Puls' Zahnmedizin
Back to Journey

Data Privacy and AI: How Paira Protects Your Data in Our Practice

8 min read
Data PrivacyGDPRPatient DataSecurity

Why We Take This So Seriously

When a dental practice introduces an AI receptionist, the first question from patients is rarely about features or convenience. It is about trust. Where does my data go? Who can see it? Is it safe?

These are exactly the right questions to ask, and at Pul's Zahnmedizin, we welcome them. Patient data in a dental practice is among the most sensitive information that exists: health records, insurance details, personal identification, medical histories. Under the General Data Protection Regulation (GDPR) and Germany's Federal Data Protection Act (BDSG), this data requires the highest level of protection. Adding AI to the mix does not lower that bar -- it raises it.

We designed our AI receptionist Paira with data privacy as a foundational principle, not an afterthought. Here is exactly how we protect your information.

On-Premise Architecture: Your Data Never Leaves the Building

The single most important architectural decision behind Paira is that she runs entirely on our own infrastructure within the WiloHealthCube in Dortmund-Hörde. This is what the industry calls an "on-premise" deployment.

What does this mean for you in practical terms?

  • No cloud processing: Your conversations with Paira are not sent to servers operated by Google, Amazon, Microsoft, or any other cloud provider. Everything happens right here, within our practice.
  • No transatlantic data transfers: Your health information never crosses borders. It stays in Germany, in our building, on our hardware.
  • No third-party access: No external company has access to the data Paira processes. The infrastructure is owned and maintained by our practice and our technology partner Bodo Tech.

This approach is more complex and more expensive than simply using a cloud-based AI service. We chose it deliberately because we believe patient data protection in healthcare is non-negotiable.

Encryption at Every Layer

Data protection is not just about where data is stored. It is about how it is protected at every stage of its lifecycle.

Data in Transit

Every piece of information exchanged between Paira and our practice systems is encrypted using TLS 1.3, the most current transport encryption standard. This means that even within our own network, data cannot be intercepted or read by unauthorised parties.

Data at Rest

Any data that is stored temporarily during your visit is encrypted using AES-256-GCM, a military-grade encryption standard. Even if someone were to physically access our storage hardware, the data would be unreadable without the proper encryption keys.

Access Controls

Access to Paira's systems and the data she processes is strictly limited to authorised practice personnel. We use role-based access controls, meaning that each team member can only access the information relevant to their specific responsibilities. Every access event is logged for audit purposes.

Data Minimisation: We Collect Only What Is Necessary

GDPR enshrines a principle called data minimisation: organisations should only collect and process the minimum amount of personal data necessary for a specific, stated purpose. We take this principle seriously.

When you interact with Paira during check-in, she collects only the information needed for that specific visit:

  • Identity verification: Name and date of birth to match you with your patient record
  • Insurance information: Insurance provider and card data required for billing
  • Visit-specific details: The reason for your appointment and any pre-treatment information relevant to today's procedure
  • Contact information: Only if not already on file, and only for communication directly related to your care

Paira does not collect browsing habits, location data, social media profiles, or any other information unrelated to your dental care. She does not build advertising profiles. She does not sell data. There is no hidden data monetisation.

Conversation Data: Not Permanently Stored

One of the most common concerns about AI assistants is whether conversations are recorded and stored indefinitely. With Paira, the answer is clear: no.

Conversation data is processed in real time to handle your check-in and answer your questions. Once your interaction is complete and the relevant information has been transferred to your patient record (with the same protections that apply to all medical records), the conversation itself is not retained.

We do not train AI models on your conversations. We do not use your interactions to improve algorithms for other companies. Your dialogue with Paira serves one purpose: making your visit to our practice as smooth and efficient as possible.

GDPR Compliance: What the Law Requires and How We Exceed It

The GDPR establishes specific requirements for processing personal data, especially health data, which falls under the special categories described in Article 9. Here is how Paira's implementation addresses these requirements:

| GDPR Requirement | Our Implementation | |---|---| | Lawful basis for processing | Paira processes data based on the treatment contract between patient and practice (Art. 6(1)(b) and Art. 9(2)(h) GDPR) | | Purpose limitation | Data collected by Paira is used exclusively for reception and check-in purposes | | Data minimisation | Only information necessary for the specific visit is collected | | Accuracy | Patients review and confirm their data during check-in | | Storage limitation | Conversation data is not permanently stored; patient record data follows standard medical retention periods | | Integrity and confidentiality | AES-256-GCM encryption, TLS 1.3, role-based access controls | | Transparency | Patients are informed they are interacting with AI and can review our privacy policy at any time | | Right of access | Patients can request a copy of all data we hold about them | | Right to erasure | Patients can request deletion of their data, subject to legally required medical record retention periods |

The KBV Guidelines and AI in Medical Practices

In 2025, the National Association of Statutory Health Insurance Physicians (KBV) published comprehensive guidance on the use of AI in medical practices. This guidance addresses technical requirements, legal obligations, and ethical considerations for AI systems that interact with patient data.

Our implementation of Paira follows these guidelines. Our clinical and administrative staff receive training on proper interaction with AI systems, covering technical operation, legal responsibilities, and ethical boundaries. We maintain documentation of our AI systems, their purposes, and their data processing activities as required by both the KBV guidance and the EU AI Act.

Transparency Is Not Optional

We believe patients deserve to know exactly how their data is handled. That is why:

  • Paira clearly identifies herself as AI: There is never any ambiguity about whether you are speaking with a machine or a human.
  • Privacy information is available on request: You can ask Paira about our data protection practices, and she will provide clear, accurate information.
  • Human alternative is always available: If you prefer not to interact with AI, our human team is available to assist you with all reception tasks.
  • Our full privacy policy is accessible: Detailed information about data processing is available at our practice and on our website.

A Standard We Hold Ourselves To

Implementing AI in a dental practice comes with responsibility. We could have taken the easier path: a cloud-based chatbot, off-the-shelf solutions, minimal customisation. It would have been cheaper and faster.

We chose the harder path because we believe that when patients trust us with their health, they are also trusting us with their data. That trust must be earned with every architectural decision, every encryption layer, and every policy we implement.

Paira is not just an AI receptionist. She is a reflection of how seriously we take your privacy.

If you have questions about data protection at our practice, contact us at info@pulszahnmedizin.de. We are happy to explain our approach in detail.

Frequently Asked Questions

Does Paira record and store my conversations?

No. Paira processes your conversation in real time to handle check-in and answer your questions. Once your interaction is complete and any relevant information has been transferred to your patient record, the conversation itself is not permanently stored. We do not use your conversations to train AI models or share them with third parties.

Where is my data physically stored when I interact with Paira?

All data is processed and stored on our own on-premise infrastructure within the WiloHealthCube in Dortmund. Nothing is sent to external cloud servers, and no data leaves Germany. This on-premise architecture means your information remains under the direct control of our practice at all times.

What happens if I do not want to interact with an AI system?

You are never required to use Paira. If you prefer human assistance for check-in or any other reception task, our team is available to help you directly. We offer Paira as an option to improve convenience and efficiency, but the choice is always yours. Your care will not be affected regardless of your preference.

How does Paira comply with GDPR when processing my health data?

Health data falls under GDPR Article 9 as a special category requiring additional protections. Paira processes this data under the legal basis of the treatment contract (Art. 9(2)(h) GDPR). We implement data minimisation, purpose limitation, AES-256-GCM encryption, TLS 1.3 transport security, and role-based access controls. Patients retain all GDPR rights including access, rectification, and erasure, subject to legally required medical record retention periods.