Privacy Policy
Last updated: 3 June 2026
This policy explains how we handle personal data for (1) this website and (2) the AI receptionist service we provide to dental practices. Where you are a patient of a practice that uses our service, that practice is the data controller and this notice describes the role we play on its behalf.
1. Who we are (data controller)
This website is operated by MYG Media SRL, a Romanian limited liability company (registration / fiscal code RO50059004), Bulevardul George Enescu, Nr. 23, Bloc G45, Scara B, Ap. 6, 720246 Suceava, Romania.
For privacy questions or to exercise your rights, contact our data protection contact at max@myg-media.com (general enquiries: contact@myg-media.com).
2. The data we process
When you visit this website
- Server logs. Our hosting provider records technical data (IP address, browser type, time of request) to deliver the site securely and prevent abuse.
- Local storage. We store a single setting in your browser's local storage to remember your light/dark theme preference. This is set only when you toggle the theme, it is not used to track you, and it never leaves your device.
- No tracking. This website uses no advertising or analytics cookies, no tracking pixels, and no third-party fonts. Fonts are served from our own server.
When you contact us
- If you email us or message us on WhatsApp, we process the contact details and message content you choose to send (for example your name, practice, phone number, and enquiry) to respond and to scope a possible engagement.
When we run the AI receptionist for a practice
- On behalf of the practice (the controller), the service may process caller and patient data such as name, contact details, appointment details, and the content of calls and chats. This can include health data (a special category under Article 9 GDPR), for example the reason for a visit.
3. Purposes and legal bases
- Operating and securing the website - our legitimate interests (Art. 6(1)(f)).
- Remembering your theme preference - strictly necessary for a function you request; no consent banner is required.
- Responding to your enquiry - steps prior to entering a contract and our legitimate interests (Art. 6(1)(b), (f)).
- Providing the AI receptionist service - we act as a processor under Article 28 GDPR on the documented instructions of the practice, which determines the purposes and legal bases (typically the patient's care relationship and, for health data, Art. 9(2)(h) or explicit consent).
4. Health and other special-category data
Where the service processes health data, we apply additional safeguards: data minimisation, EU data residency, access controls, encryption in transit and at rest, and a documented retention period agreed with the practice. We process such data only on the practice's instructions and under a signed Data Processing Agreement.
5. AI transparency
The voice and chat assistant is an AI system. In line with the EU AI Act, it identifies itself as a virtual assistant at the start of a call or chat, and it hands off to a member of the practice's team when a conversation needs a person.
6. Recipients and processors
We share data only with service providers acting on our or the practice's instructions, including:
- Website hosting: Vercel Inc. (hosting and content delivery).
- AI model providers used to operate the assistant: OpenAI, Anthropic, and Google.
- The practice's own booking / practice-management system, where the assistant writes appointments.
We do not sell personal data.
7. International transfers
We aim to keep data within the EU/EEA. Where a provider processes data outside the EEA, we rely on an adequacy decision or the European Commission's Standard Contractual Clauses (Art. 46 GDPR) with appropriate supplementary measures. Our AI model providers (OpenAI, Anthropic, Google) may process data in the United States under these clauses.
8. How long we keep data
Our retention periods are:
- Website access logs: 90 days.
- Enquiry correspondence: 3 years from last contact.
- Marketing consent records: until consent is withdrawn, or after 2 years of inactivity.
- Client / service data: duration of the contract plus 7 years, in line with Romanian legal requirements.
Data processed under the service for a practice is kept for the period agreed with that practice and then deleted or returned.
9. Your rights
Subject to the conditions in the GDPR, you have the right to access, rectify, erase, restrict, and port your data, to object to processing, and to withdraw consent at any time. To exercise these rights for service data, contact the practice (the controller); we will support them. For website or enquiry data, contact us directly.
You also have the right to lodge a complaint with a supervisory authority - in Cyprus, the Office of the Commissioner for Personal Data Protection; in Romania (our lead authority), the National Supervisory Authority for Personal Data Processing (ANSPDCP).
10. Security
We use appropriate technical and organisational measures, including encryption in transit (HTTPS), access controls, and EU-based storage, to protect personal data against unauthorised access, loss, or disclosure.
11. Changes
We may update this policy from time to time. The date at the top shows when it was last revised.
12. Contact
MYG Media SRL - contact@myg-media.com - myg-media.com