
Privacy Policy

Our Privacy Policy


Last Updated on December 06, 2025

1. INTRODUCTION

ToothMatch ("we," "us," "our," or "Company") is a recruitment and job-matching platform for dental professionals developed and operated by Dev-Haus Limited, a company registered in England and Wales (Company Registration Number: 16808964).

We are committed to protecting your privacy and ensuring you have a positive experience on our app and website. This Privacy Policy explains how we collect, use, disclose and otherwise process your personal data in connection with our services.

This Privacy Policy applies to:

  • The ToothMatch mobile app (iOS and Android versions)

  • Our website: www.twothmatch.co.uk

  • Any related services we provide

We are registered with the Information Commissioner's Office (ICO) under registration number 16808964.

Please read this Privacy Policy carefully. By downloading, accessing or using the ToothMatch app, you acknowledge that you have read, understood and agree to be bound by all the terms of this Privacy Policy. If you do not agree with our practices, please do not use our app.

2. DATA CONTROLLER AND CONTACT INFORMATION

Data Controller:
Dev-Haus Limited
32 Park Place
LS1 2SP
United Kingdom

Company Registration Number: [INSERT NUMBER]
ICO Registration Number: [INSERT ICO NUMBER]

Contact Us:
If you have any questions about this Privacy Policy or our data practices, you can contact us at:

📧 Email: privacy@twothmatch.co.uk

Phone: 07956776114
Data Protection Officer: Saba Arif 

If you are not satisfied with our response to any privacy concern, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):

ICO Contact:
Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire, SK9 5AF
United Kingdom
www.ico.org.uk/make-a-complaint

3. WHAT PERSONAL DATA WE COLLECT

We collect personal data that you provide directly, as well as data collected automatically through your use of the ToothMatch app. The types of personal data we collect include:

3.1 Information You Provide Directly

Account Registration Data:

  • Full name

  • Email address

  • Phone number

  • Date of birth

  • Professional qualifications and registration numbers (e.g., GDC registration)

  • Workplace information (practice name, location, job title)

  • Indemnity and GDC registration status

  • Profile photo/avatar

  • Professional credentials and certifications

  • Employment history

  • CV or resume documents

  • Banking details (for payment processing – see Section 3.3)

Messaging and Communication Data:

  • Messages sent through the app

  • Support inquiries and responses

  • Feedback and reviews you provide

  • Complaints and dispute information

Application and Shift Data:

  • Job applications you submit

  • Shifts you book or express interest in

  • Your availability preferences and calendars

  • Performance ratings and reviews from employers

  • Time and attendance records for shifts completed

Wellness Club Data:

  • Membership tier selected (Qualified or Trainee)

  • Event preferences and registrations

  • Course completions and CPD records

  • Mental health helpline interactions (anonymized where possible)

  • Wellness tracking data if voluntarily provided

Payment Information:

  • Payment method details (handled via secure third-party processors)

  • Billing address

  • Transaction history and invoices

3.2 Information Automatically Collected

Device and Usage Data:

  • Device type, operating system and version

  • Mobile device identifiers (IDFA, Android Advertising ID)

  • App version

  • IP address and approximate geolocation

  • Browser type and version

  • Pages accessed and time spent on each

  • Features used within the app

  • Search queries and filters applied

  • Date and time of your activities

  • Referring/exit pages

  • Click stream data

Cookies and Tracking Technologies:

  • Session IDs

  • Authentication tokens

  • Analytical cookies (via Google Analytics, Mixpanel, or similar)

  • Performance monitoring data

  • Crash reports and error logs

Location Data:

  • Approximate location based on IP address

  • Location data from wellness events (if location services enabled with permission)

  • Location preferences for job matching

3.3 Payment Processing Data

Payment and billing information is processed by our third-party payment processor (e.g., Stripe, PayPal) and is not directly stored on our servers. We retain only:

  • Last 4 digits of payment method

  • Billing address

  • Payment transaction records

  • Subscription status and renewal dates

Sensitive Payment Data: We do not store full credit card numbers, CVV codes or complete banking details. These are handled exclusively by our PCI-DSS compliant payment processors.

