Legal

GDPR & Data Protection

1. Our Commitment to Data Protection

Dentelyx is committed to protecting personal data and maintaining compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. Data protection is built into the design of the Dentelyx platform from the ground up.

This page explains how we approach GDPR compliance as both a data controller (for our own operational data) and a data processor (when processing patient data on behalf of clinic partners).

2. Data Controller Information

Dentelyx is registered as a data controller with the Information Commissioner's Office (ICO).

Where Dentelyx processes patient data on behalf of a clinic partner, the clinic is the data controller and Dentelyx acts as the data processor. A Data Processing Agreement (DPA) is in place between Dentelyx and each clinic partner, as required by UK GDPR Article 28.

3. Data Processing Activities

Dentelyx processes the following categories of personal data as part of providing the platform to dental clinic partners:

3.1 Clinic partner data (as data controller)

3.2 Patient data (as data processor on behalf of clinic partners)

Dentelyx does not access, sell, or share patient data for any purpose other than providing the contracted services to the relevant clinic partner.

4. Lawful Basis for Processing

We rely on the following lawful bases under UK GDPR:

For patient data, the lawful basis is determined by the clinic partner as data controller. Clinics are responsible for ensuring they have an appropriate lawful basis (such as legitimate interests or explicit consent) before using Dentelyx to contact patients via SMS.

5. Data Subject Rights

Under UK GDPR, individuals whose data we process have the following rights:

To exercise any of these rights, contact us at qasim@dentelyx.co.uk. We will respond within 30 calendar days.

For patient data processed on behalf of a clinic partner, requests should be directed to the relevant clinic as data controller. We will assist clinics in responding to such requests as required by UK GDPR Article 28.

6. Data Retention

We retain personal data only for as long as necessary for the purposes for which it was collected:

7. Security Measures

We implement appropriate technical and organisational measures to protect personal data against unauthorised access, loss, or destruction:

8. International Data Transfers

Some of our third-party infrastructure providers may process data outside the UK. Where international transfers occur, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) or equivalent mechanisms recognised by the ICO, in accordance with UK GDPR Chapter V.

Third-party providers involved in data processing include Twilio (SMS), Supabase (database), and Vercel (hosting). Each maintains their own GDPR compliance programmes.

9. Data Breach Procedures

In the event of a personal data breach that is likely to result in risk to individuals, we will notify the ICO within 72 hours of becoming aware, as required by UK GDPR Article 33. Where the breach is likely to result in high risk to individuals, we will also notify those individuals without undue delay.

Clinic partners will be notified of any breach involving their data as soon as reasonably practicable to enable them to fulfil their own notification obligations.

10. Contact & Complaints

For any data protection enquiries, contact us at:

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK supervisory authority for data protection: