GDPR — Data Protection Information

Last updated: 3 July 2026

This page explains how BestOrto, operated by Vivid & Shine d.o.o., complies with Regulation (EU) 2016/679 (General Data Protection Regulation — GDPR). It applies to all personal data processed through the BestOrto platform.

1. Data Controller

Vivid & Shine d.o.o.
Siget 19c, 10000 Zagreb, Croatia
OIB: HR42225147864

Responsible person and Data Protection Contact:
Bruno Blumenschein
brunoblumen@gmail.com

2. Scope — Who Is Affected

BestOrto processes personal data of two categories of people:

  • Account holders (orthodontists) — professionals who register and use the BestOrto dashboard. Vivid & Shine d.o.o. is the data controller for this data.
  • Patients — individuals whose compliance data is entered by their treating orthodontist. The orthodontist is the data controller for patient data; Vivid & Shine d.o.o. acts as the data processor on their behalf.

3. Data We Process

Account holder data

  • Name, email address, encrypted password
  • Clinic name and subscription status
  • Login timestamps and session data
  • Billing history (payment amounts, dates — card data is held by Stripe, not us)

Patient data (processed on behalf of the orthodontist)

  • Name and WhatsApp phone number
  • Aligner treatment parameters (current aligner, total aligners, change interval, next change date)
  • Compliance feedback: fit ratings, photos uploaded by the patient, free-text notes
  • WhatsApp message delivery logs (direction, timestamp, delivery status)

4. Purpose and Legal Basis

PurposeLegal basis (Art. 6 GDPR)
Providing the BestOrto service to account holdersArt. 6(1)(b) — contract performance
Sending automated WhatsApp reminders to patientsArt. 6(1)(b) — contract performance (orthodontist's agreement with BestOrto)
Storing patient compliance feedbackArt. 6(1)(b) — contract performance
Processing subscription paymentsArt. 6(1)(b) — contract performance
Sending transactional emails (confirmation, password reset)Art. 6(1)(b) — contract performance
Security logging and fraud preventionArt. 6(1)(f) — legitimate interest
Compliance with legal obligations (e.g. accounting)Art. 6(1)(c) — legal obligation

5. Data Storage and Transfers

All personal data is stored within the European Union. Our primary database and file storage provider is Supabase, with servers located in Frankfurt, Germany (eu-central-1). No personal data is transferred to countries outside the EEA without appropriate safeguards.

WhatsApp messages are transmitted via Twilio's infrastructure. Twilio maintains EU data residency options and standard contractual clauses (SCCs) for any transfers to third countries.

6. Sub-processors

We use the following sub-processors under Data Processing Agreements (DPAs):

  • Supabase Inc. — database, authentication, file storage (EU region)
  • Twilio Inc. — WhatsApp Business API message delivery
  • Resend Inc. — transactional email delivery
  • Stripe Inc. — payment processing (does not receive patient data)

7. Data Retention

  • Account holder data — retained for the duration of the subscription, deleted within 90 days of account closure on request.
  • Patient records — retained as long as the patient record exists in the account.
  • Message logs — retained for 12 months.
  • Patient photos — retained as long as the related feedback record exists.
  • Billing records — retained for 7 years in accordance with Croatian accounting law (Zakon o računovodstvu).

8. Your Rights as a Data Subject

Under GDPR Articles 15–22, you have the following rights:

  • Right of access (Art. 15) — obtain a copy of all personal data we hold about you.
  • Right to rectification (Art. 16) — request correction of inaccurate data.
  • Right to erasure (Art. 17) — request deletion of your data, subject to legal retention obligations.
  • Right to restriction of processing (Art. 18) — request that we limit how we use your data.
  • Right to data portability (Art. 20) — receive your data in a structured, machine-readable format (JSON or CSV).
  • Right to object (Art. 21) — object to processing based on legitimate interest.
  • Right not to be subject to automated decision-making (Art. 22) — BestOrto does not make automated decisions with legal or similarly significant effects on individuals.

To exercise any of these rights, contact:
brunoblumen@gmail.com
We will respond within 30 days. We may ask you to verify your identity before processing the request.

9. Note for Orthodontists — Your Patients' Rights

As an orthodontist using BestOrto, you are the data controller for your patients' data. If one of your patients contacts you to exercise their GDPR rights (access, erasure, portability, etc.), you are responsible for responding to that request. You can delete, export, or update patient data directly from your BestOrto dashboard, or contact us for assistance.

You must ensure you have an appropriate legal basis (such as patient consent or legitimate treatment interest) before adding a patient's data to BestOrto and sending them WhatsApp messages.

10. Security Measures

  • All data transmitted between your browser and our servers is encrypted using TLS 1.2+.
  • Data at rest is encrypted by our storage provider (Supabase / AWS).
  • Row-level security (RLS) ensures each orthodontist can access only their own data.
  • Patient photos are stored in a private, non-publicly-accessible storage bucket.
  • Access to production systems is restricted to authorised personnel only.

11. Right to Lodge a Complaint

If you believe we have not handled your personal data in accordance with GDPR, you have the right to lodge a complaint with a supervisory authority. In Croatia, this is:

Agencija za zaštitu osobnih podataka (AZOP)
Selska cesta 136, 10000 Zagreb
azop.hr

You may also contact the supervisory authority in your country of residence (for EU residents).

12. Updates to This Information

We review and update this GDPR information sheet whenever our data processing activities change. The "Last updated" date at the top of this page reflects the most recent revision. For material changes, we will notify account holders by email.