PRIVACY POLICY OF

ClinicalAID

This Privacy Policy outlines how we collect, use, and protect personal data in connection with our clinical software solutions. It applies to data processing activities carried out through our web-based clinical application ClinicalAID, web browser interface, and other services or platforms where we act as the data controller.

ClinicalAID is fully automated image processing and visualisation software designed to support dental healthcare professionals in analysing dental radiographic images, including 2D X-rays and bitewings. It is designed to process dental radiographs and automatically identify regions of interest that present visual evidence of pathological and non-pathological features. ClinicalAID consists of various components, and processing data is required for it to operate. We are committed to handling all processed personal data in compliance with applicable data protection laws and best practices, ensuring confidentiality, integrity and security.

Please read this Privacy Policy carefully to understand how we manage your personal data and your rights in relation to it. This Privacy Policy can be updated from time to time, but the latest version is always available on our website www.aidental.ai. The current version of the Privacy Policy is effective as of 1 July 2025.

This Privacy Policy provides you with the following information:

  1. Who is the data controller of your data?
  2. Whose data will be processed?
  3. What personal data is processed, for what purposes, and on what legal basis?
  4. With whom may your data be shared?
  5. Is your data transferred to third countries?
  6. Are you subject to automated decision making or profiling?
  7. What measures are in place to protect personal data?
  8. How long is your data processed?
  9. What are your rights?

If you would like more detailed information on any of the matters mentioned herein, please do not hesitate to contact us at the e-mail address stated below.

  1. Who is the data controller of your data?

The controller of your personal data is AID s.r.o., a Slovak company having its registered seat at Námestie SNP 3, Bratislava - Staré Mesto 811 06, Slovakia, Business ID no.: 518 526 83, registered with the Commercial Registry of the Municipal Court Bratislava III, section: Sro, insert no.: 130255/B (“we”, “us”, or “our”).

This Privacy Policy applies exclusively to the processing of personal data carried out by us as a data controller. It does not apply when we act as a data processor, processing data on behalf of our customers. In this case, it is the respective data controller's obligation to provide you with the information about data processing required under the GDPR.

If you want to learn more about the processing and protection of your personal data or if you have any other questions or comments related to data privacy, you can contact us via e-mail sent to: privacy@aidental.com.

  2. Whose data will be processed?

We process personal data of the following individuals:

  a) our customers and their representatives
  b) patients of our customers, whose data is analysed by ClinicalAID
  c) representatives of our research and development partners (e.g. dental clinics, universities)
  d) representatives of our other business partners

(“you”, or “your”).

Please note that personal data of patients, including those over the age of 12, is processed by us as a data controller solely on the basis of explicit consent, and only for the purpose of training and improving ClinicalAID’s machine learning models. When patient data is processed through ClinicalAID by our customers, we act as a data processor on their behalf.

  3. What personal data is processed, for what purposes, and on what legal basis?

We will start processing your data as soon as we begin working together, whether that is when your organisation or you as an individual decide to use ClinicalAID for professional or research purposes, or when you become one of our suppliers with whom we collaborate on business activities. We sometimes process your data prior to business cooperation if you contact us or participate in social events where we present ClinicalAID. If you are interested in more information about the purposes, scope and legal basis of data processing, see the tables below. Information about how we process your personal data on our website can be found in our Cookie Policy.

