Sensu (“we”, “us” or “our”) are committed to protecting and respecting your privacy.
The data controller is Sensu; the Information Governance Lead is Heather Redfern.
This policy (together with our Cookies Policy) sets out the basis on which any personal data we collect, or that you provide to us, will be processed by us. It does not include data where the identity has been removed (i.e. anonymous data).
Please read the following carefully to understand our views and practices regarding your personal data and how we will treat it.
You will be asked to provide personal information when joining the practice. The purpose of us processing this data is to provide optimum health care to you by, for example, recommending the most relevant treatment and ensuring your safety by taking your medical history.
The categories of data we process
- Contact data (such as name, address, email address, telephone number) for the purposes of corresponding with you, for example, regarding your appointments and treatment.
- Contact data (such as name, address, email address, telephone number) for the purposes of direct mail/email/text/marketing.
- Special category data concerning health (including health records, medical history, medication, your doctor’s name and address, warning cards or bracelets, alcohol and drug use) for the purposes of the delivery of safe health care.
- Treatment data (such as photos, moulds, X-rays, clinical findings) for the purposes of providing you with the best treatment.
- Financial data (such as credit card details, bank account information, credit history, employment status) for the purposes of processing your payment for treatment(s).
- Usage data (such as information about how you use our website, products and services) for the purposes of improving the way we provide our treatment and services.
The ways we collect information about you
We may collect and process the following data about you in operating the website and performing any of our services and treatment(s):
- Information you give us (including information you give to Clinical Directors, Specialists, Dentists, Hygienists and Orthodontic Therapists who are contracted to work for us). You may give us information about you by filling in forms on our website www.sensu.co.uk or any website wholly owned by Sensu, or by corresponding with us by phone, email, in person or otherwise.
- Personal data is obtained when a patient joins the practice, when a patient is referred to the practice and when a patient subscribes to an email list.
- Information we automatically collect about you. With regard to each of your visits to our website we may automatically collect the following information:
• Technical information, including the internet protocol (IP) address used to connect your computer to the internet, your login information, browser type and version, time zone setting, browser plugin types and versions, operating system and platform; and
• Information about your visit, including the full Uniform Resource Locators (URL) clickstream to, through and from our site (including date and time); products you viewed or searched for; page response times, download errors, length of visits to certain pages, page interaction information (such as scrolling, clicks, and mouseovers), and methods used to browse away from the page and any phone number used to call our customer service number.
From third parties
- Our Clinical Directors, Specialists, Dentists, Hygienists and Orthodontic Therapists are third parties working for us as contractors, however, they are contractually bound to us with regard to obligations of confidentiality in the same way as our employees and by professional obligations of confidentiality.
- You may have been referred to us for treatment from Invisalign and we will therefore receive contact data, special category data concerning health, treatment data and/or financial data from them.
- Information we receive from other sources. We may receive information about you if you use any of the other websites we operate or the other services we provide.
- We are also working closely with third parties (including, for example, business partners, subcontractors in technical, payment and delivery services, advertising networks, analytics providers, search information providers, credit reference agencies) and may receive information about you from them.
How we share data with third parties
We may share your Contact data, special category of data relating to health, Financial data, Treatment data and/or Usage data with selected third parties including:
- Our Clinical Directors, Specialists, Dentists, Hygienists and Orthodontic Therapists
- Private health insurance companies (at your request if you are using private health insurance)
- Credit reference agencies
- Equipment providers and laboratories such as Align Tech, Nimrodental, Crown 24, Ken Poland and Schreiber & Low
- Accountants, lawyers and other professional advisers such as Jacob Cavenagh & Skeet
- Professional compliance organisations such as CODE and iComply
- Data storage and transfer platforms such as Microsoft Sharepoint, Rackspace, Dropbox and WeTransfer
- Our payment platform Stripe
- Our telephone system provider 4Com
- Our website host Simply Website Support
- Our practice management and CRM software providers Carestream, Pabau and HubSpot
- Our online questionnaire and form provider Formstack
- Our email marketing provider MailChimp
- Our live chat provider Zendesk
- Our review software provider Reviews.co.uk
- Advertisers and advertising networks that require the data to select and serve relevant adverts to you and others such as Facebook
- Analytics and search engine providers that assist us in the improvement and optimisation of our site such as Google.
This is a list of the main third parties with whom we share your personal data. If you would like a full list of third parties who process your data, and their contact details, please contact us using the details set out above.
We never pass your personal details to a third party unless we have a contract for them to process data on our behalf and will otherwise keep it confidential.
If we intend to refer a patient to another practitioner or to secondary care such as a hospital we will gain your consent before the referral is made and the personal data is shared.
The website may include links to third party websites, plugins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third party websites and are not responsible for their privacy statements. When you leave our website, we encourage you to read the privacy notice of every website you visit.
Data transferred outside the EU
- Personal data is stored in the EU whether in digital or hard copy format.
- Personal data is stored in the US in digital format when the data storage company is certified with the EU-US Privacy Shield.
