Privacy document

Privacy policy

We explain in detail which data we collect, why we collect it, where it ends up, and how you can control it. No legalese - only transparency.

Version 3.1 Last updated: June 28, 2026 GDPR compliant
i
This document is different from the Terms & Conditions
The Terms & Conditions explain what you can do with Oralsnap and your responsibilities as a user. This Privacy Policy instead explains what we do with your personal data. They complement each other: read both.
Index - 12 sections
  1. Who processes your data
  2. Which data we collect, one by one
  3. What we do NOT collect (clearly)
  4. Cookies and similar technologies
  5. Data collected automatically
  6. Emails you may receive
  7. What happens when you create an account
  8. What the App Stores do
  9. Your rights, in practice
  10. Minors under 18
  11. Automated decisions
  12. Changes and contacts
Section 01

Who processes your data

The person responsible for the decisions on how we process your data is the Data Controller of Oralsnap. For every privacy matter, write to a single address:

Privacy Reference
info@oralsnap.com
Controller
Vladyslav Pereverzyev
Headquarters
Bolzano (BZ), Italy
VAT
IT03281410211
Response within
30 days from receipt (Art. 12 GDPR)

We have not designated a DPO: the mandatory conditions provided by Art. 37 GDPR do not apply. For Oralsnap, the privacy contact point coincides with the Controller.

For clinical data, it's different

When a dentist or dental technician uploads data referable to a patient of theirs into the app, we are only Processors (Art. 28 GDPR) - the Controller is the professional. If you are a patient and want to exercise your rights on clinical data, you must contact your professional.

For details on the relationships between us, the professional and the patient, see the T&C Section 12.

Section 02

Which data we collect, one by one

For each individual data we collect, we explain when we take it, why we need it, where it ends up and how long we keep it. No vague categories, only reality.

Email address
When
At account registration.
Why
Login, password recovery, OTP sending, service communications.
Where
Primary database at Hostinger (Germany) + email index on Firebase Auth.
How long
For the entire duration of the account, +30 days in backups.
Password
When
Only if you choose email/password login (not for social logins).
Why
To authenticate you securely.
Where
Exclusively on Firebase Authentication, in the form of a bcrypt hash. We never see your password in clear text, not even us.
How long
As long as the account exists.
Name, profession, practice (optional)
When
If you choose to fill them in your profile. They are optional.
Why
To personalize the experience in the app and emails.
Where
Primary database on Hostinger (Germany).
How long
As long as the account exists.
Subscription token
When
When you activate a paid plan.
Why
To know which plan you have active and enable the corresponding features.
Where
Technical token managed by RevenueCat. We do not receive credit card numbers or IBANs: payment happens on the App Store or Google Play.
How long
For the duration of the subscription. Billing data (invoice issued) kept for 10 years for Italian fiscal obligations.
Clinical images and case notes
When
When you upload an intraoral photo, a note, a scan, a case metadata.
Why
To document the workflow and enable its consultation via NFC tags and links.
Where
Storage on Hostinger (Germany), with encrypted backup in France. Randomized file names, never original names. 10 MB file limit, image formats only.
How long
For the duration of the subscription. For the data lifecycle after expiration, see T&C Section 24.
Social identity (if you use social login)
When
Only if you choose "Continue with Apple/Google/Facebook".
Why
To link your account to a unique identifier from the provider.
Where
Anonymous unique ID stored on Firebase. We don't receive passwords, friend lists, detailed profile photos or posts.
How long
As long as the account exists. You can revoke the connection from the social provider's settings.
Section 03

What we do NOT collect, clearly

Since too many Privacy Policies list data they never actually collect, here we tell you in black and white what we don't do and which device permissions we don't use.

Yes, we do these things
  • We collect email and password (in encrypted form)
  • We save your clinical images on our storage
  • We send transactional emails via Brevo
  • We use Firebase for authentication
  • We keep access logs for security
  • We generate public links if you request it
No, we DON'T do these things
  • No biometric data (Face ID/fingerprint stay on your device)
  • No precise GPS geolocation
  • No access to contacts, microphone, calendar
  • No marketing cookies of our own (YouTube embeds may set cookies - see Cookie Policy)
  • No data sale to third parties
  • No advertising profiling by us
  • No cross-device tracking by us
  • No Google Analytics on site or in the app

When a device permission is not listed above among the "yes", it means we don't request it at all. Concrete examples: the app does NOT request access to the address book, messages, microphone, light sensor, Bluetooth, calendar contacts.

Only necessary permissions

The permissions the app requests from the device are limited to:

Section 04

Cookies and similar technologies

On oralsnap.com we use a CookieYes consent banner to manage cookies in compliance with Italian Garante Provision no. 231/2021. We don't run any analytics, marketing or profiling cookies of our own - the cookies you find on the site come either from CookieYes itself (necessary, to remember your choice) or from YouTube embeds in our product pages.

i
How to control your choice
You can accept, reject or customise cookie categories at any time through the CookieYes banner (small floating icon at the bottom-left). Rejecting non-necessary categories may prevent embedded YouTube videos from playing, but the rest of the site keeps working perfectly.

For the complete list of all cookies with technical details (purpose, duration, provider), see the Cookie Policy. The mobile app does not use cookies: it relies on JWT authentication tokens stored in the secure native storage of your device.

