GDPR Compliance
Regulation (EU) 2016/679
Cavitech AI (Pty) Ltd ("Cavitech," "we," "us," or "our") is committed to protecting the privacy and fundamental rights of individuals in the European Economic Area (EEA), the United Kingdom, and Switzerland. This page explains how we comply with the General Data Protection Regulation (GDPR) when dental practices and their patients interact with our AI-powered clinical decision support platform.
We process two distinct categories of personal data: Patient Data uploaded by dental practices for AI-assisted radiograph analysis, and Account Information provided by dental professionals when registering for and using our Service. The roles and responsibilities for each category are described below.
Data Controller & Processor Roles
Under the GDPR, the distinction between Data Controller and Data Processor determines who bears primary responsibility for personal data. Cavitech operates in both capacities depending on the category of data being processed.
Patient Data — Your dental practice is the Data Controller. When a dental practice uploads patient radiographs, clinical notes, or any other patient-identifiable information to the Cavitech AI platform, the practice determines the purposes and means of processing that data. The practice is responsible for obtaining valid legal bases (including patient consent where required), ensuring data accuracy, and fulfilling data subject requests. Cavitech acts as the Data Processor, processing Patient Data solely on the instructions of the dental practice and exclusively for the purpose of delivering the Service — AI-powered radiograph analysis, clinical decision support, treatment planning assistance, and related functionality. We do not use Patient Data for model training, marketing, profiling, or any purpose beyond service delivery.
Account Information — Cavitech is the Data Controller. For personal data provided by dental professionals during account registration and platform usage — such as name, email address, practice details, login credentials, and usage analytics — Cavitech acts as the Data Controller. We determine the purposes and means of processing this data, which include account administration, service delivery, security monitoring, product improvement, and communication about the Service.
We enter into Data Processing Agreements (DPAs) with all dental practices that process EU/EEA personal data through our platform. These DPAs set out the subject matter, duration, nature, and purpose of processing, the types of personal data, and the obligations of both parties under Article 28 of the GDPR.
Lawful Basis for Processing
The GDPR requires that every processing activity be grounded in a valid lawful basis under Article 6. We rely on the following bases depending on the nature and purpose of processing:
Article 6(1)(b) — Performance of a contract. We process Account Information and operational data as necessary to deliver the Service to registered dental professionals. This includes account creation, authentication, radiograph analysis, report generation, treatment planning, scheduling, and all other functionality described in our Terms of Service.
Article 6(1)(f) — Legitimate interests. We process certain data where it is necessary for our legitimate interests, provided those interests are not overridden by the rights and freedoms of the data subject. Our legitimate interests include platform security and fraud prevention, service reliability monitoring, aggregate usage analytics (anonymised where possible), and improving the quality and safety of our clinical decision support tools. We conduct legitimate interest assessments and maintain records of these assessments.
Article 6(1)(c) — Legal obligation. We process personal data where necessary to comply with legal obligations to which we are subject, including tax and accounting requirements, regulatory reporting, responding to lawful requests from public authorities, and data breach notification obligations.
Article 6(1)(a) — Consent. Where we rely on consent as the lawful basis for processing, consent is freely given, specific, informed, and unambiguous. This applies to optional marketing communications, optional analytics cookies, and any processing activity that falls outside the scope of our contractual or legitimate interest bases. You may withdraw consent at any time without affecting the lawfulness of processing carried out prior to withdrawal.
Special category data — Article 9(2)(h). Patient radiographs and associated clinical data constitute health data, which is a special category of personal data under the GDPR. The dental practice, as Data Controller, is responsible for establishing a valid exemption under Article 9. Processing is typically justified under Article 9(2)(h) — that processing is necessary for the purposes of preventive or occupational medicine, medical diagnosis, the provision of health or social care, or the management of health or social care systems and services. As Data Processor, Cavitech processes health data strictly in accordance with the dental practice's instructions and the terms of our Data Processing Agreement.
Data Subject Rights Under GDPR
The GDPR grants individuals comprehensive rights over their personal data. We are committed to facilitating the exercise of these rights in a transparent, accessible, and timely manner.
Right of access (Article 15). You have the right to obtain confirmation of whether we process your personal data and, if so, to receive a copy of that data along with information about the purposes of processing, the categories of data concerned, the recipients or categories of recipients, the retention period, and the source of the data.
Right to rectification (Article 16). You have the right to request correction of inaccurate personal data and, taking into account the purposes of the processing, to have incomplete personal data completed.
Right to erasure (Article 17). You have the right to request the deletion of your personal data where it is no longer necessary for the purposes for which it was collected, where you withdraw consent (and no other legal basis applies), where you object to processing and there are no overriding legitimate grounds, where the data has been unlawfully processed, or where erasure is required to comply with a legal obligation.
Right to restriction of processing (Article 18). You have the right to request restriction of processing where you contest the accuracy of the data, where processing is unlawful but you oppose erasure, where we no longer need the data but you require it for the establishment, exercise, or defence of legal claims, or where you have objected to processing pending verification of our legitimate grounds.
