UAB D LABS
PRIVACY POLICY
Processing of personal data of ordering system users and patients
Editorial: 2026-02-17
1. GENERAL PROVISIONS
1.1. This privacy policy (hereinafter referred to as the Privacy Policy) establishes the conditions and procedure for processing personal data managed by UAB D LABS (hereinafter referred to as the Company or Data Controller), legal entity code 123229678, registered office address Žemaitės g. 26, Vilnius, using the Company's order system (hereinafter referred to as the System), which operates on the website and mobile app.
1.2. The company is a dental laboratory that manufactures dentures according to orders from dental clinics. The system is designed for dental clinic employees to submit orders for the production of dentures.
1.3. The Privacy Policy has been prepared in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter referred to as the GDPR), the Law of the Republic of Lithuania on the Legal Protection of Personal Data and other applicable legal acts.
1.4. By using the System, you confirm that you have read this Privacy Policy and agree to the terms and conditions of personal data processing described therein.
2. DATA CONTROLLER AND CONTACT INFORMATION
2.1. Personal data controller:
- Name: UAB D LABS
- Legal entity code: 123229678
- Registered office address: Žemaitės g. 26, Vilnius
- Email for privacy issues: info@dlabs.lt
2.2. The Company has not appointed a data protection officer. For all questions related to the processing of personal data, you can contact the contact details provided above.
3. PERSONAL DATA PROCESSED, PURPOSES AND LEGAL GROUNDS
3.1. Clinic staff (System users) data
| Data category | Purpose of processing | Legal basis | Shelf life |
|---|---|---|---|
| Name, surname | User identification in the system, order processing | Contract (GDPR Art. 6 (1) (b)) | 15 years since last order |
| Duties | Administration of user rights in the System | Contract (GDPR Art. 6 (1) (b)) | 15 years since last order |
| Identification data in the System (login name, password) | Ensuring access to the System, authentication | Contract (GDPR Art. 6 (1) (b)) | 15 years since last order |
3.2. Patient data
| Data category | Purpose of processing | Legal basis | Shelf life |
|---|---|---|---|
| Name, surname or pseudonym (code) given by the clinic | Patient identification for order fulfillment purposes, denture manufacturing | Contract / legal obligation / data processing when necessary to provide healthcare or treatment (GDPR Art. 6 (1) (b), (c); GDPR Art. 9 (2) (h)) | 15 years from order fulfillment |
| Year of birth | Choosing the right denture according to age | Contract / legal obligation / data processing when necessary to provide healthcare or treatment (GDPR Art. 6 (1) (b), (c); GDPR Art. 9 (2) (h)) | 15 years from order fulfillment |
| Images (dental photos, in some cases facial photos) | Production of dental prosthesis according to individual patient parameters, quality assurance | Contract / legal obligation / data processing when necessary to provide healthcare or treatment (GDPR Art. 6 (1) (b), (c); GDPR Art. 9 (2) (h)) | 15 years from order fulfillment |
3.3. Some dental clinics provide their own pseudonyms (codes) in the System instead of the patients' names and surnames. In such a case, the Company cannot directly identify the patient, and the pseudonymized data shall be considered as indirectly identifying personal data in relation to the Company.
3.4. Patient health data (dental and facial images, health-related order information) is a special category of personal data under Article 9 of the GDPR. The basis for processing this data is healthcare purposes (Article 9(2)(h) of the GDPR), as dental prosthetics is part of a healthcare service.
4. DATA RECIPIENTS AND TRANSFER
4.1. Personal data may be transferred to the following categories of data recipients:
- Server hosting service providers – Data storage systems and technical infrastructure for assurance;
- IT maintenance service providers – For system support, technical services and troubleshooting;
- State authorities – when required by applicable law (e.g. law enforcement authorities, supervisory authorities).
4.2. All data processors providing services to the Company act only in accordance with the Company's instructions and are committed to ensuring appropriate technical and organizational measures to protect personal data.
4.3. Personal data is not transferred to third countries (outside the EU/EEA). All data processors operate within the territory of the European Union/European Economic Area.
