• Monday–Friday: 9am–6pm
Book Appointment
Book Appointment

Patient Privacy Policy

Last updated: December 9, 2025

We respect your privacy and are committed to protecting your personal data.

This Patient Privacy Policy (“Policy”) explains how Attelia London collects, uses, stores, and discloses personal information of individuals (“you” or “your”) who receive dental treatment and related clinical services at our practice, contact us about our services, or use our online tools, forms, or communication channels as part of your care (together, the “Services”).

This Policy applies specifically to individuals engaging with our clinical and professional healthcare services, whether in person or via our digital platforms. It is separate from our Website Privacy Policy available at https://attelia.uk.

We are committed to being transparent about how your personal information is handled and will only process your personal data where we have a lawful basis to do so. We encourage you to review this Policy regularly to stay informed about how we protect your information.

We may update this Privacy Policy from time to time. When we make material updates, we will revise the “Last updated” date above and, where appropriate, notify you directly or through our website.

1. Important Information and Who We Are

Attelia London (“Attelia London”, “we”, “us” or “our”) is a CQC-registered private dental practice offering clinical dental services in the United Kingdom.  Attelia London acts as the Data Controller for all data collected through our professional Services.

For the purposes of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, Attelia London acts as the Data Controller of the personal data we collect and use in connection with our clinical and professional services.

Where part of your treatment involves our affiliated partner clinic in Türkiye, both Attelia London and Attelia Dental (Türkiye) act as independent data controllers. Each clinic independently determines the purposes and means of processing the personal data it handles for its own clinical, regulatory, and operational requirements. Attelia Dental (Türkiye) does not act as a data processor on behalf of Attelia London.

Our details are:

  • Company name: DPC-UK LTD (trading as Attelia London)
  • Postal address: 1b Stanley Road, London, United Kingdom, W3 8FT
  • Email address: info@attelia.uk

If you have any questions about this Policy, or if you wish to exercise any of your privacy rights, please contact us using the details above.

2. Types of Personal Data We Collect About You

“Personal data” or “personal information” means any information relating to an identified or identifiable person. We collect a range of information necessary to deliver safe and effective dental care.

The type of information we collect depends on your relationship with us and how you interact with our services. We collect personal data in three main ways: information you provide directly to us, information generated automatically when you use our digital services, and information received from trusted third parties involved in your care.

2.1 Information you provide to us directly

You may provide personal information when you register as a patient, attend consultations, receive treatment, communicate with us (in person, by phone, email, WhatsApp, or through our website), complete medical or consent forms, participate in remote consultations, or make payments. This may include:

  • Basic identification information: your full name, patient or registration number, age, gender, date of birth, personal details (such as information about family members for providing care to children or for emergency contact purposes).
  • Contact information: email address, telephone number, and postal address.
  • Appointment and service data: treatment preferences, selected service type (e.g. check-up, hygiene, emergency, Invisalign), date and time of your appointment, and any notes or comments you choose to provide.
  • Supplemental identification information: your country of residence and official identifiers such as your NHS or National Insurance number.
  • Financial information: payment details, bank account information and insurance policy details where relevant to your treatment arrangements.
  • Communication: records of your correspondence with us, including enquiries, feedback, complaints, requests, or incident reports, whether submitted in person or via electronic communication channels.
  • Special category data: information relating to your medical and dental history, clinical notes, diagnostic images (e.g., X-rays, scans, digital impressions), laboratory results, prescriptions, photographs, treatment plans, and any additional information required to provide safe and effective dental care. This information may come from forms you complete, clinical documentation created during your care or from your direct communications with us.

2.2 Information we collect automatically

When you use our website, online booking systems, digital forms, or other online services, we may automatically collect certain information to help us provide, secure, and improve our Services. This information is collected through cookies, analytics tools, and similar technologies. This may include:

  • Technical information: details about your device and browser, such as device type, operating system, browser version, IP address, language settings, and access times.
  • Usage information: information about how you interact with our website or online tools, including pages viewed, buttons clicked (such as “Book Appointment” or “Request Free Consultation”), time spent on pages, navigation patterns, and referring websites.
  • Preference and interaction data: records of actions you take within online forms, booking systems or e-consultation tools, including form submissions, fields completed, and preferences selected (for example, preferred treatment types or communication preferences).

For further details on cookies and tracking technologies used on our website, please refer to our Cookie Policy.