3.4 Special Categories of Personal Data

In limited circumstances, we may collect special categories of personal data (as defined under UK GDPR Article 9), including:

  • Health data: Information about your wellness club participation, mental health helpline usage (anonymized), or occupational health information

  • Professional data: Dental registration details and regulatory compliance information

We only process this data where:

  • You have explicitly consented

  • Processing is necessary for employment law compliance

  • Processing is necessary for our legitimate business purposes (e.g., membership eligibility)

  • Processing is required by law or regulation

4. LEGAL BASIS FOR DATA PROCESSING

Under the UK GDPR, we must have a lawful basis to process your personal data. We process your data based on the following legal bases:

4.1 Contract Performance (Article 6(1)(b))

  • Creating and maintaining your account

  • Providing job matching and recruitment services

  • Processing your applications and bookings

  • Providing the ToothMatch Wellness Club membership

  • Processing payments and billing

4.2 Consent (Article 6(1)(a))

  • Marketing communications and newsletters

  • Cookies and tracking technologies (except essential cookies)

  • Use of geolocation data for event recommendations

  • Optional analytics and performance data

  • Mental health helpline interactions (where you consent to data storage)

You can withdraw consent at any time by:

  • Adjusting notification and email preferences in your account settings

  • Disabling cookies in your device settings

  • Emailing privacy@toothmatchwellnessclub.com to opt out of specific processing

4.3 Legal Obligation (Article 6(1)(c))

  • Compliance with GDC and dental regulatory requirements

  • Employment law and health and safety obligations

  • Fraud prevention and financial crime detection

  • Responding to law enforcement requests

4.4 Legitimate Interests (Article 6(1)(f))

  • Improving and personalizing the ToothMatch app and services

  • Detecting and preventing fraud, abuse and security threats

  • Analyzing user behavior to enhance app features

  • Conducting research and analytics

  • Enforcing our Terms of Service and protecting our legal rights

  • Direct marketing (where not requiring consent under PECR)

We balance our legitimate interests against your rights and only process data where our interests outweigh your privacy expectations.

5. HOW WE USE YOUR DATA

We use personal data for the following purposes:

5.1 Core Service Delivery

  • Creating and maintaining your ToothMatch account

  • Matching you with job opportunities based on your skills, qualifications and preferences

  • Processing your job applications and shift bookings

  • Enabling employers to contact you regarding positions

  • Processing payments for membership fees and services

  • Sending transactional communications (account confirmations, booking confirmations, receipts)

5.2 Wellness Club Services

  • Managing your membership tier and benefits

  • Organizing and promoting wellness events (Pilates, padel, spa days, etc.)

  • Administering CPD courses and tracking completions

  • Providing access to the online CPD library (Dentinal Tubules partnership)

  • Operating the 24/7 mental health helpline

  • Facilitating peer support communities

  • Sending event reminders and updates

  • Recording your attendance and participation

5.3 Communication and Support

  • Responding to your inquiries and support requests

  • Sending customer service communications

  • Resolving disputes and handling complaints

  • Obtaining feedback on your experience

5.4 Analytics and Improvements

  • Analyzing how users interact with the app

  • Identifying usage trends and patterns

  • Improving app functionality, features and user experience

  • Conducting A/B testing and optimization studies

  • Monitoring app performance and stability

5.5 Marketing and Promotions

  • Sending newsletters, promotional emails and marketing communications (with your consent)

  • Informing you of new features, updates and membership benefits

  • Offering personalized recommendations based on your profile

  • Running targeted promotional campaigns

  • Encouraging participation in wellness events

5.6 Security and Fraud Prevention

  • Detecting, investigating and preventing fraudulent transactions

  • Identifying and responding to security threats

  • Protecting against unauthorized access

  • Monitoring for violations of our Terms of Service

  • Conducting security audits and testing

5.7 Regulatory and Legal Compliance

  • Meeting GDC and dental industry regulatory requirements

  • Maintaining employment law compliance

  • Responding to lawful requests from authorities

  • Enforcing legal rights and contractual obligations

5.8 Recruitment and Employer Analytics

  • Providing anonymized insights to employers about the dental nursing market

  • Analyzing salary trends and recruitment patterns

  • Generating reports on job placement success rates (anonymized data only)

6. WHO WE SHARE YOUR DATA WITH

We only share your personal data with third parties where necessary to provide our services, comply with legal obligations or pursue legitimate interests. We do not sell your personal data.