Section 05

Data collected automatically

When you use the app or site, some technical data is collected without you entering it explicitly. They serve for security, diagnostics and abuse prevention. They are not used to profile you.

DataOriginRetention
IP addressNetwork connection12 months
User agent (browser/app type)HTTP header12 months
Operating system + versionDevice12 months
Installed app versionDevice12 months
Device identifier (anonymous)Generated at installWhile app installed
Date/time of accessServer12 months
Errors and crash reportsMonitoring system6 months

From this data we derive an approximate geolocation at city or region level, only to detect anomalous accesses (e.g. login from a country different from the usual one). We don't track your GPS location.

Section 06

The emails you may receive from us

Emails from Oralsnap are of two types. We explain what to expect and how to manage them.

6.1 - Transactional emails (you cannot unsubscribe)

These are emails necessary for the Service to function. You receive them only as a consequence of your action or a condition of your account:

You cannot unsubscribe from these emails because they are part of the Service. You receive them only if you have an active account: by deleting the account, you will stop receiving them.

6.2 - Optional emails (you can unsubscribe at any time)

Only if you explicitly accept, we send you emails with:

You find the unsubscribe link at the bottom of every optional email. Unsubscribe is immediate. You can also write to info@oralsnap.com.

Technical email sending is managed by Brevo (based in France), which acts as Data Processor. Brevo receives only the recipient's email address and the content to send.

Section 07

What happens when you create an account

To be even more transparent, here is the exact flow of your data at the key moments of your relationship with Oralsnap:

Step 01
When you register
The email is saved on Firebase Auth. The password is encrypted with bcrypt and immediately forgotten in clear. A 6-digit OTP is generated and sent via Brevo. The OTP token expires in 10 minutes.
Step 02
When you upload data
The image is uploaded to Hostinger (Germany), saved with randomized filename, validated (max 10 MB, image formats only). The daily backup copies it to France. The associated metadata is saved in the MySQL database.
Step 03
When you delete the account
All operational data is immediately deleted from database and storage. Firebase Auth is deleted. Public links are deactivated within minutes. Backups are rotated: your data is no longer recoverable within 30 days. Only fiscal data remains for legal obligations (10 years).
Section 08

What the App Stores do with your data

!
Important
Apple App Store and Google Play collect their own data when you download and use Oralsnap. That data is processed according to their privacy policies, not ours. We don't control them and in many cases don't even receive them.

In particular, the App Stores autonomously manage:

To learn more:

Section 09

Your rights, in practice

The GDPR guarantees you a series of rights you can exercise at any time, free of charge. For each one we tell you how you can practically do it, not just which article of law it is.

Art. 15
See your data
In the app, go to Profile → "Download my data". You receive a file with all the data we have on you. Free, anytime.
Art. 16
Correct your data
From the Profile section in the app you can modify email, name, profession. For corrections not manageable from the app, write to us.
Art. 17
Delete everything
In the app, Profile → "Delete Account". Immediate and definitive deletion. Backups rotated within 30 days.
Art. 18
Restrict processing
If you contest the accuracy of a data point and request its verification, we can freeze its use until resolved. Write to us.
Art. 20
Take your data
"Download my data" exports everything in structured format (JSON + images). You can upload it to another service.
Art. 21
Object to processing
For processing based on our legitimate interest (security, fraud prevention) you can object by writing to us, with motivation.
Art. 7
Withdraw consent
For processing based on consent (e.g. social login, optional emails) you can withdraw it at any time.
Art. 77
Complain to the Authority
If you think we are violating the GDPR, you can complain to the Italian Privacy Authority. The complaint is free.

Response times

We will respond to any request within 30 days. In complex cases we can extend by 60 days with written motivation. To verify your identity before processing sensitive requests, we may ask you for additional information - this is to protect yourself from unauthorized access.

Section 10

Minors under 18

Oralsnap is not intended for minors under 18 as registered users. The app's conditions provide that the professional user must be of legal age and authorized to practice the profession.

If we become aware that a minor has created an account providing personal data, we will delete the account and all associated data without notice. If you are a parent or guardian and suspect that a minor family member has created an account, write to us at info@oralsnap.com.

Minor patients in clinical cases

The case of minor patients whose clinical data is managed by the professional in the app is different. In this scenario:

For details, see T&C Section 10.

Section 11

Automated decisions and profiling

In short: we don't profile
Oralsnap does not make automated decisions on your data that produce legal effects or significantly affect you. No AI deciding for you, no algorithms that select content, no commercial profiling.

The only automation active in the Service is technical and security-related:

These automations are aimed at security, not profiling, and do not produce legal effects or significant decisions pursuant to Art. 22 GDPR.

Section 12

Changes and contacts

12.1 - How we notify you if something changes

We will update this Privacy Policy whenever necessary to adapt to new regulations, Service evolutions or changes to our providers. When changes are substantial (e.g. new categories of data, new subprocessor, new purpose):

For minor changes (formatting corrections, clarifications) we limit ourselves to updating the document and date, without direct notification.

12.2 - Single contact

Contact point
info@oralsnap.com
For any question on this Privacy Policy - data access, deletion, opposition, DPA request, reporting issues - write to this address. We respond within 30 days.

For complete legal data of the Controller (certified email, REA, tax code), they are publicly available at the Bolzano Chamber of Commerce Business Register.