1. INTRODUCTION
ToothMatch ("we," "us," "our," or "Company") is a recruitment and job-matching platform for dental professionals developed and operated by Dev-Haus Limited, a company registered in England and Wales (Company Registration Number: 16808964.
We are committed to protecting your privacy and ensuring you have a positive experience on our app and website. This Privacy Policy explains how we collect, use, disclose and otherwise process your personal data in connection with our services.
This Privacy Policy applies to:
- The TwothMatch mobile app (iOS and Android versions)
- Our website: www.twothmatch.co.uk
- Any related services we provide
We are registered with the Information Commissioner's Office (ICO) under registration number 16808964.
Please read this Privacy Policy carefully. By downloading, accessing or using the ToothMatch app, you acknowledge that you have read, understood and agree to be bound by all the terms of this Privacy Policy. If you do not agree with our practices, please do not use our app.
2. DATA CONTROLLER AND CONTACT INFORMATION
Data Controller:
Dev-Haus Limited
32 Park Place
LS1 2SP
United Kingdom
Company Registration Number: [INSERT NUMBER]
ICO Registration Number: [INSERT ICO NUMBER]
Contact Us:
If you have any questions about this Privacy Policy or our data practices, you can contact us at:
๐ง Email: privacy@twothmatch.co.uk
Data Protection Officer: Saba Arif
If you are not satisfied with our response to any privacy concern, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):
ICO Contact:
Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire, SK9 5AF
United Kingdom
www.ico.org.uk/make-a-complaint
3. WHAT PERSONAL DATA WE COLLECT
We collect personal data that you provide directly, as well as data collected automatically through your use of the ToothMatch app. The types of personal data we collect include:
3.1 Information You Provide Directly
Account Registration Data:
- Full name
- Email address
- Phone number
- Date of birth
- Professional qualifications and registration numbers (e.g., GDC registration)
- Workplace information (practice name, location, job title)
- Indemnity and GDC registration status
- Profile photo/avatar
- Professional credentials and certifications
- Employment history
- CV or resume documents
- Banking details (for payment processing โ see Section 3.3)
Messaging and Communication Data:
- Messages sent through the app
- Support inquiries and responses
- Feedback and reviews you provide
- Complaints and dispute information
Application and Shift Data:
- Job applications you submit
- Shifts you book or express interest in
- Your availability preferences and calendars
- Performance ratings and reviews from employers
- Time and attendance records for shifts completed
Wellness Club Data
- Membership tier selected (Qualified or Trainee)
- Event preferences and registrations
- Course completions and CPD records
- Mental health helpline interactions (anonymized where possible)
- Wellness tracking data if voluntarily provided
Payment Information
- Payment method details (handled via secure third-party processors)
- Billing address
- Transaction history and invoices
3.2 Information Automatically Collected
Device and Usage Data
- Device type, operating system and version
- Mobile device identifiers (IDFA, Android Advertising ID)
- App version
- IP address and approximate geolocation
- Browser type and version
- Pages accessed and time spent on each
- Features used within the app
- Search queries and filters applied
- Date and time of your activities
- Referring/exit pages
- Click stream data
Cookies and Tracking Technologies
- Session IDs
- Authentication tokens
- Analytical cookies (via Google Analytics, Mixpanel, or similar)
- Performance monitoring data
- Crash reports and error logs
Location Data
- Approximate location based on IP address
- Location data from wellness events (if location services enabled with permission)
- Location preferences for job matching
3.3 Payment Processing Data
Payment and billing information is processed by our third-party payment processor (e.g., Stripe, PayPal) and is not directly stored on our servers. We retain only:
- Last 4 digits of payment method
- Billing address
- Payment transaction records
- Subscription status and renewal dates
Sensitive Payment Data: We do not store full credit card numbers, CVV codes or complete banking details. These are handled exclusively by our PCI-DSS compliant payment processors.