Right to data portability (Article 20). Where processing is based on consent or contract and is carried out by automated means, you have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to transmit that data to another controller without hindrance.
Right to object (Article 21). You have the right to object to processing based on legitimate interests or public interest grounds. Upon objection, we will cease processing unless we demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or the processing is necessary for the establishment, exercise, or defence of legal claims. You have an absolute right to object to processing for direct marketing purposes.
Rights relating to automated decision-making (Article 22). You have the right not to be subject to decisions based solely on automated processing, including profiling, that produce legal effects or similarly significantly affect you. Cavitech's AI analysis is designed as a clinical decision support tool — all AI Output must be reviewed and approved by a qualified dental professional before any clinical action is taken. No treatment decisions are made by automated means alone.
For Account Information (where Cavitech is Data Controller): submit requests directly to gdpr@cavitech-ai.com. We will respond within 30 calendar days. If we require an extension (up to two additional months for complex requests), we will inform you within the initial 30-day period with an explanation of the reasons for delay. We provide this service free of charge, though we may charge a reasonable fee or refuse manifestly unfounded or excessive requests.
For Patient Data (where your dental practice is Data Controller): patients should direct data subject requests to their dental practice. We will assist the practice in fulfilling these requests in accordance with our Data Processing Agreement.
International Data Transfers
Cavitech AI is headquartered in South Africa. When personal data originating in the EEA, the United Kingdom, or Switzerland is transferred to South Africa or to our infrastructure providers in other jurisdictions, we ensure that appropriate safeguards are in place to protect that data in accordance with Chapter V of the GDPR.
Standard Contractual Clauses — Article 46(2)(c). We rely on the European Commission's Standard Contractual Clauses (SCCs) as the primary transfer mechanism for personal data leaving the EEA. We use the most current versions of the SCCs as adopted by Commission Implementing Decision (EU) 2021/914. Where data is transferred from the United Kingdom, we use the International Data Transfer Agreement (IDTA) or the UK Addendum to the EU SCCs, as applicable.
Supplementary measures. In addition to SCCs, we implement supplementary technical, organisational, and contractual measures where necessary to ensure that the level of protection for personal data is not undermined by the transfer. These measures include encryption of personal data in transit (TLS 1.2 or higher) and at rest (AES-256), strict access controls and role-based permissions, pseudonymisation of data where technically feasible, and contractual commitments from our sub-processors regarding government access requests.
Data Processing Agreements. We maintain DPAs with all sub-processors that handle personal data on our behalf, including our cloud infrastructure providers, database hosting services, and file storage providers. These DPAs include obligations regarding data security, confidentiality, sub-processing, international transfers, and cooperation with data subject requests.
Transfer Impact Assessments. We conduct Transfer Impact Assessments (TIAs) to evaluate the laws and practices of destination countries, identify any risks to data subject rights, and determine whether supplementary measures are necessary and sufficient to address those risks. We review and update these assessments periodically and whenever there are material changes in the legal framework of a destination country.
Data Breach Notification
We take data security seriously and have implemented comprehensive incident response procedures in compliance with Articles 33 and 34 of the GDPR.
Notification to supervisory authorities — Article 33. In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of natural persons, we will notify the competent supervisory authority without undue delay and, where feasible, no later than 72 hours after becoming aware of the breach. Where notification is not made within 72 hours, we will provide a reasoned justification for the delay. The notification will include the nature of the breach, the categories and approximate number of data subjects and records affected, the name and contact details of our data protection contact, a description of the likely consequences, and the measures taken or proposed to address the breach and mitigate its effects.
Notification to data subjects — Article 34. Where a personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, we will communicate the breach to the affected individuals without undue delay. This communication will describe the nature of the breach in clear and plain language, provide the name and contact details of our data protection contact, describe the likely consequences of the breach, and explain the measures taken or proposed to address the breach and mitigate adverse effects.
Where Cavitech is Data Processor: we will notify the dental practice (Data Controller) without undue delay upon becoming aware of a personal data breach affecting Patient Data, so that the practice can fulfil its own notification obligations under Articles 33 and 34.
Breach documentation. We document all personal data breaches, regardless of whether they meet the threshold for notification. This documentation includes the facts surrounding the breach, its effects, and the remedial action taken. These records are maintained in accordance with Article 33(5) and are available for inspection by supervisory authorities upon request.
Supervisory Authority
If you are located in the European Economic Area and believe that our processing of your personal data infringes the GDPR, you have the right to lodge a complaint with the supervisory authority in the EU Member State of your habitual residence, place of work, or place of the alleged infringement.
A full list of EU/EEA data protection authorities and their contact details is maintained by the European Data Protection Board (EDPB) at edpb.europa.eu.
We encourage you to contact us first at gdpr@cavitech-ai.com so that we can address your concerns directly. We are committed to resolving complaints promptly and in good faith. However, contacting us does not affect your right to lodge a complaint with a supervisory authority at any time.
For questions about our GDPR compliance, to exercise your data subject rights, or to request a copy of our Data Processing Agreement, contact us at gdpr@cavitech-ai.com or write to Cavitech AI (Pty) Ltd, Secunda, Mpumalanga, South Africa.