Privacy Policy

PRIVACY POLICY FOR LUXADENT AB

Last updated: May 20, 2026


  1. ABOUT THIS POLICY

This privacy policy explains how Luxadent AB ("Luxadent", "we", "us", "our") processes personal data when you:

  • Book an appointment or become a patient at one of our clinics.

  • Visit our website luxadent.se, any campaign pages, or use our digital services (e.g., booking widget from Muntra).

  • Contact us via email, phone, chat, or forms.

  • Receive marketing from us, such as newsletters, SMS, social media ads, or tailored offers.

The policy describes what personal data we collect, for what purposes, the legal bases we rely on, and what rights you have under the General Data Protection Regulation (GDPR) and the Patient Data Act.

Luxadent only accepts patients aged 18 and older.


  2. PERSONAL DATA WE PROCESS

Appointment booking (web, phone, email)
  • Data: Name, personal identity number, contact details (email, phone), booking history, reason for the visit.
  • Purpose: Administer and confirm bookings, prepare treatment.
  • Legal basis: Contract or pre-contractual measures (Art. 6.1 b).
  • Retention period: 24 months after the last visit.

Patient record
  • Data: Health data, medical history, diagnoses, measures, X-rays, payment information.
  • Purpose: Provide safe dental care and fulfill legal obligations.
  • Legal basis: Legal obligation (Art. 6.1 c) and care and treatment (Art. 9.2 h).
  • Retention period: At least 10 years according to the Patient Data Act Chapter 3, Section 17.

Customer service inquiries
  • Data: Name, contact details, case history, potential health data.
  • Purpose: Answer questions and complaints.
  • Legal basis: Legitimate interest (Art. 6.1 f).
  • Retention period: 3 years after the case is closed.

Web statistics and security
  • Data: IP address, device ID, session ID, cookie identifiers, logs.
  • Purpose: Operation, troubleshooting, security, and improvement of the website.
  • Legal basis: Legitimate interest (Art. 6.1 f), or consent for non-essential cookies.
  • Retention period: 26 months (Google Analytics), see Cookie Policy.

Newsletter and SMS mailings to existing patients
  • Data: Name, email, phone, treatment history on a general level.
  • Purpose: Information and offers about similar services.
  • Legal basis: Legitimate interest / so-called soft opt-in according to the Marketing Act Section 19.
  • Retention period: Until you unsubscribe or 24 months after the last interaction.

Newsletter and SMS mailings to non-patients
  • Data: Name, email, phone.
  • Purpose: Marketing.
  • Legal basis: Consent (Art. 6.1 a).
  • Retention period: Until consent is withdrawn or 24 months after the last interaction.

Feedback and review SMS after visit
  • Data: Name, phone, visit date.
  • Purpose: Ask for feedback and review.
  • Legal basis: Legitimate interest (Art. 6.1 f).
  • Retention period: 12 months.

Social media advertising (Meta Custom Audiences, etc.)
  • Data: Hashed email and phone, behavioral data, potential visit data.
  • Purpose: Segmentation and targeted advertising.
  • Legal basis: Consent (Art. 6.1 a) via cookie banner.
  • Retention period: Until consent is withdrawn.

In the event of an ongoing dispute or legal requirement, data may be retained longer. Accounting material is kept for 7 years according to the Accounting Act Chapter 7, Section 2.

2.1 Personal Identity Number

We process personal identity numbers because this is required for secure identification within health and medical care, medical record keeping, and invoicing (Chapter 3, Section 10 of the Data Protection Act).

2.2 Sensitive Personal Data

Health data is processed only in the patient record, on the basis of the Patient Data Act and GDPR Art. 9.2 h. Only authorized healthcare personnel have access.


  3. HOW WE COLLECT DATA

Directly from you when you fill out forms, call, or visit the clinic.

Automatically through cookies and similar technologies – see our Cookie Policy.

From third parties, such as our booking system Muntra, payment providers, and forms on Meta platforms (Facebook/Instagram lead forms) when you have chosen to submit data there.