3.4 Special Categories of Personal Data
In limited circumstances, we may collect special categories of personal data (as defined under UK GDPR Article 9), including:
Health data: Information about your wellness club participation, mental health helpline usage (anonymized), or occupational health information
- Professional data: Dental registration details and regulatory compliance information
We only process this data where
- You have explicitly consented
- Processing is necessary for employment law compliance
- Processing is necessary for our legitimate business purposes (e.g., membership eligibility)
- Processing is required by law or regulation
4. LEGAL BASIS FOR DATA PROCESSING
Under the UK GDPR, we must have a lawful basis to process your personal data. We process your data based on the following legal bases:
4.1 Contract Performance (Article 6(1)(b))
- Creating and maintaining your account
- Providing job matching and recruitment services
- Processing your applications and bookings
- Providing the ToothMatch Wellness Club membership
- Processing payments and billing
4.2 Consent (Article 6(1)(a))
- Marketing communications and newsletters
- Cookies and tracking technologies (except essential cookies)
- Use of geolocation data for event recommendations
- Optional analytics and performance data
- Mental health helpline interactions (where you consent to data storage)
You can withdraw consent at any time by
- Adjusting notification and email preferences in your account settings
- Disabling cookies in your device settings
- Emailing
- privacy@toothmatchwellnessclub.com
- to opt out of specific processing
4.3 Legal Obligation (Article 6(1)(c))
- Compliance with GDC and dental regulatory requirements
- Employment law and health and safety obligations
- Fraud prevention and financial crime detection
- Responding to law enforcement requests
4.4 Legitimate Interests (Article 6(1)(f))
- Improving and personalizing the ToothMatch app and services
- Detecting and preventing fraud, abuse and security threats
- Analyzing user behavior to enhance app features
- Conducting research and analytics
- Enforcing our Terms of Service and protecting our legal rights
- Direct marketing (where not requiring consent under PECR)
We balance our legitimate interests against your rights and only process data where our interests outweigh your privacy expectations.
5. HOW WE USE YOUR DATA
We use personal data for the following purposes
5.1 Core Service Delivery
- Creating and maintaining your ToothMatch account
- Matching you with job opportunities based on your skills, qualifications and preferences
- Processing your job applications and shift bookings
- Enabling employers to contact you regarding positions
- Processing payments for membership fees and services
- Sending transactional communications (account confirmations, booking confirmations, receipts)
5.2 Wellness Club Services
- Managing your membership tier and benefits
- Organizing and promoting wellness events (Pilates, padel, spa days, etc.)
- Administering CPD courses and tracking completions
- Providing access to the online CPD library (Dentinal Tubules partnership)
- Operating the 24/7 mental health helpline
- Facilitating peer support communities
- Sending event reminders and updates
- Recording your attendance and participation
5.3 Communication and Support
- Responding to your inquiries and support requests
- Sending customer service communications
- Resolving disputes and handling complaints
- Obtaining feedback on your experience
5.4 Analytics and Improvements
- Analyzing how users interact with the app
- Identifying usage trends and patterns
- Improving app functionality, features and user experience
- Conducting A/B testing and optimization studies
- Monitoring app performance and stability
5.5 Marketing and Promotions
- Sending newsletters, promotional emails and marketing communications (with your consent)
- Informing you of new features, updates and membership benefits
- Offering personalized recommendations based on your profile
- Running targeted promotional campaigns
- Encouraging participation in wellness events
5.6 Security and Fraud Prevention
- Detecting, investigating and preventing fraudulent transactions
- Identifying and responding to security threats
- Protecting against unauthorized access
- Monitoring for violations of our Terms of Service
- Conducting security audits and testing
5.7 Regulatory and Legal Compliance
- Meeting GDC and dental industry regulatory requirements
- Maintaining employment law compliance
- Responding to lawful requests from authorities
- Enforcing legal rights and contractual obligations
5.8 Recruitment and Employer Analytics
- Providing anonymized insights to employers about the dental nursing market
- Analyzing salary trends and recruitment patterns
- Generating reports on job placement success rates (anonymized data only)
6. WHO WE SHARE YOUR DATA WITH
We only share your personal data with third parties where necessary to provide our services, comply with legal obligations or pursue legitimate interests. We do not sell your personal data.
