Privacy Policy – bleach.dental

Last Updated: 28.12.2025

This Privacy Policy (the “Policy”) explains how PIPEXE OÜ (registry code 17216141), Tornimäe tn 5, Kesklinna linnaosa, Tallinn, Harju maakond, Estonia (“PIPEXE OÜ”, “we”, “us”, “our”) collects, uses, shares, and protects personal data when you use https://www.bleach.dental/ (the “Site” or “Service”).

We process personal data in accordance with applicable data protection laws, including the EU General Data Protection Regulation (GDPR) and applicable national laws.

1) Scope and acceptance

By using the Service, you acknowledge that you have read and understood this Policy. If you do not agree, do not use the Service.

If you upload or provide personal data about another person (for example, a patient), you confirm that you have a lawful basis to do so (including any required consents) and that you have informed them appropriately.

2) Roles: Controller and Processor

• Individual users / direct customers: PIPEXE OÜ generally acts as a data controller for personal data processed to operate the Service (accounts, billing, support, security).
• Clinics uploading patient data: The clinic is typically the data controller, and PIPEXE OÜ acts as a data processor to provide the Service on the clinic’s instructions, to the extent applicable.

If you are a clinic and require a Data Processing Agreement (DPA), contact us using the details in Section 12.

3) Personal data we collect

We collect the following categories of data:

A. Account and contact data

• Email address, name (if provided), account identifiers
• Records of Terms/Policy acceptance (timestamp, version, user ID)
• Messages you send us (support requests, emails)

B. User Content and outputs

• Photos and inputs you upload (e.g., smile/teeth images)
• Generated Simulations and related metadata

Important: Depending on context, photos and Simulations used for dental visualization may be considered health-related data under GDPR. We treat such data as sensitive and apply heightened safeguards.

C. Payments and billing data

• Subscription status, plan information, Credits usage, invoices
• Payment processors may handle payment method details (e.g., card numbers). We generally store only transaction references and billing identifiers.

D. Technical and usage data

• IP address, device/browser information, operating system
• Log data (date/time, pages/actions, errors)
• Security signals (fraud indicators, suspicious activity patterns, rate-limit events)

E. Cookies and similar technologies
We use cookies for authentication, security, preferences, and (where enabled) analytics. See Section 10.

4) How we use personal data

We use personal data to:

1. Provide the Service

• Create and manage accounts and sessions
• Generate Simulations from uploaded inputs
• Store content and outputs for access and history (depending on your plan)

2. Security and abuse prevention

• Detect and prevent fraud, scraping, account sharing, and suspicious activity
• Enforce rate limits and protect the Service

3. Support and communications

• Respond to inquiries and provide customer support
• Send important service messages (e.g., changes to Terms/Policy, security notices)

4. Billing and administration

• Process subscriptions and payments, manage Credits, and issue invoices

5. Service maintenance and improvement

• Monitor performance, troubleshoot, fix bugs, and improve reliability and user experience
• Review certain outputs for quality assurance and security

AI training clarification: We do not use your uploaded photos or other User Content to train third-party AI models unless explicitly stated in this Policy or you separately consent where required by law.

5) Legal bases for processing (GDPR)

We rely on one or more of the following legal bases, depending on the situation:

• Contract necessity: to provide the Service (accounts, simulations, billing, support).
• Legitimate interests: to secure the Service, prevent abuse/fraud, improve reliability, and maintain operations.
• Consent: where required (e.g., certain cookies, and certain sensitive-data processing depending on context).
• Legal obligation: to meet legal and regulatory requirements (e.g., accounting/tax, lawful requests).

If you are a clinic uploading patient data, you are responsible for ensuring you have an appropriate legal basis (often explicit consent or another lawful basis under applicable law).

6) How we share personal data

We do not sell your personal data.

We may share data with:

A. Service providers (subprocessors)
We use trusted vendors to provide hosting, storage, AI processing, payments, analytics/monitoring, and support tooling. These providers process data only on our instructions and are bound by confidentiality and security obligations.

