Data privacy

This Privacy Notice describes how and for what purposes we collect, process and use personal data. The responsible handling of your personal data is a central concern for us. We are continuously making adjustments in order to protect your personal data even better. The current version of our Privacy Notice is always available on our website.

1. What is this Privacy Notice about?

The protection of personal data is a matter of trust, and your trust is important to us. In this Privacy Notice, we inform you how and why we collect, process, and use your personal data. 

In this Privacy Notice, you will learn, among other things:

  • what personal data we collect and process;
  • the purposes for which we use your personal data;
  • who has access to your personal data;
  • how you can benefit from our data processing;
  • for how long we process your personal data;
  • what rights you have with respect to your personal data; and
  • how you can contact us.

This Privacy Notice is based on the Swiss Federal Act on Data Protection (FADP/DSG) and its implementing Ordinance on Data Protection (DSV). Where we also process personal data of patients resident in the European Union or European Economic Area, we additionally comply with the EU General Data Protection Regulation (GDPR) to that extent. In the event of any conflict, Swiss data protection law governs our processing of data in Switzerland.

2. Who is responsible for data processing?

According to data protection law, responsibility for data processing lies with the company that determines whether such processing is to take place, for what purposes it is to take place and how it is to be configured. In general, a company of the swiss smile Schweiz AG group (hereinafter referred to as “we” or “us”) is responsible for the data processing in accordance with this Privacy Notice. The companies within the swiss smile Schweiz AG group are listed below. Generally, the company that directed you to this Privacy Notice will be responsible for data processing:

  • swiss smile Schweiz AG, Bahnhofstrasse 110, 8001 Zurich (CHE- 112.965.784) 
  • Bellevue Zahnärzte AG, Theaterstrasse 14, 8001 Zurich (CHE- 449.666. 975)
  • Zahnmedizinisches Zentrum Zürich Nord AG, Herzogenmühlestrasse 14, 8051 Zurich (CHE-108.440.461)
  • Prophylaxe Zentrum Zürich AG, Herzogenmühlestrasse 14, 8051 Zurich (CHE-108.281.949)
  • ZahnCity AG, Freischützgasse 1, 8004 Zurich (CHE-155.220.847)
  • Praxis am Pilatusplatz AG, Pilatusstrasse 39, 6003 Lucerne (CHE-113. 680.373)
  • Praxisgemeinschaft Wolfbach AG, Wolfbachstrasse 1, 8032 Zurich (CHE-460. 997.038)
  • Perfect Smile Ragaz AG, Hans-Albrecht-Strasse, 7310 Bad Ragaz (CHE-112.736.841) 
  • (together, the “swiss smile Group”)

All companies within the swiss smile Group (other than we), as well as Colosseum Dental Schweiz AG and Colosseum AG, act as processors when they have access to or process your personal data — that is, they do so only on our instructions and are not permitted to use your data for their own purposes. They are contractually bound to maintain appropriate data security and to comply with applicable data protection law. In individual cases, a group company may act as a joint controller if it is involved in determining the purposes or means of a particular processing activity. Where this applies, we will inform you on request of the key terms of that arrangement.

3. From whom do we collect personal data?

This Privacy Notice applies to patients and potential patients (including visitors to our websites) whose data we process (referred to as “you”). This Privacy Notice applies to the processing of personal data that has already been collected and personal data that will be collected in the future.

4. Which personal data do we process?

«Personal data» constitute information that can be associated with a specific person. In contrast, information that does not allow conclusions to be drawn about specific persons, such as aggregated data or statistical analysis, is not personal data.

We may process the following personal data:

  • first name, last name, gender, date of birth, nationality;
  • profession, title, employer data;
  • address, e-mail address, telephone number, and other contact details;
  • health data (for example patient histories, examination, anamnesis form, diagnostic findings, X-rays);
  • health insurance data and social security data;
  • payment information (for example stored payment forms, bank details, invoice address);
  • details about related third parties (for example contacts or representatives);
  • patient satisfaction rates and opinions that we may collect via voluntary surveys;
  • content of e-mails, written correspondence; and
  • in connection with our websites, IP address and surfing behaviour, technical data (for example, internet browser, operating system or time of page view).

5. How do we collect your personal data?

You often disclose personal data to us yourself and we collect such personal data in the following ways:  

Appointments:

Upon making an appointment with us, you will be asked for information. This collection of information is based on your request for treatment: providing the requested details upon making an appointment is a prerequisite for arranging your appointment. In addition to appointments booked at the practice or via phone, you can also make an appointment using the online service or through communication with our digital assistant (bot).

Providing preliminary details:

Upon your first appointment with us, you will be asked to fill in an anamnesis form with questions concerning your current state of health. You may also provide the reason for having made an appointment and list your symptoms. These preliminary details are necessary for the planning and implementation of your treatment, and their accuracy and validity will be confirmed at the commencement of each treatment period.

You may fill in the anamnesis form before your appointment either online or on a printed form available at the practice. Details given on a paper form at the practice will be entered into the patient management system by our personnel.

If it is useful for your treatment, information and documents relating to previous (dental) medical treatment may be obtained from your previous (dental) doctor. In this respect, you release us and the requested (dental) doctor from medical confidentiality.

At the practice:

During your appointment, the dentist or dental hygienist (or their assistant) treating you will record details concerning your health for diagnostic purposes as well as for the planning and arranging of your treatment. Any X-rays taken of you at our practices as well as laboratory test results and other data required for diagnostic purposes will be stored either in our patient management system or in a separate imaging system.

Post-appointment invitations for treatment:

At the end of your treatment period, the dentist or dental hygienist treating you will set check-up or treatment intervals based on your personal treatment needs. You can choose the form of contact used to invite you in for treatment in the future.

Invoicing:

For invoicing purposes, we require your contact details, details on the purpose and time of your appointment as well as your personal identity code and invoicing details. For corporate invoicing and for granting contractual benefits, we may also require employer details. In case an invoice is covered by someone other than the patient, invoicing details will also include details of the person paying for the treatment and an invoicing address or insurance information.

Website:

We may also collect personal data about you automatically, such as when you visit our websites.

6. Use of AI-Assisted Services

We use AI tools and systems to help us provide you with better, safer, and more efficient dental care. AI supports our dental professionals — it does not replace their clinical judgement. We use AI in the following ways:

  • Diagnostic image analysis: AI assists in analysing X-rays and other diagnostic images to help identify dental conditions. The analysis is always reviewed by a qualified dentist before any clinical decision is made.
  • Clinical note documentation: AI assists in generating or summarising clinical notes and treatment records from your consultations. All notes are reviewed and approved by the treating professional before they form part of your record.
  • Telephone appointments: When you call or are called by one of our clinics, you may interact with an AI-powered virtual assistant to book, change, or cancel an appointment. Calls may be recorded and transcribed. Recordings and transcripts are processed as personal data and are subject to all protections described in this Privacy Notice.
  • Administrative tasks and quality assurance: AI supports administrative efficiency, quality monitoring, and the continuous improvement of our services.

All AI-generated outputs are reviewed and validated by a qualified dental professional before being used in any decision affecting your care.

The legal basis for using AI to process your health data is your express consent as given in your consent and anamnesis form, or our legal obligation to provide safe, high-quality dental care.

We will never use your health data to train AI models without first obtaining your separate and explicit consent for that specific purpose. You will never be required to give such consent as a condition of receiving treatment.

The names of our current AI service providers are available on request. Please contact us using the details in Section 15.