6.1 Service Providers and Data Processors
Cloud Hosting and Infrastructure
- InMotion Hosting โ Cloud-based servers for app hosting, data storage and backup
- InMotion Hosting is GDPR compliant and has signed a Data Processing Agreement (DPA)
Your data is stored on servers located in the United States with GDPR-compliant safeguards
Payment Processing
- Stripe, PayPal or similar payment gateways (PCI-DSS compliant)
- These processors handle payment data only โ we do not share full payment details
Analytics and Monitoring
- Google Analytics โ App usage analytics
- Mixpanel, Amplitude or similar โ User behavior tracking
- Sentry or similar โ Crash reporting and error monitoring
- Firebase โ Push notifications and user engagement tracking
Email and Communications
- SendGrid, Mailchimp or similar โ Email delivery
- Twilio โ SMS notifications (if applicable)
Mental Health Support
- External mental health service providers (partner organizations) โ For 24/7 helpline services
- Data is anonymized and shared under strict confidentiality agreements
CPD and Wellness
- Dentinal Tubules โ CPD course content and tracking
- Event organizers and venue partners โ For wellness event logistics
- Spa, fitness and wellness providers โ Only your name and booking confirmation
All service providers are bound by Data Processing Agreements (DPAs) and are prohibited from using your data for their own purposes.
6.2 Employers and Practices
When you apply for a job or express interest in a shift, we share
Your name, phone number and email address
- Professional qualifications and certifications
- CV/resume (if you choose to share)
- Availability and preferences
- Performance ratings (if applicable)
- Any information you include in your application
You control how much information practices see through your profile privacy settings.
6.3 Other Members
Within the ToothMatch community and Wellness Club
Your profile name and professional information may be visible to other members
Your contributions to peer support groups are visible to group members
- Event attendance records may be visible within the community
- You can adjust visibility settings in your account preferences
6.4 Legal Requirements
We may disclose your data when required by law or in response to
- Court orders or legal proceedings
- Law enforcement requests (via proper legal channels)
- GDC or dental regulatory investigations
- Government agencies conducting investigations
- Fraud or security threat responses
We will provide notice of legal requests unless prohibited by law.
6.5 Business Transfers
If Dev-Haus Limited is involved in a merger, acquisition, bankruptcy or asset sale, your data may be transferred as part of that transaction. We will provide notice of any such change and any choices you may have.
7. INTERNATIONAL DATA TRANSFERS
7.1 Transfers Outside the UK
Some of our service providers operate outside the UK, including
- InMotion Hosting: Servers located in the United States
- Cloud service providers: Google, Amazon AWS (may be US-based)
- Payment processors: Stripe, PayPal (may be US-based)
7.2 Safeguards for International Transfers
Where we transfer personal data outside the UK, we ensure adequate safeguards
- Standard Contractual Clauses (SCCs): All service providers have signed SCCs with appropriate data protection terms
- Adequacy Decisions: We work only with countries/providers recognized as adequate by the UK GDPR
- Explicit Consent: Where necessary, we obtain your explicit consent before transferring data internationally
- Encryption: Data transferred internationally is encrypted in transit and at rest
- Data Processing Agreements: All processors have signed DPAs governing international data handling
8. DATA RETENTION AND DELETION
8.1 Retention Periods
We retain personal data only for as long as necessary to fulfill the purposes outlined in this Privacy Policy. Specific retention periods include:
| Data Category | Retention Period | Reason |
| Account data (after deletion) | 90 days | Backup and recovery purposes |
| Transaction and payment records | 12 months | UK tax and accounting requirements |
