Privacy Policy | OpenDentist Notes

1. Introduction

OpenDentist Ltd ("we", "us", "our") is committed to protecting the privacy and security of personal data processed through the OpenDentist platform ("the Platform"). This Privacy Policy explains how we collect, use, store, share, and protect your information when you access or use the Platform.

OpenDentist is a cloud-based AI-powered clinical documentation tool designed for dental professionals. It captures ambient audio from dental consultations and generates structured draft clinical notes for clinician review and approval. The Platform is classified as an MHRA Class I medical device.

This Privacy Policy applies to every component of the Platform, including the OpenDentist web application at opendentist.ai and the OpenDentist Chrome extension (a side-panel companion that lets clinicians record consultations and copy the generated notes into their practice management system). All data captured through the Chrome extension is transmitted to, and processed by, the same OpenDentist backend described in this policy and is subject to the same protections, retention rules, and recipient categories set out below.

This policy applies to all users of the Platform, including dental professionals ("Clinician Users") and patients whose consultations are recorded ("Data Subjects"). It should be read alongside any Data Processing Agreement (DPA) in place between OpenDentist Ltd and your dental practice.

The Platform has been developed in compliance with DCB0129: Clinical Risk Management — its Application in the Manufacture of Health IT Systems, and has completed the NHS Digital Technology Assessment Criteria (DTAC). Copies of the Clinical Safety Case Report, DTAC self-assessment, and supporting documentation are available upon request by emailing [email protected].

A Data Protection Impact Assessment (DPIA) has been conducted for the Platform in accordance with Article 35 of the UK GDPR. A copy of the DPIA is available upon request by emailing [email protected].

2. Data Controller

The data controller for the purposes of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 is:

OpenDentist Ltd
Company Number: 16165823
ICO Registration Number: ZC020081
Email: [email protected]

Data Protection Officer

Davinderjit Singh
Email: [email protected]

The Data Protection Officer operates independently of the organisation's management in matters relating to data protection and can be contacted directly at the above email address.

3. Legal Bases for Processing

We process personal data on the following legal bases under the UK GDPR:

Legitimate Interests (Article 6(1)(f)): To provide and improve our clinical documentation services, maintain system security, and administer user accounts.
Performance of a Contract (Article 6(1)(b)): To deliver the services you or your dental practice have subscribed to, process payments, and provide customer support.
Explicit Consent (Article 9(2)(a)): For the processing of special category data (health data) derived from dental consultation audio recordings. Consent is obtained from patients by the dental practice prior to recording.
Legal Obligation (Article 6(1)(c)): Where we are required to retain or disclose data to comply with applicable laws, regulations, or lawful requests from public authorities.

4. Data We Collect

4.1 Account and Registration Data

When you register for an account, we collect your name, professional email address, dental practice details, GDC registration number (where applicable), and billing information.

4.2 Consultation Audio Data

With appropriate patient consent obtained by the dental practice, the Platform captures ambient audio from dental consultations via the clinician's device microphone. Audio is transmitted securely (TLS 1.3) to our UK cloud infrastructure and forwarded to the primary transcription service. All providers process audio in transit only under zero data retention agreements; neither stores audio. By default, audio recordings held by OpenDentist itself are deleted immediately. Where the clinician elects to retain the audio as part of the clinical record, it is encrypted at rest (AES-256) and stored in AWS eu-west-2 (London) for 11 years (adults) or 25 years (children) per NHS Records Management Code of Practice 2023.

4.3 Clinical Documentation Data

The Platform generates structured draft clinical notes from consultation audio. These notes may contain patient health information including dental charting, diagnoses, treatment plans, medications, and other clinical details. All generated notes are drafts that require mandatory clinician review and approval before use.

4.4 Usage and Technical Data

We automatically collect information about how you interact with the Platform, including feature usage, note approval and edit rates, session duration, device type, browser type, IP address, and error logs. This data is used to maintain, improve, and secure the Platform.

4.5 Payment Data

Payment processing is handled by Stripe. We do not store full payment card details on our servers. Stripe processes your payment information in accordance with PCI DSS standards. Please refer to Stripe's privacy policy for further details.

4.6 Communication Data

If you contact us for support or other enquiries, we collect the content of your communications, your email address, and any attachments you provide.

4.7 Chrome Extension Local Storage

The OpenDentist Chrome extension stores two values in your browser's local extension storage (chrome.storage.local): (1) your authenticated OpenDentist session token, so you remain signed in between browser sessions; and (2) a boolean flag recording whether you have dismissed the one-time side-panel width tip. This data is held only on your own device, is not transmitted to any third party, and is removed when you uninstall the extension or clear extension storage.

