Effective Date: 22 May 2026 Version: v1.0
This Privacy Notice explains how Implants Local Ltd trading as Dentalreel (company number 16197776, ICO registration ZB960243, registered office Ayton Firs Hall, Great Ayton, Middlesbrough, England, TS9 6JB) handles personal data when you visit our website or use the Dentalreel platform.
This notice covers personal data we collect about you, the user of dentalreel.com: dental practice owners or staff, agency partners, and prospective customers. Personal data of patients who interact with the Dentalreel widget on a dental practice's website is governed by the Data Processing Agreement and is the responsibility of the dental practice as data controller.
This notice is intentionally short. The full picture for practice subscribers is in the Terms of Service and the Data Processing Agreement.
What we collect
When you create an account (dental practice or agency):
- Email address. Used to identify your account and to send verification, billing, and product emails.
- Password. Stored in hashed form only — we never see the plaintext.
- Practice or agency name, postcode, role. Self-declared during sign-up; used to personalise the dashboard and route support.
- Account status, generation count, generation limit. Internal counters that gate feature access.
When you verify your email:
- A one-time magic-link token, valid for one hour, sent via email and consumed on click.
When you visit the site (any visitor):
- IP address — hashed, not stored raw. We compute SHA-256 of the IP plus a server-side salt and store only the hash. Used to rate-limit registration and brand-extraction endpoints. The raw IP never reaches our database.
- Browser session cookies (dr-session, dr-refresh-soon). Both first-party. The first carries an authenticated session as a signed JWT (HttpOnly, Secure, SameSite=Lax, 1-hour sliding TTL); the second is a short-lived hint that triggers a background session refresh.
- Standard server logs (request path, status, latency, user-agent) for security and operations.
We do not use third-party analytics or advertising cookies on dentalreel.com.
Why we use it
All personal data is processed on one of these lawful bases under UK GDPR:
| Purpose | Lawful basis |
|---|---|
| Operate your account, deliver the service you subscribed to | Contract performance (Art 6(1)(b)) |
| Send transactional emails (verification, billing, security) | Contract performance |
| Bill you, prevent fraud, keep tax records | Legal obligation, legitimate interest |
| Rate-limit endpoints, detect abuse | Legitimate interest (network and information security) |
| Improve the product using anonymised aggregate data | Legitimate interest |
We do not sell personal data. We do not share personal data for third-party advertising.
How long we keep it
| Data | Retention |
|---|---|
| Active account data | While your account is active |
| Account data after cancellation | 30 days on production, deleted within a further 14 days; backups rotated out within 90 days |
| Magic-link tokens | Expire 1 hour after issue; not stored server-side |
| IP hash counters (Upstash) | TTL set by the relevant rate-limit window (typically 1 hour or 24 hours) |
| Server logs | 30 days in hot storage, then aggregated |
| Tax and accounting records | 6 years (HMRC requirement) |
| Anonymised aggregate analytics | Indefinitely |
Patient-data retention on the widget itself is governed by the DPA, clause 11.
Who we share it with
We use a small set of sub-processors to deliver the service. The full list (with location of processing and transfer safeguards) is on our sub-processors page. The current list includes AWS, Supabase, Stripe, Resend, Google (Gemini AI), fal.ai, Vercel, Upstash, and Cloudflare.
Where personal data leaves the United Kingdom, we rely on UK adequacy regulations or the UK International Data Transfer Addendum to the EU Standard Contractual Clauses.
We will give at least 30 days' notice before adding or replacing a sub-processor.
Your rights
Under the UK GDPR and the Data Protection Act 2018, you have the right to:
- Access the personal data we hold about you (Article 15)
- Correct inaccurate data (Article 16)
- Erase your data, subject to legal retention requirements (Article 17)
- Restrict processing (Article 18)
- Port your data to another provider (Article 20)
- Object to processing on legitimate-interest grounds (Article 21)
- Withdraw consent at any time where processing relies on consent
- Not be subject to a decision based solely on automated processing (Article 22) — Dentalreel does not make decisions of legal or similarly significant effect about you on a fully automated basis
To exercise any of these rights, email dpo@dentalreel.com. We respond within one month.
You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk or 0303 123 1113 if you believe we have mishandled your data.
Security
We protect personal data with the technical and organisational measures described in clause 8 of the DPA: encryption in transit (TLS 1.2+), encryption at rest (AES-256), role-based access control with MFA, tenant-scoped row-level security in the database, signed and expiring session tokens, regular security patching, and incident response procedures.
If we become aware of a personal data breach that affects you, we will notify you without undue delay (in any event within 72 hours of becoming aware) and, where the breach is high-risk to your rights and freedoms, advise you of the steps you can take.
Contact
- Data protection: dpo@dentalreel.com
- Support: support@dentalreel.com
- Legal: legal@dentalreel.com
- Post: Ayton Firs Hall, Great Ayton, Middlesbrough, England, TS9 6JB
Document version: v1.0 Last updated: 22 May 2026