Privacy and Cookie Policy | Email Protection

EVO Dental Privacy Policy

At Evo Dental, we are committed to protecting your privacy and complying with the UK General Data Protection Regulation (UK GDPR) and the Privacy and Electronic Communications Regulations (PECR). This notice tells you:

what personal data we collect,
how and why we use it,
who we share it with,
how long we keep it,
your rights under data protection law, and
how to contact us or the Information Commissioner’s Office (ICO) if you have concerns.

Who we are and how to contact us

We are Evo Dental Centre Limited (referred to as “EvoDental” “we”, “us” or “our”), a company registered in England and Wales, with its registered office located at Units 5 8 Paramount Business Park, Wilson Road, Liverpool, England, L36 6AW. We provide full mouth dental implant solutions across our UK wide locations. We specialise in providing treatment options that allow our patients to leave the same day with custom made prosthetics, designed and manufactured for them in house. We are the controller of your personal data and we are responsible for processing it according to the law.

EvoDental has not appointed a statutory Data Protection Officer. A dedicated internal compliance team is responsible for overseeing data protection matters, including responding to privacy requests.

If you have questions, including any requests to exercise your rights, please contact privacy@evodental.com

Information we collect

Evo Dental processes different categories and types of personal data about you when you navigate our websites or use our services

To make this section easier to understand, we’ve included short explanations of key terms.

What is “personal data”?
Personal data (or personal information) means any information that can identify you, either on its own or when combined with other details. Examples include your name or email address. It does not include data that has been anonymised so you can no longer be identified. Please note that the definition of personal data or personal information may change depending on the applicable law.

What is “processing”?
Processing simply means anything we do with your personal data. This can be manual or automated and includes actions such as collecting, storing, using, sharing, or deleting your data.

What is “legitimate business interest”?

Sometimes we use your personal data because it’s necessary for our business and doesn’t override your rights. This is called legitimate interests. For example, we may use your details to respond to your enquiry, keep our website secure, or improve our services. When we rely on legitimate interests, we always conduct a balancing test to ensure our needs do not override your fundamental rights and freedoms, and you have the right to object to such processing.

What we collect when you use our website or contact us:

We collect the following categories of personal data, depending on how you interact with us:

Identity and contact details such as your name, email address, telephone number, postcode, and date of birth.
Preferences including your clinic preference and any information you provide when submitting an enquiry.
Device and technical information including your IP address, device type, operating system and browser information.
Website behavioural and analytics data. This includes information about how you use our website, including the pages you view, how long you spend on them, your navigation paths, scroll depth, clicks, form interactions and analytics/heat-mapping data.
Enquiry and communication data. This includes Information you provide when you contact us via webforms or telephone.
Clinical information such as dental and medical history, implant assessment forms, clinical photographs, radiographs and scans.
Paper-based information. We may initially collect certain clinical or administrative information on paper forms. These documents are scanned into our systems and securely destroyed once digitised. While held in paper format, they are stored in locked cabinets with restricted access.
Security and system data. This includes technical logs and related information used to ensure the security of our systems, prevent fraud and investigate incidents.

How we use your information and our lawful bases

We use your data for the following purposes and rely on the corresponding lawful bases under UK GDPR:

Lawful Basis for Processing Personal Data

Categories of Personal Data	Purpose of Processing	Lawful Basis (Article 6 UK GDPR)	Special Category Condition (Article 9)
Name, email, phone number, postcode, date of birth, clinic preference	Responding to enquiries submitted via website or telephone	Legitimate interests (to respond to prospective patient enquiries and operate our business)	N/A
Name, contact details, appointment preferences	Booking consultations and managing appointments	Contract (steps taken at your request before entering into a contract)	N/A
Medical and dental history, implant assessment forms, radiographs/scans, clinical photographs	Providing dental suitability assessments	Contract (provision of dental services)	Article 9(2)(h) UK GDPR and Schedule 1, Part 1, paragraph 2 DPA 2018 – provision of health or social care
Contact details, appointment data	Service communications (confirmations, reminders, updates)	Contract (necessary to deliver services you request)	N/A
Email, phone number	Direct marketing of EvoDental services	Consent, or Legitimate interests (where we rely on the soft opt-in exception under PECR for existing or recent customers)	N/A
IP address, device details, operating system, browser type, pages visited, time on site	Analytics, website performance and service improvement	Consent (for non-essential cookies and tracking technologies)	N/A
IP addresses, device data, technical logs	Website security, fraud prevention and system monitoring	Legitimate interests (to maintain security and prevent misuse)	N/A
Information submitted in enquiry form	Automated prioritisation of enquiries	Legitimate interests (to prioritise follow-up efficiently)	N/A (no special category data used for scoring)
Patient records, financial data, operational records	Regulatory, legal, tax and audit compliance	Legal obligation	Article 9(2)(h) where records relate to dental care

