Effective Date: [Date of acceptance]
This Data Processing Agreement (the "DPA") forms part of, and is incorporated into, the Dentalreel Subscription Terms of Service (the "Terms") between:
(1) Implants Local Ltd trading as Dentalreel, a company registered in England and Wales with company number 16197776, whose registered office is at Ayton Firs Hall, Great Ayton, Middlesbrough, England, TS9 6JB ("Dentalreel", the "Processor"); and
(2) the dental practice or business identified during subscription (the "Customer", the "Controller"),
each a "Party" and together the "Parties".
This DPA sets out the terms on which Dentalreel processes Personal Data on behalf of the Customer in connection with the Dentalreel Platform.
1. Definitions and Interpretation
1.1 In this DPA:
- "Data Protection Laws" means the UK General Data Protection Regulation ("UK GDPR"), the Data Protection Act 2018, the Privacy and Electronic Communications Regulations 2003 ("PECR"), and any other applicable laws and regulations relating to the processing of Personal Data and privacy.
- "Personal Data", "Process" (and its grammatical variants), "Controller", "Processor", "Sub-processor", "Data Subject", "Supervisory Authority" and "Personal Data Breach" have the meanings given in the UK GDPR.
- "Customer Personal Data" means Personal Data Processed by Dentalreel on behalf of the Customer in connection with the Terms.
- "Patient" means a website visitor or patient of the Customer who interacts with the Dentalreel Widget on the Customer's website.
- "Services" means the Dentalreel Platform and related services provided under the Terms.
- "Sub-processor" means any third party engaged by Dentalreel to Process Customer Personal Data on its behalf.
- "Effective Date" means the date the Customer first accepts the Terms.
1.2 Capitalised terms not defined here have the meanings given in the Terms.
1.3 References to Articles in this DPA refer to Articles of the UK GDPR unless otherwise stated.
2. Roles of the Parties
2.1 In respect of Customer Personal Data Processed under the Terms:
(a) the Customer is the Controller; (b) Dentalreel is the Processor.
2.2 Each Party will comply with its obligations under Data Protection Laws.
2.3 Dentalreel will Process Customer Personal Data only:
(a) on documented instructions from the Customer (the Terms and this DPA constitute the Customer's complete and final documented instructions, subject to clause 5 below); (b) as required by applicable law (Dentalreel will inform the Customer of any such legal requirement before Processing, unless prohibited by law from doing so).
2.4 Nothing in this DPA appoints Dentalreel as a joint Controller of Customer Personal Data.
3. Subject Matter, Duration and Nature of Processing
3.1 The subject matter of the Processing is the provision of the Services as described in the Terms.
3.2 The duration of the Processing matches the duration of the Customer's subscription, plus any retention period set out in clause 11.
3.3 The nature and purpose of the Processing is:
(a) generating AI smile-preview visualisations from Patient-submitted photos; (b) capturing and storing Patient contact and treatment-interest data for the purpose of forwarding leads to the Customer; (c) providing the Customer with reporting and analytics on Widget usage and lead capture; (d) operating the Widget on the Customer's website, including consent collection, terms display, and follow-up email delivery to Patients who interact with the Widget.
4. Categories of Personal Data and Data Subjects
4.1 Categories of Data Subjects whose Personal Data is Processed:
(a) Patients (website visitors of the Customer who interact with the Widget); (b) the Customer's authorised users of the Platform dashboard.
4.2 Categories of Personal Data Processed:
For Patients:
- Photographs of the Patient's face (uploaded for AI smile-preview generation);
- AI-generated smile-preview outputs derived from those photographs;
- Name;
- Email address;
- Phone number (where provided);
- Location data (postcode or general locality where provided);
- Treatment interest indicators (e.g. implants, veneers, whitening);
- Consent records (timestamp, IP address, consent text version);
- Technical data relating to the Patient's interaction (browser, device type, session identifiers).