The extension does not collect browsing history, page content, keystrokes, or data from tabs other than those you explicitly interact with. The optional Dentally integration runs only on *.dentally.co URLs and reads the patient ID from the active tab's URL solely so the clinician can pre-fill a new note; no other tab data is read, and no data is read from any non-Dentally site. The extension does not contain or load remote code.

5. Special Category Data

The Platform processes special category data within the meaning of Article 9 of the UK GDPR, specifically health data derived from dental consultation audio recordings and the clinical notes generated from them.

This data is processed on the basis of explicit patient consent, obtained by the dental practice (as a joint or independent controller) prior to the use of the Platform during a consultation. Dental practices are responsible for ensuring that valid, informed consent is obtained from each patient before recording commences.

6. How We Use Your Data

We use the data we collect for the following purposes:

To transcribe dental consultation audio and generate structured clinical notes
To generate follow-up task suggestions from appointment content
To administer your account and process subscription payments
To monitor Platform performance, accuracy, and safety
To provide customer support and respond to enquiries
To comply with regulatory obligations, including MHRA post-market surveillance requirements
To send transactional communications (e.g., account confirmations, service updates) via email

Transactional emails sent to clinicians and practice administrators (password resets, billing notices, account alerts) are delivered via Resend (United States) under Standard Contractual Clauses and the UK IDTA addendum. These emails contain no patient health data.

7. AI and Automated Processing

OpenDentist uses artificial intelligence, including speech recognition and natural language processing, to transcribe consultation audio and generate clinical notes. The AI models are provided by third-party service providers (see Section 8).

Important: The Platform does not make clinical decisions, diagnose conditions, recommend treatments, or prescribe medications. All AI-generated outputs are drafts presented for mandatory clinician review. The clinician retains full responsibility for the accuracy and completeness of the final clinical record.

The generation of clinical notes by the Platform does not constitute automated decision-making within the meaning of Article 22 of the UK GDPR. All AI-generated notes are preliminary drafts that have no legal or clinical effect until a qualified dental professional has reviewed, edited where necessary, and explicitly approved them. No clinical, legal, or similarly significant decision is made without meaningful human intervention.

We do not use your personal data or patient health data to train our AI models without explicit, separate consent. Any data used for model improvement or validation is anonymised and aggregated in accordance with our AI Training Data Consent Policy.

8. Data Sharing and Third-Party Processors

We do not sell your personal data. We share data only with service providers who process it on our behalf under binding Data Processing Agreements (DPAs) and equivalent contractual safeguards. Personal data is shared with the following categories of recipients:

Cloud infrastructure and storage providers (United Kingdom): host the Platform, application database, and (where retained) consultation audio. Data shared: account, clinical, and audio data. Region: UK (eu-west-2).
Speech-to-text providers: transcribe consultation audio. Data shared: audio in transit only, processed under zero-data-retention agreements; no audio is stored by these providers.
AI / large-language-model inference providers: generate draft clinical notes from cleaned transcripts. Data shared: de-identified transcript text in transit; processed under zero-data-retention agreements; no content is stored or used for model training.
Payment processor (Stripe, United States): handles subscription billing under PCI DSS. Data shared: name, email, billing address, payment method tokens. No card numbers reach our servers.
Transactional email provider (Resend, United States): delivers account, billing, and security notifications. Data shared: name, email address, message content. No patient health data.
Customer-support / live-chat provider (Crisp): enables in-app support conversations with clinicians. Data shared: name, email, chat content. No patient health data.
Edge security and CDN (Cloudflare): provides DDoS protection, web application firewall, and TLS termination. Data shared: request metadata, IP address.
Error monitoring and observability providers: capture application errors and performance traces to keep the Platform reliable. Data shared: technical telemetry, scrubbed of patient identifiers.

Transfers of personal data outside the United Kingdom are made under the UK International Data Transfer Addendum to the EU Standard Contractual Clauses, with provider-level Transfer Impact Assessments on file. The named sub-processors operating within each category are listed in the Data Processing Agreement entered into with each customer practice and are kept current as our service providers change.

9. Data Retention

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by law. OpenDentist applies NHS Records Management Code of Practice retention periods to all patient records, regardless of whether the patient is treated under the NHS or privately:

Consultation audio: Deleted immediately by default. Clinicians may opt in to retain consultation audio as part of the clinical record, in which case NHS Records Management Code of Practice 2021 retention periods apply (11 years for adults; 25 years for child patients).
Clinical notes (adult patients): Retained for a minimum of 11 years from the date of the last entry, in line with NHS Records Management Code of Practice. This applies to both NHS and private patients.
Clinical notes (child patients): Retained for a minimum of 25 years, in line with NHS Records Management Code of Practice. This applies to both NHS and private patients.
Account data: Retained for the duration of the active subscription and for up to 12 months after account closure for administrative and legal purposes.
Payment records: Retained for 6 years to comply with HMRC requirements.
Usage and technical data: Retained for up to 24 months for performance monitoring and regulatory compliance.
Support communications: Retained for up to 24 months after resolution.

