Privacy Policy

Effective: September 06, 2022 | Last updated: October 02, 2025

1. Introduction

BrightPlans Kft. ("we", "us", "the Company") is committed to protecting your personal data. This Privacy Policy (the "Policy") details how we collect, use, share, and protect your personal data when you use our services (the "Service").

Our Service is primarily provided to healthcare providers ("Clients") to enable them to create and manage treatment plans for their own patients ("Patients"). This Policy covers our data processing practices related to both our Clients and, through our Clients, the Patients.

2. Our Role in Data Protection

Under data protection laws, particularly the General Data Protection Regulation (GDPR), it is important to clarify our role:

  • Data Controller: When we process the business data of our Clients (e.g., dental clinics)—such as registration and billing information—we act as a Data Controller. In this capacity, we determine the purposes and means of processing this data.
  • Data Processor: When our Clients record the personal and health data of their own Patients in our system, we act as a Data Processor. In this case, the Client is the Data Controller who determines the purpose and legal basis for the processing, and we perform the technical data processing operations (e.g., storage, backup) on their behalf and according to their instructions.

3. Data We Collect and Process

We process data falling into two main categories:

3.1. Client Data (data about you, the clinic)

  • Identifier and contact data: Name, email address, phone number.
  • Financial data: Our payment provider, Paddle, collects billing and payment information. We do not store credit card details.

3.2. Patient Data (which you, as the clinic, record)

  • Personal identification data: Name, email address, date of birth.
  • Special category (health) data: Diagnoses, treatment plans, medical notes, and uploaded files such as X-rays and photographs.

4. Purpose and Legal Basis for Processing

We conduct all data processing activities for a clear purpose and with an appropriate legal basis.

Processing activity, data categories processed, and legal basis (under the GDPR):

  • Account creation and provision of the Service. Data processed: Client identifier and contact data. Legal basis: Article 6(1)(b) of the GDPR, necessary for the performance of a contract.
  • Managing payments and subscriptions. Data processed: Client financial and transaction data. Legal basis: Article 6(1)(b) (performance of a contract) and Article 6(1)(c) (compliance with a legal obligation, e.g., accounting regulations) of the GDPR.
  • Storing and managing Patient data. Data processed: Patient identification and health data. Legal basis: Article 9(2)(a) of the GDPR, the explicit consent of the data subject (Patient), which the Data Controller (the Client) is obligated to obtain.
  • Sending newsletters and marketing communications. Data processed: Client name and email address. Legal basis: Article 6(1)(a) of the GDPR, the consent of the data subject (Client).
  • Ensuring system security and technical operation. Data processed: Technical data (e.g., IP address, log files). Legal basis: Article 6(1)(f) of the GDPR, our legitimate interest in protecting the security and integrity of the Service.

Important Note on Patient Data: We declare that we process the special category health data of Patients exclusively as a Data Processor, on your (as the Data Controller's) behalf. It is your responsibility to obtain the appropriate, documented, and explicit consent from your Patients for the processing of this data within the BrightPlans system.

5. Data Sharing and Third-Party Providers

We never sell your personal data. However, to provide the Service, we use trusted third-party service providers (sub-processors).

Partner, service provided, data shared, and data center location:

  • Linuxweb Kft.: VPS hosting. Data shared: encrypted client and patient databases. Data center location: Hungary (EU).
  • Amazon Web Services (AWS): file storage (S3). Data shared: encrypted, user-generated files (e.g., treatment plans, X-rays). Data center location: Ireland (EU) / Global.
  • Paddle.com Market Ltd.: payment processing and invoicing. Data shared: Client billing and contact details. Data center location: United Kingdom / Ireland (EU).
  • Brevo: marketing communications, newsletter. Data shared: Client name and email address. Data center location: France (EU) / Global.

6. International Data Transfers

As we have a global client base, it may be necessary to transfer personal data outside the European Economic Area (EEA). In such cases, we ensure that the data is protected at the level required by the GDPR through mechanisms such as European Commission adequacy decisions (e.g., the EU-U.S. Data Privacy Framework) or Standard Contractual Clauses (SCCs).

7. Data Security

We take the security of your data extremely seriously and apply state-of-the-art technical and organizational measures to protect it:

  • Encryption: All data is encrypted both at rest and in transit. Our central databases and the files stored on AWS S3 are both encrypted.
  • Access Control: We apply strict access control policies based on the "principle of least privilege," ensuring that only authorized personnel can access data to the extent strictly necessary to perform their duties.
  • Infrastructure Security: We operate our central databases on secure virtual private servers (VPS) within the EU. For file storage, we use the world-class, secure infrastructure of Amazon Web Services (AWS), which includes blocking public access by default.

8. Data Retention Period

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected or to comply with our legal obligations.

  • Client Data: For the duration of the contractual relationship, plus the statute of limitations for legal claims (typically 5 years).
  • Billing Data: For at least 8 years, in accordance with Hungarian accounting laws.
  • Patient Data: According to your (as the Data Controller's) instructions, for the period specified in the data processing agreement between us.
  • Marketing Data: Until consent is withdrawn.

9. Your Data Protection Rights

Under the GDPR and other data protection laws, you (and your Patients) have the following rights:

  • Right of access: You have the right to request information about the personal data we process about you.
  • Right to rectification: You can request the correction of inaccurate or incomplete data.
  • Right to erasure ('right to be forgotten'): Under certain conditions, you can request the deletion of your data.
  • Right to restriction of processing: You can request the restriction of data processing.
  • Right to data portability: You have the right to receive your data in a machine-readable format.
  • Right to object: You can object to the processing of your personal data, especially for direct marketing purposes.

To exercise these rights, please contact us at privacy@bright-plans.com. In the case of Patients, requests should primarily be submitted to the Data Controller (i.e., your clinic), but we will cooperate with you in every way to fulfill these requests.

10. Special Provisions (HIPAA)

For our Clients in the United States who are "Covered Entities" under the Health Insurance Portability and Accountability Act (HIPAA), BrightPlans acts as a "Business Associate." We are committed to protecting Protected Health Information (PHI) and adhere to the administrative, physical, and technical safeguards required by the HIPAA Security Rule. Our Business Associate Agreement (BAA) with Amazon Web Services ensures infrastructure-level compliance.

11. Changes to This Policy

We reserve the right to update this Privacy Policy from time to time. We will notify you of any material changes via email or through the Service.

12. Contact Us

If you have any questions or comments about our privacy practices, please contact us at the following email address:

privacy@bright-plans.com