2.3 Information we obtain from third parties

In certain situations, we may receive personal information about you from trusted third parties involved in your care or from other lawful and publicly accessible sources. Depending on your circumstances, this may include:

  • Identification and contact information: such as your name, date of birth, contact details, or identifiers shared with us by other healthcare professionals, your parent(s) or legal guardian(s) (if you are under 18 or represented), insurers managing your treatment, or regulators where required.
  • Health and clinical information: including medical or dental history, referral notes, diagnostic images, laboratory results, prescriptions, or clinical reports provided by general practitioners, hospitals, other dental or medical specialists, dental laboratories, pharmacies, or associated treatment centres (including our partner clinic in Türkiye when relevant to your treatment).
  • Insurance and financial information: such as policy details, authorisation information, or claim-related data obtained from insurers or claims administrators where your treatment is funded, arranged or reimbursed through insurance.
  • Verification or compliance information: such as limited data obtained from credit reference or anti-fraud agencies where needed to prevent fraud or financial crime.
  • Publicly available information: such as basic identity or contact details available from official or publicly accessible sources including the Electoral Register, Companies House, or professional directories, where relevant for verification or regulatory compliance.

3. How We Use Your Personal Data and Our Legal Basis

We will only use your personal data when the law allows us to. This means we process your information only when we have a valid legal basis to do so. Most commonly, we rely on one or more of the following legal bases:

  • Performance of a contract, where we need to process your information to provide dental treatment or related services that you have requested.
  • Legal or regulatory obligations, where we must process personal data to comply with our professional, clinical, tax, or regulatory duties.
  • Legitimate interests, where processing is necessary for our business purposes (such as improving services, ensuring clinic security, or communicating with patients), provided your rights and freedoms are not overridden.
  • Vital interests, where we need to protect your life or health.

We generally do not rely on consent as the primary legal basis for processing personal information, except in limited circumstances – for example, where we send third-party marketing communications to you by email. You may withdraw your consent to marketing at any time by contacting us at info@attelia.uk.

For special category data (such as your health information), we rely on additional legal bases permitted under Article 9 UK GDPR, including the provision of healthcare, medical diagnosis, preventive dentistry, and the management of dental and healthcare services.

4. Purposes For Which We Will Use Your Personal Data

We use your personal data for various purposes to provide you with safe and effective dental care. The table below summarises how we use your information and the corresponding legal bases. In some cases, we may rely on more than one lawful basis depending on the specific circumstances.

Purpose of Processing

Type of Data

Legal Basis for Processing

 

To provide initial consultations, booking services, and pre-appointment screening

·     Basic Identification

·     Contact

·     Communications

·     Appointment and Service Data

·     Necessary to take steps at your request before entering into a contract

·     Legitimate interests (to manage appointment demand efficiently, reduce missed bookings, and ensure timely access to clinical care)

 

To provide dental examinations, treatment, diagnosis, preventive care, follow-up, and aftercare

·     Basic identification

·     Contact

·     Communications

·     Appointment and Service

·     Additional identification

·     Financial

·     Special category (health)

·     Necessary for the performance of a contract (delivery of dental services)

·     Legal obligations (clinical documentation, safety, cross-infection standards)

·     Legitimate interests (to ensure the smooth and efficient operation of our clinic and support high-quality patient experience)

For special category data:

·     Necessary for medical diagnosis and the provision of health or social care or treatment (UK GDPR Art 9(2)(h))

 

To manage and administer health insurance, third-party funding, instalment plans, or financing

·     Basic identification

·     Contact

·     Communications

·     Additional identification

·     Financial details

·     Employment details

·     Special category (health)

·     Necessary for the performance of a contract (arranging funded treatment)

·     Legal obligations (financial, fraud prevention regulations)

·     Legitimate interests (to verify funding arrangements and minimise insurance-related delays or disputes)

For special category data:

·     Necessary for medical diagnosis and the provision of health or social care or treatment (UK GDPR Art 9(2)(h))

·     Consent (where required)

To manage Membership Plans (routine hygiene, check-ups, preventive maintenance)

·     Basic Identification

·     Contact Data

·     Appointment and Service

·     Special category (health)

·     Necessary for the performance of a contract

For special category data:

·     Necessary for medical diagnosis and the provision of health or social care or treatment (UK GDPR Art 9(2)(h))

To coordinate, plan, and manage the continuation of treatment that you have requested to be delivered at Attelia Dental (Türkiye)