B. Legal and safety disclosures
We may disclose data where necessary to comply with law, respond to lawful requests, enforce our Terms, or protect the rights, safety, and security of PIPEXE OÜ, our users, or the public.

C. Business transfers
Personal data may be transferred as part of a merger, acquisition, financing, reorganization, or sale of assets, subject to applicable law.

D. Third-party links
The Site may link to third-party websites. Their privacy practices are governed by their own policies.

7) Free Credits and related processing

Our Terms state that Simulations generated using Free Credits are owned by PIPEXE OÜ. For privacy purposes, this means we may store and reuse those Free-Credit Simulations for:

• Platform operation
• Security and fraud prevention
• Quality assurance
• Product improvement

We will not publicly use patient-identifiable content for marketing without appropriate consent or a lawful basis.

8) Data retention

We retain personal data only as long as necessary for the purposes described above:

• Account data: for as long as your account is active and as needed to provide the Service.
• Account Deletion and Data Retention Policy: When you request to delete your account, Pipexe OU will permanently erase your profile, usage history, and associated personal data from our active systems, subject to the limited exceptions outlined below.
  
  1. Retention for Security and Promotional Fairness: Upon account deletion, we do not completely erase your email address. We retain your email address (stored securely via a one-way cryptographic hash) on a restricted internal blocklist. We retain this specific identifier under the legal basis of our legitimate business interests strictly for the following purposes:
  
  Preventing Promotional Abuse: To ensure fairness for all users, we may offer promotional credits, free trials, or introductory features to new accounts. Retaining your email address prevents the abuse of these systems by stopping individuals from repeatedly deleting and recreating accounts to fraudulently accumulate credits.
  
  Security & Platform Integrity: To protect our application from malicious activity, spam, and other violations of our Terms of Service.
  
  2. No Account Recreation: To maintain the security and fairness of our platform, account deletion is a final and irreversible action. Because we must protect our promotional credit systems from exploitation, once your account is deleted, you will not be permitted to register a new account using the same email address in the future.
  
  3. Isolation of Retained Data: Your retained email address is strictly isolated from all marketing, analytics, and active operational databases. It will never be used to contact you, nor will it be shared with third parties for commercial purposes. It exists solely as an automated security measure to block subsequent registration attempts.
• Uploaded photos and Simulations: retained to provide access/history unless deleted (where supported) or requested, subject to legal and operational requirements.
• Logs/security records: retained for a limited period for security, fraud prevention, and troubleshooting.
• Billing records: retained as required by tax and accounting laws.

If you request deletion, we will delete or anonymize data where feasible, unless we must retain it for legal obligations or legitimate interests (e.g., fraud prevention, accounting).

9) International transfers

Your data may be processed outside the EEA depending on where our providers operate. Where required, we use appropriate safeguards such as Standard Contractual Clauses (SCCs) or other lawful transfer mechanisms.

10) Cookies

We use cookies and similar technologies for:

• Strictly necessary purposes (authentication, security, session management)
• Preferences (settings)
• Analytics (where enabled and where required by law, with consent)

You can manage cookies via your browser settings. Disabling cookies may affect key features such as login.

11) Your rights

Depending on your location and applicable law, you may have rights to:

• Access, correct, or delete your personal data
• Object to or restrict processing
• Data portability
• Withdraw consent (where processing is based on consent)
• Lodge a complaint with a Data Protection Authority (DPA)

If we process data as a processor for a clinic, requests may need to be directed to the clinic (the controller). We will assist as required.

12) Contact

For privacy questions or requests, contact:

PIPEXE OÜ (registry code 17216141)
Tornimäe tn 5, Kesklinna linnaosa, Tallinn, Harju maakond, Estonia
Email: support@bleach.dental

13) Security

We apply appropriate technical and organizational measures designed to protect personal data. However, no internet transmission or storage system can be guaranteed 100% secure.

14) Changes to this Policy

We may update this Policy from time to time. If changes are material, we will post a prominent notice on the Site and/or notify you where appropriate. Continued use after updates means you accept the revised Policy.