Privacy statement

PRIVACY POLICY (GDPR) – WHAT DENTIST

Last updated: 23.02.2026

1) WHO WE ARE (DATA CONTROLLER)

The controller of personal data in relation to the use of the website www.stomatolog-online.com and the management of patient inquiries is:

Putnička agencija Adriatic Health & Care Travel Agency d.o.o.
Registered office: Osječka 78, 51000 Rijeka, Croatia
OIB: 25415719036
E-mail: info@stomatolog-online.com

This Privacy Policy applies to website visitors as well as to individuals who send us inquiries (via form, e-mail, phone, chat, or other communication channels we make available).

2) DATA PROTECTION OFFICER (DPO)

Data Protection Officer (DPO): Iva Petris
Contact: dpo@stomatolog-online.com

3) WHAT WE DO AND ROLES (US AND THE CLINICS)

What Dentist is an informational and intermediation platform that collects patient inquiries and forwards them to dental clinics listed on the website, based on the patient’s choice or the requirements specified by the patient.

• We (Data Controller) process personal data in order to receive the inquiry, contact the patient, manage the case, and forward the request to the selected clinic(s).
• The clinics to which the inquiry is forwarded generally act as independent data controllers for further activities (contacting the patient, appointment booking, treatments, issuing offers, medical documentation, etc.). Their own privacy policies apply to such processing.

4) WHAT DATA WE COLLECT / PROCESS

Depending on how you contact us and the content of your inquiry, we may process:

A) Identification and contact data:

• first and last name (if provided)
• e-mail address
• phone number
• city/location (if provided)

B) Data related to the inquiry and preferences:

• content of the inquiry and requested service
• preferred clinic or location
• preferred time / time slot for contact
• other information you voluntarily provide

C) Health data and medical documentation (special categories of data):

• photographs, medical reports, X-rays, symptom descriptions, etc., if voluntarily provided

D) Communication data:

• e-mail correspondence
• call data (date/time, duration)
• call recordings (only if you have been informed in advance and recording is active)
• communications via chat / WhatsApp / other channels if used

E) Review-related data:

• content of the review/comment and rating
• identity indicated in the review (name/nickname)

F) Technical and website usage data:

• IP address
• browser and device type
• access logs, cookies, and identifiers (depending on your settings)

We do not request or wish to receive more personal data than is necessary to manage your inquiry.

5) HOW WE COLLECT DATA

We collect data:

• directly from you (website form, e-mail, phone, chat, WhatsApp, etc.)
• indirectly (e.g., if the clinic informs us about the status of the inquiry/appointment, only to the extent necessary for case management and user support)

6) PURPOSES OF PROCESSING AND LEGAL BASES (ART. 6 AND ART. 9 GDPR)

6.1. Receiving and managing inquiries, contacting you, case management
Purpose: to manage your inquiry and communicate with you.
Legal basis: Art. 6(1)(b) GDPR – performance of pre-contractual measures at your request / provision of the requested service (intermediation and contact organization).

6.2. Forwarding inquiries to selected clinic(s)
Purpose: to enable the clinic to prepare an offer, respond to your inquiry, and arrange a visit/appointment.
Legal basis: Art. 6(1)(b) GDPR.

6.3. Processing health data (if voluntarily provided)
Purpose: to forward relevant information to the clinic and facilitate handling of your inquiry.
Legal basis: Art. 6(1)(a) GDPR – consent, and Art. 9(2)(a) GDPR – explicit consent for processing special categories of data.
Note: We process health data only if you voluntarily provide it and when necessary for managing your inquiry.

6.4. Organization of additional services upon request (e.g., transport/accommodation) – if applicable
Purpose: to organize services you expressly request.
Legal basis: Art. 6(1)(b) GDPR.

6.5. Service improvement, statistics, and system security
Purpose: traffic analysis, functionality improvement, abuse prevention, and system security.
Legal basis: necessary (functional) cookies: Art. 6(1)(f) GDPR (legitimate interest) and/or necessity for website functionality; analytical/marketing cookies (if used): Art. 6(1)(a) GDPR – consent via cookie banner/settings.

6.6. Sending offers and promotional communications (marketing)
Purpose: sending promotional communications.
Legal basis: Art. 6(1)(a) GDPR – consent (revocable at any time).