6.1 Service Providers and Data Processors

Cloud Hosting and Infrastructure:

  • InMotion Hosting – Cloud-based servers for app hosting, data storage and backup

  • InMotion Hosting is GDPR compliant and has signed a Data Processing Agreement (DPA)

  • Your data is stored on servers located in the United States with GDPR-compliant safeguards

Payment Processing:

  • Stripe, PayPal or similar payment gateways (PCI-DSS compliant)

  • These processors handle payment data only – we do not share full payment details

Analytics and Monitoring:

  • Google Analytics – App usage analytics

  • Mixpanel, Amplitude or similar – User behavior tracking

  • Sentry or similar – Crash reporting and error monitoring

  • Firebase – Push notifications and user engagement tracking

Email and Communications:

  • SendGrid, Mailchimp or similar – Email delivery

  • Twilio – SMS notifications (if applicable)

Mental Health Support:

  • External mental health service providers (partner organizations) – For 24/7 helpline services

  • Data is anonymized and shared under strict confidentiality agreements

CPD and Wellness:

  • Dentinal Tubules – CPD course content and tracking

  • Event organizers and venue partners – For wellness event logistics

  • Spa, fitness and wellness providers – Only your name and booking confirmation

All service providers are bound by Data Processing Agreements (DPAs) and are prohibited from using your data for their own purposes.

6.2 Employers and Practices

When you apply for a job or express interest in a shift, we share:

  • Your name, phone number and email address

  • Professional qualifications and certifications

  • CV/resume (if you choose to share)

  • Availability and preferences

  • Performance ratings (if applicable)

  • Any information you include in your application

You control how much information practices see through your profile privacy settings.

6.3 Other Members

Within the ToothMatch community and Wellness Club:

  • Your profile name and professional information may be visible to other members

  • Your contributions to peer support groups are visible to group members

  • Event attendance records may be visible within the community

  • You can adjust visibility settings in your account preferences

6.4 Legal Requirements

We may disclose your data when required by law or in response to:

  • Court orders or legal proceedings

  • Law enforcement requests (via proper legal channels)

  • GDC or dental regulatory investigations

  • Government agencies conducting investigations

  • Fraud or security threat responses

We will provide notice of legal requests unless prohibited by law.

6.5 Business Transfers

If Dev-Haus Limited is involved in a merger, acquisition, bankruptcy or asset sale, your data may be transferred as part of that transaction. We will provide notice of any such change and any choices you may have.

7. INTERNATIONAL DATA TRANSFERS

7.1 Transfers Outside the UK

Some of our service providers operate outside the UK, including:

  • InMotion Hosting: Servers located in the United States

  • Cloud service providers: Google, Amazon AWS (may be US-based)

  • Payment processors: Stripe, PayPal (may be US-based)

7.2 Safeguards for International Transfers

Where we transfer personal data outside the UK, we ensure adequate safeguards:

Standard Contractual Clauses (SCCs): All service providers have signed SCCs with appropriate data protection terms

Adequacy Decisions: We work only with countries/providers recognized as adequate by the UK GDPR

Explicit Consent: Where necessary, we obtain your explicit consent before transferring data internationally

Encryption: Data transferred internationally is encrypted in transit and at rest

Data Processing Agreements: All processors have signed DPAs governing international data handling

8. DATA RETENTION AND DELETION

8.1 Retention Periods

We retain personal data only for as long as necessary to fulfill the purposes outlined in this Privacy Policy. Specific retention periods include:

Data Category                   | Retention Period             | Reason
Account data (after deletion)   | 90 days                      | Backup and recovery purposes
Transaction and payment records | 12 months                    | UK tax and accounting requirements
Job applications                | 6 years                      | Recruitment history and compliance
Shift records and timesheets    | Duration + 1 year            | Service continuity and records
Wellness Club membership data   | 5 years                      | Professional development records
Mental health helpline data     | 3 months (anonymized)        | Service quality monitoring
Cookies and tracking data       | Up to 2 years                | Analytics and performance
Support tickets and inquiries   | 2 years                      | Customer service records
Marketing data (opted-in users) | Until unsubscribe + 3 months | Marketing compliance
IP logs and security data       | 90 days                      | Service quality monitoring

8.2 Your Deletion Rights

You have the right to request deletion of your personal data in the following circumstances:

  • Right to Erasure (Article 17): You can request we delete your data when:

    • The data is no longer necessary for its original purpose

    • You withdraw consent and no other legal basis applies

    • You object to processing based on legitimate interests

    • The data has been unlawfully processed

    • Deletion is required by law

  • Exception: We may retain data when:

    • Required by law or regulation (e.g., financial records, employment law)

    • Necessary to establish, exercise or defend legal claims

    • You owe outstanding fees or have unresolved disputes

    • The data is required for ongoing criminal investigations

To request deletion:

  1. Log into your account and select "Delete My Account"

  2. Email privacy@twothmatch.co.uk with the subject line "Data Deletion Request"

  3. Include your full name, email address, and account ID

We will confirm your request and explain any reasons why deletion cannot be completed.

8.3 Inactive Account Deletion

Accounts inactive for 24 months will be subject to automatic deletion unless you re-activate them. You will receive email warnings before automatic deletion occurs.

9. YOUR RIGHTS UNDER UK GDPR

Under the UK GDPR, you have the following rights concerning your personal data:

9.1 Right of Access (Article 15)

You can request a copy of all personal data we hold about you.

Submit a Subject Access Request (SAR) by emailing:

privacy@twothmatch.co.uk

Include:

  • Your full name and email address

  • Account ID

  • Specific data or date range requested

We will provide:

  • A copy of your data in a clear, understandable format

  • Information about where the data came from

  • How we're using it

  • Who we've shared it with

Response time: 30 days (may be extended to 90 days for complex requests)

9.2 Right to Rectification (Article 16)

You can request correction of inaccurate personal data.

If you notice incorrect information in your account:

  1. Update it directly in your account settings, OR

  2. Email privacy@twothmatch.co.uk

We will correct errors within 30 days and notify relevant third parties of the correction.

9.3 Right to Erasure / "Right to Be Forgotten" (Article 17)

You can request deletion of your personal data (subject to legal exceptions noted in Section 8.2).

Request deletion by:

  1. Selecting "Delete My Account" in your account settings, OR

  2. Emailing privacy@twothmatch.co.uk

9.4 Right to Data Portability (Article 20)

You can request your data in a portable format (e.g., CSV, JSON).

We will provide:

  • All personal data you've provided

  • In a structured, commonly-used, machine-readable format

  • Within 30 days of request

Request portability by emailing:

privacy@twothmatch.co.uk

9.5 Right to Object (Article 21)

You can object to processing of your data in the following circumstances:

  • Direct marketing: You can opt-out of all marketing emails by clicking "Unsubscribe" or adjusting notification preferences

  • Cookies: You can disable cookies in your device settings (note: some essential cookies cannot be disabled)

  • Profiling: You can opt-out of behavioral analytics in your privacy settings

  • Automated decision-making: See Section 9.6

9.6 Right to Restrict Processing (Article 18)

You can request we limit how we use your data while:

  • Verifying accuracy of the data

  • Determining whether processing is lawful

  • Investigating a complaint

Request processing restriction by emailing:

privacy@toothmatchwellnessclub.com

9.7 Rights Related to Automated Decision-Making (Article 22)

You have rights regarding automated decisions that produce legal or similarly significant effects.

