1. Who we are
tuth.app is a software service operated by Yet Another Artificial Intelligence Company (SARL-S), 15 Avenue Dr Klein, L-5630 Mondorf-les-Bains, Luxembourg — RCS Luxembourg B232060 — TVA LU36410809. In this Privacy Policy "we", "us" and "tuth.app" refer to that company. We build a clinic-facing workflow tool for dental prosthetics, and this policy explains how we handle personal data of dentists, clinic staff, and the patients whose records dentists store in tuth.app.
For all questions related to this policy, including data subject requests, write to tuth@yet.lu.
2. The two roles: dentist and patient
Dentists and clinic staff who hold an account with us are our direct users. We are the data controller for their account data (email, name, language, login activity).
Patient records (names, tooth charts, shade codes, lab orders, notes) are entered by dentists into their own clinic. For that data the dentist's clinic is the controller and tuth.app is the processor under GDPR Article 28. The Data Processing Agreement at /dpa governs that relationship.
3. What we collect, and why
Account data: email, display name, preferred language, hashed session tokens, audit log of sign-ins. Lawful basis: contract performance.
Clinic data: clinic name, lab contacts, team invitations, role assignments. Lawful basis: contract performance.
Patient case data entered by dentists: first/last name, optional patient number, prosthetic case fields (work type, tooth, shade, dates, notes). This is health data within the meaning of GDPR Article 9. Lawful basis: Article 9(2)(h) — necessary for the provision of dental care, processed under the dentist's professional obligation of confidentiality.
Operational data: HTTP request logs, error traces, security audit events. Retained for 90 days, used only to keep the service running and to investigate abuse.
4. Where your data lives
All application data is stored in the European Union. Hosting and the database are operated in the European Union by Scaleway (Paris). Transactional email goes through Scaleway Transactional Email Manager, also EU-hosted.
We do not transfer personal data outside the EU/EEA. We do not sell data to third parties. We do not use behavioural advertising trackers.
5. Subprocessors
Scaleway SAS — application hosting, database, transactional email. Region: Paris, France.
We will update this list before adding any new subprocessor that processes personal data.
6. Retention
Active accounts: data retained for the lifetime of the account.
Closed accounts: clinic data is retained for 30 days after closure to allow recovery, then permanently deleted from active storage. Encrypted backups expire within 90 days.
Audit and security logs: 90 days.
7. Your rights under GDPR
Account holders may exercise their rights of access, rectification, erasure, restriction, portability, and objection at any time by writing to tuth@yet.lu.
Patients should contact their dentist's clinic directly — the clinic is their controller. We will assist any clinic that asks us to facilitate a patient request.
You also have the right to lodge a complaint with your national data protection authority. In Luxembourg this is the Commission nationale pour la protection des données (CNPD) — https://cnpd.public.lu.
8. Security
Data is encrypted in transit (TLS) and at rest. Tenant isolation is enforced at the database row level. Access to production is limited to named maintainers with multi-factor authentication. We will notify affected customers within 72 hours of becoming aware of any personal data breach.
9. Cookies
We use only strictly necessary cookies for authentication and locale preference. We do not use marketing or analytics cookies. No consent banner is required under the ePrivacy Directive for this kind of usage.
10. Changes to this policy
We will post any material change here with an updated revision date and notify active account holders by email at least 30 days before it takes effect.
Have a question? Write to us at tuth@yet.lu.