Last updated: 2026-04-25

Privacy Policy

What personal data ODent collects, why, and what your rights are. Plain English.

This policy explains what personal data ODent collects, how we use it, and what your rights are. It is written in plain English. If anything here is unclear, email lee@odent.app and we will rewrite the section.


1. Who we are

ODent is operated by ODent Limited (in formation), a company registered in England and Wales (company number to be inserted), with registered office to be inserted. We are registered with the Information Commissioner's Office (ICO registration to be inserted) as a data controller for our own business records and as a data processor on behalf of the dental practices that subscribe to our service.

For this policy:

  • "ODent", "we", "us" means ODent Limited (in formation).
  • "Practice" means a dental practice that subscribes to our software.
  • "Patient Data" means personal data about a patient of a Practice that the Practice records in ODent.
  • "Practice Data" means personal data about a Practice's staff, owners and authorised users that they enter into ODent (name, email, role).

2. The controller / processor distinction (it matters)

UK GDPR distinguishes between the data controller (who decides what personal data is processed and why) and the data processor (who processes it on the controller's instructions).

  • For Patient Data, the Practice is the controller and ODent is the processor. We process Patient Data only on the Practice's documented instructions, under the Data Processing Agreement that forms part of the Practice's subscription.
  • For Practice Data (staff accounts, billing contacts, account metadata), ODent is the controller. This policy covers that processing.

If you are a patient of a practice that uses ODent and you want to exercise your data rights (access, rectification, erasure, portability), contact your practice — they are the controller. If your practice is unresponsive, you may also escalate to us and we will assist them in fulfilling the request.


3. What data we collect

Practice Data (we are the controller)

  • Account information — name, email address, role at the Practice, password hash, multi-factor authentication state.
  • Practice information — practice name, address, GDC and CQC numbers, contact details, billing details (handled by Stripe; we store a customer reference, not card numbers).
  • Usage information — sign-in events, IP address at sign-in, browser and device fingerprint at sign-in, which features have been used. We use this for security and for prioritising what to build next.
  • Support correspondence — emails you send us and our replies.

Patient Data (the Practice is the controller; we are the processor)

The categories of Patient Data we hold on a Practice's behalf are determined by the Practice. Typically they include name, contact details, date of birth, medical history, clinical notes, treatment plans, odontogram and periodontal charts, consent records, photos, x-rays, uploaded documents, appointment history, and financial records (invoices and payments).

This data is special-category data under UK GDPR Art. 9 (health data) and is handled accordingly — see Section 4.


4. Lawful basis

Practice Data

  • Art. 6(1)(b) — performance of a contract. We process staff and practice account data because it is necessary to provide the service the Practice has subscribed to.
  • Art. 6(1)(f) — legitimate interests. Sign-in security, fraud prevention, and product analytics (in aggregate, never to profile an individual user) are based on our legitimate interest in running a secure, sustainable service.
  • Art. 6(1)(c) — legal obligation. Financial records (invoices, VAT records) are retained for the period UK tax law requires (see Section 7).

Patient Data

We process Patient Data on behalf of the Practice, on their documented instructions. The Practice's lawful basis for processing patient data is typically:

  • Art. 6(1)(b) — performance of the dentist–patient contract.
  • Art. 9(2)(h) — provision of healthcare and management of healthcare systems by a regulated health professional.

We do not determine the lawful basis for Patient Data — that is the Practice's responsibility under the controller/processor split.


5. Cookies and similar technologies

We use the smallest possible set of cookies. Specifically:

  • Authentication cookies — set by Supabase Auth so you can stay signed in. Marked httpOnly, secure, sameSite=lax. These are strictly necessary; the service does not function without them.
  • CSRF protection cookie — used to validate that form submissions came from your browser session.

We do not use any third-party advertising, analytics or tracking cookies. We do not run Google Analytics. We do not have a Facebook pixel. We do not profile individual users for marketing.

Because we use only strictly-necessary cookies, we do not display a cookie consent banner. If we ever add cookies that require consent, we will add a banner first.


6. Subprocessors

We use a small number of trusted infrastructure providers (subprocessors) to run the service. Each is bound by a data processing agreement. The current list:

Subprocessor | Role | What data they see | Region
Supabase | Database, authentication, file storage | All Practice Data and Patient Data, encrypted at rest | UK / EU
Vercel | Application hosting, edge runtime | Request metadata, application logs (PII-scrubbed); no patient records persisted | UK / EU edge; US-based control plane covered by SCCs / UK IDTA
Stripe | Subscription billing | Practice billing contact, subscription state, payment method (held by Stripe, not by us) | UK / EU; some operational data crosses to the US under SCCs / UK IDTA
Resend | Transactional email (recall reminders, receipts, password resets) — wired pending API key | Email address, message body | EU (with US fallback under SCCs / UK IDTA)

Each provider's own privacy and DPA documentation:

We will give Practices at least 30 days' notice before we add or change a subprocessor that handles Patient Data, with the right to object as set out in the DPA.