ToothMatch uses AI-powered job matching to recommend positions based on your profile. This is not a final binding decision – all recommendations are:

  • Reviewed and confirmed by you before application

  • Not used to automatically accept or reject applications

  • Transparent and explainable

You have the right to:

  • Request human review of automated recommendations

  • Opt out of AI-based job matching (though this may limit service quality)

  • Request explanation of how matching algorithms work

9.8 How to Exercise Your Rights

Contact us to exercise any of the above rights:

📧 Email: privacy@twothmatch.co.uk

Subject line: "[RIGHT NAME] Request – [YOUR NAME]"

Include:

  • Your full name and email address

  • Account ID

  • Specific right you're exercising

  • Detailed description of your request

  • Any supporting documentation

Response time: We will respond within 30 days (may be extended to 60-90 days for complex requests).

Verification: We may request proof of identity to verify your request before fulfilling it.

10. COOKIES AND TRACKING TECHNOLOGIES

10.1 What Are Cookies?

Cookies are small text files stored on your device that contain information about your interactions with the app and websites.

10.2 Types of Cookies We Use

Essential Cookies (Cannot be disabled):

  • Session IDs and authentication tokens

  • Security and fraud prevention

  • App functionality and settings

Analytical Cookies (Can be disabled):

  • Google Analytics – User behavior and app performance

  • Mixpanel – Feature usage and user journeys

  • These help us improve the app

Marketing Cookies (Can be disabled):

  • Remarketing and targeted ads

  • Conversion tracking

  • These cookies follow you across websites

Preference Cookies (Can be disabled):

  • Remember your settings and preferences

  • Language and region preferences

10.3 Managing Cookies

Disable cookies in your device settings:

  • iOS: Settings > Privacy > App Tracking Transparency

  • Android: Settings > Privacy > Permissions

Opt out of specific services:

Important: Disabling cookies may limit app functionality.

10.4 Do Not Track Signals

If your browser or device supports "Do Not Track" signals, we will respect your preference where technically possible. However, most websites and apps (including ours) do not currently alter their practices based on Do Not Track signals.

11. SECURITY AND DATA PROTECTION MEASURES

We implement comprehensive security measures to protect your personal data from unauthorized access, alteration, disclosure or destruction.

11.1 Technical Security Measures

Encryption:

  • In Transit: All data transmitted between your device and our servers uses TLS 1.2+ encryption

  • At Rest: Sensitive data (passwords, payment info) is encrypted using AES-256 encryption

  • Database encryption for stored personal data

Access Controls:

  • Multi-factor authentication (MFA) for user accounts

  • Role-based access control (RBAC) for staff

  • Unique access credentials for each employee

  • Regular access audits and reviews

Infrastructure Security:

  • Firewalls and intrusion detection systems

  • DDoS protection and mitigation

  • Regular security scanning and vulnerability assessments

  • Secure development practices and code reviews

  • Automated security testing

Data Backup:

  • Daily encrypted backups to geographically redundant locations

  • Backup restoration testing quarterly

  • 90-day backup retention for disaster recovery

11.2 Hosting and Infrastructure (InMotion Hosting)

Our app is hosted on InMotion Hosting's GDPR-compliant cloud infrastructure:

  • Data Center: US-based with EU-standard security

  • Compliance: GDPR compliant, ISO 27001 certified

  • DPA: Data Processing Agreement in place

  • Monitoring: 24/7 network and security monitoring

  • SLA: 99.9% uptime guarantee

Specific InMotion Security Features:

  • Redundant network infrastructure

  • Automated backups and disaster recovery

  • HTTPS/SSL encryption for all data transfers

  • Regular security audits and penetration testing

  • Immediate security incident notification

See InMotion Hosting's GDPR compliance details: www.inmotionhosting.com/legal/gdpr/

11.3 Organizational Security Measures

Personnel & Training:

  • Staff sign confidentiality agreements

  • Regular data protection and security training

  • Annual GDPR compliance refresher training

  • Background checks for employees with data access

Policies & Procedures:

  • Data protection impact assessments (DPIAs)

  • Data breach response procedures

  • Records of processing activities

  • Regular policy reviews and updates

Third-Party Management:

  • Due diligence on all service providers

  • Mandatory Data Processing Agreements

  • Audit rights and breach notification requirements

  • Contractual security obligations

11.4 Security Limitations

Please note:

  • No method of transmission over the internet or electronic storage is completely secure

  • We cannot guarantee absolute security

  • Your password is your responsibility – never share it

  • If you believe your account is compromised, contact us immediately

12. DATA BREACHES AND INCIDENT RESPONSE

12.1 Data Breach Definition

A data breach is unauthorized access, disclosure, alteration or destruction of personal data due to accidental or deliberate action.

