Privacy Policy

Dentiphoto AI ("we," "us," or "our") is operated by ARTX L.L.C-FZ, a company registered in Dubai, United Arab Emirates (Formation Number 2540387), located at Meydan Grandstand, 6th floor, Meydan Road, Nad Al Sheba, Dubai, U.A.E. This Privacy Policy describes how we collect, use, store, and protect your information when you use our website at dentiphoto.ai and our related services (collectively, the "Service").

By using the Service, you agree to the practices described in this Privacy Policy. If you do not agree, please do not use the Service.

1. Information We Collect

1.1 Account Information

When you register for the Service, we collect your name, email address, and authentication credentials. If you sign in using Google OAuth, we receive your name, email address, and profile picture from Google.

1.2 Payment Information

If you subscribe to a paid plan, payment is processed by Stripe, Inc. We do not store your credit card number, bank account details, or other payment credentials on our servers. Stripe processes and stores this information in accordance with PCI DSS standards. We receive only a transaction identifier, subscription status, and billing history from Stripe.

1.3 User-Uploaded Content

You may upload photographs, images, and other visual content to the Service for editing, enhancement, and other processing. We store this content in secure cloud storage associated with your account.

1.4 Usage Data

We automatically collect information about how you interact with the Service, including pages visited, features used, timestamps, browser type, device type, operating system, and referring URLs. This data is collected through Google Analytics.

1.5 Cookies

We use only essential cookies required for authentication through Supabase Auth. These cookies are strictly necessary for the Service to function and cannot be disabled. We do not use advertising cookies, tracking cookies, or third-party marketing cookies.

2. How We Use Your Information

We use your information for the following purposes:

• To provide, maintain, and improve the Service, including processing your uploaded images using artificial intelligence tools.
• To manage your account, process payments, and provide customer support.
• To send you service-related communications, including account notifications, updates, and security alerts via Resend email service.
• To send you marketing communications if you have opted in. You may unsubscribe at any time.
• To analyze usage patterns and improve the Service using aggregated, non-identifiable data.
• To detect, prevent, and address fraud, abuse, and technical issues.
• To comply with legal obligations.

3. AI Processing of Your Content

Our Service uses third-party artificial intelligence services to process your uploaded images. This processing may include photo retouching, background editing, smile enhancement, image generation, and content creation. The following third-party AI services may process your content:

• Retouch4me — for photo retouching and skin enhancement
• fal.ai — for AI image generation and processing
• Anthropic (Claude) — for text generation and AI-assisted content creation
• Replicate — for AI model inference and image processing

If you are a dental professional uploading patient photographs, you are responsible for obtaining appropriate consent from your patients before uploading their images, including consent for AI processing by third-party services. See Section 9 for more details.

4. How We Store and Protect Your Data

Your data is stored on secure servers provided by Supabase, which operates on Amazon Web Services (AWS) infrastructure located in the United States (US East, Virginia).

We implement the following security measures:

• Encryption at rest using AES-256 for all stored data.
• Encryption in transit using TLS 1.2 or higher for all data transmissions.
• Row Level Security (RLS) to ensure users can only access their own data.
• Signed URLs with expiration for all image access.
• Multi-factor authentication (MFA) available for all accounts.
• Automatic session timeout after a period of inactivity.
• Regular backups with point-in-time recovery capability.

While we take reasonable measures to protect your information, no method of electronic storage or transmission over the Internet is 100% secure. We cannot guarantee absolute security.

5. Who We Share Your Data With

We do not sell, rent, or trade your personal information to third parties. We share your data only with the following categories of service providers who assist us in operating the Service:

• Supabase (database hosting and authentication) — United States
• Amazon Web Services (cloud infrastructure) — United States
• Stripe (payment processing) — United States
• Resend (email communications) — United States
• Google Analytics (usage analytics) — United States
• Retouch4me, fal.ai, Anthropic, Replicate (AI processing) — see Section 3

We may also disclose your information if required by law, court order, or governmental authority, or if we believe in good faith that disclosure is necessary to protect our rights, your safety, or the safety of others.

6. International Data Transfers

Our Service is operated from the United Arab Emirates, and your data is stored on servers in the United States. By using the Service, you consent to the transfer of your data to the United States and other countries where our service providers operate.

For users in the European Economic Area (EEA), United Kingdom, or Switzerland, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission as the legal mechanism for transferring personal data outside the EEA. A Data Processing Agreement incorporating SCCs is available upon request.

We do not knowingly store or process personal data of residents of the Russian Federation on servers outside the Russian Federation, in compliance with Federal Law No. 152-FZ. The Service is not intended for storing personal data of Russian Federation residents.

7. Data Retention

We retain your data as follows:

• Account information: retained for as long as your account is active.
• Uploaded content: retained until you delete it or delete your account.
• Payment records: retained for 7 years as required by applicable tax and accounting laws.
• Usage analytics: retained in aggregated, anonymized form indefinitely.
• Audit logs: retained for 6 years for compliance purposes.

When you delete your account, we will delete your personal data and uploaded content within 30 days. Backup copies will be purged within 90 days. Some data may be retained longer if required by law.

8. Your Rights

8.1 All Users

Regardless of your location, you have the right to:

• Access the personal data we hold about you.
• Correct inaccurate personal data.
• Delete your account and personal data.
• Export your data in a commonly used format.
• Opt out of marketing communications at any time.

8.2 Additional Rights for EEA, UK, and Swiss Users (GDPR)

If you are located in the European Economic Area, United Kingdom, or Switzerland, you additionally have the right to:

• Restrict the processing of your personal data.
• Object to the processing of your personal data.
• Data portability — receive your data in a structured, machine-readable format.
• Withdraw consent at any time where processing is based on consent.
• Lodge a complaint with your local data protection authority.

Our legal bases for processing your data under GDPR are: performance of a contract (providing the Service), legitimate interests (improving the Service, fraud prevention), consent (marketing communications), and legal obligation (tax and regulatory requirements).

8.3 California Users (CCPA)

If you are a California resident, you have the right to know what personal information we collect and how it is used, request deletion of your personal information, and opt out of the sale of your personal information. We do not sell personal information.

9. Information for Healthcare Professionals

If you are a dental professional or healthcare provider using the Service to process patient photographs, please note the following:

• You are the data controller (or "covered entity" under HIPAA) for any patient data you upload.
• You are responsible for obtaining valid patient consent before uploading any patient photographs to the Service.
• Patient consent must include authorization for cloud storage, AI processing, and transfer to third-party processing services.
• You are responsible for compliance with all applicable healthcare data protection laws, including HIPAA (United States), GDPR (European Union), and any other local regulations.
• We provide a sample patient consent form template for your convenience, but it is your responsibility to ensure it meets the requirements of your jurisdiction.
• A Business Associate Agreement (BAA) is available for users subject to HIPAA upon request.

We do not have a direct relationship with your patients. We process patient photographs solely on your instructions and for the purposes you specify.

10. Children's Privacy

The Service is not directed to individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that a child has provided us with personal information, we will take steps to delete such information.

11. Third-Party Links

The Service may contain links to third-party websites or services. We are not responsible for the privacy practices of such third parties. We encourage you to review their privacy policies before providing any information.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on our website and updating the "Last Updated" date. Your continued use of the Service after changes are posted constitutes your acceptance of the updated Privacy Policy.

13. Contact Us

If you have questions about this Privacy Policy, wish to exercise your rights, or need to request a Data Processing Agreement, please contact us at: