Privacy Policy
Last updated: March 30, 2026
1. Introduction
Dentara is a cloud-based dental practice management platform operated by eDenGroups ("we," "us," or "our"). We are committed to protecting the privacy of dental practitioners, clinic staff, and their patients. This Privacy Policy explains how we collect, use, store, and protect personal data in compliance with the Digital Personal Data Protection Act, 2023 (DPDPA) of India and applicable data protection regulations.
By using Dentara, you consent to the practices described in this policy. If you are a dental practitioner, you act as the Data Fiduciary for your patients' data, and Dentara acts as a Data Processor on your behalf.
2. Data We Collect
We collect and process the following categories of data:
Clinic & Account Information
Clinic name, address, GST number, practitioner names, email addresses, phone numbers, professional qualifications, and login credentials (passwords stored as bcrypt hashes, never in plaintext).
Patient Records
Patient name, phone number, email address, date of birth, gender, medical history, allergies, current medications, dental charts, SOAP notes, treatment plans, prescriptions, X-ray references, and clinical photographs metadata.
Billing & Financial Data
Invoice details, payment records, insurance information, GST calculations, and transaction history.
Usage & Technical Data
IP addresses, browser type, device information, session data, and error logs (collected via Sentry for debugging purposes only).
3. How We Use Your Data
- •Providing and maintaining the Dentara platform and its features
- •Managing patient records, appointments, and treatment plans on behalf of your clinic
- •Generating GST-compliant invoices and financial reports
- •Sending appointment reminders and follow-ups via WhatsApp (when enabled by the clinic)
- •Processing voice dictation input into structured SOAP notes
- •Diagnosing technical issues and improving platform stability
- •Complying with legal obligations including medical record retention requirements
4. Voice Dictation
Dentara offers voice dictation for SOAP notes using the Web Speech API built into your browser. This is an important distinction:
- →Voice recognition is processed entirely by your browser (Chrome, Edge, Safari) using the Web Speech API.
- →Raw audio is never sent to or stored on Dentara servers.
- →Only the resulting text transcript is saved as part of the SOAP note.
- →The Smart Fill feature may send the transcript to an AI service (OpenAI) for parsing into structured SOAP fields. No patient identifiers are included in these requests beyond what is spoken.
5. Storage & Security
Your data is stored securely with the following measures:
- •Database: Encrypted PostgreSQL database hosted on a dedicated OVH bare-metal server located in Canada.
- •Transport: All data transmitted over HTTPS/TLS. No unencrypted connections are accepted.
- •Authentication: Passwords are hashed using bcrypt. Sessions are managed with secure, HTTP-only cookies.
- •Server Hardening: SSH key-only access, UFW firewall, fail2ban intrusion prevention, and automatic security updates.
- •Tenant Isolation: Each clinic's data is logically isolated. Clinics cannot access each other's data under any circumstances.
6. Data Retention
We retain data in accordance with Indian regulatory requirements and medical best practices:
| Data Type | Retention Period | Legal Basis |
|---|---|---|
| Medical / Patient Records | Minimum 3 years | Indian Medical Council Regulations |
| Billing & GST Records | 8 years | GST Act, Income Tax Act |
| Audit Logs | 2 years | Security best practices |
| Session Data | 30 days | Operational necessity |
| Account Data | Until deletion requested | Consent / Contract |
Upon account deletion, we remove all data not subject to mandatory retention periods within 30 days.
7. Third-Party Services
We integrate with a limited number of third-party services:
WhatsApp (via Baileys)
Used to send appointment reminders, follow-ups, and treatment plan notifications when enabled by the clinic. Patient phone numbers and message content are transmitted via WhatsApp's end-to-end encrypted protocol.
Sentry
Used exclusively for error tracking and application stability monitoring. Sentry receives error stack traces and minimal context — no patient data, medical records, or personally identifiable information is sent to Sentry.
OpenAI (Voice Smart Fill)
When Smart Fill is used, voice transcripts are sent to OpenAI for parsing into structured SOAP fields. No patient identifiers are included beyond what is spoken in the dictation. OpenAI does not use API data for training.
We do not sell, rent, or trade personal data to any third party. Ever.
9. Your Rights Under DPDPA 2023
Under the Digital Personal Data Protection Act, 2023, you have the following rights:
- •Right to Access: Request a summary of your personal data that we process.
- •Right to Correction: Request correction of inaccurate or incomplete personal data.
- •Right to Erasure: Request deletion of your personal data, subject to mandatory retention periods (medical records, GST compliance).
- •Right to Data Portability: Request your data in a structured, commonly used, machine-readable format.
- •Right to Grievance Redressal: Lodge a complaint with us or with the Data Protection Board of India.
- •Right to Withdraw Consent: Withdraw consent at any time, though this may affect our ability to provide services.
To exercise any of these rights, contact us at support@dentara.health. We will respond within 30 days.
10. Data Breach Policy
In the event of a data breach that affects personal data, we will:
- •Notify affected users and the Data Protection Board of India within 72 hours of becoming aware of the breach.
- •Provide details of the nature of the breach, data affected, and steps taken to mitigate harm.
- •Take immediate measures to contain the breach and prevent further unauthorized access.
- •Conduct a thorough investigation and implement corrective measures.
11. Children's Data
Dental clinics may treat minor patients. Patient records for minors are maintained under the responsibility of the treating clinic (Data Fiduciary) with verifiable consent from a parent or legal guardian as required by DPDPA Section 9. Dentara processes this data solely on the clinic's instructions.
12. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email to registered clinic administrators at least 30 days before they take effect. The "Last updated" date at the top of this page reflects the most recent revision.
13. Contact Us
If you have questions about this Privacy Policy or wish to exercise your data rights, contact us: