1. Who we are
Flextann AS (org. no. 933 644 927), Fjellgata 4, 2212 Kongsvinger, Norway, is the data controller for the personal data described in this policy. Flextooth.com is a digital platform connecting patients with dental clinics in Norway. This policy explains how we collect, use, store, and protect your personal data in accordance with the EU General Data Protection Regulation (GDPR) and the Norwegian Personal Data Act (Personopplysningsloven).
2. What data we collect
Website visitors
When you visit flextooth.com without logging in, we may collect: IP address, browser type and version, operating system, pages visited, time of visit, and cookies (only with your consent for analytics and marketing cookies). Strictly necessary cookies do not require consent.
Patients with an account
If you create an account or book an appointment, we collect: name, email address, phone number, booking history, and preferences. If you complete a pre-visit intake form, we additionally collect health data such as medical history, medications, allergies, and chief complaint. Health data is special category personal data under GDPR Article 9 and is processed only with your explicit consent.
Clinic users
If you represent a dental clinic and use our platform, we collect: name, email address, role within the organisation, and organisation number.
Unclaimed clinic profiles
Flextooth displays publicly available information about dental clinics in Norway, including business name, address, phone number, opening hours, and services. This is done based on our legitimate interest (GDPR Article 6(1)(f)) in providing a useful directory service. Clinics may request removal at any time via our contact page.
3. Legal basis for processing
We process personal data based on the following legal grounds:
Consent (Article 6(1)(a)): Analytics and marketing cookies, and health data (Article 9(2)(a) — explicit consent).
Performance of a contract (Article 6(1)(b)): Account creation and management, processing of bookings and appointments.
Legitimate interest (Article 6(1)(f)): Displaying publicly available clinic information in the directory, fraud prevention, service improvement, and system security.
Legal obligation (Article 6(1)(c)): Retention of accounting records and health records as required by Norwegian law.
4. Retention periods
We retain personal data only for as long as necessary for the purpose it was collected:
Cookies: Varies per cookie — see our cookie policy for details.
Account data: As long as the account is active, plus 30 days after a deletion request.
Booking history: 5 years (Norwegian accounting law).
Health data (intake forms): 10 years (Health Personnel Act § 40).
Server logs: 90 days.
When the retention period expires, data is deleted or anonymised.
5. Third-party processors
We use the following third-party processors who handle personal data on our behalf. We have signed a Data Processing Agreement (DPA) with all of them:
Google (Analytics, Maps) — Analytics and map functionality — EU.
Stripe — Payment processing — EU.
Twilio — SMS messaging — EU.
SendGrid — Email delivery — EU.
Google Cloud Platform (europe-north1, Finland) — Hosting and data storage — EU.
Vercel — Website delivery (CDN) — EU.
No patient health data is ever sent to any analytics platform.
6. Data transfers
All data is stored within the EEA, primarily in GCP europe-north1 (Finland). If any of our processors handle data outside the EEA, the transfer is secured through EU Standard Contractual Clauses (SCCs) in accordance with GDPR Chapter V.
7. Your rights
Under the GDPR, you have the following rights:
Right of access (Article 15): You may request a copy of your personal data.
Right to rectification (Article 16): You may request that inaccurate data be corrected.
Right to erasure (Article 17): You may request deletion of your personal data, except where we have a legal obligation to retain it (e.g., health records).
Right to restriction (Article 18): You may request that processing be restricted.
Right to data portability (Article 20): You may request your data in a structured, machine-readable format.
Right to object (Article 21): You may object to processing based on legitimate interest.
Right to withdraw consent (Article 7(3)): You may withdraw your consent at any time.
Right to lodge a complaint with Datatilsynet: You may file a complaint with the Norwegian Data Protection Authority (datatilsynet.no) if you believe your rights have not been respected.
8. Children
Flextooth is not intended for users under 16 without parental consent. Account creation includes an age confirmation step. Family accounts (where a parent books for a child) are handled via the dependent patient profile system.
9. Contact us
For privacy questions or to exercise your rights, contact us:
Email: personvern@flextooth.com
You may also submit a formal request for access, deletion, or correction via our data request form.
Datatilsynet (Norwegian Data Protection Authority):
Postboks 458 Sentrum, 0105 Oslo
Phone: 22 39 69 00
Website: datatilsynet.no
10. Changes to this policy
We may update this privacy policy from time to time. For material changes, we will notify you via email or a prominent notice on the website. The 'Last updated' date at the top of this page will always reflect the current version.