6.7. Publication of reviews
Purpose: publishing user experiences to inform other users.
Legal basis: Art. 6(1)(a) GDPR – consent through voluntary submission of the review for publication.
Advice: Do not include health data or third-party personal data in your review.

7) MANDATORY NATURE OF DATA PROVISION AND CONSEQUENCES

Providing personal data is voluntary. However, to receive and manage your inquiry and forward it to a clinic, basic contact data (e.g., e-mail and/or phone number) and the content of your inquiry are required. Without this data, we cannot process your request.
Providing additional data (e.g., city/location, further preferences) and medical documentation/health data is voluntary.

8) RECIPIENTS OF DATA (WHO WE SHARE DATA WITH)

8.1. Clinics

• dental clinics selected by you or matching your request, for the purpose of establishing contact and managing the inquiry (to the necessary extent).

8.2. Our data processors (IT and operational support)

• hosting providers, maintenance providers, e-mail service providers, CRM systems, and communication tools (telephony, chat), strictly under our instructions and under a data processing agreement (DPA).

8.3. Marketing agency (if involved)

• solely as a data processor and only as necessary (e.g., campaign analysis), under DPA and confidentiality obligations.

8.4. Transport/accommodation/tourism partners (if requested)

• exclusively if you request such services and only to the extent necessary for their provision.

8.5. Public authorities

• when required by applicable law or upon legitimate request.

9) TRANSFERS TO THIRD COUNTRIES (OUTSIDE THE EEA)

If we use service providers that process or store data outside the European Economic Area (EEA), such transfers will be carried out with appropriate safeguards under the GDPR (e.g., Standard Contractual Clauses) and, where necessary, additional protective measures.

10) RETENTION PERIOD

We retain data only as long as necessary for the purposes described, and at most as follows (unless longer retention is required by law or for the establishment, exercise, or defense of legal claims):

• Inquiry and communication data (without medical documentation): up to 24 months from the last case activity.
• Data relating to inquiries involving additional services or procedures requiring legal protection: up to 5 years from completion.
• Medical documentation and health data: up to 12 months from completion of case handling, unless earlier deletion is requested or longer retention is necessary for legal claims.
• Call recordings (if recorded): up to 6 months (or less per internal policy), unless needed for complaints/disputes.
• Reviews: as long as the clinic is listed or until removal is requested, unless earlier removal is required.
• Technical logs: generally up to 12 months.

11) YOUR RIGHTS

• request access to your data and obtain a copy
• request rectification of inaccurate data
• request erasure (“right to be forgotten”) where applicable
• request restriction of processing
• object to processing based on legitimate interest
• request data portability where processing is based on consent or contract and carried out by automated means
• withdraw consent at any time (without affecting the lawfulness of processing prior to withdrawal)

12) HOW TO EXERCISE YOUR RIGHTS

To exercise your rights, contact:
dpo@stomatolog-online.com (DPO – Iva Petris)

For privacy protection, we may require reasonable identity verification before responding.
We respond within GDPR deadlines (generally within 1 month).

13) RIGHT TO LODGE A COMPLAINT WITH A SUPERVISORY AUTHORITY (AZOP)

If you believe your data has been processed unlawfully, you have the right to lodge a complaint with the competent supervisory authority:
Agencija za zaštitu osobnih podataka (AZOP)

14) COOKIES AND ANALYTICS

We use cookies to ensure proper website functionality and (depending on your choice) for analytics and service improvement.
Analytical tools (e.g., Google Analytics) are activated only in accordance with your cookie settings/consent, where applicable.
You may modify cookie settings via the “Cookie Settings” tool on the website (if available) or via your browser settings.

15) AUTOMATED DECISION-MAKING AND PROFILING

We do not carry out automated decision-making (including profiling) that produces legal effects or similarly significantly affects you.

16) EXTERNAL PLATFORMS (E.G., WHATSAPP AND SOCIAL MEDIA)

If you contact us via WhatsApp or communicate through social media, processing also takes place in accordance with those platforms’ privacy policies. We recommend reviewing their policies before use.

17) MINORS

The service is not intended for individuals under 16 years of age. If you are under 16, do not provide personal data without parental or guardian consent.

18) SECURITY

We implement appropriate technical and organizational measures (access control, authorization limitations, backups, secure communication channels, etc.) to protect personal data against unauthorized access, loss, or misuse.

19) CHANGES TO THIS PRIVACY POLICY

We may periodically update this Privacy Policy. The updated version will be published on this website with the date of the last update.