Privacy Policy

Our Privacy Policy

Last Updated on December, 06, 2025

1. INTRODUCTION

ToothMatch ("we," "us," "our," or "Company") is a recruitment and job-matching platform for dental professionals developed and operated by Dev-Haus Limited, a company registered in England and Wales (Company Registration Number: 16808964.

We are committed to protecting your privacy and ensuring you have a positive experience on our app and website. This Privacy Policy explains how we collect, use, disclose and otherwise process your personal data in connection with our services.

This Privacy Policy applies to:

  • The TwothMatch mobile app (iOS and Android versions)
  • Our website: www.twothmatch.co.uk
  • Any related services we provide

We are registered with the Information Commissioner's Office (ICO) under registration number 16808964.

Please read this Privacy Policy carefully. By downloading, accessing or using the ToothMatch app, you acknowledge that you have read, understood and agree to be bound by all the terms of this Privacy Policy. If you do not agree with our practices, please do not use our app.

2. DATA CONTROLLER AND CONTACT INFORMATION

Data Controller:

Dev-Haus Limited

32 Park Place

LS1 2SP

United Kingdom

Company Registration Number: [INSERT NUMBER]

ICO Registration Number: [INSERT ICO NUMBER]

Contact Us:

If you have any questions about this Privacy Policy or our data practices, you can contact us at:

๐Ÿ“ง Email: privacy@twothmatch.co.uk

Data Protection Officer: Saba Arif

If you are not satisfied with our response to any privacy concern, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):

ICO Contact:

Information Commissioner's Office

Wycliffe House

Water Lane

Wilmslow

Cheshire, SK9 5AF

United Kingdom

www.ico.org.uk/make-a-complaint

3. WHAT PERSONAL DATA WE COLLECT

We collect personal data that you provide directly, as well as data collected automatically through your use of the ToothMatch app. The types of personal data we collect include:

3.1 Information You Provide Directly

Account Registration Data:

  • Full name
  • Email address
  • Phone number
  • Date of birth
  • Professional qualifications and registration numbers (e.g., GDC registration)
  • Workplace information (practice name, location, job title)
  • Indemnity and GDC registration status
  • Profile photo/avatar
  • Professional credentials and certifications
  • Employment history
  • CV or resume documents
  • Banking details (for payment processing โ€“ see Section 3.3)

Messaging and Communication Data:

  • Messages sent through the app
  • Support inquiries and responses
  • Feedback and reviews you provide
  • Complaints and dispute information

Application and Shift Data:

  • Job applications you submit
  • Shifts you book or express interest in
  • Your availability preferences and calendars
  • Performance ratings and reviews from employers
  • Time and attendance records for shifts completed

Wellness Club Data

  • Membership tier selected (Qualified or Trainee)
  • Event preferences and registrations
  • Course completions and CPD records
  • Mental health helpline interactions (anonymized where possible)
  • Wellness tracking data if voluntarily provided

Payment Information

  • Payment method details (handled via secure third-party processors)
  • Billing address
  • Transaction history and invoices

3.2 Information Automatically Collected

Device and Usage Data

  • Device type, operating system and version
  • Mobile device identifiers (IDFA, Android Advertising ID)
  • App version
  • IP address and approximate geolocation
  • Browser type and version
  • Pages accessed and time spent on each
  • Features used within the app
  • Search queries and filters applied
  • Date and time of your activities
  • Referring/exit pages
  • Click stream data

Cookies and Tracking Technologies

  • Session IDs
  • Authentication tokens
  • Analytical cookies (via Google Analytics, Mixpanel, or similar)
  • Performance monitoring data
  • Crash reports and error logs

Location Data

  • Approximate location based on IP address
  • Location data from wellness events (if location services enabled with permission)
  • Location preferences for job matching

3.3 Payment Processing Data

Payment and billing information is processed by our third-party payment processor (e.g., Stripe, PayPal) and is not directly stored on our servers. We retain only:

  • Last 4 digits of payment method
  • Billing address
  • Payment transaction records
  • Subscription status and renewal dates

Sensitive Payment Data: We do not store full credit card numbers, CVV codes or complete banking details. These are handled exclusively by our PCI-DSS compliant payment processors.

