Section 01
Who processes your data
The person responsible for the decisions on how we process your data is the Data Controller of Oralsnap. For every privacy matter, write to a single address:
Privacy Reference
info@oralsnap.com
Controller
Vladyslav Pereverzyev
Headquarters
Bolzano (BZ), Italy
VAT
IT03281410211
Response within
30 days from receipt (Art. 12 GDPR)
We have not designated a DPO: the mandatory conditions provided by Art. 37 GDPR do not apply. For Oralsnap, the privacy contact point coincides with the Controller.
For clinical data, it's different
When a dentist or dental technician uploads data referable to a patient of theirs into the app, we are only Processors (Art. 28 GDPR) - the Controller is the professional. If you are a patient and want to exercise your rights on clinical data, you must contact your professional.
For details on the relationships between us, the professional and the patient, see the T&C Section 12.
Section 02
Which data we collect, one by one
For each individual data we collect, we explain when we take it, why we need it, where it ends up and how long we keep it. No vague categories, only reality.
Name, profession, practice (optional)
Clinical images and case notes
Social identity (if you use social login)
Section 03
What we do NOT collect, clearly
Since too many Privacy Policies list data they never actually collect, here we tell you in black and white what we don't do and which device permissions we don't use.
✓ Yes, we do these things
- We collect email and password (in encrypted form)
- We save your clinical images on our storage
- We send transactional emails via Brevo
- We use Firebase for authentication
- We keep access logs for security
- We generate public links if you request it
✗ No, we DON'T do these things
- No biometric data (Face ID/fingerprint stay on your device)
- No precise GPS geolocation
- No access to contacts, microphone, calendar
- No marketing cookies of our own (YouTube embeds may set cookies - see Cookie Policy)
- No data sale to third parties
- No advertising profiling by us
- No cross-device tracking by us
- No Google Analytics on site or in the app
When a device permission is not listed above among the "yes", it means we don't request it at all. Concrete examples: the app does NOT request access to the address book, messages, microphone, light sensor, Bluetooth, calendar contacts.
Only necessary permissions
The permissions the app requests from the device are limited to:
- Camera - only when you choose to take a clinical photo.
- Photo gallery - only when you choose to import an existing image.
- NFC - only when you write or read a tag.
- Local biometrics - only if you enable app unlock with Face ID/fingerprint (verification happens on your device, never on our servers).
- Push notifications - only if you accept them.
Section 04
Cookies and similar technologies
On oralsnap.com we use a CookieYes consent banner to manage cookies in compliance with Italian Garante Provision no. 231/2021. We don't run any analytics, marketing or profiling cookies of our own - the cookies you find on the site come either from CookieYes itself (necessary, to remember your choice) or from YouTube embeds in our product pages.
| Category | Cookies | Source | Consent |
| Necessary |
cookieyes-consent, VISITOR_PRIVACY_METADATA |
CookieYes, YouTube |
Exempt (essential) |
| Functional |
VISITOR_INFO1_LIVE, ytidb::LAST_RESULT_ENTRY_KEY |
YouTube |
Required |
| Analytics |
YSC |
YouTube |
Required |
| Advertisement |
__Secure-YNID, __Secure-ROLLOUT_TOKEN, __Secure-YEC |
YouTube |
Required |
i
How to control your choice
You can accept, reject or customise cookie categories at any time through the CookieYes banner (small floating icon at the bottom-left). Rejecting non-necessary categories may prevent embedded YouTube videos from playing, but the rest of the site keeps working perfectly.
For the complete list of all cookies with technical details (purpose, duration, provider), see the Cookie Policy. The mobile app does not use cookies: it relies on JWT authentication tokens stored in the secure native storage of your device.
Section 05
Data collected automatically
When you use the app or site, some technical data is collected without you entering it explicitly. They serve for security, diagnostics and abuse prevention. They are not used to profile you.
| Data | Origin | Retention |
| IP address | Network connection | 12 months |
| User agent (browser/app type) | HTTP header | 12 months |
| Operating system + version | Device | 12 months |
| Installed app version | Device | 12 months |
| Device identifier (anonymous) | Generated at install | While app installed |
| Date/time of access | Server | 12 months |
| Errors and crash reports | Monitoring system | 6 months |
From this data we derive an approximate geolocation at city or region level, only to detect anomalous accesses (e.g. login from a country different from the usual one). We don't track your GPS location.
Section 06
The emails you may receive from us
Emails from Oralsnap are of two types. We explain what to expect and how to manage them.
6.1 - Transactional emails (you cannot unsubscribe)
These are emails necessary for the Service to function. You receive them only as a consequence of your action or a condition of your account:
- Registration confirmation and OTP code
- Password reset
- Access from a new device
- Subscription expiration reminder
- Purchase or plan change confirmations
- Important security notifications
- Updates to T&C or Privacy Policy
You cannot unsubscribe from these emails because they are part of the Service. You receive them only if you have an active account: by deleting the account, you will stop receiving them.