| Job applications | 6 years | Recruitment history and compliance |
| Shift records and timesheetsn | Duration + 1 year | Service continuity and records |
| Wellness Club membership data | 5 years | Professional development records |
| Mental health helpline data | 3 months (anonymized) | Service quality monitoring |
| Cookies and tracking data | Up to 2 years | Analytics and performance |
| Support tickets and inquiries | 2 years | Customer service records |
| Marketing data (opted-in users) | Until unsubscribe + 3 months | Marketing compliance |
| IP logs and security data | 90 days | Service quality monitoring |
8.2 Your Deletion Rights
You have the right to request deletion of your personal data in the following circumstances
Right to Erasure (Article 17): You can request we delete your data when
- The data is no longer necessary for its original purpose
- You withdraw consent and no other legal basis applies
- You object to processing based on legitimate interests
- The data has been unlawfully processed
- Deletion is required by law
Exception: We may retain data when
- Required by law or regulation (e.g., financial records, employment law)
- Necessary to establish, exercise or defend legal claims
- You owe outstanding fees or have unresolved disputes
- The data is required for ongoing criminal investigations
To request deletion
- Log into your account and select "Delete My Account"
- Email
- privacy@twothmatch.co.uk
- with the subject line "Data Deletion Request"
- Include your full name, email address, and account ID
We will confirm your request and explain any reasons why deletion cannot be completed.
8.3 Inactive Account Deletion
Accounts inactive for 24 months will be subject to automatic deletion unless you re-activate them. You will receive email warnings before automatic deletion occurs.
9. YOUR RIGHTS UNDER UK GDPR
Under the UK GDPR, you have the following rights concerning your personal data
9.1 Right of Access (Article 15)
You can request a copy of all personal data we hold about you.
Submit a Subject Access Request (SAR) by emailing
Include
Your full name and email address
- Account ID
- Specific data or date range requested
We will provide
- A copy of your data in a clear, understandable format
- Information about where the data came from
- How we're using it
- Who we've shared it with
Response time: 30 days (may be extended to 90 days for complex requests)
9.2 Right to Rectification (Article 16)
You can request correction of inaccurate personal data.
If you notice incorrect information in your account
- Update it directly in your account settings, OR
- Email
- privacy@twothmatch.co.uk
We will correct errors within 30 days and notify relevant third parties of the correction.
9.3 Right to Erasure / "Right to Be Forgotten" (Article 17)
You can request deletion of your personal data (subject to legal exceptions noted in Section 8.2).
Request deletion by
- Selecting "Delete My Account" in your account settings, OR
- Emailing
- privacy@twothmatch.co.uk
9.4 Right to Data Portability (Article 20)
You can request your data in a portable format (e.g., CSV, JSON).
We will provide
- All personal data you've provided
- In a structured, commonly-used, machine-readable format
- Within 30 days of request
Request portability by emailing
9.5 Right to Object (Article 21)
You can object to processing of your data in the following circumstances
- Direct marketing: You can opt-out of all marketing emails by clicking "Unsubscribe" or adjusting notification preferences
- Cookies: You can disable cookies in your device settings (note: some essential cookies cannot be disabled)
- Profiling: You can opt-out of behavioral analytics in your privacy settings
- Automated decision-making: See Section 9.6
9.6 Right to Restrict Processing (Article 18)
You can request we limit how we use your data while
- Verifying accuracy of the data
- Determining whether processing is lawful
- Investigating a complaint
Request processing restriction by emailing
9.7 Rights Related to Automated Decision-Making (Article 22)
You have rights regarding automated decisions that produce legal or similarly significant effects.
