Legal

GDPR & Data Processing

Draft for legal review. The text below is placeholder content reflecting our intended approach. It is not yet a substitute for legal advice.

Controller / processor

Under UK GDPR, the dental practice is the controller of patient data. DentaCall acts as a processor and signs a Data Processing Agreement (DPA) with every practice before going live.

Data residency

Patient data is processed and stored within the United Kingdom. Where sub-processors are based outside the UK, transfers rely on appropriate safeguards including the UK IDTA.

SMS consent

The first SMS to any caller clearly identifies the practice and offers an unsubscribe path. Consent is captured at first contact and recorded against the contact in the CRM, with a full audit trail.

Data subject rights

Patients can exercise their rights of access, rectification, erasure, restriction and portability via the practice. DentaCall provides tools to respond to these requests within UK GDPR statutory timeframes.

Sub-processors

We maintain a published list of sub-processors and notify customers in advance of any material change.

Breach notification

In the unlikely event of a personal-data breach affecting a customer, we notify the affected practice without undue delay and in any event within 72 hours of becoming aware.