Last updated: 4 November 2025

1. About this policy

This privacy policy explains how Luxadent AB ("Luxadent", "we", "us", "our") processes personal data when you:

1. Book an appointment or become a patient at one of our clinics.

2. Visit our website luxadent.se, any campaign pages, or use our digital services (e.g., booking widget from Muntra).

3. Contact us via email, phone, chat, or form.

4. Receive marketing from us, such as newsletters, social media ads, or tailored offers.

The policy describes what personal data we collect, for what purposes, the legal bases we rely on, and what rights you have under the General Data Protection Regulation (GDPR) and the Patient Data Act.

2. Personal data we process

Situation

Categories of personal data

Purpose

Legal basis

Storage duration*

Appointment booking (web, phone, email)

Name, personal ID number, contact information (email, phone), booking history, reason for visit

Administer and confirm bookings

Consent (art. 6.1 a)

24 months after last contact or until consent is withdrawn

Patient records

Health data, medical history, diagnoses, procedures, X-rays, payment information

Provide safe dental care, fulfill legal obligations

Legal obligation (art. 6.1 c) & public interest (art. 9.2 h)

At least 10 years according to the Patient Data Act

Customer service cases

Name, contact details, case history, any health data

Respond to inquiries and complaints

Legitimate interest (art. 6.1 f)

3 years after case closed

Web statistics & security

IP address, device ID, session ID, cookie identifiers, logs

Operation, troubleshooting, security and improvement of website

Legitimate interest

26 months (Google Analytics), see Cookie Policy

Marketing & newsletters

Name, email, phone, address, purchase history, segmentation, interactions

Send targeted offers, customer communication, customize ads (including Meta Custom Audiences)

Consent / legitimate interest

Until you unsubscribe or 24 months after last interaction

*In the event of an ongoing dispute or legal requirement, data may be retained longer.

2.1 Sensitive personal data

Health data is processed solely in the patient records supported by the Patient Data Act and GDPR art. 9.2 h. Only authorized healthcare personnel have access.

3. How we collect data

• Directly from you when you fill in forms, call, or visit the clinic.

• Automatically through cookies and similar technologies – see our Cookie Policy.

• Third parties like our booking system Muntra or payment solutions.

4. Recipients of data

Recipient category

Example

Purpose

Country / Protection mechanism

IT providers

Muntra (medical record system), Microsoft 365, One.com

Operation, storage

EU/EES

Cloud & hosting

Amazon Web Services

Web & data hosting

EU regions, SCC

Payment & debt collection services

Klarna, Swedbank Pay

Payment & invoicing

EU/EES

Marketing partners

Meta Platforms Ireland (Facebook/Instagram), Google LLC

Ads, Custom Audiences

USA, DPF / SCC

Authorities

Försäkringskassan, Tax Agency, IMY

Laws & supervision

Sweden

We never sell your personal data to third parties.

4.1 Transfers to third countries

When we use Meta Custom Audiences or other tools with servers in the US, a transfer occurs outside the EU/EES. We then rely on the EU-US Data Privacy Framework or the EU Commission's Standard Contractual Clauses to ensure an adequate level of protection.

5. Profiling and automated decisions

We may segment customers into target groups (e.g., based on treatment history or location) to display relevant marketing. This constitutes profiling but does not involve any automated decisions with legal or similar significant consequences for you.

6. Storage times

We never keep personal data longer than necessary. See the tables above for specific periods. Accounting material is kept for 7 years according to the Accounting Act. When storage is no longer justified, the data is deleted or anonymized securely.

7. Your rights

You have the right to:

1. Request access to the personal data we process about you.

2. Have incorrect data corrected or completed.

3. Request erasure in certain cases.

4. Restrict processing under certain circumstances.

5. Object to processing based on legitimate interest.

6. Retrieve data in a structured format (data portability) where the processing is based on consent or agreement.

7. Withdraw consent at any time without affecting the legality of processing before consent was withdrawn.

8. Submit complaints to the Swedish Privacy Protection Authority (IMY) if you believe we are processing your data incorrectly.

8. Information security

We employ appropriate technical and organizational measures, including access control, encryption, and logging, to protect personal data against unauthorized access, loss, or alteration. All record-keeping occurs in accordance with the regulations of the National Board of Health and Welfare and the Patient Data Act.

9. Direct marketing and cookies

You can unsubscribe from newsletters at any time via the link in each dispatch or by contacting us as below. Cookie settings are adjusted via the tool on the website. More information can be found in our Cookie Policy.

10. Contact details

Data Controller: Luxadent AB
Org.no: 559252-9886
Address: Hyllie Boulevard 13C, 215 32 Malmö
Email: info@luxadent.se
Phone: 040-123 456

Data Protection Officer: privacy@luxadent.se

11. Changes to the policy

We may occasionally update this privacy policy. The latest version is always available at luxadent.se. In the event of significant changes, we will inform you via email or on the website.

Adopted: 4 November 2025