For Customer authorised users:
- Name;
- Email address;
- Role and practice affiliation;
- Account authentication data (hashed credentials, session tokens);
- Usage logs of the dashboard.
4.3 Special Category Personal Data. Photographs of an identifiable individual's face may, in some contexts, constitute biometric data within the meaning of Article 9 UK GDPR. The Parties acknowledge that:
(a) the Patient's photograph is collected with the Patient's explicit consent at the point of upload via the Widget; (b) the photograph is used solely for the AI smile-preview visualisation requested by the Patient and is not used for biometric identification or authentication; (c) the Customer is responsible for ensuring its privacy notice and consent collection comply with the requirements for processing special category data where applicable.
5. Customer Instructions and Responsibilities
5.1 The Customer instructs Dentalreel to Process Customer Personal Data:
(a) for the purposes set out in clause 3; (b) in accordance with this DPA and the Terms; (c) as configured by the Customer in its Platform dashboard (e.g. follow-up email content, branding, lead routing preferences).
5.2 The Customer warrants and undertakes that:
(a) it has all necessary rights, consents, and lawful bases to Process the Customer Personal Data and to authorise Dentalreel to do so on its behalf; (b) its instructions to Dentalreel comply with Data Protection Laws; (c) it has provided Patients with all required information (privacy notice, consent statements) before allowing them to interact with the Widget; (d) it collects valid consent from Patients before they upload photographs or submit contact information; (e) it maintains records of consent for the period required by Data Protection Laws; (f) Personal Data submitted to the Platform does not exceed what is necessary for the Services; (g) it does not configure the Widget or use the Services in any way that contravenes Data Protection Laws.
5.3 If Dentalreel reasonably believes that an instruction from the Customer infringes Data Protection Laws, Dentalreel will inform the Customer without undue delay. Dentalreel may suspend Processing under that instruction pending resolution.
6. Dentalreel's Obligations
6.1 Dentalreel will:
(a) Process Customer Personal Data only on the Customer's documented instructions; (b) ensure that persons authorised to Process Customer Personal Data are bound by appropriate confidentiality obligations; (c) implement and maintain the technical and organisational measures set out in clause 8; (d) assist the Customer, by appropriate technical and organisational measures and taking into account the nature of the Processing, in fulfilling the Customer's obligation to respond to Data Subject requests (see clause 9); (e) assist the Customer in ensuring compliance with obligations under Articles 32 to 36 UK GDPR (security, breach notification, impact assessments, prior consultation), taking into account the nature of Processing and information available to Dentalreel; (f) make available to the Customer all information necessary to demonstrate compliance with the obligations in this DPA, and allow for and contribute to audits as set out in clause 12; (g) at the choice of the Customer, delete or return all Customer Personal Data on termination of the Services, as set out in clause 11.
7. Sub-processors
7.1 The Customer generally authorises Dentalreel to engage Sub-processors to assist in providing the Services, subject to the safeguards set out in this clause 7.
7.2 The Sub-processors engaged by Dentalreel as at the Effective Date are:
| Sub-processor | Purpose | Location of Processing |
|---|---|---|
| Amazon Web Services EMEA SARL ("AWS") | Cloud hosting and storage of application data, images, and metadata | United Kingdom (eu-west-2 region primarily) |
| Supabase (Supabase, Inc) | Application database, authentication, and storage | European Union (Ireland/Frankfurt) |
| Stripe Payments UK, Ltd | Payment processing and subscription billing | United Kingdom and European Union |
| Resend (Resend, Inc) | Transactional email delivery (magic links, lead notifications, follow-up emails to Patients) | United States, with UK Standard Contractual Clauses in place |
| Google LLC (Gemini AI) | AI vision analysis for brand detection and Widget configuration | United States, with UK Standard Contractual Clauses in place |
| fal.ai, Inc | AI smile-preview generation from Patient photographs | United States, with UK Standard Contractual Clauses in place |
| Vercel, Inc | Application hosting and edge function execution | Global edge network with UK Standard Contractual Clauses in place |
| Upstash, Inc | Rate-limiting and quota counter storage (no Personal Data stored) | European Union (Frankfurt) |
| Cloudflare, Inc | Content delivery network, DDoS protection, and security | Global edge network with UK Standard Contractual Clauses in place |
7.3 Dentalreel will:
(a) impose on each Sub-processor data protection obligations no less protective than those set out in this DPA; (b) remain liable to the Customer for the acts and omissions of its Sub-processors as if those acts and omissions were Dentalreel's own; (c) maintain an up-to-date list of Sub-processors at dentalreel.com/sub-processors.
7.4 Change of Sub-processors. Dentalreel will give the Customer at least thirty (30) days' written notice before adding or replacing a Sub-processor. The Customer may object to a proposed change on reasonable data protection grounds by notifying Dentalreel within fifteen (15) days of receiving the notice. If the Customer's objection cannot be resolved by reasonable accommodation:
(a) the Customer may terminate the Terms (without penalty) effective on the date the new Sub-processor is engaged; or (b) Dentalreel may, at its option, refrain from engaging the proposed Sub-processor.
7.5 If a Sub-processor is engaged in response to an emergency security incident or to maintain service continuity, the thirty-day notice may be shortened, but Dentalreel will notify the Customer as soon as reasonably practicable.
8. Security Measures
8.1 Dentalreel implements and maintains appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including:
Access control:
- Role-based access control to all systems Processing Customer Personal Data;
- Multi-factor authentication required for administrative access;
- Principle of least privilege applied to all personnel access;
- Access logs retained for audit purposes.
Encryption:
- TLS 1.2 or higher for all data in transit;
- AES-256 (or equivalent) encryption for Customer Personal Data at rest in databases and object storage;
- Encrypted backups.
Network security:
- Production systems isolated from public network access except via documented entry points;
- Firewall and DDoS protection via Cloudflare;
- Regular security patching of systems and dependencies.
Application security:
- Row-level security policies in the database enforcing tenant isolation;
- Secure session management with signed, expiring tokens;
- Input validation, output encoding, and parameterised queries to prevent injection attacks;
- Rate-limiting and abuse detection on public endpoints.
Personnel:
- Confidentiality obligations on all personnel who may access Customer Personal Data;
- Security training for engineering staff;
- Background checks where required by role.
Operational:
- Regular backups of Customer Personal Data;
- Incident response procedure with defined escalation;
- Logging and monitoring of access to and Processing of Customer Personal Data;
- Disaster recovery plan reviewed at least annually.
Vulnerability management:
- Dependency monitoring for known vulnerabilities;
- Security review prior to release of significant new features;
- Bug bounty / responsible disclosure programme (forthcoming).
8.2 Dentalreel reviews and updates its security measures from time to time. The Customer acknowledges that some changes to security measures may be made without prior notice where required to address emerging threats. Dentalreel will not materially reduce the level of security without notifying the Customer.
8.3 The Customer is responsible for the security of:
(a) its account credentials and any credentials it issues to its authorised users; (b) its own website on which the Widget is installed; (c) any data exported from the Platform onto its own systems.
9. Data Subject Rights
9.1 Dentalreel will provide reasonable assistance to the Customer in responding to requests from Data Subjects exercising rights under the UK GDPR, including:
(a) right of access (Article 15); (b) right to rectification (Article 16); (c) right to erasure (Article 17); (d) right to restriction of Processing (Article 18); (e) right to data portability (Article 20); (f) right to object (Article 21); (g) rights related to automated decision-making (Article 22).
9.2 If Dentalreel receives a request from a Data Subject directly relating to Customer Personal Data, Dentalreel will:
(a) not respond substantively to the request other than to acknowledge receipt and redirect the Data Subject to the Customer; (b) notify the Customer of the request without undue delay (and in any event within five (5) business days); (c) on the Customer's instructions, provide reasonable assistance to enable the Customer to respond.
