GDPR Compliance Statement

Effective Date: January 10, 2026

Our Commitment to GDPR

ScopeMe is committed to protecting your privacy and complying with the General Data Protection Regulation (GDPR), the EU’s comprehensive data protection law.

This statement explains how we comply with GDPR principles and protect your rights.

GDPR Principles We Follow

1. Lawfulness, Fairness, and Transparency

We process your data lawfully based on:

  • Your explicit consent
  • Contract performance (providing our services)
  • Legal obligations
  • Legitimate interests (balanced against your rights)

We are transparent about:

  • What data we collect
  • Why we collect it
  • How we use it
  • Who we share it with

2. Purpose Limitation

We collect data only for specified, explicit purposes:

  • Providing AI-powered consultations
  • Connecting you with healthcare providers
  • Improving our services
  • Complying with legal requirements

We do not use your data for incompatible purposes without your consent.

3. Data Minimization

We collect only the data necessary for our purposes:

  • No excessive data collection
  • Only relevant information requested
  • Regular reviews to minimize data collected

4. Accuracy

We maintain accurate and up-to-date data:

  • You can update your information anytime
  • We verify data accuracy where possible
  • Outdated data is corrected or deleted

5. Storage Limitation

We retain data only as long as necessary:

  • Active accounts: Duration of use + 6 months
  • Medical records: 7 years (legal requirement)
  • Marketing data: 2 years or until consent withdrawn
  • Legal compliance: As required by law

6. Integrity and Confidentiality

We protect your data with appropriate security:

  • End-to-end encryption for consultations
  • AES-256 encryption for stored data
  • TLS/SSL for data transmission
  • Regular security audits
  • Access controls and authentication

7. Accountability

We demonstrate compliance through:

  • This GDPR Compliance Statement
  • Regular data protection impact assessments
  • Documentation of processing activities
  • Training for our staff
  • Contracts with data processors

Special Categories of Data (Health Data)

ScopeMe processes special categories of data under GDPR Article 9, specifically health-related information.

Legal Basis for Processing Health Data

We process health data based on:

  1. Explicit consent: You provide clear, informed consent for specific purposes
  2. Healthcare provision: Processing is necessary for healthcare services (Article 9(2)(h))
  3. Public health: In the public interest for health purposes (Article 9(2)(i))

Extra Protections for Health Data

Health data receives enhanced protection:

  • ✅ Higher encryption standards
  • ✅ Stricter access controls
  • ✅ Additional staff training
  • ✅ Regular security assessments
  • ✅ Limited retention periods

Your GDPR Rights

1. Right to Be Informed

You have the right to know:

  • What data we collect
  • How we use it
  • Who we share it with
  • How long we keep it

How to exercise: Read our Privacy Policy

2. Right of Access

You have the right to:

  • Request a copy of your personal data
  • Receive data in a readable format
  • Understand how we process your data

How to exercise: Email smile@antlaradental.com with subject “Data Access Request”

Response time: Within 30 days

3. Right to Rectification

You have the right to:

  • Correct inaccurate personal data
  • Complete incomplete information
  • Update outdated data

How to exercise:

Response time: Immediate (account) or within 30 days (email request)

4. Right to Erasure (“Right to Be Forgotten”)

You have the right to request deletion of your data when:

  • Data is no longer necessary for its purpose
  • You withdraw consent
  • You object to processing
  • Data was processed unlawfully

Exceptions: We may retain data if required by law (e.g., medical records retention)

How to exercise:

Response time: Within 30 days

5. Right to Restrict Processing

You have the right to limit how we use your data when:

  • You contest the accuracy of data
  • Processing is unlawful but you don’t want deletion
  • We no longer need the data but you need it for legal claims
  • You’ve objected to processing (pending verification)

How to exercise: Email smile@antlaradental.com with subject “Restrict Processing”

6. Right to Data Portability

You have the right to:

  • Receive your data in a structured, machine-readable format (e.g., JSON, CSV)
  • Transfer your data to another service

How to exercise: Email smile@antlaradental.com with subject “Data Portability Request”

What you’ll receive:

  • Personal information
  • Consultation records
  • Appointment history
  • Communication transcripts

7. Right to Object

You have the right to object to processing based on:

  • Legitimate interests
  • Direct marketing
  • Profiling and automated decision-making

How to exercise:

8. Rights Related to Automated Decision-Making

You have the right to:

  • Not be subject to solely automated decisions with significant effects
  • Request human review of automated decisions
  • Challenge automated decisions

ScopeMe’s automated processing:

  • AI consultation routing
  • Appointment recommendations
  • Language detection and translation

How to exercise: Email smile@antlaradental.com to request human review

Data Protection Officer (DPO)

DPO Contact: smile@antlaradental.com
Responsibilities:

  • Monitoring GDPR compliance
  • Advising on data protection
  • Cooperating with supervisory authorities
  • Acting as contact point for data subjects

Data Processing Activities

Data Controller

ScopeMe / Antlara Dental is the data controller for:

  • Patient/user data
  • Consultation records
  • Account information
  • Platform usage data

Responsibilities:

  • Determining purposes of processing
  • Ensuring lawful processing
  • Implementing security measures
  • Respecting data subject rights

Data Processors

We work with third-party processors for:

Cloud Hosting:

  • Provider: [AWS / Google Cloud / Azure]
  • Location: EU data centers
  • Processing: Data storage and hosting

AI Services:

  • Provider: [OpenAI / Anthropic / Custom]
  • Processing: Natural language processing, voice/video AI

CRM Integration:

  • Providers: Various clinic CRM systems
  • Processing: Appointment data synchronization

All processors:

  • ✅ Sign data processing agreements (DPAs)
  • ✅ Implement appropriate security measures
  • ✅ Process data only on our instructions
  • ✅ Assist with GDPR compliance

International Data Transfers

EU to Non-EU Transfers

When transferring data outside the EU/EEA, we ensure adequate protection through:

  1. EU Standard Contractual Clauses (SCCs)
  2. Adequacy decisions (for countries deemed adequate by EU Commission)
  3. Binding Corporate Rules (where applicable)
  4. Privacy Shield (if reinstated for US transfers)

Current Transfer Mechanisms

  • Cloud storage: EU-based data centers preferred
  • AI processing: [Specify if EU or adequacy-based]
  • CRM data: Depends on clinic location

Data Security Measures

Technical Measures

  • End-to-end encryption (E2EE) for video/voice
  • AES-256 encryption at rest
  • TLS 1.3 encryption in transit
  • Multi-factor authentication (MFA)
  • Regular penetration testing
  • Automated vulnerability scanning

Organizational Measures

  • Staff confidentiality agreements
  • GDPR training for all employees
  • Access controls (role-based)
  • Incident response plan
  • Regular security audits
  • Data protection impact assessments (DPIAs)

Data Breach Procedures

In case of a personal data breach:

Our Obligations

Within 72 hours:

  • Notify relevant supervisory authority
  • Assess breach severity and impact

Without undue delay:

  • Notify affected individuals (if high risk)
  • Document the breach
  • Take mitigation measures

What We’ll Tell You

If you’re affected, we’ll inform you about:

  • Nature of the breach
  • Likely consequences
  • Measures taken to address it
  • Contact point for questions

Children’s Privacy

ScopeMe does not target or knowingly collect data from children under 16 (or applicable age in your country).

If we discover we’ve collected data from a child:

  • We delete it immediately
  • We notify parents/guardians if identifiable

Parental consent: Required for users under 16 in EU countries (or higher age if national law requires)

Supervisory Authorities

You have the right to lodge a complaint with a supervisory authority:

EU/EEA Residents

Contact your local data protection authority:

  • List: https://edpb.europa.eu/about-edpb/board/members_en

Data Protection Impact Assessments (DPIAs)

We conduct DPIAs for high-risk processing activities:

Assessed activities:

  • AI-powered health consultations
  • Cross-border data transfers
  • Large-scale health data processing
  • Automated decision-making

DPIA findings inform:

  • Risk mitigation measures
  • Security implementations
  • Processing limitations
  • Data subject safeguards

Regular Compliance Reviews

We regularly review our GDPR compliance:

Quarterly:

  • Data processing inventory updates
  • Security measure assessments
  • Processor agreement reviews

Annually:

  • Full GDPR compliance audit
  • Staff training refreshers
  • Policy updates
  • DPIA reviews

Contact

Antlara Dental

Address: Zümrütova, Sinanoğlu Cd. No:53A, Muratpaşa/Antalya, Türkiye
Email: smile@antlaradental.com
Phone: +90530 202-6868

Updates to This Statement

We may update this GDPR Compliance Statement to reflect:

  • Legal changes
  • New processing activities
  • Enhanced security measures

We will notify you of changes by:

  • Updating this page
  • Sending email notifications
  • Displaying prominent notices

Last Updated: January 10, 2026

ScopeMe is committed to ongoing GDPR compliance and protecting your privacy rights.