3.4 Special Categories of Personal Data

In limited circumstances, we may collect special categories of personal data (as defined under UK GDPR Article 9), including:

Health data: Information about your wellness club participation, mental health helpline usage (anonymized), or occupational health information

  • Professional data: Dental registration details and regulatory compliance information

We only process this data where

  • You have explicitly consented
  • Processing is necessary for employment law compliance
  • Processing is necessary for our legitimate business purposes (e.g., membership eligibility)
  • Processing is required by law or regulation

4. LEGAL BASIS FOR DATA PROCESSING

Under the UK GDPR, we must have a lawful basis to process your personal data. We process your data based on the following legal bases:

4.1 Contract Performance (Article 6(1)(b))

  • Creating and maintaining your account
  • Providing job matching and recruitment services
  • Processing your applications and bookings
  • Providing the ToothMatch Wellness Club membership
  • Processing payments and billing

4.2 Consent (Article 6(1)(a))

  • Marketing communications and newsletters
  • Cookies and tracking technologies (except essential cookies)
  • Use of geolocation data for event recommendations
  • Optional analytics and performance data
  • Mental health helpline interactions (where you consent to data storage)

You can withdraw consent at any time by

  • Adjusting notification and email preferences in your account settings
  • Disabling cookies in your device settings
  • Emailing
  • privacy@toothmatchwellnessclub.com
  • to opt out of specific processing

4.3 Legal Obligation (Article 6(1)(c))

  • Compliance with GDC and dental regulatory requirements
  • Employment law and health and safety obligations
  • Fraud prevention and financial crime detection
  • Responding to law enforcement requests

4.4 Legitimate Interests (Article 6(1)(f))

  • Improving and personalizing the ToothMatch app and services
  • Detecting and preventing fraud, abuse and security threats
  • Analyzing user behavior to enhance app features
  • Conducting research and analytics
  • Enforcing our Terms of Service and protecting our legal rights
  • Direct marketing (where not requiring consent under PECR)

We balance our legitimate interests against your rights and only process data where our interests outweigh your privacy expectations.

5. HOW WE USE YOUR DATA

We use personal data for the following purposes

5.1 Core Service Delivery

  • Creating and maintaining your ToothMatch account
  • Matching you with job opportunities based on your skills, qualifications and preferences
  • Processing your job applications and shift bookings
  • Enabling employers to contact you regarding positions
  • Processing payments for membership fees and services
  • Sending transactional communications (account confirmations, booking confirmations, receipts)

5.2 Wellness Club Services

  • Managing your membership tier and benefits
  • Organizing and promoting wellness events (Pilates, padel, spa days, etc.)
  • Administering CPD courses and tracking completions
  • Providing access to the online CPD library (Dentinal Tubules partnership)
  • Operating the 24/7 mental health helpline
  • Facilitating peer support communities
  • Sending event reminders and updates
  • Recording your attendance and participation

5.3 Communication and Support

  • Responding to your inquiries and support requests
  • Sending customer service communications
  • Resolving disputes and handling complaints
  • Obtaining feedback on your experience

5.4 Analytics and Improvements

  • Analyzing how users interact with the app
  • Identifying usage trends and patterns
  • Improving app functionality, features and user experience
  • Conducting A/B testing and optimization studies
  • Monitoring app performance and stability

5.5 Marketing and Promotions

  • Sending newsletters, promotional emails and marketing communications (with your consent)
  • Informing you of new features, updates and membership benefits
  • Offering personalized recommendations based on your profile
  • Running targeted promotional campaigns
  • Encouraging participation in wellness events

5.6 Security and Fraud Prevention

  • Detecting, investigating and preventing fraudulent transactions
  • Identifying and responding to security threats
  • Protecting against unauthorized access
  • Monitoring for violations of our Terms of Service
  • Conducting security audits and testing

5.7 Regulatory and Legal Compliance

  • Meeting GDC and dental industry regulatory requirements
  • Maintaining employment law compliance
  • Responding to lawful requests from authorities
  • Enforcing legal rights and contractual obligations

5.8 Recruitment and Employer Analytics

  • Providing anonymized insights to employers about the dental nursing market
  • Analyzing salary trends and recruitment patterns
  • Generating reports on job placement success rates (anonymized data only)

6. WHO WE SHARE YOUR DATA WITH

We only share your personal data with third parties where necessary to provide our services, comply with legal obligations or pursue legitimate interests. We do not sell your personal data.