7. For what purposes do we process your data?

We process your personal data for the following purposes:

  • Providing dental care: Planning, arranging, carrying out, and following up on your dental treatment, so that we can offer you the best care possible. This includes using your data — including X-rays, clinical findings, and your treatment history — to support diagnosis, identify patterns that may indicate conditions requiring treatment, and provide personalised treatment recommendations based on your dental and medical history.
  • Communicating with you: Contacting you about your appointments, treatment plan, results, and follow-up care, including recall reminders for recommended check-ups and preventive treatments. Recall reminders are part of providing your care and are distinct from marketing.
  • Improving care quality, safety, and effectiveness: Continuously improving the quality, accuracy, safety, and efficiency of the dental care we provide, including through quality assurance, clinical audit, patient satisfaction surveys conducted for clinical quality purposes and monitoring and improving the tools and systems — including AI-assisted tools — that we use to support diagnosis and treatment.
  • Invoicing and payment: Processing invoices, matching and monitoring payments, debt collection, and — where you use our payment financing option — assessing creditworthiness.
  • Legal compliance: Complying with our legal obligations as a healthcare provider, including mandatory data retention, reporting to health authorities and insurers, and keeping you informed of your rights.
  • Business operations and analytics: Understanding your needs and preferences so that we can offer you treatments and services that are relevant to you, planning, developing and improving our operations, service offering and clinic network; analysing revenue, pricing and demand patterns and developing loyalty and retention initiatives from which you may benefit; using anonymised or aggregated data where possible, including for internal statistics, service development, and medical research.
  • Intra-group administration and operational support: Sharing your personal data with other companies within the swiss smile Group and the wider Colosseum Dental group where necessary to support your dental treatment, invoicing, administration, and the operation of our clinics. All such group companies act as processors on our instructions.
  • Marketing: Sending you promotional offers, voluntary satisfaction surveys for marketing purposes, and review requests, where you have given your prior consent. You may withdraw your marketing consent at any time without any effect on your dental care.
  • Establishing, exercising, or defending legal claims: Processing your personal data to the extent necessary to establish, exercise, or defend legal rights or claims, including enforcement of outstanding invoices.

8. Why are we allowed to use your data?

Because dental care involves health data, all processing of your personal data is subject to a higher level of protection under Swiss data protection law. Health data is classified as particularly sensitive personal data, and where consent is required for such data, it must be given expressly, freely, and after adequate information has been provided.

We process your personal data on the following legal bases:

 

Purpose

Legal basis

Providing dental treatment, diagnosis, follow-up care, and clinical documentation- including by means of AI-assisted tools for diagnostic image analysis, clinical note documentation, and telephone appointment handling

Legal obligation under applicable cantonal health legislation and the Federal Health Insurance Act; and/or contract performance (your treatment agreement with us); and your express consent given in the consent and anamnesis form

Communicating with you about your appointments, treatment plan, recall reminders, and follow-up care

Contract performance (your treatment agreement with us); and/or legal obligation under applicable cantonal health legislation. Recall reminders are part of providing care and are distinct from marketing

Invoicing, payment processing, and credit assessment

Contract performance; legal obligation; and your express consent for credit assessment

Complying with legal obligations (e.g. mandatory record retention, reporting to health authorities, insurance)

Legal obligation

Improving the quality, safety, and effectiveness of dental care, including quality assurance, clinical audit, patient satisfaction surveys conducted for clinical quality purposes, and monitoring and improving the tools and systems — including AI-assisted tools — used to support diagnosis and treatment

Overriding legitimate interest in providing high-quality care, using anonymised or aggregated data where possible; or your express consent where identifiable health data is used

Marketing and promotional communications (including offers, voluntary satisfaction surveys for marketing purposes, and review requests)

Your prior express consent (opt-in). You may withdraw marketing consent at any time without affecting your treatment

Business operations, analytics, service development, and medical research (using anonymised or aggregated data where possible)

 

Overriding legitimate interest in planning and improving our services and clinical outcomes; where identifiable health data is used (e.g. for medical research), your express consent

 

Intra-group administration and operational support (sharing with group companies acting as processors)

 

Contract performance and/or overriding legitimate interest in ensuring efficient group administration; group companies act as processors on our instructions

 

Establishing, exercising, or defending legal claims

Overriding legitimate interest

 

A note on the difference between recall reminders and marketing: We will contact you to remind you of scheduled check-ups, recommended follow-up treatments, or other clinical care that our dental professionals consider appropriate for your health. These communications are part of providing dental care and do not require your marketing consent. Marketing communications — such as promotional offers, discounts, and review requests — are separate and will only be sent if you have given your consent by ticking the marketing opt-in on your consent form. You may withdraw marketing consent at any time without any effect on your treatment.