ToothMatch uses AI-powered job matching to recommend positions based on your profile. This is not a final binding decision โ all recommendations are:
- Reviewed and confirmed by you before application
- Not used to automatically accept or reject applications
- Transparent and explainable
You have the right to
Request human review of automated recommendations
- Opt out of AI-based job matching (though this may limit service quality)
Request explanation of how matching algorithms work
9.8 How to Exercise Your Rights
Contact us to exercise any of the above rights
๐ง Email:
- privacy@twothmatch.co.uk
- Subject line: "[RIGHT NAME] Request โ [YOUR NAME]"
Include
Your full name and email address
- Account ID
- Specific right you're exercising
- Detailed description of your request
- Any supporting documentation
Response time: We will respond within 30 days (may be extended to 60-90 days for complex requests).
Verification: We may request proof of identity to verify your request before fulfilling it.
10. COOKIES AND TRACKING TECHNOLOGIES
10.1 What Are Cookies?
Cookies are small text files stored on your device that contain information about your interactions with the app and websites.
10.2 Types of Cookies We Use
Essential Cookies (Cannot be disabled)
- Session IDs and authentication tokens
- Security and fraud prevention
- App functionality and settings
Analytical Cookies (Can be disabled)
- Google Analytics โ User behavior and app performance
- Mixpanel โ Feature usage and user journeys
- These help us improve the app
Marketing Cookies (Can be disabled)
- Remarketing and targeted ads
- Conversion tracking
- These cookies follow you across websites
Preference Cookies (Can be disabled)
- Remember your settings and preferences
- Language and region preferences
10.3 Managing Cookies
Disable cookies in your device settings
- iOS: Settings > Privacy > App Tracking Transparency
- Android: Settings > Privacy > Permissions
Opt out of specific services
Google Analytics
Mixpanel
Important: Disabling cookies may limit app functionality.
10.4 Do Not Track Signals
If your browser or device supports "Do Not Track" signals, we will respect your preference where technically possible. However, most websites and apps (including ours) do not currently alter their practices based on Do Not Track signals.
11. SECURITY AND DATA PROTECTION MEASURES
We implement comprehensive security measures to protect your personal data from unauthorized access, alteration, disclosure or destruction.
11.1 Technical Security Measures
Encryption
- In Transit: All data transmitted between your device and our servers uses TLS 1.2+ encryption
- At Rest: Sensitive data (passwords, payment info) is encrypted using AES-256 encryption
- Database encryption for stored personal data
Access Controls
- Multi-factor authentication (MFA) for user accounts
- Role-based access control (RBAC) for staff
- Unique access credentials for each employee
- Regular access audits and reviews
Infrastructure Security
- Firewalls and intrusion detection systems
- DDoS protection and mitigation
- Regular security scanning and vulnerability assessments
- Secure development practices and code reviews
- Automated security testing
Data Backup
- Daily encrypted backups to geographically redundant locations
- Backup restoration testing quarterly
- 90-day backup retention for disaster recovery
11.2 Hosting and Infrastructure (InMotion Hosting)
Our app is hosted on InMotion Hosting's GDPR-compliant cloud infrastructure
Data Center: US-based with EU-standard security
Compliance: GDPR compliant, ISO 27001 certified
DPA: Data Processing Agreement in place
Monitoring: 24/7 network and security monitoring
SLA: 99.9% uptime guarantee
Specific InMotion Security Features
- Redundant network infrastructure
- Automated backups and disaster recovery
- HTTPS/SSL encryption for all data transfers
- Regular security audits and penetration testing
- Immediate security incident notification
See InMotion Hosting's GDPR compliance details
11.3 Organizational Security Measures
Personnel & Training
- Staff sign confidentiality agreements
- Regular data protection and security training
- Annual GDPR compliance refresher training
- Background checks for employees with data access
Policies & Procedures
- Data protection impact assessments (DPIAs)
- Data breach response procedures
- Records of processing activities
- Regular policy reviews and updates
Third-Party Management
- Due diligence on all service providers
- Mandatory Data Processing Agreements
- Audit rights and breach notification requirements
- Contractual security obligations
11.4 Security Limitations
Please note
No method of transmission over the internet or electronic storage is completely secure
We cannot guarantee absolute security
Your password is your responsibility โ never share it
If you believe your account is compromised, contact us immediately
12. DATA BREACHES AND INCIDENT RESPONSE
12.1 Data Breach Definition
A data breach is unauthorized access, disclosure, alteration or destruction of personal data due to accidental or deliberate action.
