Privacy Policy
Last updated: 3 July 2026
This Privacy Policy explains how Vivid & Shine d.o.o. ("we", "us", or "our"), the operator of BestOrto, collects, uses, and protects personal data when you use our service at bestorto.com.
1. Who We Are
Vivid & Shine d.o.o.
Siget 19c, 10000 Zagreb, Croatia
OIB: HR42225147864
Data Controller: Bruno Blumenschein
Contact: brunoblumen@gmail.com
2. What Data We Collect
Account holders (orthodontists)
- Name, email address, and password (provided at registration)
- Clinic name and branding preferences
- Billing information (processed by Stripe — we do not store card data)
- Usage data: login times, features used, session metadata
Patient data entered by account holders
- Patient name and WhatsApp phone number
- Aligner treatment details (current aligner, total aligners, change interval)
- Compliance feedback submitted by patients via WhatsApp (fit ratings, photos, notes)
- Automated reminder message logs
Patient data is entered into BestOrto by the treating orthodontist. We process this data on behalf of the orthodontist, who remains the data controller for their patients.
3. How We Use Your Data
- To provide, operate, and maintain the BestOrto service
- To send automated WhatsApp reminders to patients on the orthodontist's behalf
- To store and display patient compliance feedback in the dashboard
- To process subscription payments
- To send transactional emails (account confirmation, password reset)
- To improve the service and diagnose technical issues
We do not sell, rent, or share your personal data with third parties for marketing purposes.
4. Legal Basis for Processing (GDPR)
- Contract performance — processing necessary to provide the service you subscribed to
- Legitimate interest — service security, fraud prevention, and improvement
- Legal obligation — where required by applicable law
- Consent — where you have explicitly given consent (e.g. marketing communications)
For patient data specifically, the legal basis is the orthodontist's contractual relationship with their patients and applicable healthcare regulations in the orthodontist's jurisdiction.
5. Third-Party Services and Sub-processors
We use the following sub-processors to deliver our service. All are contractually bound to protect your data:
- Supabase (database and file storage) — data stored in Frankfurt, Germany (EU). Privacy policy
- Twilio / WhatsApp Business API (message delivery) — used to send WhatsApp reminders and receive patient replies. Privacy policy
- Resend (transactional email) — used for account and password emails. Privacy policy
- Stripe (payment processing) — used to process subscription payments. We never store card data. Privacy policy
6. Data Retention
- Account data is retained for the duration of your subscription and deleted within 90 days of account closure upon request.
- Patient data is retained as long as the patient record is active in your account.
- Message logs are retained for 12 months for audit and compliance purposes.
- Billing records are retained for 7 years as required by Croatian and EU accounting law.
7. Data Security
All data is encrypted in transit (TLS) and at rest. Access is controlled via row-level security policies. Patient photo uploads are stored in a private, access-controlled storage bucket. We conduct regular security reviews and promptly address any vulnerabilities.
8. Your Rights
Under GDPR you have the right to:
- Access — request a copy of the data we hold about you
- Rectification — correct inaccurate or incomplete data
- Erasure — request deletion of your data ("right to be forgotten")
- Restriction — ask us to restrict processing of your data
- Portability — receive your data in a machine-readable format
- Objection — object to processing based on legitimate interest
To exercise any of these rights, contact us at brunoblumen@gmail.com. We will respond within 30 days.
9. Cookies
BestOrto uses only essential cookies required for authentication (session token). We do not use advertising or analytics cookies. No cookie consent banner is required as we only use strictly necessary cookies.
10. Changes to This Policy
We may update this policy from time to time. When we do, we will update the "Last updated" date at the top of this page and, for material changes, notify account holders by email.
11. Contact
For any questions about this Privacy Policy or how we handle your data:
brunoblumen@gmail.com
Vivid & Shine d.o.o., Siget 19c, 10000 Zagreb, Croatia