Legal
This Data Processing Agreement (DPA) forms part of the Terms of Service and governs the processing of personal data by DentaFlow on behalf of Clinic Customers.
Last updated: June 7, 2026
This Data Processing Agreement (“DPA”) is entered into between DentaFlow(“Processor”) and the Clinic Customer (“Controller”) who uses our Services. This DPA forms part of and is incorporated into the Terms of Service.
The Controller is the data controller for End User personal data collected through the chatbot widget on their website. The Processor processes this data on the Controller's behalf, strictly on the Controller's documented instructions, to provide the Services.
The nature and purpose of processing is: providing an AI-powered chatbot that answers patient questions, captures leads, and manages appointment requests for dental clinics.
The types of personal data processed include: names, phone numbers, email addresses, conversation content, and appointment request details of End Users.
The Processor shall:
The Controller shall:
The Controller grants general authorization for the Processor to engage sub-processors. The current list of sub-processors is available at our Sub-Processors page. The Processor shall notify the Controller of any intended changes concerning the addition or replacement of sub-processors, giving the Controller the opportunity to object.
The Processor shall assist the Controller in fulfilling its obligations to respond to Data Subjects' requests to exercise their rights (access, rectification, erasure, portability, restriction, objection). The Controller may use the Privacy Requests feature in the dashboard to fulfill end-user requests.
The Processor implements the following technical and organizational measures:
The Processor shall notify the Controller without undue delay, and in any case within 72 hours, after becoming aware of a Personal Data Breach. The notification shall describe the nature of the breach, the likely consequences, and the measures taken or proposed to address it and mitigate its possible adverse effects.
Upon termination of the Services, the Processor shall, at the Controller's choice, delete or return all Personal Data processed on the Controller's behalf, and delete existing copies, unless retention is required by applicable law. The Controller may use the Privacy Center to initiate account deletion at any time.
The Controller has the right to audit the Processor's compliance with this DPA, subject to reasonable notice and confidentiality obligations. The Processor shall contribute to the audit in accordance with its obligations under applicable law.
Where Personal Data is transferred outside the European Economic Area, the Processor shall ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) or reliance on an adequacy decision.
For questions about this DPA, please contact us at support@dentaflow.chat.