9.3 The Customer may be charged for assistance with Data Subject rights requests where such assistance requires substantial engineering effort beyond standard Platform capabilities, on a reasonable cost-recovery basis.
10. Personal Data Breach Notification
10.1 Dentalreel will notify the Customer without undue delay (and in any event within seventy-two (72) hours of becoming aware) of any Personal Data Breach affecting Customer Personal Data.
10.2 The notification will include, to the extent known at the time:
(a) the nature of the breach, including categories and approximate number of Data Subjects affected; (b) the categories and approximate volume of Personal Data records affected; (c) the likely consequences of the breach; (d) the measures taken or proposed to address the breach and mitigate its effects; (e) contact details of Dentalreel's data protection point of contact.
10.3 Where Dentalreel cannot provide all information in the initial notification, it will be provided in phases as it becomes available.
10.4 Dentalreel will cooperate with the Customer in investigation, mitigation, and any required regulatory or Data Subject notifications. The Customer remains responsible for any notifications required to the Information Commissioner's Office (ICO) and to affected Data Subjects.
10.5 Dentalreel maintains an incident response plan and will conduct a post-incident review of any Personal Data Breach.
11. Return and Deletion of Customer Personal Data
11.1 On termination of the Services (whether by expiry of the subscription, cancellation, or other event), Dentalreel will:
(a) retain Customer Personal Data for thirty (30) days after termination, during which the Customer may export its lead data via the dashboard or by request; (b) after the thirty-day retention period, delete all Customer Personal Data from production systems within a further fourteen (14) days.
11.2 Backups containing Customer Personal Data are deleted in line with Dentalreel's backup rotation schedule, which is no longer than ninety (90) days from the date of the last backup containing the data.
11.3 The Customer may at any time during the subscription request export of its lead data via the dashboard or by emailing support@dentalreel.com.
11.4 Notwithstanding clauses 11.1 and 11.2, Dentalreel may retain Customer Personal Data:
(a) to the extent required by law (e.g. tax or accounting records, fraud prevention); (b) in anonymised, aggregated form for analytics, AI model improvement, and operational reporting, where individuals cannot be re-identified.
11.5 On request, Dentalreel will provide written confirmation of deletion.
12. Audit Rights
12.1 Dentalreel makes available to the Customer information reasonably necessary to demonstrate compliance with this DPA, including:
(a) the Sub-processor list at dentalreel.com/sub-processors; (b) a summary of security measures (clause 8 and updated annexes); (c) responses to reasonable Customer questionnaires about data protection practices; (d) any third-party audit reports or certifications obtained by Dentalreel (e.g. SOC 2, ISO 27001), if and when obtained, on request.
12.2 The Customer may audit Dentalreel's compliance with this DPA, subject to the following conditions:
(a) audits are conducted no more than once per twelve-month period, except in the event of a Personal Data Breach affecting Customer Personal Data, where an additional audit may be conducted; (b) audits are conducted on reasonable prior written notice (at least thirty (30) days, save in case of a breach); (c) audits are conducted during normal business hours; (d) audits do not unreasonably disrupt Dentalreel's business operations; (e) audits do not extend to information of other customers, Dentalreel's commercially sensitive information, or any matter unrelated to the Customer's own Customer Personal Data; (f) audits are conducted at the Customer's expense, except where the audit reveals material non-compliance by Dentalreel.
12.3 Dentalreel may satisfy an audit request by providing a recent third-party audit report or certification covering the matters the Customer wishes to audit.