6.2 - Optional emails (you can unsubscribe at any time)
Only if you explicitly accept, we send you emails with:
- Updates on new features
- Tips to better use the app
- Invitations to beta tests (if active)
You find the unsubscribe link at the bottom of every optional email. Unsubscribe is immediate. You can also write to info@oralsnap.com.
Technical email sending is managed by Brevo (based in France), which acts as Data Processor. Brevo receives only the recipient's email address and the content to send.
Section 07
What happens when you create an account
To be even more transparent, here is the exact flow of your data at the key moments of your relationship with Oralsnap:
Step 01
When you register
The email is saved on Firebase Auth. The password is encrypted with bcrypt and immediately forgotten in clear. A 6-digit OTP is generated and sent via Brevo. The OTP token expires in 10 minutes.
Step 02
When you upload data
The image is uploaded to Hostinger (Germany), saved with randomized filename, validated (max 10 MB, image formats only). The daily backup copies it to France. The associated metadata is saved in the MySQL database.
Step 03
When you delete the account
All operational data is immediately deleted from database and storage. Firebase Auth is deleted. Public links are deactivated within minutes. Backups are rotated: your data is no longer recoverable within 30 days. Only fiscal data remains for legal obligations (10 years).
Section 08
What the App Stores do with your data
!
Important
Apple App Store and Google Play collect their own data when you download and use Oralsnap. That data is processed according to their privacy policies, not ours. We don't control them and in many cases don't even receive them.
In particular, the App Stores autonomously manage:
- Purchase data (credit card, IBAN, billing address) - we don't receive them, we only see if a purchase was successful.
- Advertising identifier (IDFA/AAID) - we don't request it or use it.
- Download statistics and aggregate crash reports - Apple and Google show them to us in anonymous and aggregate form, not at the level of individual user.
- Sign in with Apple data - when you choose Apple login, Apple generates an anonymous email on your behalf if you prefer. We only see that anonymous email.
To learn more:
Section 09
Your rights, in practice
The GDPR guarantees you a series of rights you can exercise at any time, free of charge. For each one we tell you how you can practically do it, not just which article of law it is.
See your data
In the app, go to Profile → "Download my data". You receive a file with all the data we have on you. Free, anytime.
Correct your data
From the Profile section in the app you can modify email, name, profession. For corrections not manageable from the app, write to us.
Delete everything
In the app, Profile → "Delete Account". Immediate and definitive deletion. Backups rotated within 30 days.
Restrict processing
If you contest the accuracy of a data point and request its verification, we can freeze its use until resolved. Write to us.
Take your data
"Download my data" exports everything in structured format (JSON + images). You can upload it to another service.
Object to processing
For processing based on our legitimate interest (security, fraud prevention) you can object by writing to us, with motivation.
Withdraw consent
For processing based on consent (e.g. social login, optional emails) you can withdraw it at any time.
Complain to the Authority
Response times
We will respond to any request within 30 days. In complex cases we can extend by 60 days with written motivation. To verify your identity before processing sensitive requests, we may ask you for additional information - this is to protect yourself from unauthorized access.
Section 10
Minors under 18
Oralsnap is not intended for minors under 18 as registered users. The app's conditions provide that the professional user must be of legal age and authorized to practice the profession.
If we become aware that a minor has created an account providing personal data, we will delete the account and all associated data without notice. If you are a parent or guardian and suspect that a minor family member has created an account, write to us at info@oralsnap.com.
Minor patients in clinical cases
The case of minor patients whose clinical data is managed by the professional in the app is different. In this scenario:
- The responsibility of consent collection falls on the professional (Controller).
- Consent must be signed by both parents or by the legal guardian.
- Enhanced protections apply for Art. 8 GDPR (minors under 14 in the EU).
- Even for minors, the prohibition on entering direct identifying data applies (Section 02).
For details, see T&C Section 10.
Section 11
Automated decisions and profiling
✓
In short: we don't profile
Oralsnap does not make automated decisions on your data that produce legal effects or significantly affect you. No AI deciding for you, no algorithms that select content, no commercial profiling.
The only automation active in the Service is technical and security-related:
- Automatic block after 5 failed login attempts - to prevent attacks.
- Rate limiting on API calls - to guarantee Service stability.
- Automatic filtering of files with disallowed extensions - to prevent malicious uploads.
These automations are aimed at security, not profiling, and do not produce legal effects or significant decisions pursuant to Art. 22 GDPR.
Section 12
Changes and contacts
12.1 - How we notify you if something changes
We will update this Privacy Policy whenever necessary to adapt to new regulations, Service evolutions or changes to our providers. When changes are substantial (e.g. new categories of data, new subprocessor, new purpose):
- We will notify you via email to your registered address and via in-app notification.
- Notice will be at least 30 days.
- The "last updated" date at the top will be updated.
- Previous versions remain available upon request.
For minor changes (formatting corrections, clarifications) we limit ourselves to updating the document and date, without direct notification.
12.2 - Single contact
Contact point
info@oralsnap.com
For any question on this Privacy Policy - data access, deletion, opposition, DPA request, reporting issues - write to this address. We respond within 30 days.
For complete legal data of the Controller (certified email, REA, tax code), they are publicly available at the Bolzano Chamber of Commerce Business Register.