12.2 Our Breach Response Procedure
Upon discovery of a breach, we will
Immediate Response (within 24 hours)
- Contain and mitigate the breach
- Assess scope and severity
- Preserve evidence for investigation
- Notify management and legal team
Investigation (within 72 hours)
- Determine what data was affected
- Identify individuals impacted
- Analyze cause and risks
Notification to ICO (within 72 hours)
- Report all "high-risk" breaches to the Information Commissioner's Office
- Include details of affected data, individuals impacted, and remedial actions
- May request delay in notification in exceptional circumstances
Individual Notification (without undue delay)
- Contact affected individuals if there is a "high risk" to their rights and freedoms
- Explain what happened, what data was involved, what we're doing, and what they can do
- Provide contact information for further assistance
Documentation
- Maintain detailed breach records
- Document all actions taken
- Analyze root causes and prevent recurrence
12.3 Your Breach Rights
If your data has been breached
- You have the right to be informed within a reasonable timeframe
- You can lodge complaints with the ICO or other supervisory authorities
- You may be eligible for compensation in some cases (consult a solicitor)
If you suspect a breach, contact us immediately
๐ง Email:
๐ Phone: 07956776114
13. THIRD-PARTY LINKS AND INTEGRATIONS
13.1 External Links
The TwothMatch app may contain links to external websites and apps (e.g., social media, job boards, partner sites). We are not responsible for the privacy practices of external websites.
When you click an external link
- You are leaving ToothMatch
- That website's privacy policy applies
We recommend reviewing their privacy policies
13.2 Third-Party Integrations
If you connect your TwothMatch account to third-party services (e.g., social media login, calendar integration):
- You grant us permission to access certain data from those services
- Review that service's privacy policy
- You can revoke access at any time through your account settings
We only access the minimum data necessary
13.3 Social Media
If you share TwothMatch content on social media
- That data is governed by the social platform's privacy policy
We are not responsible for how they use your data
- Contact the platform directly to delete shared content
- 14. CHILDREN'S PRIVACY
14.1 Age Requirements
TwothMatch is not intended for children under 16 years old. We do not knowingly collect personal data from children.
You represent and warrant that
- You are at least 16 years old
- You have the legal capacity to enter into binding agreements
If under 18, a parent or guardian has authorized your use
14.2 Parental Consent
If we learn that personal data of a child under 16 has been collected
We will delete it promptly
We will notify the account holder and parent/guardian
We may disable the account
To report concerns about child data
๐ง Email:
15. SENSITIVE AND SPECIAL CATEGORIES DATA
15.1 What is Special Category Data?
Under UK GDPR Article 9, special categories include
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
- Genetic data
- Biometric data (for identification purposes)
- Health data
- Sex life or sexual orientation data
15.2 Health Data
TwothMatch processes limited health-related data
Data we collect
- Wellness club participation and preferences
- Mental health helpline usage (anonymized)
- Occupational health concerns (if self-reported)
- Fitness event participation
Legal basis for processing
Your explicit consent
- Employment law compliance
- Legitimate interests in providing member support
Protection measures
- Strict access controls โ limited staff have access
- Anonymization where possible
- Separate security measures
- Never shared with third parties without consent
15.3 Your Rights Regarding Sensitive Data
You have enhanced rights over special category data
- You can withdraw consent at any time
- You can request deletion (subject to legal obligations)
- You can restrict processing
- You can request access and data portability
16. MARKETING AND COMMUNICATIONS
16.1 How We Communicate
We use various channels to communicate with you
- Email: Account updates, newsletters, promotional content
- Push notifications: In-app event reminders, wellness alerts
- SMS: Shift booking confirmations, urgent notifications (if opted-in)
- In-app messages: Service updates and feature announcements
16.2 Marketing Consent
We only send marketing communications with your consent.
