Data Processing Notice
This notice describes how Fluora Ltd ("Fluora", "we") processes patient data on behalf of UK dental practices ("Customers") under UK GDPR Article 28. It is intended to be read alongside our Terms of Service and Privacy Notice, and together those documents form a Data Processing Agreement (DPA) between Fluora and the Customer. We are registered with the UK Information Commissioner's Office (ICO), registration number ZC095058.
1. Controller / processor split
| Whose data? | Controller | Processor |
|---|---|---|
| Patients of the dental practice | The dental practice | Fluora Ltd |
| Practice staff & subscribers | Fluora Ltd | — |
| Website visitors / prospects | Fluora Ltd | — |
2. Subject matter, duration & nature of processing
- Subject matter: Inbound voice calls and SMS conversations between patients and the dental practice, plus follow-up communications.
- Duration: The active subscription term plus a 90-day post-termination retention window for export purposes.
- Nature: Speech-to-text transcription, intent classification, appointment booking, callback capture, SMS dispatch, audit logging.
- Purpose: Providing the dental practice with administrative reception support.
3. Categories of data processed
| Category | Examples |
|---|---|
| Patient identifiers | Name, phone number, optionally date of birth |
| Health-related data | Reason for booking (e.g. "toothache", "check-up"), volunteered symptoms |
| Appointment metadata | Requested date/time, treatment type, dentist preference |
| Voice / call data | Audio recording (90-day retention by our voice sub-processor; not stored in Fluora's own systems), transcript |
| Consent & preference | SMS opt-in/out, consent log entries |
4. Categories of data subjects
- Existing and prospective patients of the dental practice
- Patient representatives (e.g. parents booking for children, carers booking for elderly relatives)
5. Sub-processors
See our Sub-processors page for the current list of third-party processors and their data locations.
We give 30 days' notice before adding or replacing any sub-processor. The Customer may object on reasonable grounds within 14 days; if we cannot resolve the objection, the Customer may terminate without penalty.
6. International transfers
Several providers that help us run the Service process data in the United States: the AI providers that handle call content — ElevenLabs, and through it OpenAI (the live conversation model) and Google (post-call analysis) — together with Twilio (telephony and SMS) and Vercel (portal hosting). For each US transfer we rely on a lawful UK safeguard under Chapter V of the UK GDPR: the UK Extension to the EU-US Data Privacy Framework where the provider is certified to it, or the UK Addendum to the EU Standard Contractual Clauses, supported by a Transfer Risk Assessment. Our patient database (Supabase) is hosted in London, UK; our voice-server (Render) and automation host (Elestio) run in the EEA, which the UK recognises as adequate. See our Sub-processors page for the full list and each provider's safeguard.
7. Security measures (UK GDPR Art. 32)
- Encryption: TLS 1.2+ in transit; AES-256 at rest for all database storage.
- Access control: Row-level security (RLS) enforced at the database; tenant-scoped per practice.
- Authentication: Multi-factor authentication required for staff access to the production environment.
- Audit logging: All admin actions and data exports are logged with user identity and timestamp.
- Retention & minimisation: Call audio retained for 90 days by our voice sub-processor and not stored in Fluora's own systems; call transcripts purged after 90 days; booking metadata retained for the practice's subscription term.
- Backup & recovery: Encrypted daily backups; tested restore procedure.
- Vendor diligence: Security review on every new sub-processor.
8. Data subject rights — DSAR process
Patient requests should be addressed to the dental practice (the data controller) in the first instance. Where the practice escalates a request to Fluora, we respond to the practice within 7 calendar days; the practice then has the rest of the one-month statutory window to respond to the patient.
What we can deliver
- Access: JSON export of structured data (patient name, phone, all appointments, all SMS, all consent log entries)
- Erasure: Hard delete from active database; backup expiry within 30 days
- Rectification: Direct update via portal or via support request
- Portability: JSON export delivered via secure link
- Restriction: Flagging the patient record so further processing is paused
- Objection: Honoured for any consent-based processing; documented for legitimate-interests-based processing
9. Personal data breach notification
If Fluora becomes aware of a personal data breach affecting a Customer's data, we will notify the affected Customer without undue delay (in any event within 72 hours of becoming aware) with sufficient information for the Customer to meet their own ICO notification obligations. The notification will include: the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed to address it.
10. Audit rights
The Customer (acting reasonably) may audit Fluora's compliance with this notice once per year on 30 days' written notice, either by review of independent third-party security reports or, where strictly necessary, an onsite audit at the Customer's reasonable cost. Fluora will reasonably cooperate.
11. Records of processing
Fluora maintains records of processing activities (UK GDPR Art. 30) and will make them available to the ICO or to the Customer on reasonable request.
12. Termination & data return
On termination, Fluora will:
- Provide a structured export of the Customer's patient data within 14 days of request;
- Hard-delete patient data from active systems within 90 days of termination;
- Allow backups to expire on their normal cycle (currently within a further 30 days).
Written confirmation of deletion is available on request.
13. Contact
Data protection contact: dpo@fluora.co.uk
General privacy questions: privacy@fluora.co.uk
Postal: Fluora Ltd, Suite A, 82 James Carter Road, Mildenhall, Bury St. Edmunds, IP28 7DE
To complain to the UK supervisory authority: Information Commissioner's Office (ICO), Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF — ico.org.uk.