Using Dentalreel in line with GDC, ASA and UK GDPR
A compliance reference for UK dental practices using the Dentalreel smile simulation widget.
Summary
Dentalreel is designed to comply with the regulatory frameworks that govern UK dental advertising and patient data. This page explains how the product is structured to keep your practice compliant, what your obligations are as the data controller, and what documentation we provide to support you in the event of a regulatory query.
The headline points:
- The widget produces clearly-labelled simulations, not treatment outcome guarantees
- The on-screen disclaimer is permanent and cannot be removed by the practice
- Every patient gives explicit consent before seeing their simulation, with full audit logs
- You are the data controller; we are your processor under a GDPR-compliant DPA
- Patient images are deleted within 1 hour; lead data within 30 days; audit logs retained for 5 years
GDC Standards for the Dental Team
The relevant standards for digital marketing tools are:
Principle 1 — Put patients' interests first
Standard 1.3.2 requires that you do not "exploit the trust, vulnerability or relative lack of knowledge of your patients" and do not "raise expectations which cannot be fulfilled."
How the widget complies: the simulation is framed throughout as an aesthetic projection, not a treatment outcome. The patient sees the disclaimer before consenting, sees it again on every rendered image, and is required to attend a consultation to determine what is actually achievable for them. We do not produce material that suggests guaranteed results.
Principle 2 — Communicate effectively with patients
Standard 2.1 requires effective communication and the avoidance of overstated treatment outcomes.
How the widget complies:the consent flow uses plain English, the disclaimers are written for lay readers, and the language throughout positions the tool as a "preview" or "simulation" rather than a forecast.
GDC Guidance on Advertising (September 2013)
The Guidance requires that all marketing material is "legal, decent, honest and truthful" and prohibits material that is "false, misleading, or has the potential to mislead."
How the widget complies: the simulation is honestly labelled as such. No claim is made about specific treatment outcomes. The patient is directed to a consultation as the appropriate next step. The framing is consistent across the patient flow, the disclaimers, and the marketing copy we provide to practices.
Precedent: Invisalign SmileView
Invisalign's SmileView, launched in 2019, is an AI smile simulation tool that has been running on UK practice websites for several years. It uses the same architecture as Dentalreel (AI generation, prospective patient, marketing-stage interaction). Thousands of GDC-registered practices use it. There has been no GDC enforcement action against the tool or the practices using it.
This establishes that AI smile simulation, properly disclaimed and framed as a marketing visualisation, is not a breach of GDC standards. Dentalreel is built to the same compliance standard with stricter, non-removable disclaimers and full audit logs.
ASA / CAP Code
The Advertising Standards Authority enforces the CAP Code across all UK advertising. The relevant rules for dental marketing are:
- Rule 3.1 — advertisements must not materially mislead
- Rule 3.7 — claims must be substantiated
- Rule 12.1 — medicines, medical devices, health-related products and beauty products
- Rule 12.2 — references to people who can lend authority
The ASA now uses AI-powered Active Ad Monitoring to detect non-compliant advertising across websites and social platforms without waiting for consumer complaints.
How the widget complies:
- Permanent on-screen disclaimer accompanies every generated image
- No claim is made that the simulation reflects what the practice can deliver
- The simulation is framed as a visualisation tool, not a treatment promise
- Marketing copy provided to practices uses observational language ("see a simulation of how cosmetic treatment could look") rather than claim language ("see your new smile")
Your obligation as the practice: ensure that the way you promote the widget on your own pages (the link to it, the headline, the call to action) uses the same observational framing. Suggested copy is provided in your dashboard.
Prescription-only medicines
If your practice offers facial aesthetics involving prescription-only medicines (Botox, fillers, etc.), the CAP Code prohibits direct or indirect advertising to the public. The widget does not produce simulations of facial aesthetic treatments — it focuses on dental cosmetic outcomes — so this restriction does not apply to widget output. Be aware of separate restrictions on how you describe associated services on your wider website.
UK GDPR and the Data Protection Act 2018
Roles
- You (the practice) are the data controller. The patient has a relationship with you and submits their data to your website.
- Dentalreel is your data processor. We process patient data on your instructions to deliver the smile simulation and the lead.
- fal.ai (our AI rendering provider), AWS (storage), Supabase (database), Resend (email), and Vercel (hosting) are our sub-processors, listed and authorised under your DPA.
Article 28 — the Data Processing Agreement
UK GDPR Article 28 requires a written contract between every controller and processor. Your DPA with Dentalreel covers all eight required elements:
- Subject matter and duration of processing
- Nature and purpose of processing
- Type of personal data and categories of data subjects
- Controller's rights and obligations
- Processor obligations (eight specific commitments)
- Sub-processor authorisation and the process for adding new ones
- International data transfer protections (UK IDTA / EU SCCs)
- Data deletion or return at end of contract
The DPA is accepted electronically at signup. UK GDPR explicitly recognises electronic acceptance — no wet signatures or paper documents are required. You can download a PDF copy from your dashboard at any time.