Upon sign-up, you can choose to opt-in to
- โ Weekly job recommendations
- โ Wellness event updates
- โ Career development tips
- โ Membership promotion messages
16.3 Unsubscribing from Marketing
You can opt-out at any time
- Click "Unsubscribe" at the bottom of any marketing email
- Adjust preferences in your account settings under "Communications"
- Email:
- privacy@twothmatch.co.uk
- with subject "Unsubscribe"
Note: You will continue to receive transactional messages (confirmations, receipts, account alerts) regardless of marketing preferences.
16.4 Direct Marketing Regulations (PECR)
Under the Privacy and Electronic Communications Regulations (PECR)
We obtain consent before sending marketing SMS or calls
We include clear opt-out options in all marketing messages
We honor opt-out requests immediately
We maintain opt-out records for 2 years
17. UPDATES TO THIS PRIVACY POLICY
17.1 When We Update
We review this Privacy Policy annually and update it when
Our practices change
- UK GDPR or other laws change
- Technology evolves
- User feedback suggests improvements
17.2 How We Notify You
For material changes
We will send email notification to your registered address
We will display a notice in-app
- Changes take effect 30 days after notification
For minor clarifications
We may update without notification
Your continued use indicates acceptance
You can review updates
- Check the "Last Updated" date at the top of this policy
- Compare with previous versions available on request
17.3 Your Rights Upon Update
If you disagree with policy changes
- You can request deletion of your account
- You can contact us to discuss concerns
- You can lodge complaints with the ICO
18. DATA PROTECTION IMPACT ASSESSMENT (DPIA)
We conduct Data Protection Impact Assessments for high-risk processing, including
- Large-scale collection of health data
- Automated decision-making (job matching algorithm)
- Use of AI and machine learning
- Biometric processing (if implemented)
You can request our DPIA
๐ง Email:
19. ACCOUNTABILITY AND GOVERNANCE
19.1 Data Protection Officer
Dev-Haus Limited has appointed a Data Protection Officer (DPO)
DPO Contact
๐ง Email: dpo@toothmatchwellnessclub.com
๐ Phone: 07956776114
The DPO is responsible for
- Monitoring GDPR compliance
- Handling data subject requests
- Investigating complaints
- Conducting internal audits
- Providing data protection advice
19.2 Records of Processing Activities
We maintain Records of Processing Activities (Appropriate Records of Processing under updated UK GDPR) documenting:
- What data we collect
- Why we collect it
- How we use it
- Who we share it with
- How long we retain it
- Security measures
These records are available to supervisory authorities upon request.
19.3 Compliance Framework
Our data protection compliance includes
- Quarterly compliance audits
- Annual GDPR training for all staff
- Annual review and updating of policies
- Regular security assessments
- Vendor risk assessments
20. CONTACT AND COMPLAINT PROCEDURES
20.1 Contacting Us
For privacy questions or to exercise your rights
๐ง Email: privacy@twothmatch.co.uk
๐ Phone: 07956776114
๐ข Postal Address:Dev-Haus Limited 32 Park Place LS1 2SP United Kingdom
Response time: 30 days (may be extended for complex requests)
20.2 Internal Complaint Procedure
If you have concerns about our data practices
Submit complaint in writing including
Your name and contact details
- Description of the issue
- Dates and specific events
- Supporting documentation
We will investigate and respond within 30 days
If not resolved, you can escalate to our Data Protection Officer
20.3 External Complaints to ICO
If you're not satisfied with our response, you can lodge a complaint with the Information Commissioner's Office (ICO):
๐ฎ Information Commissioner's Office
- Wycliffe House
- Water Lane
- Wilmslow
- Cheshire, SK9 5AF
- United Kingdom
๐Website: www.ico.org.uk/make-a-complaint
๐ Phone: 0303 123 1113
21. DEFINITIONS
- Biometric data: Information derived from biological/physical measurements for identification
- Cloud hosting: Storing data on remote servers accessed via the internet
- Cookies: Small text files storing information about user interactions
- Data controller: Entity determining purposes and means of data processing
- Data processor: Entity processing data on behalf of the controller
- Data subject: Individual to whom personal data relates
- Encryption: Converting data into unreadable format without appropriate key
- GDC: General Dental Council (UK dental regulator)
- GDPR: General Data Protection Regulation (UK data protection law as amended)
- ICO: Information Commissioner's Office (UK data protection regulator)
- Personal data: Any information relating to an identified or identifiable living individual
- Processing: Any operation on personal data (collection, storage, use, transmission, deletion, etc.)