·     Basic Identification

·     Contact

·     Appointment and Service

·     Special category (health)

·     Necessary for the performance of the contract (to arrange and facilitate the clinical services in Türkiye that you have requested)

·     Legitimate interests (to ensure continuity of care across treatment providers and deliver coordinated cross-border treatment safely)

For special category data:

·     Necessary for medical diagnosis and the provision of health or social care or treatment (UK GDPR Art 9(2)(h))

To comply with GDC, CQC, and other Legal/Regulatory Obligations (Safety & Guarantees)

·     Basic Identification

·     Contact Data

·     Special category (health)

·     Legal obligations (professional standards, clinical auditing, patient safety, reporting duties)

For special category data:

·     Necessary for medical diagnosis and the provision of health or social care or treatment (UK GDPR Art 9(2)(h)).

To carry out financial activities, billing, invoicing, refunds, and payment processing

·     Basic identification information;

·     Contact;

·     Additional identification

·     Financial details

·     Performance of a contract;

·     Legal obligation.

To maintain accurate clinical records and comply with medical record-keeping requirements

·     Basic identification

·     Contact

·     Special category (health)

·     Legal obligation (healthcare regulation standards).

For special category data:

·     Necessary for medical diagnosis, dental treatment, preventive dentistry, or management of healthcare services.

To manage our relationship with you, including handling complaints, queries, claims, aftercare, and service concerns

·     Basic identification

·     Contact

·     Communications

·     Additional identification information

·     Financial information

·     Performance of a contract

·     Legal obligation

·     Legitimate interests (to investigate concerns, ensure patient safety, improve service quality, and prevent recurrence of issues)

To communicate with you about your care, including reminders, treatment plans, updates, and recall messages

·     Basic identification

·     Contact

·     Communications

·     Performance of a contract (provision of health services)

·     Legitimate interests (to provide timely reminders and updates that support continuity of care and reduce missed appointments)

To contact your next of kin in an emergency

Basic identification information

Vital interests (protecting your life or health).

To send marketing communications (by email, text, or social media), and personalise marketing

·     Basic identification

·     Contact

·     Communications

·     Consent (for direct marketing);

·     Legitimate interests (to promote dental services that are relevant to you, improve patient engagement, and grow our business)

Internal audits, training, and service improvement (including anonymised/aggregated data for analysis)

·     Basic identification

·     Contact

·     Communications

·     Additional identification

·     Special category data

·     Legitimate interests (to maintain high clinical standards, improve staff competence, and ensure consistent quality of care);

·     Legal obligation;

For special category data:

·     anonymised data where possible; otherwise, healthcare audit purposes if needed.

5. Disclosures of Personal Information

We may share your personal information with trusted third parties where this is necessary for the purposes set out in Section 4. Whenever we share your data, we ensure that appropriate contractual, organisational, and technical safeguards are applied to protect it, in line with our legal obligations and our standards of confidentiality, security, and data protection.

We may disclose your personal information in the following circumstances:

  • Your Parents, Guardians or Authorised Representatives. If you are under 18, or if you are unable to act on your own behalf, we may share your personal data with your parent(s), guardian(s), or authorised representative(s).
  • Affiliated Clinics and Partners. Where part of your treatment is coordinated with our affiliated dental centres, such as advanced procedures carried out in Türkiye, we may share relevant information to ensure continuity of care, safe treatment planning, and clinical accuracy.
  • Healthcare Providers. We may share your information with other healthcare professionals involved in your treatment, such as general practitioners, dental laboratories, imaging providers, pharmacies, hospitals, or specialist clinicians.
  • Insurers and claims administrators. If your treatment is funded, arranged, or reimbursed through an insurance policy, we may share relevant information with your insurer or claims handler.
  • Credit Reference and Fraud Prevention Agencies. Where necessary to prevent or detect unlawful activity, financial crime, or fraud, we may share limited personal data with relevant agencies.
  • Professional Advisers. We may disclose information to external professional advisers such as lawyers, auditors, or accountants where required for business operations, obtaining legal or financial advice, risk management, or in connection with establishing, exercising, or defending legal claims.
  • Service providers. We use carefully selected third-party service providers who assist us in delivering our services. These include IT and security providers, secure cloud storage services, communication platforms, appointment and patient management systems, marketing platforms, and payment processors.
  • Regulators, Public Authorities, and Law Enforcement. We may disclose your personal data to law enforcement agencies, courts, regulators (including General Dental Council (GDC), Care Quality Commission (CQC), NHS bodies), government authorities, or financial institutions when we are legally required to do so or when such disclosure is necessary to: (i) comply with a legal or regulatory obligation, (ii) protect our rights, safety, or property (or those of others), or (iii) establish, exercise, or defend legal claims.
  • Business transfers and transactions. In the event of a reorganisation, merger, acquisition, sale, or other corporate transaction involving our business or assets, we may share or transfer your personal data to the relevant third party involved. Any such recipient will be required to process your personal data in a manner consistent with this Privacy Policy, unless and until you are notified otherwise.

