Privacy Policy
Privacy Policy — Zermmi
Last updated: October 16, 2025
Zermmi is practice management software for dental clinics, published by Blue Lantern Sàrl. We process personal data responsibly, in accordance with the Swiss Federal Data Protection Act (FDPA, 2023) and, where applicable, the GDPR.
This policy explains what data we process, for what purposes, how and where it is used, as well as the rights of data subjects.
1. Contact
Blue Lantern Sàrl
Email: privacy@zermmi.com
Website: https://www.zermmi.com — Application: https://app.zermmi.com
2. Roles and Scope
- Public website (zermmi.com): Zermmi acts as data controller (prospects, customers, forms, analytics).
- Application (app.zermmi.com):
  - For patient data managed by clinics, Zermmi acts as data processor; the dental clinic is the data controller.
  - For clinic accounts, billing, and support, Zermmi is the controller.
A Data Processing Agreement (DPA) governs the relationship with each clinic. Our DPA and the list of subprocessors are available upon request or via /legal/subprocessors.
3. Categories of Data Processed (Concise Level)
- Visitors / prospects (website): contact information provided via forms, preferences, technical information (e.g., IP address, browser type), and aggregated usage data.
- Customers (clinics) & staff: identity and professional contact details, login credentials (hashed), account settings, support communications, contractual and billing data.
- Patients (in app, on behalf of clinics): basic data, appointments, records and health data, clinical and billing/insurance documents, communications and reminders if enabled by the clinic.
- Technical logs: security events, diagnostics, access logs.
4. Purposes and Legal Bases
- Service provision (PMS), hosting, backups, disaster recovery.
- Security (incident prevention and detection, audit logs).
- Customer support, data import on mandate.
- Billing/subscriptions, operational communications.
- Reminders via email/SMS/WhatsApp if enabled (the clinic remains responsible for obtaining required consents).
- Product improvement and aggregated/anonymized statistics.
Bases: contract performance, legitimate interests, legal obligations; consent where required (e.g., non-essential cookies, B2B marketing).
5. Hosting, Location, and External Services
- Database and application storage: hosted with Supabase in Switzerland (Zurich region). Customer primary data (including patient data) resides in Switzerland.
- Application hosting / CDN: the web application may be served via cloud infrastructure where traffic may transit outside Switzerland, without moving the main database.
- Messaging (e.g., SMS/WhatsApp, email): if a clinic enables these features, some data (contact details, message content) may be processed in the EU/US depending on provider regions.
- The list and location of our subprocessors are published at /legal/subprocessors (or provided upon request).
6. Cookies and Similar Technologies
- Public website: necessary cookies (e.g., language, security) and, where applicable, limited audience measurement. Non-essential cookies require consent.
- Application: no third-party trackers for the PMS; secure authentication cookie (mandatory) and local storage for interface preferences.
7. Security
Technical and organizational measures appropriate to the risk: encryption in transit (TLS) and at rest, access controls (RBAC/fine-grained policies), audit logs of significant actions, automated backups and restoration tests, prod/staging separation, vulnerability and credential management.
8. Retention
- Patient data (processor role): duration defined by the clinic according to applicable law; Zermmi applies deletion/anonymization instructions.
- Customer data (contract, billing, support): during the contractual relationship then for applicable Swiss legal retention periods (e.g., accounting documents).
- Technical logs: retained for a limited duration proportionate to security needs.
9. Data Subject Rights
- Clinics & staff: rights of access, rectification, erasure, objection/restriction, portability — within legal limits. Contact: privacy@zermmi.com.
- Patients: for data managed by your clinic, please contact the clinic directly (data controller). Zermmi assists the clinic in processing your request.
10. Changes
We may update this policy in case of legal, technical, or operational developments. In case of substantial changes, appropriate notice will be provided (e.g., email or in-app message). The published version prevails.
Additional Mentions Suggested (Footer or Separate Legal Page)
- /legal/dpa — Data Processing Agreement (upon request).
- /legal/subprocessors — List of subprocessors (country/region, purpose).
- /legal/cookies — Cookie policy (public website).