EU Data Protection Governance
GDPR Compliance
Effective Date: May 15, 2026. This page outlines how DentistExpand implements GDPR-aligned controls across platform and data operations.
1. GDPR Scope and Commitment
DentistExpand applies GDPR-aligned governance to processing activities that involve personal data of individuals in the EU/EEA.
This page summarizes our operational approach to lawful processing, rights handling, and accountability controls for business data workflows.
2. Roles and Responsibilities
Depending on context, DentistExpand may operate as a controller for core account and website operations, and as a processor/service provider for selected customer-configured workflows.
Role allocation is determined by processing purpose, operational control, and contract terms.
3. Lawful Bases for Processing
Where GDPR applies, each processing activity is mapped to a lawful basis under GDPR Article 6, such as legitimate interests, contractual necessity, or a legal obligation.
Lawful basis evaluation is documented at workflow level and reviewed when product capabilities or processing purposes materially change.
4. Data Categories and Minimization
We process only categories relevant to service delivery, including account information, billing records, support interactions, and professional business-contact attributes in eligible data products.
Data minimization principles are applied through schema design, field review, and retention controls.
5. Purpose Limitation
Processing is limited to defined business purposes such as order fulfillment, platform operations, customer support, security controls, and service improvement.
Use outside these defined purposes requires a governance review and appropriate legal basis.
6. Data Subject Rights Operations
We maintain procedures for handling access, correction, deletion, restriction, objection, and portability requests where applicable.
Requests are logged, identity-verified, routed, and resolved within the statutory timeline (one month under GDPR, extendable where the Regulation permits), subject to legal exceptions.
7. Suppression and Objection Controls
Where objections or opt-out requests are received, suppression controls are applied to prevent future use in relevant workflows.
Suppression records are retained only as needed to honor rights requests and ensure continued compliance.
8. Security and Confidentiality Measures
We use layered technical and organizational controls, including access governance, encrypted transport, environment-level monitoring, and least-privilege enforcement.
Security controls are reviewed periodically and updated based on risk posture, vendor changes, and operational requirements.
9. International Data Transfers
Where cross-border processing occurs, we apply transfer safeguards appropriate to applicable legal frameworks and vendor arrangements.
Transfer risk considerations are included in vendor onboarding and periodic compliance reviews.
10. Retention and Deletion Governance
Retention is governed by purpose, legal requirements, contractual obligations, and security needs. Records are deleted or de-identified when no longer required.
Retention schedules are maintained by data category and reviewed for proportionality.
11. Vendor and Subprocessor Oversight
Service providers are selected under security and privacy due diligence standards and are expected to operate under contractual data-protection obligations.
Subprocessor scope is limited to operational necessity and monitored through governance controls.
12. Incident Readiness and Response
We maintain documented incident response workflows covering detection, triage, containment, remediation, and post-incident review.
Where legally required, affected individuals and supervisory authorities are notified in line with applicable breach reporting obligations, including the 72-hour supervisory-authority notification window under GDPR Article 33 where it applies.
13. Contact for GDPR Requests
For GDPR-related rights requests or governance inquiries, contact us via our Contact Us page and include the subject line: GDPR Request.