12.2 Our Breach Response Procedure

Upon discovery of a breach, we will:

  1. Immediate Response (within 24 hours):

    • Contain and mitigate the breach

    • Assess scope and severity

    • Preserve evidence for investigation

    • Notify management and legal team

  2. Investigation (within 72 hours):

    • Determine what data was affected

    • Identify individuals impacted

    • Analyze cause and risks

  3. Notification to ICO (within 72 hours):

    • Report all "high-risk" breaches to the Information Commissioner's Office

    • Include details of affected data, individuals impacted, and remedial actions

    • May request delay in notification in exceptional circumstances

  4. Individual Notification (without undue delay):

    • Contact affected individuals if there is a "high risk" to their rights and freedoms

    • Explain what happened, what data was involved, what we're doing, and what they can do

    • Provide contact information for further assistance

  5. Documentation:

    • Maintain detailed breach records

    • Document all actions taken

    • Analyze root causes and prevent recurrence

12.3 Your Breach Rights

If your data has been breached:

  • You have the right to be informed within a reasonable timeframe

  • You can lodge complaints with the ICO or other supervisory authorities

  • You may be eligible for compensation in some cases (consult a solicitor)

If you suspect a breach, contact us immediately:

📧 Email: privacy@twothmatch.co.uk

📞 Phone: 07956776114

13. THIRD-PARTY LINKS AND INTEGRATIONS

13.1 External Links

The ToothMatch app may contain links to external websites and apps (e.g., social media, job boards, partner sites). We are not responsible for the privacy practices of external websites.

When you click an external link:

  • You are leaving ToothMatch

  • That website's privacy policy applies

  • We recommend reviewing their privacy policies

13.2 Third-Party Integrations

If you connect your ToothMatch account to third-party services (e.g., social media login, calendar integration):

  • You grant us permission to access certain data from those services

  • Review that service's privacy policy

  • You can revoke access at any time through your account settings

  • We only access the minimum data necessary

13.3 Social Media

If you share ToothMatch content on social media:

  • That data is governed by the social platform's privacy policy

  • We are not responsible for how they use your data

  • Contact the platform directly to delete shared content

14. CHILDREN'S PRIVACY

14.1 Age Requirements

ToothMatch is not intended for children under 16 years old. We do not knowingly collect personal data from children.

You represent and warrant that:

  • You are at least 16 years old

  • You have the legal capacity to enter into binding agreements

  • If under 18, a parent or guardian has authorized your use

14.2 Parental Consent

If we learn that personal data of a child under 16 has been collected:

  • We will delete it promptly

  • We will notify the account holder and parent/guardian

  • We may disable the account

To report concerns about child data:

📧 Email: privacy@twothmatch.co.uk

15. SENSITIVE AND SPECIAL CATEGORIES DATA

15.1 What is Special Category Data?

Under UK GDPR Article 9, special categories include:

  • Racial or ethnic origin

  • Political opinions

  • Religious or philosophical beliefs

  • Trade union membership

  • Genetic data

  • Biometric data (for identification purposes)

  • Health data

  • Sex life or sexual orientation data

15.2 Health Data

ToothMatch processes limited health-related data:

Data we collect:

  • Wellness club participation and preferences

  • Mental health helpline usage (anonymized)

  • Occupational health concerns (if self-reported)

  • Fitness event participation

Legal basis for processing:

  • Your explicit consent

  • Employment law compliance

  • Legitimate interests in providing member support

Protection measures:

  • Strict access controls – limited staff have access

  • Anonymization where possible

  • Separate security measures

  • Never shared with third parties without consent

15.3 Your Rights Regarding Sensitive Data

You have enhanced rights over special category data:

  • You can withdraw consent at any time

  • You can request deletion (subject to legal obligations)

  • You can restrict processing

  • You can request access and data portability

16. MARKETING AND COMMUNICATIONS

16.1 How We Communicate

We use various channels to communicate with you:

  • Email: Account updates, newsletters, promotional content

  • Push notifications: In-app event reminders, wellness alerts

  • SMS: Shift booking confirmations, urgent notifications (if opted-in)

  • In-app messages: Service updates and feature announcements

16.2 Marketing Consent

We only send marketing communications with your consent.