6.1 Service Providers and Data Processors

Cloud Hosting and Infrastructure

  • InMotion Hosting โ€“ Cloud-based servers for app hosting, data storage and backup
  • InMotion Hosting is GDPR compliant and has signed a Data Processing Agreement (DPA)

Your data is stored on servers located in the United States with GDPR-compliant safeguards

Payment Processing

  • Stripe, PayPal or similar payment gateways (PCI-DSS compliant)
  • These processors handle payment data only โ€“ we do not share full payment details

Analytics and Monitoring

  • Google Analytics โ€“ App usage analytics
  • Mixpanel, Amplitude or similar โ€“ User behavior tracking
  • Sentry or similar โ€“ Crash reporting and error monitoring
  • Firebase โ€“ Push notifications and user engagement tracking

Email and Communications

  • SendGrid, Mailchimp or similar โ€“ Email delivery
  • Twilio โ€“ SMS notifications (if applicable)

Mental Health Support

  • External mental health service providers (partner organizations) โ€“ For 24/7 helpline services
  • Data is anonymized and shared under strict confidentiality agreements

CPD and Wellness

  • Dentinal Tubules โ€“ CPD course content and tracking
  • Event organizers and venue partners โ€“ For wellness event logistics
  • Spa, fitness and wellness providers โ€“ Only your name and booking confirmation

All service providers are bound by Data Processing Agreements (DPAs) and are prohibited from using your data for their own purposes.

6.2 Employers and Practices

When you apply for a job or express interest in a shift, we share

Your name, phone number and email address

  • Professional qualifications and certifications
  • CV/resume (if you choose to share)
  • Availability and preferences
  • Performance ratings (if applicable)
  • Any information you include in your application

You control how much information practices see through your profile privacy settings.

6.3 Other Members

Within the ToothMatch community and Wellness Club

Your profile name and professional information may be visible to other members

Your contributions to peer support groups are visible to group members

  • Event attendance records may be visible within the community
  • You can adjust visibility settings in your account preferences

6.4 Legal Requirements

We may disclose your data when required by law or in response to

  • Court orders or legal proceedings
  • Law enforcement requests (via proper legal channels)
  • GDC or dental regulatory investigations
  • Government agencies conducting investigations
  • Fraud or security threat responses

We will provide notice of legal requests unless prohibited by law.

6.5 Business Transfers

If Dev-Haus Limited is involved in a merger, acquisition, bankruptcy or asset sale, your data may be transferred as part of that transaction. We will provide notice of any such change and any choices you may have.

7. INTERNATIONAL DATA TRANSFERS

7.1 Transfers Outside the UK

Some of our service providers operate outside the UK, including

  • InMotion Hosting: Servers located in the United States
  • Cloud service providers: Google, Amazon AWS (may be US-based)
  • Payment processors: Stripe, PayPal (may be US-based)

7.2 Safeguards for International Transfers

Where we transfer personal data outside the UK, we ensure adequate safeguards

  • Standard Contractual Clauses (SCCs): All service providers have signed SCCs with appropriate data protection terms
  • Adequacy Decisions: We work only with countries/providers recognized as adequate by the UK GDPR
  • Explicit Consent: Where necessary, we obtain your explicit consent before transferring data internationally
  • Encryption: Data transferred internationally is encrypted in transit and at rest
  • Data Processing Agreements: All processors have signed DPAs governing international data handling

8. DATA RETENTION AND DELETION

8.1 Retention Periods

We retain personal data only for as long as necessary to fulfill the purposes outlined in this Privacy Policy. Specific retention periods include:

Data CategoryRetention PeriodReason
Account data (after deletion)90 daysBackup and recovery purposes
Transaction and payment records12 monthsUK tax and accounting requirements
Job applications6 yearsRecruitment history and compliance
Shift records and timesheetsnDuration + 1 yearService continuity and records
Wellness Club membership data5 yearsProfessional development records
Mental health helpline data3 months (anonymized)Service quality monitoring
Cookies and tracking dataUp to 2 yearsAnalytics and performance
Support tickets and inquiries2 yearsCustomer service records
Marketing data (opted-in users)Until unsubscribe + 3 monthsMarketing compliance
IP logs and security data90 daysService quality monitoring

8.2 Your Deletion Rights

You have the right to request deletion of your personal data in the following circumstances

Right to Erasure (Article 17): You can request we delete your data when

  • The data is no longer necessary for its original purpose
  • You withdraw consent and no other legal basis applies
  • You object to processing based on legitimate interests
  • The data has been unlawfully processed
  • Deletion is required by law

Exception: We may retain data when

  • Required by law or regulation (e.g., financial records, employment law)
  • Necessary to establish, exercise or defend legal claims
  • You owe outstanding fees or have unresolved disputes
  • The data is required for ongoing criminal investigations

To request deletion

  • Log into your account and select "Delete My Account"
  • Email
  • privacy@twothmatch.co.uk
  • with the subject line "Data Deletion Request"
  • Include your full name, email address, and account ID

We will confirm your request and explain any reasons why deletion cannot be completed.

8.3 Inactive Account Deletion

Accounts inactive for 24 months will be subject to automatic deletion unless you re-activate them. You will receive email warnings before automatic deletion occurs.

9. YOUR RIGHTS UNDER UK GDPR

Under the UK GDPR, you have the following rights concerning your personal data

9.1 Right of Access (Article 15)

You can request a copy of all personal data we hold about you.

Submit a Subject Access Request (SAR) by emailing

Include

Your full name and email address

  • Account ID
  • Specific data or date range requested

We will provide

  • A copy of your data in a clear, understandable format
  • Information about where the data came from
  • How we're using it
  • Who we've shared it with

Response time: 30 days (may be extended to 90 days for complex requests)

9.2 Right to Rectification (Article 16)

You can request correction of inaccurate personal data.

If you notice incorrect information in your account

We will correct errors within 30 days and notify relevant third parties of the correction.

9.3 Right to Erasure / "Right to Be Forgotten" (Article 17)

You can request deletion of your personal data (subject to legal exceptions noted in Section 8.2).

Request deletion by

9.4 Right to Data Portability (Article 20)

You can request your data in a portable format (e.g., CSV, JSON).

We will provide

  • All personal data you've provided
  • In a structured, commonly-used, machine-readable format
  • Within 30 days of request

Request portability by emailing

9.5 Right to Object (Article 21)

You can object to processing of your data in the following circumstances

  • Direct marketing: You can opt-out of all marketing emails by clicking "Unsubscribe" or adjusting notification preferences
  • Cookies: You can disable cookies in your device settings (note: some essential cookies cannot be disabled)
  • Profiling: You can opt-out of behavioral analytics in your privacy settings
  • Automated decision-making: See Section 9.6

9.6 Right to Restrict Processing (Article 18)

You can request we limit how we use your data while

  • Verifying accuracy of the data
  • Determining whether processing is lawful
  • Investigating a complaint

Request processing restriction by emailing

9.7 Rights Related to Automated Decision-Making (Article 22)

You have rights regarding automated decisions that produce legal or similarly significant effects.

ToothMatch uses AI-powered job matching to recommend positions based on your profile. This is not a final binding decision โ€“ all recommendations are:

  • Reviewed and confirmed by you before application
  • Not used to automatically accept or reject applications
  • Transparent and explainable

You have the right to

Request human review of automated recommendations

  • Opt out of AI-based job matching (though this may limit service quality)

Request explanation of how matching algorithms work

9.8 How to Exercise Your Rights

Contact us to exercise any of the above rights

๐Ÿ“ง Email:

Include

Your full name and email address

  • Account ID
  • Specific right you're exercising
  • Detailed description of your request
  • Any supporting documentation

Response time: We will respond within 30 days (may be extended to 60-90 days for complex requests).