13. International Data Transfers
13.1 Where Customer Personal Data is transferred outside the United Kingdom to a country not subject to a UK adequacy regulation, Dentalreel will ensure that an appropriate transfer mechanism is in place, such as:
(a) the UK International Data Transfer Agreement (IDTA) or the International Data Transfer Addendum to the EU Standard Contractual Clauses (the "UK Addendum"); (b) Binding Corporate Rules where applicable; (c) any other transfer mechanism recognised under Data Protection Laws.
13.2 Where Sub-processors are located outside the United Kingdom, Dentalreel has entered into the UK Addendum (or equivalent) with each such Sub-processor.
13.3 By entering into this DPA, the Customer authorises Dentalreel to transfer Customer Personal Data to Sub-processors and other recipients outside the United Kingdom, subject to the safeguards in this clause 13.
14. Liability
14.1 The liability of each Party under this DPA is subject to the limitations and exclusions in the Terms, except where Data Protection Laws prevent such limitation.
14.2 Nothing in this DPA limits or excludes either Party's liability for fines imposed by a Supervisory Authority, or for liability to Data Subjects, in each case where Data Protection Laws require such liability to be borne by a specific Party.
14.3 Where one Party pays compensation to a Data Subject in respect of damage caused by Processing under this DPA, that Party is entitled to claim back from the other Party that part of the compensation corresponding to the other Party's responsibility for the damage, in line with Article 82(5) UK GDPR.
15. Term and Termination
15.1 This DPA takes effect on the Effective Date and continues for the duration of the Terms.
15.2 On termination of the Terms, this DPA terminates automatically, except that:
(a) provisions relating to confidentiality, data return/deletion, audit rights, and liability survive termination; (b) obligations relating to Customer Personal Data still held by Dentalreel survive until that data is deleted under clause 11.
16. General
16.1 Conflict. In the event of conflict between this DPA and the Terms in respect of Personal Data Processing, this DPA prevails. In all other respects, the Terms prevail.
16.2 Amendments. Dentalreel may amend this DPA from time to time:
(a) to reflect changes in Data Protection Laws; (b) to reflect changes in Sub-processors or security measures as permitted under this DPA; (c) to clarify ambiguities or correct errors.
Material amendments will be notified to the Customer with at least thirty (30) days' notice. Continued use of the Services after the notice period constitutes acceptance.
16.3 Severability. If any provision of this DPA is held invalid or unenforceable, the remaining provisions continue in full force.
16.4 Notices. Notices under this DPA are sent in accordance with the notice provisions of the Terms. Data protection-specific communications may also be sent to dpo@dentalreel.com.
16.5 Governing law and jurisdiction. This DPA is governed by the laws of England and Wales, with exclusive jurisdiction of the courts of England and Wales.
Annex 1 — Processing Details Summary
| Item | Detail |
|---|---|
| Subject matter | Provision of the Dentalreel Platform |
| Duration | Term of the subscription + retention periods in clause 11 |
| Nature of Processing | AI smile-preview generation, lead capture, dashboard reporting, transactional emails |
| Purpose | Enable the Customer to convert website visitors into qualified leads |
| Categories of Data Subjects | Patients (website visitors); Customer's authorised users |
| Categories of Personal Data | See clause 4.2 |
| Special Category Data | Photographs of face (possibly biometric in certain contexts) — see clause 4.3 |
| Retention periods | 30 days post-termination on production; up to 90 days in backups |
Annex 2 — Sub-processors
Current Sub-processors as at the Effective Date are listed in clause 7.2. The up-to-date list is maintained at dentalreel.com/sub-processors.
Annex 3 — Technical and Organisational Security Measures
See clause 8.
Acceptance
This DPA is accepted automatically upon the Customer's acceptance of the Terms. By using the Services, the Customer confirms acceptance of this DPA.
Implants Local Ltd, trading as Dentalreel
Company number: 16197776
Registered address: Ayton Firs Hall, Great Ayton, Middlesbrough, England, TS9 6JB
ICO registration: ZB960243
Data protection contact: dpo@dentalreel.com
Document version: v1.0
Last updated: 22 May 2026