A note on business analytics, service development, and medical research: Where we use your data for purposes such as internal statistics, service development, quality improvement analysis, or medical research, we do so on the basis of Art. 31(2)(e) of the Swiss Federal Act on Data Protection (FADP). This provision permits processing of personal data for non-personal purposes — such as research, planning, or statistics — provided that: (i) we anonymise your data as soon as the purpose of the processing allows; where full anonymisation is not possible or would require disproportionate effort, we take appropriate technical and organisational measures to prevent your identification; (ii) where particularly sensitive personal data (including your health data) is shared with third parties for such purposes, it is shared only in a form in which you are not identifiable; where this is not possible, those third parties are contractually required to process the data for non-personal purposes only; and (iii) any results arising from such processing are published in a form in which no individual patient is identifiable.

9. To whom do we disclose personal data?

Upon making an appointment, you consent to our health care personnel having access to your personal data. All patient information is stored in a patient management system maintained by us which is used by our health care personnel in processing your data.

We share your personal data with other companies within the swiss smile Group and the wider Colosseum Dental group where this is necessary for the purposes of your dental treatment, intra-group administration, service development, or business analytics. All such group companies act as processors — they process your data only on our instructions. In individual cases, a group company may act as a joint controller; where this applies, we will inform you on request of the key terms of that arrangement.

We may also disclose your personal data to third companies if we make use of their services. These service providers generally process personal data on our behalf as so-called “processors” or “sub-processors”. Our processors/sub-processors are obliged to only process personal data in accordance with our instructions and to take suitable measures to ensure data security. Certain service providers are also jointly responsible with us for certain processing activities. Where this is the case, we will make the key terms of that arrangement available to you on request. We ensure through the selection of service providers and suitable contractual agreements that data protection is upheld during the entire processing of your personal data.

Processors/sub-processors are used for services in the following areas:

  • dental, orthodontic and other laboratories and manufacturers, if required for your medical treatment;
  • AI service providers, to support diagnostic image analysis, clinical documentation, telephone appointment handling (including call transcription and storage), administrative tasks, and quality assurance. All AI service providers act as our processors and are contractually bound to process your personal data only on our instructions, to maintain appropriate security, and not to use your data for their own purposes — including for AI model training — without your separate and explicit consent. The names of our current AI service providers are available on request. Please contact us using the details in Section 15;
  • advertising, marketing services, newsletters and patient opinion surveys, for example for the delivery of messages and information;
  • customer relationship management (CRM) and marketing platform, to manage patient communications, marketing activities, satisfaction surveys, and customer service interactions;
  • payment, invoicing and financial operating services;
  • to send you reminders when you need dental care and preventive treatments;
  • to re-engage inactive patients through communications encouraging return to digital care;
  • digital onboarding and patient management, if you choose to register on the platform and use the service;
  • gap filling, to proactively offer you available appointment slots;
  • patient nurturing, to respond to your enquiries and provide information about our dental services
  • collection services, for example for the reminder of outstanding receivables and their enforcement;
  • IT services, for example in the areas of data storage (hosting), cloud services, the delivery of e-mail newsletters, online booking, online completion of the anamnesis form, etc.;
  • advisory services.

We may also disclose personal data to third parties for their own purposes, for example if you have granted us your consent to do so, if we are legally obliged or authorized to share such information, or if we have overriding interests in disclosing it. In such cases, the data recipient is legally responsible as the controller of the data.