Verification: We may request proof of identity to verify your request before fulfilling it.

10. COOKIES AND TRACKING TECHNOLOGIES

10.1 What Are Cookies?

Cookies are small text files stored on your device that contain information about your interactions with the app and websites.

10.2 Types of Cookies We Use

Essential Cookies (Cannot be disabled)

  • Session IDs and authentication tokens
  • Security and fraud prevention
  • App functionality and settings

Analytical Cookies (Can be disabled)

  • Google Analytics โ€“ User behavior and app performance
  • Mixpanel โ€“ Feature usage and user journeys
  • These help us improve the app

Marketing Cookies (Can be disabled)

  • Remarketing and targeted ads
  • Conversion tracking
  • These cookies follow you across websites

Preference Cookies (Can be disabled)

  • Remember your settings and preferences
  • Language and region preferences

10.3 Managing Cookies

Disable cookies in your device settings

  • iOS: Settings > Privacy > App Tracking Transparency
  • Android: Settings > Privacy > Permissions

Opt out of specific services

Google Analytics

  • optout.aboutads.info

Mixpanel

Important: Disabling cookies may limit app functionality.

10.4 Do Not Track Signals

If your browser or device supports "Do Not Track" signals, we will respect your preference where technically possible. However, most websites and apps (including ours) do not currently alter their practices based on Do Not Track signals.

11. SECURITY AND DATA PROTECTION MEASURES

We implement comprehensive security measures to protect your personal data from unauthorized access, alteration, disclosure or destruction.

11.1 Technical Security Measures

Encryption

  • In Transit: All data transmitted between your device and our servers uses TLS 1.2+ encryption
  • At Rest: Sensitive data (passwords, payment info) is encrypted using AES-256 encryption
  • Database encryption for stored personal data

Access Controls

  • Multi-factor authentication (MFA) for user accounts
  • Role-based access control (RBAC) for staff
  • Unique access credentials for each employee
  • Regular access audits and reviews

Infrastructure Security

  • Firewalls and intrusion detection systems
  • DDoS protection and mitigation
  • Regular security scanning and vulnerability assessments
  • Secure development practices and code reviews
  • Automated security testing

Data Backup

  • Daily encrypted backups to geographically redundant locations
  • Backup restoration testing quarterly
  • 90-day backup retention for disaster recovery

11.2 Hosting and Infrastructure (InMotion Hosting)

Our app is hosted on InMotion Hosting's GDPR-compliant cloud infrastructure

Data Center: US-based with EU-standard security

Compliance: GDPR compliant, ISO 27001 certified

DPA: Data Processing Agreement in place

Monitoring: 24/7 network and security monitoring

SLA: 99.9% uptime guarantee

Specific InMotion Security Features

  • Redundant network infrastructure
  • Automated backups and disaster recovery
  • HTTPS/SSL encryption for all data transfers
  • Regular security audits and penetration testing
  • Immediate security incident notification

See InMotion Hosting's GDPR compliance details

11.3 Organizational Security Measures

Personnel & Training

  • Staff sign confidentiality agreements
  • Regular data protection and security training
  • Annual GDPR compliance refresher training
  • Background checks for employees with data access

Policies & Procedures

  • Data protection impact assessments (DPIAs)
  • Data breach response procedures
  • Records of processing activities
  • Regular policy reviews and updates

Third-Party Management

  • Due diligence on all service providers
  • Mandatory Data Processing Agreements
  • Audit rights and breach notification requirements
  • Contractual security obligations

11.4 Security Limitations

Please note

No method of transmission over the internet or electronic storage is completely secure

We cannot guarantee absolute security

Your password is your responsibility โ€“ never share it

If you believe your account is compromised, contact us immediately

12. DATA BREACHES AND INCIDENT RESPONSE

12.1 Data Breach Definition

A data breach is unauthorized access, disclosure, alteration or destruction of personal data due to accidental or deliberate action.

12.2 Our Breach Response Procedure

Upon discovery of a breach, we will

Immediate Response (within 24 hours)

  • Contain and mitigate the breach
  • Assess scope and severity
  • Preserve evidence for investigation
  • Notify management and legal team

Investigation (within 72 hours)

  • Determine what data was affected
  • Identify individuals impacted
  • Analyze cause and risks

Notification to ICO (within 72 hours)

  • Report all "high-risk" breaches to the Information Commissioner's Office
  • Include details of affected data, individuals impacted, and remedial actions
  • May request delay in notification in exceptional circumstances

Individual Notification (without undue delay)

  • Contact affected individuals if there is a "high risk" to their rights and freedoms
  • Explain what happened, what data was involved, what we're doing, and what they can do
  • Provide contact information for further assistance

Documentation

  • Maintain detailed breach records
  • Document all actions taken
  • Analyze root causes and prevent recurrence

12.3 Your Breach Rights

If your data has been breached

  • You have the right to be informed within a reasonable timeframe
  • You can lodge complaints with the ICO or other supervisory authorities
  • You may be eligible for compensation in some cases (consult a solicitor)

If you suspect a breach, contact us immediately

๐Ÿ“ง Email:

๐Ÿ“ž Phone: 07956776114

13. THIRD-PARTY LINKS AND INTEGRATIONS

13.1 External Links

The TwothMatch app may contain links to external websites and apps (e.g., social media, job boards, partner sites). We are not responsible for the privacy practices of external websites.

When you click an external link

  • You are leaving ToothMatch
  • That website's privacy policy applies

We recommend reviewing their privacy policies

13.2 Third-Party Integrations

If you connect your TwothMatch account to third-party services (e.g., social media login, calendar integration):

  • You grant us permission to access certain data from those services
  • Review that service's privacy policy
  • You can revoke access at any time through your account settings

We only access the minimum data necessary

13.3 Social Media

If you share TwothMatch content on social media

  • That data is governed by the social platform's privacy policy

We are not responsible for how they use your data

  • Contact the platform directly to delete shared content
  • 14. CHILDREN'S PRIVACY

14.1 Age Requirements

TwothMatch is not intended for children under 16 years old. We do not knowingly collect personal data from children.

You represent and warrant that

  • You are at least 16 years old
  • You have the legal capacity to enter into binding agreements

If under 18, a parent or guardian has authorized your use

14.2 Parental Consent

If we learn that personal data of a child under 16 has been collected

We will delete it promptly

We will notify the account holder and parent/guardian

We may disable the account

To report concerns about child data

๐Ÿ“ง Email:

15. SENSITIVE AND SPECIAL CATEGORIES DATA

15.1 What is Special Category Data?

Under UK GDPR Article 9, special categories include

  • Racial or ethnic origin
  • Political opinions
  • Religious or philosophical beliefs
  • Trade union membership
  • Genetic data
  • Biometric data (for identification purposes)
  • Health data
  • Sex life or sexual orientation data

15.2 Health Data

TwothMatch processes limited health-related data

Data we collect

  • Wellness club participation and preferences
  • Mental health helpline usage (anonymized)
  • Occupational health concerns (if self-reported)
  • Fitness event participation

Legal basis for processing

Your explicit consent

  • Employment law compliance
  • Legitimate interests in providing member support

Protection measures

  • Strict access controls โ€“ limited staff have access
  • Anonymization where possible
  • Separate security measures
  • Never shared with third parties without consent

15.3 Your Rights Regarding Sensitive Data

You have enhanced rights over special category data

  • You can withdraw consent at any time
  • You can request deletion (subject to legal obligations)
  • You can restrict processing
  • You can request access and data portability

16. MARKETING AND COMMUNICATIONS

16.1 How We Communicate

We use various channels to communicate with you

  • Email: Account updates, newsletters, promotional content
  • Push notifications: In-app event reminders, wellness alerts
  • SMS: Shift booking confirmations, urgent notifications (if opted-in)
  • In-app messages: Service updates and feature announcements

16.2 Marketing Consent

We only send marketing communications with your consent.

