs to monitor, secure, and improve the Service. We have assessed that this processing does not override your fundamental rights and freedoms.
- Consent — Where required by law, we will obtain your explicit consent before processing data for a specific purpose. You may withdraw consent at any time, though this will not affect the lawfulness of processing carried out before withdrawal.
- Legal obligation — We may process and retain data as required to comply with applicable tax, accounting, and regulatory obligations under Serbian and European law.
Patient data note: Patient data you enter into the Service is processed by Dently AI as a data processor acting on your behalf. You, as the dental practice, remain the data controller for that patient data and are responsible for establishing a lawful basis for its collection and processing under GDPR, such as patient consent, contractual necessity, or vital interests.
7. Data Sharing & Third Parties
We share information with the following third-party service providers only to the extent necessary to provide the Service:
- Paddle (Paddle.com Market Limited, UK / Paddle.com Inc., USA) — Our payment processor. When you subscribe, Paddle collects your billing information and processes payments. Paddle acts as an independent data controller for payment processing. See Paddle's Privacy Policy.
- Google — We access Google APIs (Calendar, Gmail, Drive) on your behalf through OAuth. Google is a separate data controller for data stored in your Google account. Google's use of your data is governed by Google's Privacy Policy.
- DeepSeek — Our AI model provider. Conversation text is transmitted to DeepSeek for natural-language processing and response generation. We do not intentionally send standalone patient personally identifiable information (PII) to the AI provider; however, some conversational context may include incidental references. DeepSeek processes this data solely to generate responses and does not retain it for model training.
- Microsoft Azure (West Europe region) — Our cloud hosting provider. All Service data is stored on Azure infrastructure within the European Union.
We do not sell, rent, or trade your personal data to any third party. We do not share data with third parties for their own marketing or advertising purposes.
8. International Data Transfers
Your data is primarily stored and processed on Microsoft Azure servers located in the West Europe region (within the European Economic Area). However, certain processing may involve data transfers outside the EEA:
- DeepSeek API: Conversation text transmitted to the AI model provider may be processed on servers located outside the European Union. We rely on applicable transfer mechanisms, including the European Commission's Standard Contractual Clauses (SCCs), to ensure an adequate level of data protection.
- Paddle: Paddle.com Market Limited processes payments primarily in the UK. Paddle.com Inc. may process data in the United States. Paddle handles international transfers per its own GDPR compliance program, which includes SCCs.
- Telegram: Your interactions with the bot occur through Telegram's platform. Telegram's data processing is governed by its own privacy policy and may involve servers outside the EEA.
Where data is transferred outside the EEA, we take steps to ensure that it is protected by appropriate safeguards in accordance with applicable data protection laws.
9. Data Retention
- Account data: Retained for as long as your account remains active.
- Patient data: Retained until you delete it through the Service or your account is closed, whichever comes first. You control what patient data is stored.
- OAuth tokens: Stored encrypted at rest. Refreshed automatically before each Google API call. Permanently deleted when you disconnect your Google account or close your Dently AI account.
- Session cookies: HTTP session cookies expire after 7 days of inactivity.
- Usage logs: Retained for up to 90 days for monitoring and debugging purposes.
- Post-termination: Upon account closure, we delete all personal data within 30 days. Aggregated or anonymized data that cannot identify you may be retained.
You may request earlier deletion of your data at any time by contacting us (see Section 16). We will comply within 30 days unless a legal obligation requires us to retain specific data.
10. Data Security
We implement appropriate technical and organizational measures to protect your personal data:
- OAuth access and refresh tokens are encrypted at rest using AES-128-CBC (Fernet). The encryption key is stored only in the server environment and is never logged or exposed.
- All data in transit between your browser, our servers, and third-party APIs is protected by HTTPS / TLS encryption.
- Session cookies are set with httpOnly, secure, and samesite=lax flags to prevent client-side script access and cross-site request forgery.
- Our server runs on an isolated Azure virtual machine with a host-level firewall restricting inbound and outbound traffic.
No method of electronic transmission or storage is 100% secure. While we strive to use commercially acceptable means to protect your personal data, we cannot guarantee its absolute security.
11. Cookies
We use only one essential, first-party session cookie:
dently_session — An encrypted, httpOnly session cookie required for authentication. It contains a session identifier and no personal data. It expires after 7 days of inactivity.
We do not use tracking cookies, advertising cookies, analytics cookies, or any third-party cookies. Your theme preference (light / dark) is stored in your browser's localStorage and is not a cookie.
12. Your Data Protection Rights
Under the GDPR, you have the following rights regarding your personal data. To exercise any of these rights, please contact us at support@dentlyai.com.
- Right of access — You may request a copy of the personal data we hold about you. We will provide this within one month of your request.
- Right to rectification — You may request that we correct any inaccurate or incomplete personal data we hold about you.
- Right to erasure (“right to be forgotten”) — You may request the deletion of your personal data where there is no compelling reason for us to continue processing it, subject to legal retention obligations.
- Right to restriction of processing — You may request that we limit the processing of your personal data in certain circumstances (e.g., while we verify the accuracy of contested data).
- Right to data portability — You may request a copy of your data in a structured, commonly used, machine-readable format, and have it transmitted directly to another controller where technically feasible.
- Right to object — You may object to the processing of your personal data based on legitimate interests. We will cease processing unless we can demonstrate compelling legitimate grounds that override your rights.
- Right to withdraw consent — Where we rely on your consent to process data, you may withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
- Right to lodge a complaint — You have the right to lodge a complaint with a supervisory authority. The relevant authority in Serbia is the Commissioner for Information of Public Importance and Personal Data Protection (poverenik.rs). You may also contact your local data protection authority in your country of residence.
For California residents, the California Consumer Privacy Act (CCPA) provides additional rights, including:
- Right to know — Request disclosure of the categories and specific pieces of personal data we have collected about you in the preceding 12 months.
- Right to delete — Request deletion of personal data we have collected from you, subject to certain exceptions.
- Right to opt-out of sale — We do not sell personal data, as defined under the CCPA. No opt-out is necessary.
- Right to non-discrimination — We will not discriminate against you for exercising any of your CCPA rights.
To exercise CCPA rights, contact us at support@dentlyai.com. We will verify your identity before processing the request.
13. Children's Privacy
Our Service is intended for licensed dental professionals and is not directed to individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that a person under 18 has provided us with personal data, we will take steps to delete such information promptly. If you believe we may have collected data from a child, please contact us immediately.
14. Third-Party Links
Our Service integrates with and may link to third-party platforms, including Telegram, Google, and Paddle. These third-party services have their own privacy policies, and we are not responsible for their privacy practices. We encourage you to review the privacy policies of any third-party services you interact with through our platform.
15. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or operational needs. When we make material changes, we will notify you by email (to the address associated with your account) or through a prominent notice on the Service prior to the change becoming effective.
The “Last updated” date at the top of this page indicates when this policy was last revised. Your continued use of the Service after we post any modifications constitutes your acceptance of the updated policy.
16. Contact Information
If you have any questions or concerns about this Privacy Policy or our data practices, please contact us:
- Email: support@dentlyai.com
- Data controller: Dently AI, sole proprietorship, Republic of Serbia
For GDPR-specific inquiries, please include “GDPR” in the subject line of your email to help us route your request appropriately.
You also have the right to lodge a complaint with your local data protection supervisory authority at any time, as described in Section 12.
Paddle's Privacy Policy: https://www.paddle.com/privacy
Google's Privacy Policy: https://policies.google.com/privacy
Commissioner for Information of Public Importance and Personal Data Protection, Republic of Serbia: https://www.poverenik.rs/en/