
Privacy Policy

Last Updated: May 21, 2025

Introduction

MouthWise, operated by Somazero, Lda ("we," "our," or "us"), provides AI-driven diagnostic tools for dental professionals.

This Privacy Policy governs the collection, processing, and protection of data through our website (https://www.mouth-wise.com) and application (collectively, the "Services").

We process dental images in-memory without storage and store only anonymized patient case descriptions as a data processor, prioritizing compliance with the EU General Data Protection Regulation (GDPR), the US Health Insurance Portability and Accountability Act (HIPAA) where applicable, and the EU Medical Device Regulation (EU MDR).

This policy applies to dental professionals using our Services. Patients should refer to their dental provider's privacy practices for information on their data. By using our Services, you acknowledge and agree to this Privacy Policy and our Terms and Conditions.

Contact us at hello@mouth-wise.com if you have questions regarding this policy.

Information We Collect

We collect minimal data to provide our Services, ensuring no storage of dental images and anonymization of stored data:

  • Dental Images: When you upload dental images (e.g., X-rays, CBCT scans), we process them in-memory to generate diagnostic insights. Images are not stored or recoverable. We require images to exclude personally identifiable information (PII) or Protected Health Information (PHI), such as patient names or medical record numbers, and use automated tools to reject non-anonymized images.
  • Patient Case Descriptions: We store text descriptions of patient cases you provide (e.g., "caries on molar, no pain"). You are responsible for ensuring these descriptions are anonymized and free of PII/PHI. We may reject descriptions containing potential identifiers (e.g., names, dates).
  • User Account Data: Includes email address and password for authentication, not linked to patient data.
  • Usage Data: Non-identifiable data (e.g., API call frequency, browser type) to improve functionality.
  • Payment Information: Credit card details and billing information, securely processed by Stripe and not stored by us.
  • Metadata: Pseudonymized metadata (e.g., hashed user IDs, timestamps) for security and auditing.

We do not collect patient PII/PHI unless inadvertently included, in which case uploads are rejected. Automatically collected data includes:

  • Device Information: Browser type, operating system, device details.
  • Cookies: Used solely for authentication. You may disable cookies via browser settings, but this may limit Service access.

How We Use Your Information

We use collected data to:

  • Provide AI-driven diagnostic insights to dental professionals.
  • Authenticate user accounts and ensure Service security.
  • Process payments securely via Stripe.
  • Respond to customer support inquiries.
  • Analyze aggregated, non-identifiable usage data to improve Services.
  • Send technical or security alerts (e.g., account updates).
  • Develop new features or services.

Legal Basis (GDPR)

  • Health Data (Images, Descriptions): We process dental images and case descriptions as a data processor under GDPR Article 9(2)(h) (processing necessary for medical diagnosis) or with explicit patient consent obtained by you, the data controller. You must confirm a legal basis before uploading data.
  • User Account Data: Processed under GDPR Article 6(1)(b) (contract performance) to provide access.
  • Usage Data: Processed under GDPR Article 6(1)(f) (legitimate interests) for service improvement, with minimal privacy impact.

HIPAA (US Users)

If images or descriptions contain PHI, we process them as a business associate under a Business Associate Agreement (BAA) with US dental professionals. We aim to process only anonymized data, minimizing HIPAA applicability.

How We Share Your Information

We limit data sharing to ensure privacy:

  • Dental Images: Not stored or shared with any parties.
  • Patient Case Descriptions: Stored on our EU servers and shared only with third-party providers (e.g., Render for hosting) under GDPR-compliant Data Processing Agreements (DPAs).
  • User Account and Usage Data: Shared with providers (e.g., Stripe for payments) under DPAs or, for US users, BAAs if PHI is involved.
  • Payment Information: Securely handled by Stripe, not stored by us.
  • Legal Obligations: We may disclose data if required by law (e.g., court order), limited to what is necessary.
  • Business Transactions: Data may be shared in mergers or acquisitions, subject to confidentiality.

We do not sell or rent your personal information to third parties for marketing purposes.