Article 6 lawful basis
Your lawful basis for processing patient data through the widget is typically:
- Consent (Article 6(1)(a)) — the patient ticks a consent box before processing begins
- Legitimate interests (Article 6(1)(f)) — for the subsequent step of contacting them about their enquiry, balanced against their reasonable expectations as someone who actively submitted contact details for that purpose
You should document your lawful basis in your own records.
Article 9 — special category data
The image data processed by the widget is not "data concerning health" under Article 9. It is marketing data collected from a prospective patient before any clinical relationship exists. Article 9's heightened consent requirements therefore do not apply.
If you later treat that patient, the clinical records you generate from that point onwards are subject to your existing GDC and CQC record-keeping obligations — these are not affected by widget use.
Data subject rights
The DPA commits us to helping you respond to data subject rights requests within statutory time limits:
- Right of access (Article 15) — we can produce all data we hold on a named patient within 7 days of your request
- Right to erasure (Article 17) — we can delete a named patient's data within 72 hours
- Right to data portability (Article 20) — we can export a patient's data in machine-readable format
- Right to object (Article 21) — we will cease processing on your instruction
Most requests will not require involving us because patient images are already deleted within 1 hour and lead data is deleted within 30 days unless you've exported it.
Breach notification
We notify you within 72 hours of becoming aware of any breach affecting your data. You then assess whether the breach meets the Article 33 threshold for ICO notification and act accordingly.
Data retention
| Data type | Retention | Reason |
|---|---|---|
| Patient selfie image | Maximum 1 hour | Privacy by design |
| Generated simulation image | Maximum 1 hour | Privacy by design |
| Generated video | Maximum 1 hour | Privacy by design |
| Lead data (name, email, location, intent) | 30 days from creation | Allow you to export to your CRM |
| Consent audit logs | 5 years | Support regulatory record-keeping |
| Billing and usage records | 7 years | UK tax law requirement |
International transfers
Storage and database processing occur in the UK and EU. AI rendering through fal.ai may involve brief processing in the US. This transfer is covered by the UK International Data Transfer Agreement (IDTA) clauses incorporated into your DPA. Images are deleted within minutes of rendering.
ICO registration
You are already registered with the Information Commissioner's Office as a data controller for processing patient data in your dental practice. Using Dentalreel as a processor does not normally require an amendment to your registration. If you have any doubt, the ICO's self-assessment tool at ico.org.uk can confirm in 5 minutes.
CQC (Care Quality Commission)
The widget is a marketing tool and does not affect your CQC registration, regulated activities, or inspection regime. Patient data captured through the widget is not part of the patient's clinical record unless and until you choose to treat them and create one in your practice management system.
Tooth whitening
UK case law (GDC v Jamous) established that tooth whitening is the practice of dentistry. The widget produces simulated outcomes — these are visualisations, not products or services. You are advertising your own clinical services as a GDC-registered professional. The widget does not introduce new tooth whitening compliance considerations.
What we provide to support your compliance
- The Data Processing Agreement — downloadable PDF in your dashboard
- Sub-processor list — kept current, with 30 days' notice before any changes
- Privacy policy template language — to add to your existing privacy policy
- Compliant marketing copy — pre-written headlines, calls to action and supporting copy that match the simulation framing
- Patient consent audit logs — accessible from your dashboard, retained for 5 years
- Incident response support — if you receive a regulatory query about the widget, contact compliance@dentalreel.com and we will provide documentation within 24 hours
- Indemnifier letter — a template you can send to your indemnifier confirming use of a smile simulation tool
What we expect from you
- Display the link to the widget in a way that frames it as a simulation, not a guaranteed outcome
- Add the provided template language to your privacy policy
- Inform your indemnifier (template letter provided) — they will almost certainly have no concerns
- Use the consultation following a lead submission to set realistic expectations based on clinical assessment
- Do not edit, modify or attempt to remove the in-widget disclaimers (this is technically prevented but is also a contractual obligation)
If something goes wrong
In the unlikely event of a GDC or ASA query, the audit logs we maintain will support the following defence:
- The patient explicitly consented to AI processing for visualisation purposes
- The disclaimer was shown on screen at the moment of viewing
- The simulation was clearly framed as a non-clinical projection
- A consultation was offered as the next step for clinical assessment
- No outcome guarantee was made by the widget or the practice
Contact compliance@dentalreel.com and we will produce the documentation for the affected patient within 24 hours.
Disclaimer.This page reflects our understanding of UK regulatory requirements as of May 2026. It is provided to help practices use Dentalreel compliantly and is not legal advice. For specific concerns about your practice's regulatory position, consult a dental law specialist, your indemnifier, or the relevant regulator directly. Last updated: May 2026.