- Special categories: Sensitive personal data including health, race, religion, biometric data
22. FINAL PROVISIONS
22.1 Entire Agreement
This Privacy Policy constitutes the entire data protection agreement between you and Dev-Haus Limited and supersedes all prior understandings and agreements.
22.2 Severability
If any provision of this Privacy Policy is found invalid or unenforceable, that provision will be modified to the minimum extent necessary, and all other provisions remain in effect.
22.3 Governing Law
This Privacy Policy is governed by UK law and the UK GDPR. Any disputes shall be exclusively resolved through UK courts, except where ICO jurisdiction applies.
22.4 No Waiver
Our failure to enforce any provision does not constitute a waiver of that provision or any other rights.
23. ACKNOWLEDGMENT
By downloading and using the ToothMatch app, you acknowledge
- โ You have read and understood this entire Privacy Policy
- โ You consent to our data collection and processing practices
- โ You understand your rights under UK GDPR
- โ You accept the terms and conditions outlined
- โ You agree to contact us with any privacy concerns
APPENDIX A: DATA PROCESSING AGREEMENT SUMMARY
Our service providers have signed Data Processing Agreements (DPAs) governing
- Permitted processing activities
- Security obligations
- Confidentiality requirements
- Breach notification procedures
- Audit and inspection rights
- Sub-processor management
- International transfer safeguards
Key processors and their DPA status
| Processor | Service | DPA Status | Location |
| InMotion Hosting | Cloud hosting | โ Signed | USA |
| Google Analytics | Analytics | โ Signed | USA |
| Stripe | Payments | โ Signed | USA |
| Dentinal Tubules | CPD platform | โ Signed | UK |
| SendGrid | Email | โ Signed | USA |
Copies of DPAs available upon request to: privacy@twothmatch.co.uk
APPENDIX B: STANDARD CONTRACTUAL CLAUSES (SCCs)
For data transfers outside the UK, we rely on
- UK GDPR Article 46(2)(c): Standard Contractual Clauses
- Processor locations: USA, EU member states
All SCCs include
- Standard clauses approved by the UK government
- Transfer impact assessments
- Supplementary safeguards where required
- Encryption and security obligations
APPENDIX C: GDPR COMPLIANCE CHECKLIST
Dev-Haus Limited compliance with UK GDPR requirements
| GDPR Requirement | ToothMatch Compliance |
| Article 6 (Legal basis) | โ Contract, consent, legal obligation, legitimate interests |
| Article 7 (Consent) | โ Freely given, specific, informed, documented |
| Article 13-14 (Transparency) | โ Privacy policy, cookie notices, DPA transparency |
| Article 15-22 (Data subject rights) | โ Access, rectification, erasure, portability, object, restrict |
| Article 32-34 (Security & breaches) | โ Encryption, access controls, breach procedures, DPO |
| Article 35 (DPIA) | โ Assessments for high-risk processing |
| Article 36-37 (DPO) | โ DPO appointed and accessible |
| Article 46 (International transfers) | โ SCCs and safeguards in place |
Last Updated: 06.12.2025
Version: 1.0
Next Review Date: 06.12.2026
ยฉ 2025 Dev-Haus Limited. All rights reserved.