Special Category Personal Data

EvoDental processes special category personal data only where necessary for clinical assessment and the provision of dental care. This includes:

Medical and dental records and history – collected so our Clinicians have a full understanding of your dental and overall health. This enables us to make the safest and most informed decisions when creating your treatment plan.
Radiographs and intra-oral scans – taken to analyse bone availability, identify any clinical issues and ensure that your custom prosthetic fits precisely using the captured digital data.
Clinical photographs – captured to document and understand your unique smile, bite and tooth alignment, and to support accurate clinical planning and review.
Implant assessment forms and implant details – stored so we can reference the exact implant types and sizes used in your treatment, including for future care or in the rare event of an implant‑related issue.
Health information provided during consultations – collected to ensure our Clinicians can make informed decisions at each stage of your care, including any follow‑up appointments.

Our lawful basis is Article 6(1)(b) (performance of a contract) or Article 6(1)(e) (public interest in the provision of health care), and our special category condition is Article 9(2)(h) UK GDPR read together with Schedule 1, Part 1, paragraph 2 of the Data Protection Act 2018 (provision of health or social care).

EvoDental does not process other special categories such as racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data used for identification, or sexual orientation.

Additional Information

We will only use your personal data for the purposes described in this Privacy Notice. If we need to use it for a reason that is compatible with those purposes, we may do so and you may contact us for an explanation. If we need to use your data for a purpose that is not compatible, we will inform you and explain the lawful basis; where required, we will seek your consent. We may also process your data without your knowledge or consent where this is required or permitted by law.

When you submit an enquiry, our systems may automatically assess how likely you are to require our services to help us prioritise follow-up. This does not have legal or similarly significant effects. You can object to this profiling or request human review at any time by contacting privacy@evodental.com.

Who we share data with

We do not sell your personal data. However, we may share your information with trusted third parties where necessary for the operation of our business, compliance with the law, or the delivery of our services. Any third party that processes personal data on our behalf is required to do so under a written contract that meets UK GDPR requirements, including obligations to keep your information secure and to act only on our instructions.

We may share personal data with:

Service providers (processors): Third-party companies who provide services that support our operations. Our service providers include marketing agencies, auditors, CRM providers, cloud hosting providers and cybersecurity partners (including EDR/MDR/SIEM services), who process personal data under our instructions. These providers are only permitted to use your data as instructed by us and must maintain appropriate security measures.
Professional advisers: Lawyers, auditors, accountants, insurers and other professional advisers where necessary for the management of our business, to obtain professional advice, or to meet our legal and regulatory obligations.
Regulators and authorities: HMRC, law enforcement, regulatory bodies, courts or other public authorities where we are legally required to disclose personal data or where such disclosure is necessary to protect our legal rights or detect/prevent crime.
Corporate transactions (if applicable): If we undergo a business restructure, merger, acquisition or asset transfer, your personal data may be shared with relevant parties where strictly necessary and subject to appropriate confidentiality and data protection safeguards.

We ensure that any sharing of personal data is lawful, proportionate, and carried out with appropriate safeguards in place.

Data retention

We retain personal data only for as long as necessary to fulfil the purposes described in this notice, or for as long as required by law. Once data is no longer needed, we securely delete or anonymise it.

Our current retention standards are:

Patient and clinical records: retained for 11 years, in line with applicable clinical recordkeeping requirements.
Enquiry data: retained for 24 months.
Marketing data: retained until you opt out, or for 24 months from your last interaction with us.
Implant assessment forms, clinical images and scans: retained in accordance with patient record retention requirements (normally 11 years).
Security logs and audit records: retained for as long as necessary to maintain system security and to meet operational and audit requirements.

We will update this notice if our retention periods change.

Your Rights

You have many rights under applicable data protection laws in relation to your personal data. These include:

Access – You can ask us for a copy of the personal data we hold about you (often called a “subject access request”).
Rectification – If any of your personal data is wrong or incomplete, you can ask us to correct it.
Erasure (Right to be Forgotten) – You can ask us to delete your personal data in certain situations, for example if we no longer need it or you withdraw consent.
Restriction – You can ask us to limit how we use your data, for example while a complaint is being resolved.
Portability – You can ask us to provide your data in a structured, machine-readable format so you can move it to another provider.
Object – You can object to us processing your data for certain purposes, including direct marketing. If you object to marketing, we must stop immediately.
Withdraw Consent – If we rely on your consent (e.g., for marketing or cookies), you can withdraw it at any time. This won’t affect processing we did before you withdrew consent.
Automated Decision-Making and Profiling – If we make decisions about you using automated systems that have a significant effect, you can ask for human review, challenge the decision, or object to profiling.

