Privacy Policy
Information on the processing of personal data in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data (GDPR) and Act No. 18/2018 Coll. on personal data protection.
1. Data Controller
Zdravý Zúbok
Registered office: Maloidanská 2, 040 15 Košice-Šaca
Place of business: Hájska cesta 366/1, 044 02 Turňa nad Bodvou
Company ID: 57 325 685
Email: [email protected]
Phone: +421 55 466 2731
2. Purpose of Processing
We process your personal data for the following purposes:
- Providing healthcare and maintaining medical records
- Booking and management of appointment visits (online and by phone)
- Communication with patients - sending appointment reminders and treatment information
- Billing for provided health services and contractual relations with health insurance companies
- Sending marketing communications (only with patient consent)
- Processing the contact form on the website
3. Scope of Data
We process the following categories of personal data:
- First name, last name, email, phone number, date of birth, national identification number (for medical records)
- Contact details: email address, phone number, correspondence address
- Health insurance data: insurance company number, insured person number
- Health data: information about health condition, medical history, examination results (special category)
- Appointment data: date, time and type of booked treatment
4. Legal Basis — GDPR
We process personal data on the basis of:
- Performance of a contract (Art. 6(1)(b) GDPR) - provision of healthcare, appointment management
- Legal obligation (Art. 6(1)(c) GDPR) - keeping medical records under Act No. 576/2004 Coll.
- Legitimate interest (Art. 6(1)(f) GDPR) - sending appointment reminders, improving services
- Consent (Art. 6(1)(a) GDPR) - marketing communication, processing of photographs (before/after)
5. Data retention period
We retain personal data for the period necessary to fulfil the purpose of processing:
- Medical records: 20 years from the last treatment (under Act No. 576/2004 Coll.)
- Accounting documents: 10 years (under Act No. 431/2002 Coll. on Accounting)
- Appointment data: 3 years from the date of the visit
- Contact form: 1 year from submission
- Marketing consent: until consent is withdrawn
- Camera footage: 14 days from recording, then automatic deletion
6. Rights of the data subject
As a data subject, you have the following rights:
- Right of access - you have the right to obtain confirmation as to whether your personal data are being processed, and information about the processing
- Right to rectification - you have the right to rectification of inaccurate or incomplete personal data
- Right to erasure - you have the right to request erasure of personal data if the purpose of processing has ceased (does not apply to medical records)
- Right to restriction of processing - you have the right to request restriction of processing of your data
- Right to data portability - you have the right to receive your data in a structured, commonly used format
- Right to object - you have the right to object to processing based on legitimate interest
- Right to withdraw consent - if processing is based on consent, you may withdraw it at any time
- Right to lodge a complaint - you have the right to lodge a complaint with the Office for Personal Data Protection of the Slovak Republic
7. Recipients of personal data and processors
Your personal data may be disclosed to the following recipients:
- Health insurance companies - for the purpose of billing healthcare
- Public authorities - where required by law
For operating the web booking and communication we use the following processors (Article 28 GDPR):
- SMSgate.sk (PROFIT BIZ s. r. o., Slovakia) - sending confirmation and reminder SMS. We pass the processor the first name, surname and phone number only for the specific message.
- Resend.com (Resend Inc., EU infrastructure) - sending email booking confirmations. We pass the name and email address.
- Cloudflare (Cloudflare Inc., EU infrastructure) - reverse proxy, bot protection (Turnstile) and TLS connection encryption. Cloudflare processes the IP address and HTTP request headers; it does not read request content beyond routing.
The original SMS processor GoSMS.eu (ZooControl s.r.o., Czech Republic) was replaced on 26 May 2026 by SMSgate.sk to align the processing contract with the Slovak tax regime (§ 7a Slovak VAT Act).
8. Contact details for data protection enquiries
If you have questions regarding the processing of your personal data, please contact us:
Email: [email protected]
Phone: +421 55 466 2731
By mail: Zdravý Zúbok s.r.o., Hájska cesta 366/1, 044 02 Turňa nad Bodvou
Supervisory authority:
Office for Personal Data Protection of the Slovak Republic
Hraničná 12, 820 07 Bratislava 27
www.dataprotection.gov.sk
9. Traffic analytics - Plausible Analytics (self-hosted)
To measure website traffic we use Plausible Community Edition, which we operate on our own server in the EU. Plausible:
- It uses no cookies - so we do not require your consent for analytics
- It anonymizes IP addresses - it stores only a daily hash, not the address itself
- No data leaves our server - no transfer to the USA or anywhere outside the EU
- We do not share data with third parties
We record: visited pages, country (from IP, anonymised daily), device type, browser language and interactions with the booking form (opening, slot selection, completion). We record no personal data and no patient identifiers.
10. Security - Cloudflare Turnstile
Public forms (online booking, contact, walk-in queue registration) are protected by Cloudflare Turnstile, which verifies that the submission is not automated. Turnstile does not use tracking cookies and does not store identifying data about visitors.
11. Camera system (video monitoring)
The clinic premises are monitored by a camera system for the purpose of protecting property against theft, burglary and vandalism and ensuring the safety of persons.
- Monitored areas: the clinic entrance (video doorbell) and the waiting room. The treatment room, staff room, toilet and storage areas are NOT monitored.
- Scope of recording: video only - the cameras do not capture audio. We do not use facial recognition or biometric processing.
- Legal basis: the legitimate interest of the controller (Art. 6(1)(f) GDPR).
- Retention period: 14 days from the recording, after which it is automatically and irreversibly deleted. In the event of an incident investigation, the specific recording is retained for the duration of the proceedings.
- Recipients: law enforcement authorities upon their request as part of an investigation. The recording is not provided to third parties for any other purpose.
- Processing: the recording is stored locally on a server at the clinic (no cloud, no transfer outside the EEA).
An information notice is posted at the entrance to the monitored area. Your rights (including the right of access, objection and erasure) and the contact for exercising them are set out in sections 6 and 8.
This privacy policy is effective from 1 January 2025 and may be updated from time to time. The current version is always available on this page.