We require all third parties to respect the confidentiality and security of your personal data and to process it only for the specific purposes for which it was shared.

6. International Data Transfers

We work with organisations (such as healthcare providers and service providers) that may operate in, or from, countries outside the United Kingdom. This means that your personal data may be transferred to, or accessed from, jurisdictions that do not provide the same level of legal protection as in the UK.

Whenever we make such transfers, we take appropriate steps to ensure that your information remains protected to a standard that is essentially equivalent to that required under UK data protection laws. In particular:

  • Adequacy decision. We only transfer personal data to countries that the UK Government has recognised as providing an adequate level of protection for personal data. For further details, please see UK adequacy list or
  • Appropriate safeguards. Where no adequacy regulation applies, we put in place appropriate contractual safeguards, such as the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the European Commission’s Standard Contractual Clauses.

Where part of your treatment is delivered at our partner clinic in Türkiye, we may share relevant personal and health information with the healthcare professionals there to support safe and effective treatment planning, continuity of care, and the completion of clinical procedures.

We will only disclose the minimum amount of clinical information necessary to plan or deliver the specific treatment you have requested. Attelia Dental (Türkiye) acts as an independent data controller, responsible for the personal data it processes for its own clinical and regulatory purposes.

Your personal data is shared with Attelia Dental (Türkiye) solely where required to prepare your treatment plan or to provide the advanced procedures you have chosen. All such international transfers are carried out under the UK International Data Transfer Agreement (IDTA), supported by appropriate clinical, technical, and organisational safeguards to ensure your information remains protected.

7. Aggregate and De-Identified Information

We may collect, use, and share aggregated or de-identified data, such as statistical or demographic information, for any lawful purpose. Although this information may be derived from personal data, it is not considered personal information under applicable data protection laws if it does not directly or indirectly identify you. For example, we may aggregate information about appointment bookings, treatment preferences, or referral sources to analyse patient trends, improve our services, and enhance patient experience. However, if we combine or connect aggregated data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with this Policy.

8. Marketing Preferences

We may use your identity, contact, technical, usage and profile data to form a view on what may be of interest to you. This is how we decide which products, services and offers may be relevant for you.

You may receive marketing communications from us if you have requested information from us or if you provided us with your details when you subscribe for news and updates, in each case, you have not opted out of receiving that marketing. You can ask us to stop sending you marketing messages at any time by following the opt-out links on any marketing message sent to you or by contacting us at info@attelia.uk.

Your choices:

  • You may opt out of marketing communications at any time by clicking the ‘unsubscribe’ link in our emails or by contacting us directly.
  • You may also tell us your preferred method of communication, and we will respect your choice.

Please note that essential service messages, such as appointment reminders or updates about your treatment, are not optional. These communications are necessary to provide safe and effective care and cannot be unsubscribed from.

9. Children’s Data

We keep some personal information about you so that we can give you safe and effective dental care. This includes your name, address, date of birth, health details, and information about your dental treatment. We may also keep the contact details of your parent(s) or guardian(s).

We only use this information to look after your health, remind you about appointments, and, if needed, share it with other doctors, dentists, or hospitals involved in your care. We do not give your information to anyone else unless the law requires us to.

We keep your records for as long as necessary to provide you with safe and effective dental care and to meet our legal, regulatory, and professional obligations. In practice, this usually means at least 11 years after the completion of treatment, or until age 25 for children (26 if treatment ended when the patient was 17). After this period, records are securely deleted unless longer retention is required (for example, in case of ongoing claims or legal requirements).

You and your parent(s) or guardian(s) have the right to see a copy of your records, ask us to send them to another dentist or doctor, or ask us to stop sending you reminders if you are no longer a patient.

When you turn 18, you will be given our adult Privacy Notice, which explains how we use your information once you are an adult.