Lawful basis for processing personal data
The lawful bases for processing personal data (including providing your personal data to third parties) are:
- Consent of the data subject for data relating to treatment, care, our services, processing payment, credit checks, marketing and reviews, improving our services and improving our website (including using data analytics). This will also apply to the storage of personal data for these purposes
- Processing is necessary for the performance of a contract with the data subject or to take steps to enter into a contract such as the provision of the services by us
- Processing is necessary to comply with a legal obligation such as financial, tax and contractual laws.
For consent relating to children and people who may not have mental capacity to give consent, please contact us using the details above for a copy of our Safeguarding and Mental Capacity policies.
The reason for processing special category data such as patients’ health data is:
- The processing is necessary for the purposes of preventative or occupational medicine, for assessing the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or management of health or social care systems and services on the basis of Union or Member State law or a contract with a health professional; and
- Data is processed by or under the responsibility of a professional subject to the obligation of professional secrecy under Union or Member State law or rules established by national competent bodies or by another person also subject to an obligation of secrecy under Union or Member State law or rules established by national competent bodies.
Purposes for processing personal data
We (and the third parties listed above) process your personal data for the following purposes:
- To provide you with our services
- To discuss relevant treatments
- To provide a safe working environment for staff, contractors and patients
- To check your employment and financial status for payment plans
- To process payments
- To keep you informed of our latest offers, other services we provide and general marketing activities
- To obtain reviews and feedback on your experience of our services
- To store our data
If you would like more information about how your data is processed please contact us by using the details set out above.
The retention period for special category data in patient records is a minimum of 10 years and may be longer for complex records in order to meet our legal requirements. The retention periods for other personal data is two years after it was last processed.
You will receive marketing emails until you unsubscribe, either by contacting us or by clicking on the unsubscribe link at the bottom of the email. For details of other retention periods please contact us using the details set out above.
Your personal data rights
You have the following personal data rights:
- The right to be informed
- The right of access to your personal data, which enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it
- The right to rectification of your personal data that you consider to be inaccurate. This enables you to have any incomplete or inaccurate data we hold about you corrected
- The right to erasure. This enables you to ask us to delete or remove your personal data (however clinical records must be retained for a certain time period)
- The right to restrict processing. This gives you the option to ask us to suspend the processing of your personal data e.g. if you want us to establish the data’s accuracy or you do not want us to erase it
- The right to data portability. If you request us to do so, we will provide to you, or a third party of your choice, your personal data in a commonly used, machine-readable format
- The right to object. This enables you to object to the processing of your personal data if you feel it impacts on your fundamental rights and freedoms, however, in some cases, we may have compelling legitimate grounds to process your information which can override your right to object
- The right to request confirmation as to whether or not your personal data is being processed
- The right to not have a decision made about you based solely on automated processing.
You have the right to withdraw consent at any time. If you request us to do so, we will no longer process your data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we will not be able to provide you with the services. You have the right to obtain a free copy of your patient records within one month of submitting a request.
If you are not a patient of the practice you have the right to withdraw consent for processing personal data, to have a free copy of it within one month of submitting a request, to correct errors in it or to ask us to delete it. You can also withdraw consent from communication methods such as telephone, email or text.
We have carried out a Privacy Impact Assessment and if you would like a copy please contact us using the details set out above.
If you wish to exercise any of the rights set out above, in the first instance, please contact us using the details set out above.
You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.
We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.
Further details of these rights can be obtained on the Information Commissioner’s website.
We have put in place appropriate security measures to prevent your personal data from being lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.
We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted through our website; any transmission is at your own risk. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access.
Comments, suggestions and complaints
Please contact the practice for a comment, suggestion or a complaint about your data processing at email@example.com, or 020 7486 4433 or by writing to or visiting the practice. We take complaints very seriously.
If you are unhappy with our response or if you need any advice you should contact the Information Commissioner’s Office (ICO). Their telephone number is 0303 123 1113, you can also chat online with an advisor. The ICO can investigate your claim and take action against anyone who’s misused personal data. You can also visit their website for information on how to make a data protection complaint.
Marketing by us
We offer individuals real choice and control. Our consent procedures put individuals in charge to build customer trust and engagement.
Our consent for marketing requires a positive opt-in, we don’t use pre-ticked boxes or any other method of default consent. We make it easy for people to withdraw consent, tell you how to and keep contemporaneous evidence of consent. Consent to marketing is never a precondition of a service.
You will receive marketing communications from us if you have requested information from us or if you have signed up via our contact form on the website and, in each case, you have not opted out of receiving that marketing.
Marketing by third parties
We do not share your data with third parties for marketing purposes.
Where you opt out of receiving these marketing messages, this means that you may not receive messages relating to your appointments or treatment so please let us know by using the details set out above if you would like to continue to receive messages about your appointments and treatment.
Change of purpose
We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If you wish to get an explanation as to how the processing for the new purpose is compatible with the original purpose, please contact us using the details set out above.
If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.
Please note that we may process your personal data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.
Changes to your data
It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us by using the details set out above.