PRIVACY POLICY

Dental Travel Concierge

Effective Date: January 12, 2026

Website: www.dentaltravelconcierge.com

This Privacy Policy is drafted in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter “GDPR”), Romanian Law No. 190/2018 implementing certain provisions of the GDPR, and decisions issued by the
National Supervisory Authority for Personal Data Processing (Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal, hereinafter “ANSPDCP”).

Article 1: Identity and Contact Details of the Data Controller

1.1. The Data Controller responsible for the processing of your personal data is:

Company Name: DTCONCIERGE Srl.

Registered Office: Municipiul Sibiu, str. Călăraşilor, nr. 5, bloc G, ap 54, judeţ Sibiu, Romania

Email: support@dentaltravelconcierge.com

Website: www.dentaltravelconcierge.com

1.2. For all matters relating to the processing of your personal data and the exercise of your rights under the GDPR, you may contact the Data Controller at the email address specified above. Responses to data protection inquiries shall be provided within the timeframes mandated by applicable legislation.

Article 2: Categories of Personal Data Collected

2.1. In the course of providing our services, we collect and process the following categories of personal data:

2.1.1. Identity and Contact Data

This category encompasses information that identifies you as an individual andenables communication, including:

(a) Full legal name (first name and surname);

(b) Electronic mail address;

(c) Telephone number (where voluntarily provided);

(d) Postal address (where required for service delivery);

(e) Date of birth (where relevant to medical coordination);

(f) Nationality and country of residence.

2.1.2. Health Data (Special Category Data)

Given the nature of our medical coordination services, we may process health-related personal data, which constitutes special category data under Article 9 of the GDPR. Such data may include:

(a) Dental health records and treatment history;

(b) Diagnostic information, including radiographic images;

(c) Treatment plans and recommended procedures;

(d) Medical conditions relevant to dental treatment;

(e) Medication and allergy information.

Processing of health data is subject to heightened protection requirements and occurs onlywith your explicit consent or where necessary for the provision of healthcare coordination services pursuant to Article 9(2)(h) of the GDPR.

2.1.3.Technical and Usage Data

When you access our Website, we automatically collect certain technical information,including:

(a)
Internet Protocol (IP) address;

(b) Browser
type and version;

(c) Device
identifiers and operating system;

(d) Pages
visited and time spent on the Website;

(e)
Referring website addresses;

(f) Cookie
data as described in Article 7 of this Policy.

2.1.4. Communication Data

All correspondence between you and our Company, whether by email, through the contact form, or other means, may be retained for record-keeping, quality assurance, and dispute resolution purposes.

2.1.5. Financial and Transaction Data

Where applicable, we may process payment information necessary to complete transactions, though such data is generally processed by third-party payment service providers acting as independent controllers or joint controllers, as the case may be.

Article 3: Purposes and Legal Bases for Processing

3.1. Pursuant to Articles 13 and 14 of the GDPR, we inform you of the specific purposes for which your personal data are processed and the corresponding legal bases:

3.2. Where processing is based on consent, you have the right to withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.

3.3. Where processing is based on legitimate interests, the specific interests pursued are: maintaining Website security, preventing fraud, improving service quality, and protecting the Company’s legal position in potential disputes. We have conducted a balancing test to ensure that your fundamental rights and freedoms do not override these interests.

Article
4: Recipients and Categories of Recipients

4.1. Your personal data may be disclosed to the following categories of recipients where necessary for the purposes described in Article 3:

4.1.1. Partner Clinics and Healthcare Providers

We share relevant personal data, including health data, with dental clinics and healthcare professionals in Romania with whom we coordinate your treatment. Such sharing is essential to the performance of our contractual obligations and is conducted in accordance with Article 9(2)(h) of the GDPR concerning processing for healthcare purposes.

4.1.2. Service Providers and Processors

We engage third-party service providers who process personal data on our behalf pursuant to written data processing agreements as required by Article 28 of the GDPR. Such processors include:

(a) Website
hosting providers;

(b) Email
and communication platform providers;

(c) Payment
processing services;

(d)
Customer relationship management systems;

(e)
Analytics service providers.