ClinicalAID

| PURPOSE | DESCRIPTION | PROCESSED DATA | LEGAL BASIS |
|---|---|---|---|
| Account registration, its usage and management | When you decide to actively use ClinicalAID, you will need to register and create your profile. | Identification details (name, surname), log-in data (email address), third party account data (e.g., if you decide to use Google account or other account for logging), your language preferences, technical details about your use of ClinicalAID (e.g. logs from your actions) | Contract performance between us and our customer or business partner (art. 6 (1) (b) of GDPR) |
| Management of contractual relationship | When you or your organization engage with us as a customer, partner, advisor, or in a similar capacity, we may process your personal data for the purpose of effectively managing and maintaining our contractual relationship. | Identification data (name and surname), your professional or private contact details (address, phone number, email), name of organization you represent, information about the position within the organization and the content of the contract itself | Pre-contractual relationship and contract performance between us and our customer or business partner (art. 6 (1) (b) of GDPR) |
| Provision of customer service and support | From time to time you may need our support with the Application. We strive to ensure the proper functioning of the Application, but in case of some issues, we will support you and try to find the solution. | Registration information, information about how you use ClinicalAID, including technical details of your device, content of our communication and other details necessary to solve your issue | Contract performance between us and our customer or business partner (art. 6 (1) (b) of GDPR) |
| ClinicalAID development and improvement | We process your data to improve our services and products and to provide you with the best possible user and customer experience. | Identification details (name, surname), contact details (address, phone number, e-mail address), content of your feedback and your ideas shared with us by various means, information about usage of ClinicalAID, additional communication between you and us about provided feedback or ideas | Our legitimate interest to provide you with the best customer experience and to support you in solving the issues (art. 6 (1) (f) of GDPR) |
| AI learning | To ensure proper functioning and further development of ClinicalAID, the machine learning models used by ClinicalAID need to constantly learn from the loaded dental scans and from the descriptions and diagnosis as provided by our customers. | We process health data included in the loaded dental scans, dental scan description and diagnosis as provided by our customers, and in some cases also information about age, gender, and ethnicity of the patients. | Consent of patients with processing special categories of personal data (Art. 9 (2) (a) of GDPR) |
| Research purposes | We may participate in research projects that contribute to ClinicalAID development. Depending on the nature of the research, we may process data either as a data controller, or as your data processor. | Data required for the registration as ClinicalAID user, health data included in the loaded dental scans, dental scan description and diagnosis as provided by you, diagnosis and scan evaluation as provided by ClinicalAID, and in some cases also information about age, sex and ethnicity of the patients | Contract performance between us and our customer or business partner (art. 6 (1) (b) of GDPR); Consent of patients with processing special categories of personal data (Art. 9 (2) (a) of GDPR); Scientific research when processing special categories of personal data (art. 9 (2) (j) of GDPR) |
| ClinicalAID and user security | We want ClinicalAID to be safe for its users, therefore we adopt security measures to prevent hacker attacks and other security incidents and breaches. We also take some additional measures, the implementation and application of which is required to maintain the safety of ClinicalAID and processed personal data. | Technical information about the device you use when working with ClinicalAID (e.g., IP address, device type), information about the way you use ClinicalAID. | Our legitimate interest to ensure security of ClinicalAID, security of its users and processed data (art. 6 (1) (f) of GDPR) |
| Product testing | We may ask for your opinion about ClinicalAID, or how you use it, or we may provide you with an option to try and test our new products and features, which will require processing of your data. | Identification details (name, surname, information about the name of organization you represent), contact details (email address), third-party account data (e.g., if you decide to use your Google account or other account for logging), technical information related to use of ClinicalAID (information about your device, logs from operations you performed, etc.), your feedback regarding use of ClinicalAID. | Our legitimate interest to test and develop the functionalities of ClinicalAID, to ensure positive experience when using ClinicalAID (art. 6 (1) (f) of GDPR). |
| Defending our rights and claims | When you make a legal claim against us, or when we need to protect our rights through legal or other means, we process your data. | Any personal data that is necessary to achieve the stated purpose, even if your personal data was originally obtained for one of the other purposes, e.g. your identification and contact details, information related to your suggestions, complaints and requests, information related to the use of ClinicalAID etc. The scope of processed personal data may be wider, depending on the concrete claim or dispute. | Our legitimate interest in defending ourselves against claims (art. 6 (1) (f) of GDPR), as well as when we have a legal obligation to do so as the law prescribes (art. 6 (1) (c) of GDPR), or as part of contract fulfilment (art. 6 (1) (b) of GDPR) |
| Fulfilment of legal obligations | We are obliged to process your personal data to fulfill our various legal obligations (e.g., tax obligations, accounting obligations). We may also be obliged to provide your personal data in case of inspection by public authorities, when requested by them and for preventing, monitoring and proving fraud, combating money laundering and other criminal activities. | We process your data within the scope as required by applicable legislation. | Fulfilment of legal obligations imposed upon us based on applicable legislation (art. 6 (1) (c) of GDPR) |