Examples of such cases include the following:

  • other doctors, healthcare professionals and medical institutions, if you ask us to do so or if we are asked to do so by them on your behalf;
  • authorities or insurance companies;
  • the transfer of claims to other companies, such as debt collection agencies;
  • the disclosure of information on payment behavior to credit agencies that carry out credit checks for us or provide credit information;
  • the processing of personal data in order to comply with a court or administrative order, or to enforce or defend legal rights or claims, or if we consider such processing to be necessary on any other legal grounds.

Personal data may be transferred in the context of the sale or transfer of all or any part of our business. Where this occurs, we will rely on our overriding interests in completing the transaction and will ensure appropriate confidentiality obligations are imposed on any recipient.

Please take note of our cookie banner concerning independent data collection by third-party providers whose tools we have integrated into our websites.

10. Where is your data processed?

Your personal data is processed and stored primarily in Switzerland. It may also be transferred to or accessed by our service providers in the following countries:

  • EEA member states: All EEA member states have been recognised by the Swiss Federal Council as providing an adequate level of data protection. No additional safeguards are required for transfers to these countries.
  • United Kingdom: The UK has been recognised by the Swiss Federal Council as providing an adequate level of data protection. No additional safeguards are required for transfers to the UK.
  • United States: Transfers to US-based service providers are made only to organisations certified under the Swiss-US Data Privacy Framework, which has been recognised by the Swiss Federal Council as providing an adequate level of data protection for certified organisations. Where a US provider is not certified, transfers are made using standard data protection clauses approved or issued by the FDPIC.
  • Other countries: Where service providers or sub-processors are located in countries not on the Federal Council's adequacy list, transfers are made using standard data protection clauses approved or issued by the FDPIC, or other appropriate safeguards permitted under applicable Swiss law.

A list of the countries to which your data may be transferred is available on request. Please contact us using the details in Section 15.

11. How do we protect personal data?

We take, and require our processors/sub-processors to take, appropriate technical and organizational security measures in order to safeguard your personal data, protect you against unauthorized or unlawful processing activities, and to address the risk of loss, unintentional changes, inadvertent disclosure, or unauthorized access.

All our personnel have been trained to ensure a high level of data protection and security. This training is a compulsory part of all new employees’ induction

When we use AI tools and systems, we implement additional safeguards to protect your personal data. We carefully select AI service providers based on their security standards, data protection practices, and compliance with applicable regulations. We conduct assessments of AI tools before implementation to evaluate privacy risks and ensure appropriate safeguards are in place. Where AI tools and systems are used for clinical purposes, outputs are reviewed and validated by qualified healthcare professionals to ensure accuracy and appropriateness. We maintain oversight of AI processing activities and regularly review the performance and security of AI systems used in our operations.

When we use AI tools and systems, we implement additional safeguards to protect your personal data. We carefully select AI service providers based on their security standards, data protection practices, and compliance with applicable regulations. We conduct assessments of AI tools before implementation to evaluate privacy risks and ensure appropriate safeguards are in place. Where AI tools and systems are used for clinical purposes, outputs are reviewed and validated by qualified healthcare professionals to ensure accuracy and appropriateness. We maintain oversight of AI processing activities and regularly review the performance and security of AI systems used in our operations.

12. Automated Decision Making and Profiling

We do not make any decisions about your dental care based solely on automated processing that would have a legal or similarly significant effect on you. All outputs from our AI tools are reviewed by a qualified dental professional before any clinical decision is taken.

However, if you choose to use our payment financing option provided by MF Group AG (or its successor entity), please be aware that MF Group AG or its financing partner may carry out an automated credit assessment. This assessment may affect which payment options are available to you. You have the right to be told if such an automated decision has been made, to put forward your point of view, and to request that the decision be reviewed by a person. For further information about MF Group AG's credit assessment process, please contact us at the details in Section 15.

Separately, we may send you treatment offers, appointment reminders, or relevant information based on your treatment history or the type of care you have received. These communications are personalized, but do not constitute legally significant automated decisions.

