Privacy Policy

Last updated: 25 June 2026

This Privacy Policy explains how Oralink processes personal data when you visit our website, contact us, or interact with an AI-assisted communication and booking assistant operated by Oralink on behalf of a service business. It also describes your rights under the EU General Data Protection Regulation (GDPR) and how to exercise them.

1. Who is responsible for your data

Oralink ("Oralink", "we", "our", "us") is the controller for personal data processed through this website and for data processed by our own systems for the purpose of providing the Oralink service. When Oralink operates an AI assistant on behalf of a service business (the "Client"), the Client is generally the controller of the end-customer conversations and booking data, and Oralink acts as a processor on the Client's instructions.

2. How to contact us about privacy

For any privacy question, request, or complaint, contact us at contact@oralink.ee.

3. Service description

Oralink provides AI-assisted communication and booking systems for service businesses. The assistant can answer customer enquiries, share information about services, help select an appropriate service, collect booking information, check availability, create or manage appointments, send confirmations, and transfer complex questions to a human representative.

4. Personal data we may process

  • Instagram username and account ID
  • Messages sent through Instagram Direct
  • Telephone number
  • Name
  • Requested service
  • Preferred appointment date and time
  • Booking details
  • Conversation history with the assistant
  • Language preference
  • Technical identifiers and webhook event data
  • Any other information voluntarily provided by the user

5. Why we process personal data

  • Answer customer enquiries
  • Provide information about services
  • Collect booking information
  • Check appointment availability
  • Create or manage appointments
  • Send confirmations
  • Transfer complex questions to a human
  • Maintain security and prevent misuse

6. Legal bases (GDPR Article 6)

  • Performance of a contract (Art. 6(1)(b)) — to respond to your enquiry and create or manage a booking.
  • Legitimate interests (Art. 6(1)(f)) — to operate the assistant securely and improve reliability.
  • Consent (Art. 6(1)(a) and Art. 9(2)(a) for sensitive data) — including health-related information.
  • Legal obligation (Art. 6(1)(c)) — where we must retain or disclose data to comply with law.

7. Health-related information

For some Clients, the assistant may ask limited safety or contraindication questions when required before a booking. Health-related information is sensitive personal data under GDPR and is processed only when voluntarily provided. The AI does not diagnose or provide medical advice — complex cases are routed to a human.

8. Automated processing

AI is used to interpret messages, prepare responses, structure booking information, and route enquiries. Important medical, safety-related, or otherwise exceptional decisions are not made solely by automated processing.

9. Service providers (processors)

  • Meta Platforms and Instagram (messaging and account identifiers)
  • Make (workflow automation)
  • OpenAI (language model processing)
  • Google Calendar and other Google services (scheduling)
  • Telephony and messaging providers
  • Hosting, database, security, and infrastructure providers

10. International data transfers

Some service providers may process personal data outside the EEA. Where this happens, appropriate safeguards are used as required by GDPR, such as adequacy decisions or Standard Contractual Clauses.

11. Data retention

Personal data is retained only for as long as necessary for the purpose for which it was collected, to fulfil contractual obligations, to maintain security, or to comply with legal requirements.

12. Security

We use reasonable technical and organisational measures appropriate to the nature of the data and the risks involved, including access controls and encryption in transit.

13. No sale of personal data

Oralink does not sell personal data to advertisers.

14. Your GDPR rights

  • Access to your personal data
  • Correction of inaccurate data
  • Deletion ("right to be forgotten")
  • Restriction of processing
  • Data portability
  • Object to processing based on legitimate interests
  • Withdraw consent at any time
  • Lodge a complaint with the competent data protection authority

15. Changes to this policy

We may update this Privacy Policy from time to time. The latest version will always be available on this page.

16. Contact

For any privacy-related question or request, please contact contact@oralink.ee.