Data Storage and Retention

  • Dental Images: Processed in-memory and not stored or recoverable.
  • Patient Case Descriptions: Stored in an encrypted database in Frankfurt, Germany (eu-central-1), deleted upon account termination or user request within 30 days, unless required by law.
  • User Account Data: Stored for the duration of your account, deleted upon closure.
  • Usage Data and Metadata: Pseudonymized and retained for 30 days for security and auditing, then deleted.
  • Location: All data is processed and stored in the EU to comply with GDPR data residency requirements.

We adhere to GDPR's data minimization principle, retaining data only as necessary for Service delivery.

Data Security

We implement industry-standard safeguards:

  • Encryption: TLS 1.2 or higher for data in transit, AES-256 for stored case descriptions.
  • Access Controls: Restricted via API keys and role-based authentication.
  • Pseudonymization: Hashed identifiers in logs and metadata.
  • Hosting: Render servers in Frankfurt, Germany, compliant with ISO 27001.

No transmission or storage is 100% secure, but we take reasonable steps to protect your data. We conduct security reviews as needed to maintain compliance with GDPR, HIPAA, and EU MDR.

Your Privacy Rights

Depending on your jurisdiction, you may have rights to:

  • Access: Request a copy of your data (e.g., account details, case descriptions).
  • Rectification: Correct inaccurate data.
  • Erasure: Delete case descriptions or account data.
  • Restriction: Limit processing in certain cases.
  • Portability: Receive data in a machine-readable format.
  • Objection: Object to processing based on legitimate interests.

To exercise these rights, contact us at hello@mouth-wise.com. Requests will be processed in accordance with applicable laws and regulations.

Role as Data Processor

  • GDPR: We act as a data processor for patient case descriptions, processing on behalf of dental professionals (data controllers). You must sign a Data Processing Agreement (DPA), available at hello@mouth-wise.com, outlining responsibilities.
  • HIPAA: For US users, if case descriptions or images inadvertently contain PHI, we act as a business associate under a BAA, available at hello@mouth-wise.com. We aim to process only anonymized data to minimize HIPAA applicability.

EU MDR Compliance

MouthWise is classified as a [Class IIa/IIb, pending confirmation] medical device under EU MDR (2017/745). To avoid non-compliance with CE marking requirements, we restrict access in the following 32 countries: the European Union (Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden), European Economic Area (Iceland, Liechtenstein, Norway), Switzerland, Turkey, and Northern Ireland. We enforce these restrictions using IP geolocation and registration data. Users in these countries may not access our Services. Contact hello@mouth-wise.com for updates.

Data Protection Impact Assessment

We have conducted a Data Protection Impact Assessment (DPIA) for processing dental images and case descriptions, as required by GDPR Article 35. Our no-storage image processing and anonymized text storage minimize privacy risks. Contact hello@mouth-wise.com for details.

Children's Privacy

Our Services are intended solely for individuals aged 18 or older. We do not knowingly collect data from individuals under the age of 18. Should we discover such data collection, we will promptly delete the information.

Cookie Policy

We use cookies exclusively for authentication purposes. You have the option to disable cookies through your browser settings; however, doing so may restrict access to certain features of our Services.

International Data Transfers

Data is processed and stored in Frankfurt, Germany (eu-central-1), ensuring EU data residency. If you access the Services from outside the EU (e.g., Serbia, Great Britain in the UK), data remains in the EU, and no international transfers occur. For US users, payment data processed by Stripe may be handled in the US, subject to Stripe's GDPR-compliant safeguards. By using our Services, you consent to data processing in the EU.

Changes to This Privacy Policy

We may update this Privacy Policy from time to time in response to changing legal, technical, or business developments. When we update our Privacy Policy, we will take appropriate measures to inform you, consistent with the significance of the changes we make. We will obtain your consent to any material Privacy Policy changes if and where this is required by applicable data protection laws.

You can see when this Privacy Policy was last updated by checking the "Last Updated" date displayed at the top of this Privacy Policy.

Contact Us

For any inquiries or concerns regarding this Privacy Policy, please contact us:

Email: hello@mouth-wise.com
Address: MouthWise is a product of Somazero, Lda, Rua Pombal, N.º 1, 3.º Esquerdo, 9050-075 Funchal, Madeira, Portugal.