10. Data Security

We implement appropriate technical and organisational measures to protect personal data against unauthorised access, alteration, disclosure, or destruction. All personal data and patient health data is stored on servers located in the United Kingdom. Our measures include:

All data stored on UK-based servers
Encryption of data in transit (TLS 1.2+) and at rest (AES-256)
Access controls with role-based permissions and multi-factor authentication
Regular security assessments and vulnerability scanning
Incident response and serious incident reporting procedures (in accordance with MHRA requirements)
DDoS protection and web application firewall via Cloudflare
Staff training on data protection and information security

11. Cookies and Tracking Technologies

The Platform uses cookies and similar technologies for the following purposes:

Strictly Necessary Cookies: Required for authentication, session management, and security. These cannot be disabled.
Functional Cookies: Used to remember your preferences and settings.

OpenDentist does not set marketing, analytics, or advertising cookies. The Crisp live-chat widget is loaded on authenticated clinician pages under the legitimate-interests balancing described in Section 3. You can disable Crisp via your browser controls or by contacting us. Strictly necessary cookies required for authentication and Stripe fraud prevention do not require consent under PECR.

12. Your Rights

Under the UK GDPR and Data Protection Act 2018, you have the following rights in relation to your personal data:

Right of Access: You may request a copy of the personal data we hold about you.
Right to Rectification: You may request correction of inaccurate or incomplete personal data.
Right to Erasure: You may request deletion of your personal data where there is no compelling reason for its continued processing.
Right to Restriction of Processing: You may request that we restrict the processing of your data in certain circumstances.
Right to Data Portability: You may request your data in a structured, commonly used, machine-readable format.
Right to Object: You may object to processing based on legitimate interests.
Right to Withdraw Consent: Where processing is based on consent, you may withdraw that consent at any time without affecting the lawfulness of processing carried out before withdrawal.
Rights Related to Automated Decision-Making: You have the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects. As described in Section 7, the Platform's clinical note generation does not constitute automated decision-making under Article 22, as all outputs require mandatory clinician review and approval before use.

To exercise any of these rights, please contact us at [email protected]. We will respond to your request within one calendar month.

13. Patient Data and Practice Responsibilities

Dental practices using the Platform act as data controllers (or joint controllers with OpenDentist Ltd) for patient health data processed through the Platform. The dental practice is responsible for:

Obtaining valid, informed patient consent before recording consultations
Maintaining their own privacy notice informing patients about the use of AI documentation tools
Responding to patient data subject access requests relating to their clinical records
Ensuring that the use of the Platform complies with their own data protection obligations

Patients who wish to exercise their data protection rights in relation to consultation recordings or generated notes should contact their dental practice in the first instance.

14. Children's Data

The Platform may process data relating to children (under 18) where dental consultations involve paediatric patients. In such cases, consent for recording must be obtained from a person with parental responsibility by the dental practice. We do not knowingly collect personal data directly from children. The processing of children's health data is subject to the same safeguards as adult patient data.

15. Data Breach Notification

In the event of a personal data breach that poses a risk to the rights and freedoms of individuals, we will notify the Information Commissioner's Office (ICO) within 72 hours of becoming aware of the breach, in accordance with Article 33 of the UK GDPR. Where the breach is likely to result in a high risk to affected individuals, we will also notify those individuals without undue delay.

As a registered medical device, any data breach that constitutes a serious incident under the UK Medical Devices Regulations 2002 will also be reported to the MHRA in accordance with our Serious Incident Reporting Procedure.

16. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or Platform functionality. Where changes are material, we will notify registered users by email and/or by a prominent notice on the Platform. The "Last Updated" date at the top of this policy indicates when it was most recently revised.

We encourage you to review this policy periodically. Continued use of the Platform after changes are posted constitutes acceptance of the updated policy.

17. Complaints

If you are dissatisfied with the way we handle your personal data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):

Information Commissioner's Office
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Telephone: 0303 123 1113
Website: ico.org.uk

We would appreciate the opportunity to address your concerns before you approach the ICO. Please contact us at [email protected] in the first instance.

18. Contact Us

If you have any questions about this Privacy Policy or our data protection practices, please contact us:

OpenDentist Ltd
Email: [email protected]
ICO Registration: ZC020081