Legal
GDPR & Data Protection
1. Our Commitment to Data Protection
Dentelyx is committed to protecting personal data and maintaining compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. Data protection is built into the design of the Dentelyx platform from the ground up.
This page explains how we approach GDPR compliance as both a data controller (for our own operational data) and a data processor (when processing patient data on behalf of clinic partners).
2. Data Controller Information
Dentelyx is registered as a data controller with the Information Commissioner's Office (ICO).
- Company name: Dentelyx
- Contact email: qasim@dentelyx.co.uk
Where Dentelyx processes patient data on behalf of a clinic partner, the clinic is the data controller and Dentelyx acts as the data processor. A Data Processing Agreement (DPA) is in place between Dentelyx and each clinic partner, as required by UK GDPR Article 28.
3. Data Processing Activities
Dentelyx processes the following categories of personal data as part of providing the platform to dental clinic partners:
3.1 Clinic partner data (as data controller)
- Name, email address, and contact details of clinic staff and administrators
- Account and authentication data
- Billing and payment information (processed via our payment provider)
3.2 Patient data (as data processor on behalf of clinic partners)
- Patient phone numbers from missed call events
- Patient names provided voluntarily via SMS conversation
- Enquiry type and appointment preference information
- SMS conversation transcripts between patient and automated system
Dentelyx does not access, sell, or share patient data for any purpose other than providing the contracted services to the relevant clinic partner.
4. Lawful Basis for Processing
We rely on the following lawful bases under UK GDPR:
- Contract (Article 6(1)(b)): Processing necessary to perform our service agreement with clinic partners
- Legitimate interests (Article 6(1)(f)): Improving the platform, detecting fraud, and ensuring platform security
- Legal obligation (Article 6(1)(c)): Complying with applicable UK law
For patient data, the lawful basis is determined by the clinic partner as data controller. Clinics are responsible for ensuring they have an appropriate lawful basis (such as legitimate interests or explicit consent) before using Dentelyx to contact patients via SMS.
5. Data Subject Rights
Under UK GDPR, individuals whose data we process have the following rights:
- Right of access (Article 15): Request a copy of personal data held
- Right to rectification (Article 16): Request correction of inaccurate data
- Right to erasure (Article 17): Request deletion of personal data
- Right to restriction (Article 18): Request limits on how data is used
- Right to portability (Article 20): Receive data in a portable format
- Right to object (Article 21): Object to certain processing activities
To exercise any of these rights, contact us at qasim@dentelyx.co.uk. We will respond within 30 calendar days.
For patient data processed on behalf of a clinic partner, requests should be directed to the relevant clinic as data controller. We will assist clinics in responding to such requests as required by UK GDPR Article 28.
6. Data Retention
We retain personal data only for as long as necessary for the purposes for which it was collected:
- Clinic partner account data: Retained for the duration of the subscription and for 90 days following termination
- Patient lead and conversation data: Retained for the duration of the clinic's subscription, and deleted upon request or account closure
- Billing records: Retained for 7 years in accordance with financial record-keeping requirements
7. Security Measures
We implement appropriate technical and organisational measures to protect personal data against unauthorised access, loss, or destruction:
- Data encrypted in transit using TLS
- Data encrypted at rest in our database infrastructure
- Role-based access controls limiting data access to authorised personnel
- Clinic data isolation — each clinic can only access their own data
- Regular security reviews and dependency updates
- HTTP-only secure cookies for session management
8. International Data Transfers
Some of our third-party infrastructure providers may process data outside the UK. Where international transfers occur, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) or equivalent mechanisms recognised by the ICO, in accordance with UK GDPR Chapter V.
Third-party providers involved in data processing include Twilio (SMS), Supabase (database), and Vercel (hosting). Each maintains their own GDPR compliance programmes.
9. Data Breach Procedures
In the event of a personal data breach that is likely to result in risk to individuals, we will notify the ICO within 72 hours of becoming aware, as required by UK GDPR Article 33. Where the breach is likely to result in high risk to individuals, we will also notify those individuals without undue delay.
Clinic partners will be notified of any breach involving their data as soon as reasonably practicable to enable them to fulfil their own notification obligations.
10. Contact & Complaints
For any data protection enquiries, contact us at:
- Email: qasim@dentelyx.co.uk
You also have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK supervisory authority for data protection:
- Website: ico.org.uk
- Telephone: 0303 123 1113