All processors are contractually bound to process personal data only on our documented instructions and to implement appropriate technical and organizational security measures.

4.1.3.
Professional Advisors

Personal data may be disclosed to legal, accounting, or other professional advisors where necessary for the management of our business or the protection of our legal interests.

4.1.4. Public Authorities

We may disclose personal data to public authorities, including courts, law enforcement, and regulatory bodies, where required by law or where necessary for the establishment, exercise, or defence of legal claims.

4.2. We do not sell, rent, or otherwise commercially transfer your personal data to third parties for their independent marketing purposes.

Article 4A: Processing of Personal Data of Clinics and Healthcare Providers

4A.1. Scope of Application

This Article applies to the processing of personal data relating to representatives, employees, collaborators, or other contact persons of dental clinics, healthcare providers, and professional partners (hereinafter collectively referred to as “Clinics”) who interact with Dental Travel Concierge for the purposes of professional evaluation, cooperation, or service coordination.

4A.2. Categories of Data Processed

In the context of clinic questionnaires, professional correspondence, and cooperation discussions, the following categories of personal data may be processed:

(a) Name and surname of clinic representatives or staff members;

(b) Professional email address and telephone number;

(c) Professional position or role within the clinic;

(d) Clinic identification data (name, address, registration details);

(e) Professional qualifications, experience, and service descriptions provided voluntarily;

(f) Communication content exchanged in relation to cooperation or evaluation.

Sensitive personal data of clinic representatives is not intentionally collected.

4A.3. Purposes of Processing

 Personal data of Clinics is processed exclusively for the following purposes:

(a) Evaluation of clinics for potential professional cooperation;

(b) Communication regarding clinic capabilities, services, and operational standards;

(c) Coordination of patient referrals and professional cooperation;

(d) Maintenance of professional records and audit trails;

(e) Compliance with legal and regulatory obligations;

(f) Protection of the Company’s legitimate business and legal interests.

4A.4. Legal Bases for Processing

Processing of clinic-related personal data is based on:

(a) Article 6(1)(b) GDPR — processing necessary for the performance of pre-contractual or contractual measures;

(b) Article 6(1)(f) GDPR — legitimate interests in evaluating and managing professional cooperation relationships;

(c) Article 6(1)(c) GDPR — compliance with legal obligations, where applicable.

Legitimate interests include ensuring service quality, professional accountability, patient safety, and operational transparency.

4A.5. Data Retention

Personal data of Clinics shall be retained for the duration of the professional relationship and for five (5) years following the last interaction, unless a longer retention period is required by applicable law or necessary for the establishment, exercise, or defense of legal claims.

4A.6. Data Recipients

Clinic-related personal data may be accessed only by authorized personnel of Dental Travel Concierge and by professional advisors (legal, accounting, compliance) under strict confidentiality obligations. Such data are not sold, rented, or transferred for independent marketing purposes.

4A.7. Rights of Clinic Representatives

Clinic representatives whose personal data are processed have the same rights provided under Article 8 of this Policy, including the rights of access, rectification, erasure, restriction, objection, and data portability, as applicable.

Requests may be submitted to:

support@dentaltravelconcierge.com

4A.8. Source of Data

Personal data of Clinics is obtained directly from:

(a) Clinic questionnaires and submitted documents;

(b) Professional correspondence;

(c) Publicly available professional sources where lawfully permitted.

4A.9. Professional Nature of Processing

Processing of clinic-related personal data is conducted strictly within a professional, business-to-business context and does not constitute consumer profiling, automated decision-making, or marketing profiling.

Article 5: International Data Transfers

5.1. Your personal data are primarily processed within the European Economic Area (EEA), where they benefit from the protections afforded by the GDPR and Romanian national law.

