PRIVACY AND DATA PROTECTION POLICY
Express Dentures
Effective Date: 1 June 2026
1. Introduction & Scope
1.1 Express Dentures (“the Company”, “we”, “us”, or “our”) is committed to protecting and respecting the privacy of our clients, care home facilities, and residents. 1.2 This Privacy Policy explains how we collect, use, process, disclose, and safeguard personal data and clinical digital assets in accordance with UK Data Protection legislation, including the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. 1.3 This policy directly aligns with our standard Terms and Conditions of Service, specifically regarding the generation, archiving, and commercial processing of 3D digital dental scans.
2. Data Controller & Compliance
2.1 Data Controller: Express Dentures operates as the Data Controller for administrative and commercial data, and as a Data Controller or Joint Data Controller (in partnership with care homes) regarding specific clinical digital assets. 2.2 Lawful Bases for Processing: We process personal and clinical data under the following lawful bases set out in Article 6 and Article 9 of the UK GDPR:
Contractual Necessity: To perform the services requested, manage subscription packages, and fabricate custom prosthetics.
Legitimate Interests: For internal operations, digital record backup, and commercial/technological product development.
Consent / Explicit Consent: For processing specific health data or where explicit authorization is provided by the client or their legal representative.
3. Types of Data We Collect
We may collect and process the following categories of data:
Client & Facility Data: Contact names, care home facility addresses, email addresses, billing information, and telephone numbers.
Resident Personal Data: Names, dates of birth, and room/ward identifiers within a facility.
Clinical Health Data (Special Category Data): 3D intraoral digital scans, three-dimensional topographic tooth and tissue maps, digital dental design files, and relevant oral health metadata required for prosthetic manufacturing.
4. Intellectual Property, Commercial Use & Anonymisation
4.1 Ownership of 3D Assets: As established in Section 2 of our Terms and Conditions, all digital data, 3D intraoral scans, and topographic maps generated during appointments remain the exclusive intellectual property of the Company. 4.2 Commercial Exploitation Rights: We reserve the right to utilize these 3D scans and metadata for commercial, industrial, or educational purposes, including but not limited to algorithmic software training, machine learning, internal research and development, and commercial product fabrication. 4.3 Strict Anonymisation Guarantee: To ensure absolute compliance with UK law, any digital assets or scans used for commercial exploitation, research, or marketing are completely and irreversibly anonymised. All Personally Identifiable Information (PII), such as names and facility locations, is entirely removed before any commercial or educational utilization occurs.
5. Data Retention, Purging & Subscription Cancellation
5.1 General Retention: We securely store active resident 3D digital scans in our secure cloud archives to facilitate instant, hassle-free replacement printing if a device is ever lost or broken. 5.2 Subscription Cancellation & Purge Policy: In alignment with Section 4 of our Terms and Conditions, care home facilities retain the right to cancel their subscription packages at any time without penalty. 5.3 Immediate Deletion: Upon the processing of a subscription cancellation request, our obligation to preserve that facility's digital records ceases instantly. The Company will remove and delete all resident scans associated with that specific facility from our active file library and is under no obligation to maintain backup archives. Following cancellation, data recovery or promotional reprinting is unavailable from the previous file.
6. Data Security & Storage
6.1 Security Measures: We implement robust technical, administrative, and physical security measures to protect personal and clinical data against unauthorized access, loss, alteration, or disclosure. This includes encrypted cloud storage databases, secure digital clinical tools, and restricted staff access protocols. 6.2 Location of Processing: All personal and clinical data is stored on secure servers located within the United Kingdom or the European Economic Area (EEA) in absolute compliance with UK data sovereignty guidelines.
7. Data Sharing & Third Parties
We do not sell personal data to third parties. We only share information with:
Authorized internal dental technicians and clinical staff managing the physical 3D-printing and fabrication process.
Anonymised data partners, solely for technological development, engineering, or software learning models where individual identification is legally impossible.
Legal authorities, strictly if required to do so by applicable UK law.
8. Your Rights Under UK GDPR
Depending on the lawful basis of processing, individuals (or their authorized legal representatives/guardians) hold the following rights under UK data protection law:
The Right of Access: The right to request copies of the personal data we hold about them.
The Right to Rectification: The right to request that we correct any information believed to be inaccurate or incomplete.
The Right to Erasure: The right to request that we erase personal data under certain conditions (subject to our terms regarding subscription cancellations and asset purges).
The Right to Restrict Processing: The right to request that we restrict the processing of personal data under specific circumstances.
9. Governing Law & Contact Details
9.1 Jurisdiction: This Privacy Policy is governed by and construed in accordance with the laws of Scotland. Any disputes regarding data processing under this policy shall fall under the exclusive jurisdiction of the Scottish courts. 9.2 Contact Information: For questions regarding this Privacy Policy, data access requests, or to exercise your statutory rights, please contact the Express Dentures Data Compliance Team directly via email.