  4. RECIPIENTS OF DATA

Medical record and booking system (Muntra) – Processor – Booking and medical record keeping – EU/EEA.

IT and office platform (Microsoft 365, One.com) – Processor – Operation, storage, communication – EU/EEA.

Cloud and hosting (Amazon Web Services) – Processor – Web and data hosting – EU regions, SCC.

Payment and debt collection services (Klarna, Swedbank Pay) – Independent controller – Payment and invoicing – EU/EEA.

SMS provider (46elks) – Processor – Booking confirmations and review SMS – Sweden.

Marketing partners (Meta Platforms Ireland, Google LLC) – Joint controllers / independent controllers – Ads, Custom Audiences, measurement – USA, DPF / SCC.

Authorities (the Swedish Social Insurance Agency, the Swedish Tax Agency, IMY) – Independent controllers – Laws and supervision – Sweden.

We never sell your personal data to third parties.

4.1 Joint Controllership with Meta

When you visit our digital channels or interact with our advertisements, some collection takes place via Meta's pixel and Conversion API. Luxadent and Meta Platforms Ireland Limited are joint controllers for this collection pursuant to Art. 26 GDPR. Meta is solely responsible for the further processing in its own systems. More information can be found in Meta's data policy and in the Controller Addendum provided by Meta.

4.2 Transfers to Third Countries

When we use Meta Custom Audiences, Google Ads, or other tools with servers in the US, a transfer outside the EU/EEA takes place. We then rely on the EU-US Data Privacy Framework or the European Commission's Standard Contractual Clauses (SCC) to ensure an adequate level of protection.


  5. PROFILING AND AUTOMATED DECISION-MAKING

We may segment customers into target groups (e.g., based on treatment history or place of residence) to display relevant marketing. This constitutes profiling under the GDPR, but does not involve automated decisions with legal or similarly significant consequences for you.

You always have the right to object to profiling for direct marketing (Art. 21.2 GDPR). We will then immediately cease such processing.


  6. RETENTION PERIODS

We never keep personal data longer than necessary. See Section 2 for specific periods.

Patient records: at least 10 years according to the Patient Data Act Chapter 3, Section 17.

Accounting material: 7 years according to the Accounting Act Chapter 7, Section 2.

When retention is no longer justified, the data is deleted or anonymized in a secure manner.


  7. YOUR RIGHTS

You have the right to:

  • Request access to the personal data we process about you.

  • Have incorrect data corrected or supplemented.

  • Request erasure in certain cases (does not apply to data in patient records during statutory retention periods).

  • Restrict processing under certain circumstances.

  • Object to processing based on legitimate interest, and to any profiling for direct marketing purposes.

  • Receive data in a structured format (data portability) when processing is based on consent or contract.

  • Withdraw consent at any time without affecting the lawfulness of the processing before the consent was withdrawn.

  • Lodge a complaint with the Swedish Authority for Privacy Protection (IMY, imy.se) if you believe we are processing your data incorrectly.

To exercise your rights, please contact us using the details in Section 10.


  8. INFORMATION SECURITY

We use appropriate technical and organizational measures – including access control, encryption, and logging – to protect personal data against unauthorized access, loss, or alteration. All record keeping is done in accordance with the regulations of the National Board of Health and Welfare and the Patient Data Act.


  9. DIRECT MARKETING AND COOKIES

You can at any time:

  • Unsubscribe from newsletters via the link in each mailing.

  • Reply STOP to SMS mailings.

  • Object to all direct marketing, and to any profiling linked to it, by contacting us as set out below.

Cookie settings are adjusted via the tool on the website. More information can be found in our Cookie Policy.


  10. CONTACT DETAILS

Data Controller: Luxadent AB
Registration No.: 559252-9886
Address: Hyllie Boulevard 13C, 215 32 Malmö
Email: info@luxadent.se
Phone: [to be verified before publication]
Data Protection Officer: privacy@luxadent.se


  11. CHANGES TO THE POLICY

We may update this privacy policy from time to time. The latest version is always available on luxadent.se. In the event of material changes, we will inform you via email or on the website.


Adopted: May 20, 2026