7. Data retention

Data | Retention
Patient Data | For as long as the Practice tells us to keep it. The Practice is the controller and decides. On request, we delete it under GDPR Art. 17 — usually within 30 days.
Practice account data | For the lifetime of the subscription, plus 60 days after cancellation to allow data export, then deleted.
Financial records (invoices, VAT records, billing history) | 6 years from the end of the relevant accounting period, per HMRC's standard requirement.
Audit log entries | 7 years — long enough to satisfy a Subject Access Request relating to historic processing or a regulatory enquiry.
Database backups | Point-in-time recovery covers the last 30 days. Data deleted from production rolls off backups within this window.
Sign-in logs | 90 days.
Support correspondence | 3 years.

If you cancel your subscription, you have 60 days to export your data. After 60 days we GDPR-delete; we do not retain hostage-style copies.


8. Your rights

You have the rights set out in UK GDPR Articles 15–22:

  • Art. 15 — Access. A copy of your personal data and the categories we process. For staff accounts, ask us. For patient records, ask the Practice — they can produce a Subject Access Response in minutes from the per-patient activity tab in ODent.
  • Art. 16 — Rectification. Correction of inaccurate data. Staff accounts: from your profile page or by emailing us. Patient records: via the Practice.
  • Art. 17 — Erasure. Deletion of your personal data, subject to legal obligations we have to retain certain financial records. The Practice can erase a patient with a one-click cascade in ODent that anonymises retained financial rows.
  • Art. 18 — Restriction of processing. Pause processing in specific scenarios.
  • Art. 20 — Portability. A copy of your data in a structured, machine-readable format. Patients receive a ZIP containing a JSON record, a human-readable Markdown summary, signed consent PDFs, photos and uploaded documents.
  • Art. 21 — Objection. Object to processing based on legitimate interests; we will weigh your interests against ours.
  • Art. 22 — Automated decision-making. ODent does not make automated decisions with legal or similarly significant effect about you.

To exercise any right that relates to your staff account or our handling of practice data, email lee@odent.app. We will respond within one calendar month.

To exercise rights relating to patient records, contact the Practice that holds them.

If you are unhappy with how we have handled your data, you may complain to the Information Commissioner's Office at https://ico.org.uk/.


9. International transfers

Patient Data is held in the UK and EU only. We do not transfer Patient Data outside the UK / EU.

Some operational and account metadata (e.g. control-plane logs at our hosting providers, billing telemetry at Stripe) may be processed by US-based infrastructure operated by our subprocessors. Where this happens, the transfer is covered by the UK International Data Transfer Addendum (IDTA) or the EU Standard Contractual Clauses (SCCs) as appropriate, with the additional safeguards described in our subprocessors' own documentation.


10. Security

We take security seriously and have designed for it from the schema up, not bolted it on. The full engineering framework is described in docs/data-segregation.md. In summary:

  • Tenant isolation — every database table is protected by Postgres Row-Level Security driven by a signed JWT claim. One practice's data is never visible to another, even under SQL injection.
  • Encryption — TLS 1.2+ in transit; AES-256 at rest on managed Postgres and storage.
  • Audit log — every meaningful action is recorded with actor, entity, timestamp and a structured diff. Append-only.
  • Access control — service-role database access is confined to a small allowlist of audited paths, enforced by CI guard.
  • Personnel — production access is restricted to two named engineers, logged on the Supabase side. No PII is copied to laptops.
  • Backups — daily snapshots, 30-day point-in-time recovery, encrypted.
  • Incident response — see Section 11.

11. Data breach notification

If we become aware of a personal data breach affecting a Practice's data, we will notify the affected Practice without undue delay and within 72 hours of becoming aware, in line with UK GDPR Article 33. Our notification will describe the nature of the breach, the categories and approximate number of data subjects affected, the likely consequences, and the measures we have taken or propose to take.

We will use the email address on file for the Practice's primary owner account. Practices should keep that address current.


12. Contact

For all data protection matters:

Lee Caller
ODent Limited (in formation)
lee@odent.app

ODent is not currently required to designate a formal Data Protection Officer under UK GDPR Art. 37 at our scale. Lee acts as the data protection point of contact and will refer matters to a qualified DPO or solicitor where appropriate.


13. Changes to this policy

We will post a new version here and update the "Last updated" date. For material changes that affect how we handle Patient Data, we will give Practices at least 30 days' notice by email before the change takes effect.


Honest software for honest practices.