Upon sign-up, you can choose to opt-in to

  • โœ“ Weekly job recommendations
  • โœ“ Wellness event updates
  • โœ“ Career development tips
  • โœ“ Membership promotion messages

16.3 Unsubscribing from Marketing

You can opt-out at any time

  • Click "Unsubscribe" at the bottom of any marketing email
  • Adjust preferences in your account settings under "Communications"
  • Email:
  • privacy@twothmatch.co.uk
  • with subject "Unsubscribe"

Note: You will continue to receive transactional messages (confirmations, receipts, account alerts) regardless of marketing preferences.

16.4 Direct Marketing Regulations (PECR)

Under the Privacy and Electronic Communications Regulations (PECR)

We obtain consent before sending marketing SMS or calls

We include clear opt-out options in all marketing messages

We honor opt-out requests immediately

We maintain opt-out records for 2 years

17. UPDATES TO THIS PRIVACY POLICY

17.1 When We Update

We review this Privacy Policy annually and update it when

Our practices change

  • UK GDPR or other laws change
  • Technology evolves
  • User feedback suggests improvements

17.2 How We Notify You

For material changes

We will send email notification to your registered address

We will display a notice in-app

  • Changes take effect 30 days after notification

For minor clarifications

We may update without notification

Your continued use indicates acceptance

You can review updates

  • Check the "Last Updated" date at the top of this policy
  • Compare with previous versions available on request

17.3 Your Rights Upon Update

If you disagree with policy changes

  • You can request deletion of your account
  • You can contact us to discuss concerns
  • You can lodge complaints with the ICO

18. DATA PROTECTION IMPACT ASSESSMENT (DPIA)

We conduct Data Protection Impact Assessments for high-risk processing, including

  • Large-scale collection of health data
  • Automated decision-making (job matching algorithm)
  • Use of AI and machine learning
  • Biometric processing (if implemented)

You can request our DPIA

๐Ÿ“ง Email:

19. ACCOUNTABILITY AND GOVERNANCE

19.1 Data Protection Officer

Dev-Haus Limited has appointed a Data Protection Officer (DPO)

DPO Contact

๐Ÿ“ง Email: dpo@toothmatchwellnessclub.com

๐Ÿ“ž Phone: 07956776114

The DPO is responsible for

  • Monitoring GDPR compliance
  • Handling data subject requests
  • Investigating complaints
  • Conducting internal audits
  • Providing data protection advice

19.2 Records of Processing Activities

We maintain Records of Processing Activities (Appropriate Records of Processing under updated UK GDPR) documenting:

  • What data we collect
  • Why we collect it
  • How we use it
  • Who we share it with
  • How long we retain it
  • Security measures

These records are available to supervisory authorities upon request.

19.3 Compliance Framework

Our data protection compliance includes

  • Quarterly compliance audits
  • Annual GDPR training for all staff
  • Annual review and updating of policies
  • Regular security assessments
  • Vendor risk assessments

20. CONTACT AND COMPLAINT PROCEDURES

20.1 Contacting Us

For privacy questions or to exercise your rights

๐Ÿ“ง Email: privacy@twothmatch.co.uk

๐Ÿ“ž Phone: 07956776114

๐Ÿข Postal Address:Dev-Haus Limited 32 Park Place LS1 2SP United Kingdom

Response time: 30 days (may be extended for complex requests)

20.2 Internal Complaint Procedure

If you have concerns about our data practices

Submit complaint in writing including

Your name and contact details

  • Description of the issue
  • Dates and specific events
  • Supporting documentation

We will investigate and respond within 30 days

If not resolved, you can escalate to our Data Protection Officer

20.3 External Complaints to ICO

If you're not satisfied with our response, you can lodge a complaint with the Information Commissioner's Office (ICO):

๐Ÿ“ฎ Information Commissioner's Office

  • Wycliffe House
  • Water Lane
  • Wilmslow
  • Cheshire, SK9 5AF
  • United Kingdom