5.2. Where personal data is transferred to countries outside the EEA, we ensure thatappropriate safeguards are in place in accordance with Chapter V of the GDPR. Such safeguards may include:

(a) Adequacy Decisions: Transfers to countries recognized by the European Commission as providing an adequate level of data protection. As of the date of this Policy, adequacy decisions exist for Andorra, Argentina, Canada (commercial organizations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Republic of Korea, Switzerland, the United Kingdom, the United
States (organizations participating in the EU-US Data Privacy Framework), and Uruguay;

(b) Standard Contractual Clauses: Where no adequacy decision exists, we utilize the standard contractual clauses adopted by the European Commission pursuant to Article 46(2)(c) of the GDPR;

(c) Binding Corporate Rules: Where applicable and approved by competent supervisory authorities.

5.3. You may obtain a copy of the safeguards relied upon for international transfers by contacting us at support@dentaltravelconcierge.com.

Article 6: Data Retention Periods

6.1. Personal data shall be retained only for as long as necessary to fulfil the purposes for which they were collected, subject to applicable legal retention requirements:

6.2. Upon expiration of the applicable retention period, personal data shall be securely deleted or anonymised such that they can no longer be associated with an identified or identifiable natural person.

6.3. In certain circumstances, we may retain personal data for longer periods where necessary for the establishment, exercise, or defence of legal claims, or where required by applicable law.

Article 7: Cookie Policy and Tracking Technologies

7.1. Our Website employs cookies and similar tracking technologies to ensure functionality, enhance user experience, and analyze Website traffic. The legal basis for processing personal data through cookies is either your consent (for non-essential cookies) or our legitimate interest in maintaining Website functionality (for essential cookies).

7.2. The following cookies are deployed on our Website:

7.2.1. Necessary Cookies

These cookies are essential for the operation of our Website and cannot be disabled without affecting site functionality.

7.3. You may manage cookie preferences through your browser settings or through the cookie consent mechanism displayed upon first visiting our Website. Disabling certain cookies may affect Website functionality.

7.4. For additional information regarding cookies and tracking technologies, please contact support@dentaltravelconcierge.com.

Article 8: Rights of Data Subjects

8.1. Under the GDPR, you possess the following rights regarding your personal data. These rights may be exercised by submitting a written request to support@dentaltravelconcierge.com:

8.1.1. Right of Access (Article 15 GDPR)

You have the right to obtain confirmation as to whether personal data concerning you are being processed and, where that is the case, access to the personal data together with specified supplementary information, including the purposes of processing, categories of data, recipients, retention periods, and the existence of your other rights.

8.1.2. Right to Rectification (Article 16 GDPR)

You have the right to obtain the rectification of inaccurate personal data concerning you without undue delay. Taking into account the purposes of the processing, you have the right to have incomplete personal data completed, including by means of providing a supplementary statement.

8.1.3. Right to Erasure (Article 17 GDPR)

You have the right to obtain the erasure of personal data concerning you without undue delay where one of the following grounds applies:

(a) The personal data are no longer necessary in relation to the purposes for which they were collected;

(b) You withdraw consent and there is no other legal ground for processing;

(c) You object to processing and there are no overriding legitimate grounds;

(d) The personal data have been unlawfully processed;

(e) Erasure is required for compliance with a legal obligation.

This right is subject to exceptions, including where processing is necessary for compliance with a legal obligation, for the establishment, exercise, or defence of legal claims, or for archiving purposes in the public interest.

8.1.4. Right to Restriction of Processing (Article 18 GDPR)

You have the right to obtain restriction of processing where:

(a) The accuracy of the personal data is contested, for a period enabling verification;

(b) The processing is unlawful and you oppose erasure, requesting restriction instead;

(c) We no longer need the personal data but they are required by you for legal claims;

(d) You have objected to processing pending verification of overriding legitimate grounds.

8.1.5. Right to Data Portability (Article 20 GDPR)

Where processing is based on consent or contract performance and is carried out by automated means, you have the right to receive personal data concerning you in a structured, commonly used, and machine-readable format, and to transmit those data to another controller without hindrance.

8.1.6. Right to Object (Article 21 GDPR)

You have the right to object, on grounds relating to your particular situation, to processing based on legitimate interests. We shall cease processing unless we demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or for the establishment, exercise, or defence of legal claims.

