Privacy Policy
Version: privacy-v1
Last updated: 2026-06-18
Governing law: Danish law
Who we are
NPG Pulse is a patient-feedback platform operated by Nordic Patient Group ApS (CVR 40713352, Fuglebækvej 2C, 1., 2770 Kastrup, Denmark) together with our technical platform provider VEKST Solutions LLC (EIN 98-1931362, 14707 S Dixie Hwy, Suite 402C #186, Miami FL 33176, USA).
For privacy-related inquiries: privacy@nordicpatientgroup.dk.
At-a-glance summary (non-binding)
- When your dental clinic uses NPG Pulse to send you a patient-satisfaction survey, the clinic is the data controller and we (NPG) are the processor. Contact your clinic for access or deletion of your data.
- When you visit nordicpatientgroup.dk or log in to app.nordicpatientgroup.dk as clinic staff, NPG is the controller for technical and account data.
- When NPG collects public reviews from Google and Facebook to provide visibility analytics for the clinic, NPG is the controller under legitimate-interest grounds.
- We do not sell your data and we do not use it for marketing without consent.
- We use sub-processors — the full list is at /subprocessors.
1. Patient data processed on behalf of the clinic
If you have received an NPS or patient-satisfaction survey from your dental clinic via the NPG Pulse platform:
- Controller: the clinic (your dentist / your clinic company).
- Processor: Nordic Patient Group ApS (NPG).
- Sub-processor: VEKST Solutions LLC (platform operations).
The clinic has primary responsibility for informing you about what data they hold and how it is used. The relationship between the clinic and NPG is governed by a Data Processing Agreement (DPA), which the clinic accepts at signup.
For data access, correction, deletion, or objection regarding patient data: contact your clinic directly. The clinic has 30 days to respond. NPG provides export and deletion tooling behind the scenes.
If you cannot reach the clinic, you may also write to privacy@nordicpatientgroup.dk as a backup channel and we will help relay your request.
2. Operator accounts (clinic staff)
If you log in to app.nordicpatientgroup.dk as clinic staff or agency administrator:
| Data point | Purpose | Legal basis |
|---|---|---|
| Email address | Identifier + login | Art. 6(1)(b) — performance of contract (Terms of Service) |
| Name | Personalisation of dashboard | Art. 6(1)(b) |
| Password (hashed) | Authentication | Art. 6(1)(b) |
| Session data | Keeping you signed in | Art. 6(1)(b) |
| Activity logs | Debugging + security | Art. 6(1)(f) — legitimate interest |
Retention: as long as your account is active. On account closure, data is deleted within 90 days; activity logs are anonymised after 12 months.
Your rights: see Section 7 below.
3. Public review data (visibility analytics)
NPG collects publicly available reviews from Google Maps and Facebook concerning the clinics enrolled in NPG Pulse. The purpose is to provide reputation and visibility analytics for each clinic.
| Data point | Source | Legal basis |
|---|---|---|
| Reviewer's name | Public on Google/Facebook | Art. 6(1)(f) — legitimate interest (clinic visibility analytics) |
| Review text | Public | Art. 6(1)(f) |
| Star rating | Public | Art. 6(1)(f) |
| Review timestamp | Public | Art. 6(1)(f) |
We process only review information that the reviewer has already made public on the relevant platform. We use it to produce reputation and visibility insights for the clinic the review concerns, and we do not combine it with data from other sources to build a profile of the reviewer.
For clinics that officially connect their Google Business Profile to NPG Pulse, reviews are retrieved through Google's official API instead of by collection. See Section 11.
Right to object: if you would like your public reviews excluded from NPG's visibility analytics for the clinic, write to privacy@nordicpatientgroup.dk. We will remove your review from our systems within 30 days. Note: this does not remove the review from Google or Facebook — that must be done directly with them.
4. Visitors to nordicpatientgroup.dk and app.nordicpatientgroup.dk
When you visit our websites we process the following data:
- Technical logs (IP address, user agent, time of visit, page accessed) — retained ~30 days at our hosting provider Vercel. Legal basis: legitimate interest (operations, debugging, abuse prevention).
- Strictly necessary cookies — session cookies to keep you signed in and CSRF protection. No marketing cookies, no tracking pixels, no consent-requiring analytics cookies as of the effective date of this policy.
We do not show a cookie banner because we do not use cookies that require consent. If this changes (e.g. addition of analytics), we will update the policy and introduce a cookie banner at the same time.
5. Recipients of your personal data
We disclose your personal data only to:
- Technical sub-processors assisting us in operating the platform (database, hosting, email, AI inference). The full list — with purpose, data location and transfer mechanism — is available at /subprocessors.
- Authorities if we are legally required to do so (police, tax authority, Datatilsynet on supervisory request).
- The clinic for patient data processed on its behalf (Section 1).
We do not sell your data. We do not share it with marketing third parties.