Upon sign-up, you can choose to opt-in to:

  • ✓ Weekly job recommendations

  • ✓ Wellness event updates

  • ✓ Career development tips

  • ✓ Membership promotion messages

16.3 Unsubscribing from Marketing

You can opt-out at any time:

  1. Click "Unsubscribe" at the bottom of any marketing email

  2. Adjust preferences in your account settings under "Communications"

  3. Email privacy@twothmatch.co.uk with subject "Unsubscribe"

Note: You will continue to receive transactional messages (confirmations, receipts, account alerts) regardless of marketing preferences.

16.4 Direct Marketing Regulations (PECR)

Under the Privacy and Electronic Communications Regulations (PECR):

  • We obtain consent before sending marketing SMS or calls

  • We include clear opt-out options in all marketing messages

  • We honor opt-out requests immediately

  • We maintain opt-out records for 2 years

17. UPDATES TO THIS PRIVACY POLICY

17.1 When We Update

We review this Privacy Policy annually and update it when:

  • Our practices change

  • UK GDPR or other laws change

  • Technology evolves

  • User feedback suggests improvements

17.2 How We Notify You

For material changes:

  • We will send email notification to your registered address

  • We will display a notice in-app

  • Changes take effect 30 days after notification

For minor clarifications:

  • We may update without notification

  • Your continued use indicates acceptance

You can review updates:

  • Check the "Last Updated" date at the top of this policy

  • Compare with previous versions available on request

17.3 Your Rights Upon Update

If you disagree with policy changes:

  • You can request deletion of your account

  • You can contact us to discuss concerns

  • You can lodge complaints with the ICO

18. DATA PROTECTION IMPACT ASSESSMENT (DPIA)

We conduct Data Protection Impact Assessments for high-risk processing, including:

  • Large-scale collection of health data

  • Automated decision-making (job matching algorithm)

  • Use of AI and machine learning

  • Biometric processing (if implemented)

You can request our DPIA:

📧 Email: privacy@twothmatch.co.uk

19. ACCOUNTABILITY AND GOVERNANCE

19.1 Data Protection Officer

Dev-Haus Limited has appointed a Data Protection Officer (DPO):

DPO Contact:
📧 Email: dpo@toothmatchwellnessclub.com

📞 Phone: 07956776114

The DPO is responsible for:

  • Monitoring GDPR compliance

  • Handling data subject requests

  • Investigating complaints

  • Conducting internal audits

  • Providing data protection advice

19.2 Records of Processing Activities

We maintain Records of Processing Activities, as required under UK GDPR, documenting:

  • What data we collect

  • Why we collect it

  • How we use it

  • Who we share it with

  • How long we retain it

  • Security measures

These records are available to supervisory authorities upon request.

19.3 Compliance Framework

Our data protection compliance includes:

  • Quarterly compliance audits

  • Annual GDPR training for all staff

  • Annual review and updating of policies

  • Regular security assessments

  • Vendor risk assessments

20. CONTACT AND COMPLAINT PROCEDURES

20.1 Contacting Us

For privacy questions or to exercise your rights:

📧 Email: privacy@twothmatch.co.uk

📞 Phone: 07956776114

🏢 Postal Address: Dev-Haus Limited, 32 Park Place, LS1 2SP, United Kingdom

Response time: 30 days (may be extended for complex requests)

20.2 Internal Complaint Procedure

If you have concerns about our data practices:

  1. Submit complaint in writing including:

    • Your name and contact details

    • Description of the issue

    • Dates and specific events

    • Supporting documentation

  2. We will investigate and respond within 30 days

  3. If not resolved, you can escalate to our Data Protection Officer

20.3 External Complaints to ICO

If you're not satisfied with our response, you can lodge a complaint with the Information Commissioner's Office (ICO):