8.1.7. Right to Withdraw Consent (Article 7(3) GDPR)

Where processing is based on consent, you have the right to withdraw consent at any time. Withdrawal shall not affect the lawfulness of processing based on consent prior to withdrawal.

8.1.8. Right Not to be Subject to Automated Decision-Making (Article 22 GDPR)

You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. We do not currently engage in solely automated decision-making processes.

8.2. Response Timeframes: We shall respond to requests to exercise data subject rights within one (1) month of receipt. This period may be extended by two (2) further months where necessary, taking into account the complexity and number of requests. We shall inform you of any such extension within one (1) month of receipt, together with reasons for the delay.

8.3. Verification of Identity: To protect your personal data from unauthorized disclosure, we may require verification of your identity prior to responding to requests.

8.4. Fees:
The exercise of data subject rights is free of charge. However, where requests are manifestly unfounded or excessive, particularly if repetitive, we may charge a reasonable fee based on administrative costs or refuse to act on the request.

Article 9: Right to Lodge a Complaint

9.1. Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority if you consider that the processing of personal data relating to you infringes the GDPR.

9.2. In Romania, the competent supervisory authority is:

Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal (ANSPDCP)

Address: B-dul G-ral. Gheorghe Magheru 28-30, Sector 1, 010336 București, România

Website: www.dataprotection.ro

9.3. You have the right to lodge a complaint with the supervisory authority in the Member State of your habitual residence, place of work, or place of the alleged infringement.

Article 10: Security of Personal Data

10.1. We implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk of processing, including, as appropriate:

(a) Pseudonymization and encryption of personal data where appropriate;

(b) Measures to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services;

(c) Measures to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;

(d) Regular testing, assessing, and evaluating the effectiveness of security measures.

10.2. All personnel with access to personal data are bound by confidentiality obligations and receive appropriate training on data protection requirements.

10.3. In the event of a personal data breach likely to result in a risk to your rights and freedoms, we shall notify the ANSPDCP within seventy-two (72) hours of becoming aware of the breach and, where required, communicate the breach to you without undue delay, in accordance with Articles 33 and 34 of the GDPR.

Article 11: Processing of Health Data

11.1. Health data constitutes special category data subject to additional protections under Article 9 of the GDPR. We process health data solely for the following purposes and under the following legal bases:

(a) Explicit Consent (Article 9(2)(a) GDPR): Where you expressly consent to the processing of health data for medical coordination purposes;

(b) Healthcare Purposes (Article 9(2)(h) GDPR): Where processing is necessary for the provision of health or social care or treatment, or the management of health or social care systems and services, based on Union or Member State law or pursuant to contract with a health professional.

11.2. Health data shared with Partner Clinics becomes subject to the independent privacy policies and practices of those healthcare providers. We recommend that you review the privacy notices of all healthcare providers with whom you engage.

11.3. We have implemented enhanced security measures for the protection of health data, including access controls, encryption, and restricted data handling protocols.

Article 12: Children’s Privacy

12.1. Our Services are not directed to individuals under the age of eighteen (18) years. We do not knowingly collect personal data from children.

12.2. Where medical coordination services are requested for a minor, such requests must be submitted by a parent or legal guardian who bears responsibility for providing and managing the minor’s personal data.

12.3. If we become aware that we have collected personal data from a child without parental consent, we shall take steps to delete such information promptly.

Article 13: Amendments to This Privacy Policy

13.1. We reserve the right to amend this Privacy Policy at any time. Material changes shall be communicated through prominent notice on our Website or by direct communication where practicable.

13.2. The “Effective Date” at the beginning of this Policy indicates the date of the most recent revision. Your continued use of the Services following publication of changes constitutes acceptance of the revised Policy.

13.3. We encourage you to review this Privacy Policy periodically to remain informed about our data protection practices.

Article 14: Contact Information

For all inquiries concerning this Privacy Policy or the processing of your personal data, please contact:

Dental Travel Concierge

Email: support@dentaltravelconcierge.com

Website: www.dentaltravelconcierge.com

We are committed to addressing your concerns and will respond to all legitimate inquiries within the timeframes prescribed by applicable law.