Dental Marketing Ltd
Company Registration Number: 16344607
Registered Address: 20 Wenlock Road, London, N1 7GU
1. Introduction
This Privacy Policy explains how Dental Marketing Ltd (“we”, “us”, “our”) collects, uses, stores, and protects personal data in connection with our products and services: Perpetua (AI clinical note-taking), Practice Intelligence (business intelligence for dental practices), and Nurtura (dental CRM built on GoHighLevel), collectively referred to as “the Services”.
We are committed to protecting personal data in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and all applicable data protection legislation.
This Privacy Policy is intended for two audiences:
- Practice customers -- dental practice owners, managers, and staff who subscribe to and use our Services. We have a direct relationship with you, and we act as data controller for your account and business information.
- Patients and other individuals whose personal data is processed through our Services on behalf of dental practices. In this context, the dental practice is the data controller for your personal data, and we act as a data processor on their behalf.
If you are a patient, your dental practice is responsible for how your personal data is used. Questions about your personal data should be directed to your dental practice in the first instance. We explain this further in Section 4 below.
2. Who We Are
We are Dental Marketing Ltd, a company registered in England and Wales.
- Company number: 16344607
- Registered address: 20 Wenlock Road, London, N1 7GU
- Data protection contact: Ope Sodeinde, ope@dental-marketing.io
We have assessed our obligation to appoint a Data Protection Officer under Article 37 of the UK GDPR and are not currently required to do so. We will reassess this when our client base exceeds twenty dental practices.
3. Data We Collect Directly (as Data Controller)
When a dental practice subscribes to our Services, we collect and process personal data about the practice and its team as a data controller. The lawful bases for this processing are set out in Section 5.
3.1 Practice Account Information
When you register for our Services, we collect:
- Full name of the account holder
- Email address
- Telephone number
- Practice name and address
- Job title or role within the practice
3.2 Billing and Payment Information
We collect billing details necessary to process subscription payments. Payment card details are processed by our payment provider, Stripe. We do not store full card numbers on our own systems.
3.3 Usage Data
We collect information about how you and your team use the Services, including:
- Features accessed and frequency of use
- Number of clinical notes generated
- AI usage metrics (e.g. token counts, processing times -- no clinical content is stored in usage records)
- Error logs and system performance data
3.4 Communications
We retain records of communications between you and us, including:
- Support emails and enquiries
- Feedback and feature requests
- Correspondence relating to your account
3.5 Security and Login Data
When you sign in to the Services, we collect limited technical data for security purposes:
- Device fingerprint (a non-identifying token used to recognise trusted devices)
- IP address at the point of login
- Browser user agent string
This data is used solely for device verification, login security, and audit logging. We do not use it for analytics, profiling, or tracking. It is not shared with any third party.
3.6 Supplier and Contractor Data
Where we engage suppliers or contractors, we may hold their contact details (name, email address, telephone number) and payment information for invoicing purposes. The lawful basis for this processing is Article 6(1)(b) (performance of a contract) and Article 6(1)(f) (legitimate interest in managing our business relationships).
4. Data We Process on Behalf of Dental Practices (as Data Processor)
When practices use our Services, we process personal data about patients and other individuals on their behalf. In this relationship:
- The dental practice is the data controller. The practice determines why and how patient data is processed.
- We are the data processor. We process personal data only in accordance with the practice’s instructions and our Data Processing Agreement (DPA).
If you are a patient or other individual whose data is processed through our Services, your dental practice is your primary point of contact for any questions or requests relating to your personal data. See Section 9 for more detail on exercising your rights.
4.1 Categories of Personal Data Processed
We process the following categories of personal data on behalf of dental practices:
Patient Clinical Data
- Audio recordings of dental consultations (for transcription purposes)
- Transcripts of clinical consultations
- Structured clinical notes, including procedures, findings, medications, and treatment plans
- Treatment letters
- Clinical note version history
- Patient AI chat queries and responses
- Patient experience analysis data
Patient Personal Data
- Full name, date of birth, and address
- NHS number (where provided)
- Contact details (email address, telephone number)
- Allergies, medications, and medical history
- Personal events recorded for patient rapport (e.g. birthdays, family milestones)
Financial Data
- Treatment costs and payment plans included in treatment letters
Lead and Enquiry Data
- Names, email addresses, and telephone numbers of individuals who contact the practice
- Enquiry message content (email, SMS, WhatsApp)
- Conversation history and AI-drafted replies
- CRM contact records, opportunity data, and tags
Job Applicant Data
- Names, email addresses, and application content of individuals applying for roles at the practice
Staff and Clinician Data
- Names, email addresses, and role assignments of practice team members
- Staff development notes, action items, and performance observations from practice meetings
- Meeting transcripts containing references to named individuals
Referring Clinician Data
- Names and practice details of referring dental or medical professionals, as referenced in clinical records
Family Member Data
- Names or references to patients’ family members where recorded in clinical notes or personal events
4.2 Special Category Data
Patient clinical data constitutes special category data (health data) under Article 9 of the UK GDPR. The dental practice, as data controller, relies on Article 9(2)(h) -- processing necessary for the provision of healthcare -- as the lawful basis for this processing. We process this data solely in accordance with the practice’s instructions under our DPA.
4.3 How Patient Data Is Processed
Our Services process patient data for the following purposes, all under the instruction of the dental practice:
- Transcription: Audio recordings of consultations are transcribed using AI speech recognition. Audio recordings are stored securely and deleted 90 days after successful transcription.
- Anonymisation: Transcripts are anonymised before being sent to AI services for processing. Patient names, NHS numbers, contact details, dates of birth, and other identifiers are replaced with pseudonyms. Pseudonym mappings are stored securely to enable de-anonymisation when the practice needs the completed output.
- Clinical note generation: Anonymised transcripts are processed by AI to extract clinical information and generate structured notes and narratives.
- Treatment letter generation: Anonymised clinical data is processed by AI to generate treatment letters, which are de-anonymised only at the point of document creation.
- Quality checking: AI-generated outputs are validated by a separate AI quality-checking step before being presented to the clinician for review.
- Business intelligence: Practice meeting transcripts are processed to extract action items, decisions, staff development notes, and business insights. Transcript data is anonymised before vector embedding.
- Lead management: Inbound enquiries are classified, and AI-drafted responses are composed for practice review and approval before sending.
- Knowledge base indexing: Clinical and practice content is embedded as vector representations for semantic search, using anonymised data.
- CRM operations: Contact records, opportunities, and communications are managed through the CRM platform on behalf of the practice.
In all cases, clinicians retain full control over AI-generated outputs. No clinical note, letter, or communication is finalised or sent without clinician or practice review.
5. Legal Bases for Processing
5.1 Practice Customer Data (we are controller)
| Purpose | Lawful Basis |
|---|---|
| Providing and administering the Services | Article 6(1)(b) -- performance of a contract |
| Processing subscription payments | Article 6(1)(b) -- performance of a contract |
| Responding to support enquiries | Article 6(1)(b) -- performance of a contract |
| Sending service-related communications | Article 6(1)(b) -- performance of a contract |
| Product improvement using anonymised and aggregated data | Article 6(1)(f) -- legitimate interest |
| Marketing to existing customers | Article 6(1)(f) -- legitimate interest (see Section 12) |
| Marketing to prospective customers | Article 6(1)(a) -- consent (see Section 12) |
| Compliance with legal and financial obligations | Article 6(1)(c) -- legal obligation |
| Establishing, exercising, or defending legal claims | Article 6(1)(f) -- legitimate interest |
| Fraud prevention and due diligence | Article 6(1)(f) -- legitimate interest |
5.2 Patient and Other Data (practice is controller, we are processor)
The dental practice determines the lawful basis for processing patient data. Typically:
- Patient clinical data: Article 6(1)(b) (contract for dental care) and Article 9(2)(h) (healthcare provision)
- Lead and enquiry data: Article 6(1)(f) (legitimate interest of the practice in responding to enquiries)
- Staff data: Article 6(1)(b) (employment contract) and Article 6(1)(f) (legitimate interest in practice management)
- Job applicant data: Article 6(1)(b) (steps prior to entering a contract) and Article 6(1)(f) (legitimate interest in recruitment)
We process all such data solely under the practice’s instructions as set out in our DPA.
6. Data Sharing and Sub-Processors
We do not sell personal data to any third party. We share personal data only where necessary to provide the Services, and only with organisations that have appropriate data protection agreements in place.
6.1 Sub-Processors
We use the following sub-processors to deliver the Services. Each sub-processor has a data processing agreement in place, and we regularly review their data protection practices.
| Sub-Processor | Purpose | Location |
|---|---|---|
| Supabase | Database hosting, file storage, authentication | UK (AWS eu-west-2, London) |
| Anthropic (Claude) | AI clinical extraction, note generation, letter generation, quality checking, lead reply composition, business intelligence extraction | US |
| Google Cloud (Gemini) | Vector embedding generation, PDF conversion | US (global processing) |
| AssemblyAI | Audio transcription with speaker identification | US; EU endpoint available (Ireland) |
| GoHighLevel | CRM, messaging (email, SMS, WhatsApp), social media management | US |
| Stripe | Subscription billing and payment processing | US and Ireland (EMEA) |
| Vercel | Web application hosting | US; EU regions available |
| Railway | Audio file assembly (transient processing) | US; EU region available (Netherlands) |
| Slack (Salesforce) | Internal notifications and approval workflows | US |
| Zapier | Integration middleware for device transcript relay | US |
| Microsoft (Graph API) | Practice email access and delivery (Outlook integration) | Regional (UK tenants use UK data centres) |
| Elestio | Workflow automation hosting | EU |
| Resend | System alert and notification emails | US |
6.2 Other Disclosures
We may also share personal data where required:
- To comply with a legal obligation, court order, or regulatory requirement
- To protect our rights, property, or safety, or the rights, property, or safety of others
- In connection with a merger, acquisition, or sale of assets (with appropriate confidentiality protections)
7. International Transfers
Some of our sub-processors are based in the United States and other countries outside the United Kingdom. When personal data is transferred outside the UK, we ensure appropriate safeguards are in place, including:
- UK International Data Transfer Agreement (UK IDTA) or Standard Contractual Clauses (SCCs) approved by the Information Commissioner’s Office
- EU-US Data Privacy Framework (and UK Extension), where the recipient is certified under the framework
- Adequacy decisions, where applicable
The specific safeguards for each sub-processor are as follows:
- GoHighLevel, Zapier, Stripe, Vercel, Slack, Supabase, Google Cloud, Microsoft: Certified under the EU-US Data Privacy Framework (UK Extension). Additional SCCs in place.
- Anthropic: Not certified under the Data Privacy Framework. Transfers are protected by Standard Contractual Clauses and Anthropic’s DPA.
- AssemblyAI, Railway: SCCs in place. EU processing endpoints available and under evaluation for use.
- Elestio: EU-based. No international transfer required.
- Microsoft (Graph API): UK tenants’ data is stored in UK data centres. EU-US DPF certified for any data that transits US infrastructure.
You may request a copy of the relevant transfer safeguards by contacting us at ope@dental-marketing.io.
8. Data Retention
8.1 Data Processed on Behalf of Practices
| Data Type | Retention Period |
|---|---|
| Audio recordings of consultations | Deleted 90 days after successful transcription |
| Transcripts, clinical notes, and treatment letters | Retained for the duration of the practice’s subscription |
| Lead and enquiry data | Retained for the duration of the practice’s subscription |
| Meeting transcripts and business intelligence data | Retained for the duration of the practice’s subscription |
| CRM contact records | Retained for the duration of the practice’s subscription |
On subscription termination: Practices are provided a 30-day window to download and export their data. After this period, all practice data is permanently deleted from our systems. Practices are responsible for exporting records to their Practice Management System during the subscription period.
8.2 Practice Customer Data (we are controller)
| Data Type | Retention Period |
|---|---|
| Account information | Duration of subscription plus 30 days |
| Billing and financial records | 6 years from the date of the transaction (HMRC requirement) |
| Support correspondence | 2 years from the date of the communication |
| Usage data | Duration of subscription, then anonymised |
8.3 Anonymised and Aggregated Data
We may retain anonymised and aggregated data indefinitely for product improvement and research purposes. This data cannot be used to identify any individual.
9. Your Rights
Your rights depend on whether we are acting as data controller or data processor in relation to your personal data.
9.1 If You Are a Patient or Other Individual (we are processor)
Your dental practice is the data controller for your personal data. To exercise any of your data protection rights, please contact your dental practice directly. The practice will liaise with us where necessary to fulfil your request.
We do not have a direct relationship with patients and cannot independently fulfil data subject requests relating to data we process on behalf of a practice.
9.2 If You Are a Practice Customer (we are controller)
You have the following rights under the UK GDPR. To exercise any of these rights, contact us at ope@dental-marketing.io.
Right of Access -- You have the right to request confirmation of whether we process your personal data, and to obtain a copy of that data.
Right to Rectification -- You have the right to request correction of inaccurate or incomplete personal data we hold about you.
Right to Erasure -- You have the right to request deletion of your personal data, subject to any legal obligations that require us to retain it.
Right to Restriction of Processing -- You have the right to request that we restrict the processing of your personal data in certain circumstances, for example where you contest its accuracy.
Right to Data Portability -- You have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to transmit it to another controller.
Right to Object -- You have the right to object to processing based on legitimate interests, including direct marketing. Where you object to direct marketing, we will stop immediately.
Right to Withdraw Consent -- Where processing is based on consent, you may withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal.
Rights Relating to Automated Decision-Making -- We do not make any decisions based solely on automated processing that produce legal effects or similarly significant effects on individuals. All AI-generated clinical content is reviewed and approved by a qualified clinician before use.
We will respond to all data subject requests within one calendar month. If a request is particularly complex, we may extend this by a further two months, and we will inform you of any such extension.
10. Children’s Data
Dental practices may use our Services to record clinical data about patients of all ages, including children. Where a patient is a child, the dental practice (as data controller) is responsible for ensuring that appropriate consent has been obtained from a parent or guardian in accordance with applicable law.
We process children’s data in the same manner as adult patient data -- securely, and only in accordance with the practice’s instructions under our DPA.
The Services are not intended for direct use by children under the age of 13. Under the Data Protection Act 2018, the age of digital consent in the United Kingdom is 13. The Services are accessed by dental professionals, not by patients directly.
11. Cookies and Similar Technologies
Our web application uses essential cookies that are strictly necessary for the application to function. These include:
- Authentication cookies -- to keep you signed in during your session
- Security cookies -- to protect against cross-site request forgery and other threats
- Preference cookies -- to remember your application settings
We do not use third-party advertising or tracking cookies. We do not use cookies to profile users or serve targeted advertisements.
If we introduce any non-essential cookies in the future, we will update this policy and obtain your consent before setting them.
12. Marketing
12.1 Marketing to Existing Practice Customers
We may send you information about our Services, new features, and relevant updates by email. We do so on the basis of legitimate interest (soft opt-in), as you have an existing business relationship with us.
Every marketing communication includes an easy way to unsubscribe. If you opt out, we will stop sending marketing communications promptly. Opting out of marketing will not affect service-related communications necessary for the operation of your account.
12.2 Marketing to Prospective Customers
We will only send marketing communications to prospective customers who have given their consent to receive them. You may withdraw your consent at any time using the unsubscribe mechanism in any marketing email, or by contacting us at ope@dental-marketing.io.
12.3 No Marketing to Patients
We do not send marketing communications to patients. Any communications sent to patients through the Services are sent by and on behalf of the dental practice, not by us.
13. Product Improvement
We analyse anonymised and aggregated data from across the Services to improve our products, identify common clinical workflows, and enhance the accuracy of our AI models. This data is fully anonymised and cannot be used to identify any individual patient, clinician, or practice.
The lawful basis for this processing is legitimate interest (Article 6(1)(f)). We have conducted a legitimate interest assessment and are satisfied that our interest in improving our products does not override the rights and freedoms of data subjects, particularly given that only anonymised data is used.
We do not use identifiable patient data for product development, model training, or any purpose beyond providing the Services to the practice that controls that data.
14. Security
We take the security of personal data seriously and implement appropriate technical and organisational measures to protect it, including:
- Encryption in transit and at rest -- all data is encrypted using industry-standard protocols
- Access controls -- role-based access controls and multi-tenant data isolation ensure that each practice can only access its own data
- Anonymisation -- patient-identifiable data is anonymised before being sent to AI services for processing, with pseudonym mappings stored separately
- Secure audio storage -- audio recordings are stored in private cloud storage buckets with restricted access
- Audit logging -- all data access and modifications are logged for compliance and accountability
- Sub-processor security -- all sub-processors are required to maintain appropriate security measures under their respective DPAs
- Regular review -- we regularly review and update our security practices
If you become aware of any security incident affecting data processed through our Services, please contact us immediately at ope@dental-marketing.io.
15. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our Services, legal requirements, or business practices. Where we make material changes, we will notify practice customers by email or through the Services before the changes take effect.
We encourage you to review this Privacy Policy periodically. The “Last updated” date at the top of this document indicates when it was most recently revised.
16. How to Contact Us
If you have any questions about this Privacy Policy, or wish to exercise your rights as a practice customer, please contact us:
Dental Marketing Ltd
20 Wenlock Road, London, N1 7GU
Email: ope@dental-marketing.io
17. Complaints
If you are not satisfied with how we have handled your personal data, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO):
Information Commissioner’s Office
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Website: www.ico.org.uk
Telephone: 0303 123 1113
We would appreciate the opportunity to address your concerns before you contact the ICO, so please reach out to us first at ope@dental-marketing.io.