Privacy notice
How we handle patient data
Last updated: 2026-05-15 · Version v1.0 (operator-side)
This is the operator-side privacy notice. Each pilot clinic has its own per-clinic variant naming the clinic as the data controller and our company as the data processor.
Draft — pending solicitor review. This notice is published for transparency during the pilot stage and will be reviewed and finalised by a UK solicitor before any production launch with real patient data.
Who we are
Dental AI Receptionist is a text-first missed-call recovery service for UK dental clinics. We act as a data processor on behalf of each clinic; the clinic is the data controller for all patient data. The clinic signs a Data Processing Agreement before any real patient SMS flows.
What we process
- Patient phone number
- SMS body text (inbound and outbound)
- Triage classification (urgency, category, summary)
- Opt-out flag and timestamp
- Conversation timestamps and audit events
Lawful basis
UK GDPR Art. 6(1)(b) — performance of pre-contractual steps where the patient initiates the SMS exchange — and Art. 6(1)(f) legitimate interests of the clinic in following up missed enquiries. Special category (health) data is processed under Art. 9(2)(h) — provision of health care, performed by the clinic. Full DPIA on file.
What we never do
- Diagnose, prescribe, or give clinical advice.
- Book appointments without reception confirmation.
- Train AI models on patient data (OpenAI request-scoped, not stored).
- Read your Practice Management System (EXACT / R4+ / Dentally).
- Pretend to be a person — first SMS opens "a receptionist will review this."
Sub-processors
Vercel (EU) hosting, Supabase (EU Frankfurt) database + auth, Twilio (EU Ireland) SMS delivery, OpenAI (USA) classification — only the current SMS body, not stored for training, optional. Stripe (USA) billing — no patient data. Sentry (EU, optional) error monitoring — no SMS bodies, no phone numbers. Upstash (EU, optional) rate-limit counters — no patient data. Resend (EU, reserved) email. Full sub-processor list in the DPA.
Data residency
All patient data at rest is held in the EU (Supabase Frankfurt). Twilio routes via EU Ireland. OpenAI processes the inbound SMS body in the USA under its UK GDPR DPA + Standard Contractual Clauses. Clinics that decline US transfer can run with OpenAI disabled; the deterministic fallback handles every category.
Retention
24 months from last activity for patient records and audit events; 12 months for callback requests; clinic-staff records retained while the staff member is active. Each clinic may negotiate a shorter retention in the DPA.
Opt-out
Patients may text STOP, STOPALL, UNSUBSCRIBE, CANCEL, END, or QUIT (any case) at any time. The system stops sending automated SMS to that number immediately, sends a one-line confirmation, and writes an audit event. Patients opt back in by texting START.
Data subject rights (UK GDPR)
Patients may request access, rectification, erasure, restriction, portability, or objection. Requests should be made to the clinic (controller). The clinic forwards to the operator's DPO contact within 5 working days; we respond within the 30-day statutory deadline. Erasure procedure is documented in our retention policy.
ICO complaint
If you believe your rights have been breached you may complain to the UK Information Commissioner's Office at ico.org.uk/make-a-complaint. The operator's ICO registration number will appear here once issued.
Safety contract
Red-flag wording for emergencies (facial swelling, difficulty breathing or swallowing, heavy bleeding) is fixed text written by clinical reviewers, sent before any AI call. Reception remains in control and can pause the AI on any conversation or clinic-wide. Three layers of defence — deterministic red-flag rule, safety guard on every outbound, and a 30-second kill switch.
Status
Pilot stage. UK only. This page reflects the operator-side notice. Each pilot clinic publishes a per-clinic patient-facing variant with their own contact details and ICO registration number.
Pilot stage. This notice has been reviewed informally per the Mode 2 process (see compliance/COMPLIANCE_MODES.md). When the product reaches Mode 3 (multiple paying clinics), a paid solicitor review will replace this version.