5. DATA STORAGE PERIODS
5.1. Personal data is stored in the System for 15 (fifteen) years. This period is established in accordance with applicable legal acts regulating the storage of healthcare documentation.
5.2. The storage period is calculated as follows:
- For clinic staff data – from the date of the last order or System account deletion, whichever is later;
- For patient data – from the date of order fulfillment.
5.3. After the expiry of the retention period, personal data shall be deleted or irretrievably anonymized within a reasonable period not exceeding 30 calendar days.
6. RIGHTS OF DATA SUBJECTS
6.1. You have the following rights under the GDPR:
- Right to know (to be informed). You have the right to receive information about your personal data. This Privacy Policy is the main method of information.
- Right to access data. You have the right to obtain confirmation as to whether your personal data is being processed, and, if so, to obtain access to it and related information.
- Right to request rectification of data. You have the right to request that inaccurate or incomplete data be corrected or supplemented.
- Right to erasure ("right to be forgotten"). You have the right to request the erasure of personal data when it is no longer necessary for the purposes for which it was collected or in other cases provided for in the GDPR. This right may be restricted where data retention is required by law.
- Right to restriction of data processing. You have the right to request restriction of data processing under GDPR 18 in the cases provided for in the article.
- Right to data portability. You have the right to receive your personal data in a structured, commonly used and machine-readable format and to transmit them to another data controller.
- Right to object. You have the right to object to data processing where it is based on legitimate interests.
6.2. To exercise your rights, you may contact the Company using the contact details specified in Section 2 of this Privacy Policy. The person submitting the request must confirm their identity.
6.3. The Company shall respond to the request no later than within 30 calendar days from the date of receipt of the request. If the request is complex or a large number of requests are received, the deadline may be extended by another 60 days, informing the data subject thereof.
7. COOKIES AND ANALYTICS TOOLS
7.1. The Company's website and the System use cookies - small text files that are stored on your device.
7.2. Categories of cookies used:
- Necessary (technical) cookies – necessary for the operation of the System, including user authentication and session maintenance. These cookies are used without separate consent, as they are necessary for the provision of the service.
- Analytical cookies – used to collect and analyze website traffic statistics in order to improve the website and the System. These cookies require your consent.
7.3. When you first visit the website, you will be presented with a cookie consent message where you can choose which non-essential cookies you allow to be used.
7.4. You can change your cookie settings at any time in your browser settings or in the cookie settings section of the website.
8. DATA SECURITY
8.1. The Company implements appropriate technical and organizational measures to protect personal data against unlawful processing, accidental loss, destruction or damage. The measures applied include, among others:
- System access control (authentication, rights management);
- Data encryption during transmission (SSL/TLS);
- Regular data backup;
- System security monitoring and updates;
- Training employees on data protection issues.
8.2. Access to personal data in the System is granted only to those employees of the Company who need it to perform their work functions.
9. MOBILE APP
9.1. The system is also accessible via a mobile app. When using the app, the following additional technical data may be processed:
- Device type and operating system version;
- App version;
- Push notification identifiers, if the user has granted permission.
9.2. This data is processed solely for the purpose of ensuring the functionality of the System.
10. AUTOMATED DECISION MAKING
10.1. The Company does not use automated decision-making, including profiling, which would produce legal consequences for the data subject or similarly significantly affect him/her.
11. COMPLAINTS
11.1. If you believe that your personal data is being processed in violation of the GDPR or other legal acts, you have the right to file a complaint:
- First of all – to the Company using the contact details specified in Section 2 of this Privacy Policy. The company will examine the complaint and provide a response within 30 calendar days.
- Supervisory authority – State Data Protection Inspectorate (L. Sapiegos g. 17, 10312 Vilnius, e-mail ada@ada.lt, website www.ada.lt).
12. CHANGES TO THE PRIVACY POLICY
12.1. The Company reserves the right to change this Privacy Policy at any time. Users will be informed about any significant changes in the System.
12.2. The current version of the Privacy Policy is always published on the Company's website and mobile application.
12.3. By continuing to use the System after changes to the Privacy Policy, you confirm that you agree to the updated Privacy Policy.
Last update date: 2026-02-17