Other purposes

| PURPOSE | DESCRIPTION | PROCESSED DATA | LEGAL BASIS |
|---|---|---|---|
| Direct marketing and promotion | We can use the results and feedback from the trial use of ClinicalAID to promote it. We can also send you a newsletter or other marketing communications containing news about ClinicalAID that may be of interest to you, based on your past preferences. | To promote ClinicalAID, we will process your name, surname and email address, as well as information about your user experience and feedback. When providing you with marketing communications, we will process your name, surname and email address. These will be deleted when you choose to opt out of direct marketing communications. | Our legitimate interest in providing you with direct marketing and in promoting our products and services (art. 6 (1) (f) of GDPR); Consent with processing of your data for the purpose of sending you marketing communication (art. 6 (1) (a) of GDPR) |
| Event and webinar attendance | If you decide to attend our events or sign up for our webinars, we will process your data. | Identification and contact details (name, surname, email address), information about events and webinars you signed up for, information about the company you represent. | We process your data to enable you to attend the respective event / webinar based on contract with you or your company (art. 6 (1) (b) of GDPR) |
| “Contact us” form | You can reach out to us via contact form on our website to get some information about ClinicalAID and to start potential cooperation with us. | Your interest, email address and phone number, city and country you are coming from, your profession, name of dental clinic/university, information about patient management software and X-ray type used. | Our legitimate interest to develop our business and start new cooperation (art. 6 (1) (f) of GDPR); Pre-contractual relationship (art. 6 (1) (b) of GDPR) |

If we process your personal data based on our legitimate interests, as defined in art. 6(1)(f) of the GDPR, you have the right to object to such processing under art. 21 of the GDPR. If you wish to exercise this right, please contact us via the email address provided.

If processing your personal data is a contractual requirement according to Art. 6(1)(b) of the GDPR, and you decide not to provide us with this personal data, this may result in us being unable to enter into a contractual relationship with you. For example, we may be unable to provide you with ClinicalAID services, or we may experience other difficulties in fulfilling our contractual obligations.

Whenever we process your personal data based on your consent, which you have given to us in accordance with art. 9(2)(a) of the GDPR, you have the right to withdraw your consent at any time. This will not affect the lawfulness of processing based on consent before its withdrawal. If you wish to withdraw your consent, please contact us via the above email address.

If we are legally required to process personal data, you may be obliged to provide it to us. If you refuse, this could have various legal consequences for both you and us, including adverse consequences such as the inability to perform a relevant action or continue our cooperation.

As mentioned above, if you are the data controller for data processed by ClinicalAID, you are responsible for fulfilling all applicable legal obligations under the GDPR. This mainly involves transparently informing data subjects about the processing of their data in the application, and ensuring that you have a sufficient legal basis for processing their data. When we act as your data processor, we will conclude a data processing agreement with you containing your instructions on how we should process personal data on your behalf.

  4. With whom may your data be shared?

We take the protection of your personal data very seriously, so we limit the number of people who can access it. Only certain employees and colleagues may have access to your personal data. Access shall only be granted if it is necessary for the purposes described and if the respective employee is bound by a duty of confidentiality.

We may share your data with the following categories of processors:

  • data centre, hosting,
  • marketing services providers,
  • legal services, tax, accounting, and audit services,
  • IT services and technical support providers,
  • information security providers,
  • dental services providers.

If we participate in research projects, we may share your data with relevant research institutions, including dental clinics, universities and other research centres.

We do not allow our processors or data recipients to sell any personal data that we share with them or use it for purposes other than performing the services they provide to us. Before engaging any processor, we carry out thorough due diligence, including detailed privacy, security and legal analysis. We only engage a processor if they meet our quality standards. All of our processors are subject to contract terms that enforce compliance with applicable data protection laws.

Please also be aware that our processors and data recipients may engage additional contractors to support their business and provide certain services, which may involve processing your data. Such services may include, but are not limited to, cloud services, website hosting, data analysis, information technology and related infrastructure, customer service, email delivery, banking and payment method providers, and accounting, legal, tax and audit services. These additional contractors should provide their services in accordance with their contract and applicable law, especially with respect to compliance with applicable data protection legislation.

Lastly, please note that we may share your personal data with our suppliers or clients, tax authorities, social security agencies, law enforcement agencies or other governmental agencies if required to do so by law or decision of a respective public authority or court order.

  5. Is your data transferred to third countries?

Since some of our partners are located outside the EU/EEA, or have contractors or process personal data in third countries, we also process your personal data outside the EU/EEA. In these cases, we ensure that your personal data is only transferred to countries that have an equivalent level of personal data protection, as defined by a relevant European Commission decision. Alternatively, we ensure that the appropriate personal data protection measures are in place. Generally, we use standard contractual clauses for data transfers to third countries, or we require compliance with additional guarantees and measures. Regardless of where your personal data is processed, we take appropriate technical, security and organisational measures to ensure that the level of protection is the same as in the EU/EEA. If you would like more information about the international transfer of your personal data and the relevant safeguards we have in place, please contact us via the email address mentioned above.