6. International transfers
Several of our sub-processors are established in the United States (including VEKST Solutions LLC, Vercel, Postmark, OpenRouter). The transfer is covered by the EU Commission's Standard Contractual Clauses (SCCs) — for Postmark supplemented by the EU-US Data Privacy Framework — plus a concrete risk assessment (Transfer Impact Assessment / TIA) per vendor.
Details about the transfer mechanism per vendor are available at /subprocessors. For patient data processed on the clinic's behalf, the clinic DPA's Annex D (TIA) applies — contact your clinic for details.
7. Your rights
Under GDPR you have the following rights, alongside the rights granted under Danish data-protection law:
- Right of access (Art. 15) — receive a copy of the personal data we hold about you.
- Right to rectification (Art. 16) — correct inaccurate data.
- Right to erasure ("right to be forgotten", Art. 17) — where the law permits.
- Right to restriction of processing (Art. 18).
- Right to data portability (Art. 20) — receive your data in a structured, commonly used and machine-readable format.
- Right to object (Art. 21) — particularly to processing based on legitimate interest.
- Right to withdraw consent — where processing is based on consent.
How to exercise these rights:
- For patient data (Section 1) — contact your dental clinic directly. You may also write to privacy@nordicpatientgroup.dk for assistance.
- For account data, review data and website data (Sections 2, 3, 4) — write to privacy@nordicpatientgroup.dk. We respond within 30 days as a baseline; for particularly complex requests, the response window may be extended by up to 2 additional months, per GDPR Art. 12(3). You will be notified of any such extension and the reason for it.
8. Complaint to the Danish Data Protection Authority
You have the right to lodge a complaint with the Danish Data Protection Authority (Datatilsynet) if you are dissatisfied with how we process your personal data:
Datatilsynet
Carl Jacobsens Vej 35
2500 Valby, Denmark
www.datatilsynet.dk
Phone: +45 33 19 32 00
9. Changes to this privacy policy
We update this policy when our processing changes (e.g. addition of new sub-processors or new functionality). Material changes are communicated to registered users via email or dashboard notification. The version currently in effect is shown at the top with version number + date.
10. Contact
| What | Contact |
|---|---|
| General privacy questions | privacy@nordicpatientgroup.dk (shared inbox, monitored daily) |
| NPG (data protection) | privacy@nordicpatientgroup.dk |
| VS-LLC (data protection) | privacy@nordicpatientgroup.dk |
| Clinic-related questions | Contact your clinic directly |
11. Official Google Business Profile connection
If your clinic chooses to connect its Google Business Profile to NPG Pulse, you (as clinic staff) authorize NPG to access certain data from the clinic's Google account through Google's official Business Profile APIs. The connection is opt-in: nothing happens until a user from the clinic clicks "Connect with Google" and grants access on Google's own consent screen.
What we access. Only the Google Business Profile(s) your clinic manages: account and location details, reviews with star ratings, and your own replies to reviews. We do NOT access Gmail, contacts, calendar, Drive files, or any other Google service.
Why. To show the clinic's reviews in the dashboard, and to reply to reviews on the clinic's behalf after the clinic has reviewed and approved each individual reply. An AI feature may suggest a draft reply based on the review text; no reply is ever posted automatically.
Roles and legal basis.
- Connection and access data (encrypted tokens, account/location identifiers, matched Place ID) is processed by NPG as part of the operator relationship with the clinic, under Art. 6(1)(b), performance of contract (the same basis as Section 2).
- Review content (the reviewer's display name, rating, text, timestamp) is processed by NPG as controller under Art. 6(1)(f), legitimate interest (reputation and visibility analytics for the clinic), on exactly the same basis as the public reviews in Section 3. For officially connected clinics, the API access replaces collection.
- Posting a reply is carried out as processing on the clinic's documented instruction, under Art. 28. The reply itself is published on the clinic's own Google profile, which the clinic controls.
Scope requested. Google offers only a single combined access level (business.manage), whose label ("see, edit, create and delete your business listings") is broader than our actual use. We request the minimum Google makes available and use it solely to read reviews and post approved replies. We do not edit, create, or delete business listings.
How we store it. Access and refresh tokens are encrypted at rest with AES-256-GCM and are never logged or shared. Review content is stored as review history in the dashboard, in the same way as other review data.
What we never do. We do not sell data received from Google's APIs, do not use it for advertising, and do not share it except as needed to provide the feature (for example, we send the review text to our AI provider to draft a suggested reply; the text is not retained there and is not used to train models). We do not use data received from Google's APIs to develop, improve, or train generalized AI or ML models. NPG Pulse's use of data received from Google APIs complies with the Google API Services User Data Policy, including the Limited Use requirements.
Your control. The clinic can disconnect at any time inside NPG Pulse (Settings → Connections), or revoke access directly with Google at myaccount.google.com/permissions. Disconnecting deletes the stored tokens on our side.