To exercise any of your rights, email privacy@evodental.com. Please include enough information to confirm your identity (such as your full name and email address). This security step ensures we only share personal data with the correct person.

We will respond to your request within one calendar month of receiving it. If your request is complex or you’ve made multiple requests, we may extend this by up to two additional months, but we’ll let you know within the first month and explain why.

If you’re unhappy with how we handle your data, you can complain to the Information Commissioner’s Office (ICO) at ico.org.uk. We’d appreciate the chance to resolve your concerns first, so please contact us before approaching the ICO.

Links

Our website may contain links to other websites. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their Privacy Notices. When you leave our website, we encourage you to read the Privacy Notice of each website you visit..

We use cookies and similar tracking technologies to improve your experience on our website, analyse usage and support our marketing activities.

You can find detailed information about the cookies we use, including their purpose and duration, in our Cookie Declaration, which is available here:

https://www.evodental.com/cookie-declaration/
Where required, we obtain your consent before placing non‑essential cookies. You can manage or withdraw your consent at any time through our cookie settings.

Direct marketing

If you agree, we’ll send you marketing by email/SMS about EvoDental services. Where you’ve enquired about or purchased our services, we may rely on PECR soft opt‑in to send marketing about similar EvoDental services; you’ll be given a simple, free opt‑out when we collect your details and in every message. You can unsubscribe using the link in our emails or by contacting privacy@evodental.com.

Data storage, transfers and security

EvoDental takes the protection of your personal data seriously. This section explains where your data is stored, how international access is managed, and the technical and organisational measures we use to safeguard your information.

Where Your Data Is Stored

Our Customer Relationship Management (CRM) system and associated data infrastructure are hosted within the European Economic Area (EEA), specifically in:

Amsterdam, Netherlands (NL)
Dublin, Ireland (IE)

Under current UK adequacy regulations, transfers of personal data to the EEA are permitted and do not require additional transfer safeguards. However, the Controller will monitor any changes to UK adequacy decisions and implement appropriate safeguards if adequacy is withdrawn or modified.

International Access

Access to personal data normally occurs within the UK. Any access from outside the UK requires documented approval and appropriate safeguards as follows:

prior written approval from our designated data protection lead, in consultation with the IT Manager, and
IP whitelisting to ensure that only authorised connections are permitted.

Where international access would constitute a restricted transfer under UK GDPR (i.e., to a country without an adequacy decision), we will implement one of the following appropriate safeguards before permitting such access:

the UK International Data Transfer Agreement (IDTA), or
the UK Addendum to the EU Standard Contractual Clauses (SCCs), or
such other transfer mechanism as may be approved under UK GDPR Article 46

We carry out transfer risk assessments (TRAs) in accordance with ICO guidance before implementing any restricted transfer, and review these assessments periodically (at least annually) and whenever there are material changes to the transfer circumstances, to ensure that appropriate protections remain in place and that the transfer remains compliant with UK GDPR requirements.

How We Protect Your Data

We use a layered security approach combining technical and organisational measures to protect personal data against unauthorised or unlawful processing, and against accidental loss, destruction or damage. These measures are appropriate to the risk and include:

Multi-factor authentication (MFA) for system access
Use of company-issued devices only, secured and monitored
Endpoint Detection and Response (EDR) supported by 24/7/365 Managed Detection and Response (MDR)
Security Information and Event Management (SIEM) logging to detect and investigate activity
Immutable, redundant backups to protect data integrity
Next-generation firewalls protecting our internal network
Controlled VPN access for remote connections
Role-based access controls, ensuring users only access data required for their duties

These measures are regularly tested, assessed and evaluated to ensure ongoing effectiveness, and are designed to maintain the confidentiality, integrity and availability of your personal data.

Children

Our services are intended for adults aged 18 and over. We do not knowingly collect personal data from children under the age of 18. If we become aware that we have inadvertently collected personal data from a child, we will delete it promptly unless we have a legal obligation to retain it. We recognise that some users may be vulnerable adults and treat their personal data with additional care and safeguards in accordance with relevant professional and regulatory guidance.

Updates to this notice

We may update this notice from time to time to reflect changes in our processing activities, legal obligations, or for other operational, legal or regulatory reasons. We will post any updated version on our website and, where changes are material. We encourage you to review this notice periodically.

Last updated: 22/05/2026.