13. For how long do we process personal data?

We will process and store your personal data only for as long as is necessary: 

  • to fulfil the purpose for which it is processed; 
  • in compliance with the relevant legislation;  
  • if we are legally obliged to maintain it; and/or
  • to defend our interests in the context of a legal dispute (in or out of court).

After that, your personal data will generally be deleted, destroyed or anonymised, unless you have given us your consent to store it for a longer period.

Treatment records (including clinical notes, examination findings, X-rays, and anamnesis forms) must be retained for a minimum period after your last treatment as required by applicable cantonal health legislation and the Federal Health Insurance Act (KVG). Depending on the canton and type of record, this period is generally between 10 and 20 years from the date of your last treatment. X-rays may be subject to specific cantonal requirements within this range. We will inform you of the specific retention period applicable to your records on request.

14. Your rights as our patient

As a dental practice, we process personal data about you — including health data — in order to provide you with dental care. Some of this processing is required by law (for example, we are required to keep patient records for a minimum period under applicable health legislation). Where this is the case, you cannot ask us to delete that data during the legally required retention period.

You have the right to ask us whether we hold personal data about you, and if so, to receive a copy of that data together with key information about how we use it — including the purposes for which it is processed, how long we keep it, where it came from (if not collected from you directly), and who it has been shared with. We will respond free of charge, as a rule within 30 days. You may not waive this right in advance.

Where the applicable conditions are met and no legal exception applies, you also have the following rights:

  • Correction: You can ask us to correct personal data about you that is inaccurate, unless a legal provision prevents us from making the change.
  • Deletion and prohibition of processing: You can ask, through the courts, for certain processing of your personal data to be prohibited, for specific disclosures to third parties to be stopped, or for your data to be deleted or destroyed. Please note that we may be required by law to retain certain records for a minimum period and cannot delete them during that time.
  • Dispute notation: If neither the accuracy nor the inaccuracy of certain data can be established, you can ask for a note of dispute to be added to your record.
  • Data portability: You can ask for the personal data you have provided to us to be given to you in a standard electronic format, or to be transferred to another organisation, where the relevant conditions are met.
  • Withdrawal of consent: Where we process data based on your consent, you can withdraw that consent at any time. This will not affect anything we have done before you withdrew it.
  • Automated decisions: If a decision affecting you is made solely by automated means, we will tell you. You can ask to put your point of view and to have the decision reviewed by a person.
  • Data security breaches: If we suffer a personal data security breach that is likely to pose a high risk to your rights, we will inform you as quickly as possible and tell you what happened, what the likely consequences are, and what steps we have taken or plan to take. We will also report the breach to the Federal Data Protection and Information Commissioner (FDPIC).

Please be aware that these rights may be restricted, deferred or refused in individual cases — for example, where a formal law requires it (including to protect professional secrecy or to comply with mandatory retention obligations), where overriding interests of third parties make it necessary, or where a request is clearly unfounded or abusive. We will always tell you the reason if we limit or refuse a request.

If you wish to exercise one of your rights or have questions about the processing of your personal data, please contact our customer services or our dental practice personnel or use the contact details provided in Section 15 below.

In addition, you are free to lodge a complaint with a competent supervisory authority if you believe that the processing of your personal data may be in breach of applicable law. The competent supervisory authority in Switzerland is the Federal Data Protection and Information Commissioner (FDPIC), Feldeggweg 1, 3005 Bern, Switzerland (www.edoeb.admin.ch).

15. How can you contact us?

If you have any questions or concerns relating to this Privacy Notice or the processing of your personal data, please contact us by post at swiss smile Schweiz AG, Bahnhofstrasse 110, CH-8001 Zurich or by e-mail at datenschutz@swiss-smile.com and/or by telephone +41 43 300 10 01.

You may also contact our Group Data Protection Officer using the following contact details:
Group Data Protection Officer, Colosseum AG, Talstrasse 70, 8001 Zurich e-mail: dataprotection@colosseumdental.com

Last updated: 14 April 2026