📮 Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire, SK9 5AF
United Kingdom

🌐 Website: www.ico.org.uk/make-a-complaint

📞 Phone: 0303 123 1113

21. DEFINITIONS

Biometric data: Information derived from biological/physical measurements for identification

Cloud hosting: Storing data on remote servers accessed via the internet

Cookies: Small text files storing information about user interactions

Data controller: Entity determining purposes and means of data processing

Data processor: Entity processing data on behalf of the controller

Data subject: Individual to whom personal data relates

Encryption: Converting data into unreadable format without appropriate key

GDC: General Dental Council (UK dental regulator)

GDPR: General Data Protection Regulation (UK data protection law as amended)

ICO: Information Commissioner's Office (UK data protection regulator)

Personal data: Any information relating to an identified or identifiable living individual

Processing: Any operation on personal data (collection, storage, use, transmission, deletion, etc.)

Special categories: Sensitive personal data including health, race, religion, biometric data

22. FINAL PROVISIONS

22.1 Entire Agreement

This Privacy Policy constitutes the entire data protection agreement between you and Dev-Haus Limited and supersedes all prior understandings and agreements.

22.2 Severability

If any provision of this Privacy Policy is found invalid or unenforceable, that provision will be modified to the minimum extent necessary, and all other provisions remain in effect.

22.3 Governing Law

This Privacy Policy is governed by UK law and the UK GDPR. Any disputes shall be exclusively resolved through UK courts, except where ICO jurisdiction applies.

22.4 No Waiver

Our failure to enforce any provision does not constitute a waiver of that provision or any other rights.

23. ACKNOWLEDGMENT

By downloading and using the ToothMatch app, you acknowledge:

✓ You have read and understood this entire Privacy Policy
✓ You consent to our data collection and processing practices
✓ You understand your rights under UK GDPR
✓ You accept the terms and conditions outlined
✓ You agree to contact us with any privacy concerns

APPENDIX A: DATA PROCESSING AGREEMENT SUMMARY

Our service providers have signed Data Processing Agreements (DPAs) governing:

  • Permitted processing activities

  • Security obligations

  • Confidentiality requirements

  • Breach notification procedures

  • Audit and inspection rights

  • Sub-processor management

  • International transfer safeguards

Key processors and their DPA status:

Processor           Service          DPA Status   Location
InMotion Hosting    Cloud hosting    ✓ Signed     USA
Google Analytics    Analytics        ✓ Signed     USA
Stripe              Payments         ✓ Signed     USA
Dentinal Tubules    CPD platform     ✓ Signed     UK
SendGrid            Email            ✓ Signed     USA

Copies of DPAs available upon request to: privacy@twothmatch.co.uk

APPENDIX B: STANDARD CONTRACTUAL CLAUSES (SCCs)

For data transfers outside the UK, we rely on:

  • UK GDPR Article 46(2)(c): Standard Contractual Clauses

  • Processor locations: USA, EU member states

All SCCs include:

  • Standard clauses approved by the UK government

  • Transfer impact assessments

  • Supplementary safeguards where required

  • Encryption and security obligations

APPENDIX C: GDPR COMPLIANCE CHECKLIST

Dev-Haus Limited compliance with UK GDPR requirements:

GDPR Requirement                          ToothMatch Compliance
Article 6 (Legal basis)                   ✓ Contract, consent, legal obligation, legitimate interests
Article 7 (Consent)                       ✓ Freely given, specific, informed, documented
Articles 13-14 (Transparency)             ✓ Privacy policy, cookie notices, DPA transparency
Articles 15-22 (Data subject rights)      ✓ Access, rectification, erasure, portability, object, restrict
Articles 32-34 (Security & breaches)      ✓ Encryption, access controls, breach procedures, DPO
Article 35 (DPIA)                         ✓ Assessments for high-risk processing
Articles 37-39 (DPO)                      ✓ DPO appointed and accessible
Article 46 (International transfers)      ✓ SCCs and safeguards in place

Last Updated: 06.12.2025
Version: 1.0
Next Review Date: 06.12.2026

© 2025 Dev-Haus Limited. All rights reserved.