GDPR & data protection
Last updated:
DDSEMail is built for U.S. dental practices but applies GDPR-aligned data-protection practices: clear controller/processor roles, data minimization, encryption, a named sub-processor list, and support for data-subject rights. Where we process personal data on your behalf, we act as a processor under your instructions.
Controller and processor roles
For account and billing data we collect to run the service, DDSEMail acts as a controller. For the email content and patient data you send and receive through the service, we act as a processor on your documented instructions; the practice is the controller. Where U.S. HIPAA applies, this maps to our Business Associate Agreement.
Lawful bases
- Contract — to provide the service you sign up for.
- Legitimate interests — to secure, maintain, and improve the service, balanced against your rights.
- Legal obligation — to meet record-keeping and compliance duties.
- Consent — where specifically requested (e.g., optional communications).
Data-subject rights
Subject to applicable law, individuals may request access, rectification, erasure, restriction, portability, and objection. If you are a patient of a practice that uses DDSEMail, direct your request to that practice (the controller); we will assist them as their processor. Account holders can contact us at {{TODO: privacy contact email}}.
International transfers
DDSEMail and its sub-processors operate global infrastructure, so personal data may be processed in the United States and other countries. Where required, transfers rely on appropriate safeguards such as Standard Contractual Clauses. See Sub-processors for the providers involved and the data categories they handle.
Security
We protect personal data with encryption in transit and at rest, access controls, and audit logging. See Security for details and security.txt for vulnerability reporting.
Contact & representative
Data controller / contracting entity: {{TODO: legal entity name}}, {{TODO: business mailing address}}. EU/UK representative (if appointed): {{TODO: EU/UK Article 27 representative, if applicable}}. For the full picture of what we collect and why, read the Privacy Policy.