  6. Are you subject to automated decision making or profiling?

Your personal data are not subject to automated decision making or profiling.

  7. What measures are in place to protect personal data?

We make every effort to ensure that the security measures we implement are appropriate to the risks associated with processing your personal data. We maintain technical and organisational measures designed to protect your personal data within our organisation against relevant security threats, including unauthorised access, destruction, loss, alteration or misuse. As mentioned above, only a limited number of authorised personnel have access to your data. If you would like to find out more about our technical and organisational measures, please contact us using the email address mentioned above.

  8. How long is your data processed?

We will store your personal data for as long as is necessary to fulfil the purposes mentioned in this Privacy Policy for which the data were obtained, to pursue our legitimate interests, and to comply with applicable laws. This means that we will retain most of your personal data for as long as we are cooperating together, or for as long as you have given us consent. However, if possible, we will erase certain data sooner, once it is no longer needed for the original purpose or if you withdraw your consent or request us to delete your data. Please note that we may process some of your personal data for a longer period of time after the termination of our contractual relationship if: (i) applicable law (e.g. tax and accounting laws) requires us to do so; (ii) there are ongoing legal proceedings; or (iii) you have given us permission to keep your personal data on record for a longer period of time. These periods may be prolonged in the event of a request from a relevant public authority or court. If you are interested in the detailed retention periods that we apply, please contact us via the email address mentioned above.

  9. What are your rights?

You are entitled to exercise the following rights as a data subject with respect to the processing of your personal data:

  • Right to access: You have the right to obtain information about whether we are processing your personal data. If so, you can request a copy of the personal data we are processing. We may charge a fee for this. If we are processing your personal data, you can request information about why we are processing it, what data we are processing, who we are sharing it with, how long we are storing it for and how we determine this period, your rights to rectification or erasure, restriction or objection to the processing of your data, your right to lodge a complaint with a supervisory authority, where we collected it from if not directly from you, whether you are subject to automated decision-making or profiling and whether we transfer it to third countries. All of this information is included in this Privacy Policy.
  • Right to rectification: It is important that we have the correct information, and we ask you to notify us if any of your personal data is incorrect or if any of your personal data has changed. We will rectify your personal data without undue delay upon your notification.
  • Right to erasure (“right to be forgotten”): If the processing of your personal data is no longer necessary, if your personal data has been unlawfully processed, or if you withdraw your consent or object to the processing of your personal data, you may request us to erase your personal data.
  • Right to restrict processing: From the moment when you (i) asked for rectification of your personal data, or (ii) objected to the processing, until we assess your request, you are entitled to request us to restrict the processing. You may also request us to restrict the processing of your personal data if the processing was unlawful, but you do not want us to delete your personal data, or if we do not need your data anymore for the original processing purposes, but the data are important for defending your legal claims.
  • Right to object to processing: If we process your personal data based on our legitimate interest or for direct marketing purposes, you may object to such processing. We can process your personal data further if we can demonstrate the compelling legitimate grounds for the processing which override your interests, rights and freedoms, or for the establishment, exercise or defense of legal claims.
  • Right to data portability: You may request us to provide you with the personal data that you provided to us for the processing based on the consent or for fulfillment of the contract. We should provide you with your personal data in a structured, commonly used and machine-readable format. You also have the right to request the transfer of these data directly to another data controller, if it is technically feasible.
  • Right to withdraw your consent: If some processing activities are based on the consent, you will have the right to withdraw such consent at any time. Please note that the withdrawal of your consent does not affect legality of the processing previously performed based on the originally granted valid consent.
  • Rights related to automated decision making and profiling: You have the right not to be subjected to automated decision-making, including profiling, which produces legal effect for you or has a similar significant effect. We do not use automated decision-making or profiling for the outlined purposes of data processing. However, if you have been subject to an automated decision and do not agree with the outcome, you can contact us using the details below and ask us to review the decision in a non-automated manner.

If you wish to exercise any of the aforementioned rights, if you wish to file a complaint about how we process your personal data, or if you have any further questions regarding the processing of your personal data, please contact us using the above contact details. We will then review your request or suggestion and reply to your question.

If you are not satisfied with our response or if you believe that we process your data unfairly or unlawfully, you may lodge a complaint with a relevant supervisory authority, which is the Office for Personal Data Protection of the Slovak Republic (address: Námestie 1. Mája, 811 06 Bratislava, Slovakia). For more information, please visit www.dataprotection.gov.sk.