10. Data Security

We have implemented appropriate technical and organisational security measures to protect your personal information from accidental loss, unauthorised access, misuse, alteration, or disclosure. These measures include, but are not limited to, access controls, encryption, secure storage, and regular system monitoring.

Access to your personal data is limited to employees, agents, contractors, and other third parties who have a legitimate business need to access it. They will only process your data on our instructions and are bound by confidentiality obligations.

We also have procedures in place to deal with any suspected personal data breach. Where legally required, we will notify you and the appropriate regulatory authority of any breach that affects your personal information.

11. Data Retention

We retain your personal information only for as long as necessary to fulfil the purposes for which it was collected, including for the purposes of satisfying any legal, regulatory, tax, accounting, or reporting requirements. In certain cases, for example, where a complaint has been made or where we reasonably anticipate litigation, we may retain your data for a longer period. For children’s records, we follow specific retention rules (please see Section 9 – Children’s Data).

When determining the appropriate retention period, we consider several factors, including the nature, sensitivity and volume of the personal data; the potential risk of harm from unauthorised use or disclosure; the purposes for which the data is being processed and whether those purposes can be achieved by other means; and applicable legal, regulatory and operational retention requirements. Once we no longer require your personal information, we will securely delete or anonymise it in accordance with our internal retention policies and applicable laws.

12. Your Legal Rights

In accordance with the UK GDPR, you have the following rights in respect of your personal data that we hold:

  • Right of access. You have the right to obtain:

(i) confirmation of whether, and where, we are processing your personal data;

(ii) information about the categories of personal data we are processing, the purposes for which we process your personal data and information as to how we determine applicable retention periods;

(iii) information about the categories of recipients with whom we may share your personal data; and

(iv) a copy of the personal data we hold about you.

  • Right to obtain rectification of any inaccurate or incomplete personal data we hold about you without undue delay.
  • Right to erasure. You have the right, in some circumstances, to require us to erase your personal data without undue delay if the continued processing of that personal data is not justified.
  • Right to restriction. You have the right, in some circumstances, to require us to limit the purposes for which we process your personal data if the continued processing of the personal data in this way is not justified, such as where the accuracy of the personal data is contested by you.
  • Right to object. You also have the right to object to any processing based on our legitimate interests where there are grounds relating to your particular situation. There may be compelling reasons for continuing to process your personal data, and we will assess and inform you if that is the case. You can object to marketing activities for any reason.
  • Right to withdraw consent. If you have provided consent for the processing of your personal data, you have the right to withdraw your consent at any time free of charge. If you withdraw your consent, this will not affect the lawfulness of our use of your personal data before your withdrawal.
  • Right of portability. You have the right, in certain circumstances, to receive a copy of the personal data you have provided to us in a structured, commonly used, machine-readable format that supports re-use, or to request the transfer of your personal data to another person.

You also have the right to lodge a complaint to a supervisory authority, including in your country of residence, place of work, or where an incident took place.

If you wish to exercise any of the rights set out above, you can also submit your request via our online Data Subject Request Form.

Due to the confidential nature of data processing, we may ask you to confirm your identity when exercising the above rights. Please note that there are exceptions and limitations to each of these rights, and that while any changes you make will be reflected in active user databases instantly or within a reasonable period of time, we may retain personal information for backups, archiving, prevention of fraud and abuse, analytics, satisfaction of legal obligations, or where we otherwise reasonably believe that we have a legitimate reason to do so.

13. Complaints

We are committed to protecting your personal data and aim to resolve any concerns you may have about how we handle your information. If you have concerns about how we handle your personal data, please contact us so we can address them promptly.

If you are unhappy with how we use your personal data, you can contact the Information Commissioner’s Office (ICO) at www.ico.org.uk or by calling 0303 123 1113. The ICO can investigate complaints and take action against organisations misusing personal data.

14. Changes to this Policy and Your Duty to Inform Us of Change

This version was last updated on December 9, 2025.

We keep this Privacy Policy under regular review and may update it from time to time to reflect changes in our practices, legal obligations, or the nature of the services we provide. When we make material changes, we will notify you where appropriate, such as by updating the date at the top of this Policy or by contacting you directly.

It is important that the personal information we hold about you is accurate and up to date. Please notify us of any changes to your personal details (such as your email address or contact information) during your relationship with us.

15. Contact Us

If you have any questions, comments, or requests regarding this Privacy Policy or how we handle your personal information, please contact our Privacy Team at: info@attelia.uk.