๐ŸŒWebsite: www.ico.org.uk/make-a-complaint

๐Ÿ“ž Phone: 0303 123 1113

21. DEFINITIONS

  • Biometric data: Information derived from biological/physical measurements for identification
  • Cloud hosting: Storing data on remote servers accessed via the internet
  • Cookies: Small text files storing information about user interactions
  • Data controller: Entity determining purposes and means of data processing
  • Data processor: Entity processing data on behalf of the controller
  • Data subject: Individual to whom personal data relates
  • Encryption: Converting data into unreadable format without appropriate key
  • GDC: General Dental Council (UK dental regulator)
  • GDPR: General Data Protection Regulation (UK data protection law as amended)
  • ICO: Information Commissioner's Office (UK data protection regulator)
  • Personal data: Any information relating to an identified or identifiable living individual
  • Processing: Any operation on personal data (collection, storage, use, transmission, deletion, etc.)
  • Special categories: Sensitive personal data including health, race, religion, biometric data

22. FINAL PROVISIONS

22.1 Entire Agreement

This Privacy Policy constitutes the entire data protection agreement between you and Dev-Haus Limited and supersedes all prior understandings and agreements.

22.2 Severability

If any provision of this Privacy Policy is found invalid or unenforceable, that provision will be modified to the minimum extent necessary, and all other provisions remain in effect.

22.3 Governing Law

This Privacy Policy is governed by UK law and the UK GDPR. Any disputes shall be exclusively resolved through UK courts, except where ICO jurisdiction applies.

22.4 No Waiver

Our failure to enforce any provision does not constitute a waiver of that provision or any other rights.

23. ACKNOWLEDGMENT

By downloading and using the ToothMatch app, you acknowledge

  • โœ“ You have read and understood this entire Privacy Policy
  • โœ“ You consent to our data collection and processing practices
  • โœ“ You understand your rights under UK GDPR
  • โœ“ You accept the terms and conditions outlined
  • โœ“ You agree to contact us with any privacy concerns

APPENDIX A: DATA PROCESSING AGREEMENT SUMMARY

Our service providers have signed Data Processing Agreements (DPAs) governing

  • Permitted processing activities
  • Security obligations
  • Confidentiality requirements
  • Breach notification procedures
  • Audit and inspection rights
  • Sub-processor management
  • International transfer safeguards

Key processors and their DPA status

ProcessorServiceDPA StatusLocation
InMotion HostingCloud hostingโœ“ SignedUSA
Google AnalyticsAnalyticsโœ“ SignedUSA
StripePaymentsโœ“ SignedUSA
Dentinal TubulesCPD platformโœ“ SignedUK
SendGridEmailโœ“ SignedUSA

Copies of DPAs available upon request to: privacy@twothmatch.co.uk

APPENDIX B: STANDARD CONTRACTUAL CLAUSES (SCCs)

For data transfers outside the UK, we rely on

  • UK GDPR Article 46(2)(c): Standard Contractual Clauses
  • Processor locations: USA, EU member states

All SCCs include

  • Standard clauses approved by the UK government
  • Transfer impact assessments
  • Supplementary safeguards where required
  • Encryption and security obligations

APPENDIX C: GDPR COMPLIANCE CHECKLIST

Dev-Haus Limited compliance with UK GDPR requirements

GDPR RequirementToothMatch Compliance
Article 6 (Legal basis)โœ“ Contract, consent, legal obligation, legitimate interests
Article 7 (Consent)โœ“ Freely given, specific, informed, documented
Article 13-14 (Transparency)โœ“ Privacy policy, cookie notices, DPA transparency
Article 15-22 (Data subject rights)โœ“ Access, rectification, erasure, portability, object, restrict
Article 32-34 (Security & breaches)โœ“ Encryption, access controls, breach procedures, DPO
Article 35 (DPIA)โœ“ Assessments for high-risk processing
Article 36-37 (DPO)โœ“ DPO appointed and accessible
Article 46 (International transfers)โœ“ SCCs and safeguards in place

Last Updated: 06.12.2025

Version: 1.0

Next Review Date: 06.12.2026

ยฉ 2025 Dev-Haus Limited. All rights reserved.