Privacy Policy

This policy applies to all individuals whose data is processed through OralOS:

• Clinic account holders. the organisation or individual who signs up for an OralOS subscription, including multi-branch and enterprise accounts.
• Clinic staff. administrators, dentists, receptionists, nurses, hygienists, and any other personnel granted access to the dashboard.
• Patients. individuals whose clinical records are created and managed within OralOS, including patients accessed via the patient mobile app or patient web portal.
• Patient family members. guardians and family members linked via family accounts, including minors in paediatric charting.
• Corporate account holders. employers or insurers who fund dental care for employees and whose billing or coverage data is processed within OralOS.
• API integration users. developers and third-party systems that connect to OralOS via the public API or webhooks.
• Website visitors. anyone who browses teliyaduoralos.com without creating an account.

We process personal data on the following legal bases:

• Contract performance. processing necessary to deliver the OralOS service to clinic account holders and their staff.
• Legitimate interests. security monitoring, fraud prevention, product improvement, and aggregated analytics, where these do not override individual rights.
• Legal obligation. compliance with applicable law, including health data regulations, tax requirements, and court orders.
• Consent. marketing communications to website visitors; voice recording during telemedicine sessions; non-essential communication channels (WhatsApp, marketing campaigns) where opt-in is required.
• Vital interests. in exceptional circumstances where health data must be disclosed to protect a patient's life.

For special category health data (clinical records, medical history, imaging), processing is based on Article 9(2)(h) GDPR (healthcare provision) and equivalent provisions under applicable national law. The clinic, as data controller, is responsible for establishing and documenting the patient's consent for the creation of health records.

• To create and manage clinic accounts, staff profiles, and patient records.
• To authenticate users, maintain sessions, and enforce role-based access controls across all branches.
• To power clinical workflows: appointment scheduling, charting, visit notes, prescriptions, treatment plans, and imaging.
• To send appointment reminders, recall notices, post-visit follow-ups, and two-way SMS via the clinic's configured communication channels.
• To run patient marketing campaigns and loyalty programmes on behalf of the clinic, where the clinic has obtained patient consent.
• To generate reports: daily cash closings, doctor performance, outstanding balances, insurance ageing, inventory levels, patient satisfaction, and custom analytics.
• To process subscription payments (Stripe) and clinic-to-patient payments (Chapa).
• To facilitate insurance billing, pre-authorisation, and claim tracking.
• To deliver AI-assisted charting suggestions and voice transcriptions to authorised clinicians.
• To support telemedicine sessions between clinicians and patients.
• To serve the patient mobile app and patient web portal with the patient's own appointment, balance, and communication data.
• To process API requests from authorised third-party integrations on behalf of the clinic.
• To diagnose errors, monitor uptime, and improve platform performance.
• To respond to support requests.
• To comply with applicable law and respond to lawful legal requests.

We do not sell your data. We do not use patient health data, clinical notes, or imaging to train AI models operated by Teliyadu or any third party. AI features within OralOS process data in real time to generate suggestions; they do not feed a shared training corpus.

Each clinic organisation's data is stored in a dedicated PostgreSQL schema, entirely separate from every other clinic on the platform. This is enforced at the database level . there is no shared table with a clinic identifier column that could be bypassed by an application bug. Middleware on every API request verifies the clinic's subdomain and activates the correct schema before any query runs.

For multi-branch organisations, all branches share a single tenant schema owned by the organisation. Branch-level data segregation within the schema is enforced by the application's RBAC layer . staff assigned to Branch A cannot view Branch B's patient records or financials unless granted explicit cross-branch permissions by the organisation's Admin.

Teliyadu platform staff access tenant data only for authorised support operations, require internal approval for each access event, and every access is immutably audit-logged with the reason and the approving manager.

We retain different categories of data for different periods:

• Active clinical records . retained for the life of the subscription. Clinics control record-level deletion within their account.
• Closed clinic accounts . data is held for 30 days after account closure to allow export, then permanently and irreversibly deleted, including all backups that fall within the deletion window.
• Audit logs . retained for 7 years to meet healthcare regulatory requirements in the jurisdictions we operate in.
• Financial records . invoices, payment records, and tax-relevant data are retained for 7 years from the transaction date.
• Communication logs . SMS, email, and push notification delivery records retained for 2 years.
• Voice recordings . processed in real time; not stored unless explicitly saved by the clinician. Saved recordings follow the clinical record retention period.
• Telemedicine session metadata . retained for 2 years. Recordings (if made with consent) follow the clinical record retention period.
• API & webhook event logs . retained for 90 days.
• Server & access logs . retained for 90 days.
• Database backups . automated daily snapshots retained for 30 days, then purged.
• Anonymised aggregated analytics . may be retained indefinitely; they contain no personal identifiers.

We engage the following sub-processors. Each is bound by a data processing agreement and processes data only as instructed by Teliyadu.

• Amazon Web Services (AWS) . cloud infrastructure (eu-central-1, Frankfurt): ECS (compute), RDS PostgreSQL (database), ElastiCache Redis (caching/queuing), S3 (file storage), SNS (SMS), SES (email), CloudFront (CDN), CloudWatch (infrastructure monitoring), Secrets Manager (credential storage).
• Stripe . SaaS subscription billing and payment card processing. Stripe is PCI-DSS Level 1 certified. We receive tokenised payment references only.
• Chapa . clinic-to-patient payment processing for East African payment methods (mobile money, local bank transfer). Used for patient invoice payments within the OralOS platform.
• Firebase (Google) . push notifications delivered to the OralOS patient mobile app and staff mobile app on iOS and Android.
• Sentry . real-time application error monitoring. Error payloads are scrubbed to remove patient identifiers before transmission.
• Better Stack . uptime monitoring, log aggregation, and on-call alerting. Infrastructure-level logs only; no patient record content.
• Twilio / AWS SNS . two-way SMS for appointment reminders and patient communication.
• AI inference provider . where AI-assisted charting or voice transcription is enabled, audio and structured clinical prompts are sent to an approved AI inference provider under a strict data processing agreement that prohibits training use. The specific provider is disclosed in the AI feature settings within your OralOS account.

We publish an up-to-date sub-processor list at teliyaduoralos.com/security. We will provide 30 days' notice before adding a new sub-processor that processes health data.

All primary data storage and processing occurs in Frankfurt, Germany (AWS eu-central-1), within the European Economic Area. Some sub-processors (Stripe, Sentry, Firebase, AI inference) may process data in the United States or other countries. Where data is transferred outside the EEA, we rely on:

• Standard Contractual Clauses (SCCs) approved by the European Commission.
• Adequacy decisions where applicable.
• Binding Corporate Rules where the sub-processor has published them.

Clinics operating under Ethiopian law: OralOS is designed to comply with Ethiopia's Computer Crime Proclamation (No. 958/2016) and the relevant provisions of the Ethiopian Health Sector Transformation Plan regarding patient data confidentiality. We continue to monitor the development of a dedicated health data protection framework in Ethiopia and will update our practices as legislation evolves.

OralOS includes optional AI-powered features including voice-to-chart dictation, AI-assisted diagnosis suggestions, automated clinical note summaries, and intelligent treatment plan recommendations. The following rules govern how AI features handle your data:

• AI features are opt-in per clinic and can be disabled by the clinic Admin at any time.
• Clinical data sent to AI inference endpoints is transmitted over TLS and is used solely to generate the requested output . it is not retained by the AI provider or used to train models.
• All AI-generated suggestions are presented to the clinician as suggestions requiring review. OralOS records which actions were taken by AI versus by a human clinician in the audit log.
• Clinics are responsible for reviewing AI outputs before recording them as clinical fact and for complying with any applicable regulations on the use of AI in clinical settings.
• We never use patient health data from one clinic to generate suggestions for another clinic. AI inference is scoped to the requesting clinic's session only.

OralOS enables clinics to communicate with patients for clinical purposes (appointment reminders, recalls, post-visit follow-ups) and, where the patient has opted in, for marketing purposes (promotions, loyalty rewards, health awareness campaigns). The clinic is responsible for:

• Obtaining and recording patient opt-in consent before sending marketing communications.
• Honouring opt-out requests promptly . OralOS provides a one-click unsubscribe mechanism for email campaigns and automatic opt-out handling for SMS STOP replies.
• Ensuring marketing content complies with applicable laws (including Ethiopia's commercial communications regulations and GDPR where applicable).

Teliyadu does not send marketing communications to patients on its own behalf. All patient-facing messages are sent by the clinic through OralOS, with the clinic's name and contact information visible to the recipient.

Depending on your jurisdiction, you may have the following rights over your personal data:

• Access. obtain a copy of the personal data we hold about you.
• Rectification. correct inaccurate or incomplete data.
• Erasure. request deletion of your data where we have no overriding legal basis to retain it.
• Restriction. ask us to limit how we use your data while a dispute is resolved.
• Portability. receive your data in a structured, machine-readable format (JSON or CSV).
• Objection. object to processing based on legitimate interests.
• Withdraw consent. where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
• Lodge a complaint. you have the right to complain to your local data protection authority.

Patients should direct data rights requests to their clinic first . the clinic is the data controller for clinical records. If the clinic cannot fulfil the request, patients may contact us at support@teliyadu.com.

Clinic staff and account holders may exercise rights over their own account data by emailing support@teliyadu.com. We will respond within 30 days.

OralOS dashboard: A single session cookie is set on login for authentication. No third-party cookies are set by the dashboard application.

Patient mobile app: Uses device-local storage for the authentication token. No advertising SDKs are included in the app.

Marketing site (teliyaduoralos.com): Essential cookies only (locale preference, CSRF token). We do not use advertising networks, retargeting pixels, or cross-site behavioural tracking cookies.

Embeddable booking widget: When a clinic embeds the OralOS online booking widget on their own website, the widget sets a single session cookie to maintain the booking flow. It does not set any tracking cookies on the host site.

OralOS is not directed at children as end users. Minors appear as patients in clinical records under the authority of their treating clinic and the consent of their legal guardian. Paediatric patient records are flagged in the system and access is restricted to clinical staff. Guardians may request access to or deletion of their child's records by contacting the clinic.

The patient mobile app and patient web portal require users to be at least 16 years old to create an account. Younger patients may be given access by a guardian who manages the account on their behalf.

Where a corporate employer or insurance provider is linked to a clinic's account, we process the corporate entity's name, contact details, and the list of covered individuals (name, employee/policy ID, coverage tier). This data is visible only to the clinic's Admin role and to the corporate account holder's designated contact. Individual employees' clinical records remain confidential to the treating clinic and are not shared with the employer . billing summary data (procedure codes, amounts) may be shared with the insurer as part of the claims process, consistent with the patient's consent and applicable law.

We will notify clinic account holders by email at least 14 days before any material changes to this policy take effect. Minor clarifications (grammar, formatting, new examples that do not change meaning) may be made without notice. The current version of this policy is always available at teliyaduoralos.com/privacy with the effective date shown at the top.

For questions about this policy, data rights requests, or security concerns:

Email: support@teliyadu.com

Subject line: "Privacy" or "Data Rights Request"

We aim to acknowledge all privacy enquiries within 48 hours and resolve them within 30 days.