About UsBlogsTreatments
oral_diseaseElevate
InvisalignSmile MakeoverComposite BondingVeneersTeeth Whitening
dentistryRestore
Crowns & BridgesDental ImplantsInlays & OnlaysDenturesFillings
star_shineMaintain
Children's DentistryRoutine ExamGum HealthProfessional Cleaning
star_shineEmergency
Emergency DentistryRoot Canal TreatmentExtractions
See Our Full Catalogue
PricingFAQsSmile Gallery
Book Appointment

Denmark Hill Smiles

Effective date: 30.06.2026 | Version: 1.1

1. Introduction

1.1 This Privacy Policy sets out the basis on which Denmark Hill Smiles (“we”, “us” or “our”) collects, uses, discloses, stores and otherwise processes personal data relating to individuals who interact with our website, submit an enquiry, or otherwise communicate with the practice. It also sets out the rights available to data subjects under applicable data protection law.

1.2 We are committed to processing personal data in accordance with the United Kingdom General Data Protection Regulation (“UK GDPR”), the Data Protection Act 2018 (“DPA 2018”), the Privacy and Electronic Communications Regulations 2003 (“PECR”) and all other applicable laws and regulatory guidance, including guidance issued by the Information Commissioner's Office (“ICO”).

1.3 Where this policy refers to personal data relating to a person's health, such data constitutes “special category data” within the meaning of Article 9 of the UK GDPR and is subject to the enhanced protections described in this policy.

1.4 You should read this policy together with any other notice we may provide on specific occasions when we are collecting or processing personal data, so that you are fully aware of how and why we are using it.

2. Definitions

2.1 In this policy, the following terms have the meanings set out below:

  • (a) “controller” means the natural or legal person which, alone or jointly with others, determines the purposes and means of the processing of personal data;
  • (b) “processor” means a natural or legal person which processes personal data on behalf of the controller;
  • (c) “personal data” means any information relating to an identified or identifiable natural person;
  • (d) “special category data” means personal data revealing the categories set out in Article 9(1) of the UK GDPR, including data concerning health;
  • (e) “processing” means any operation performed on personal data, including collection, recording, storage, use, disclosure and erasure;
  • (f) “data subject” means the identified or identifiable natural person to whom personal data relates.

3. Identity and contact details of the controller

3.1 For the purposes of the UK GDPR, the controller of your personal data is Denmark Hill Smiles, whose principal place of business is 179 Denmark Hill, London, SE5 8DX.

3.2 We are registered with the Information Commissioner's Office under registration number ZA538473.

3.3 Enquiries concerning this policy or the processing of personal data, including any request to exercise the rights described in clause 14, should be directed to our data protection contact: Dr Jigna Joshi - Data Protection Officer, jignajoshi82@gmail.com.

4. Scope of this policy

4.1 This policy applies to personal data collected through our website and associated enquiry form, and to personal data collected when you correspond with us by telephone, email or other means.

4.2 Submission of the enquiry form does not constitute a confirmed appointment. The form transmits an enquiry to our reception team, who will subsequently contact you in order to arrange an appointment. The processing of personal data in connection with the provision of dental treatment, once you have become a patient of the practice, is governed by this policy and by any further notice provided to you at the practice.

5. Categories of personal data we collect

5.1 Depending on the manner in which you interact with us, we may collect and process the following categories of personal data:

  • (a) Identity data, comprising your full name;
  • (b) Contact data, comprising your email address and telephone number;
  • (c) Appointment data, comprising your preferred appointment date and time and your status as a new or existing patient;
  • (d) Enquiry data, which may constitute special category data, comprising the nature of your dental concern, the treatments in which you have expressed an interest, and the urgency of your enquiry, from which information concerning your health may be inferred;
  • (e) Consent data, comprising a record of whether you provided consent and the date and time of your submission;
  • (f) Technical and marketing data, comprising campaign attribution parameters (UTM source, medium and campaign) and information collected automatically by our website, such as your internet protocol (IP) address and cookie identifiers.

5.2 We request that you do not submit detailed medical information through the website. A concise indication of the nature of your enquiry is sufficient at the enquiry stage; a full medical history will be obtained by secure means when you attend the practice.

5.3 Where you provide us with personal data relating to other individuals, you confirm that you are authorised to do so and that you have informed them of the matters set out in this policy.

6. Purposes of processing and lawful bases

6.1 We will only process your personal data where we have a lawful basis to do so. The lawful bases on which we rely are set out below.

6.2 Responding to enquiries and arranging appointments. We process your identity, contact and appointment data in order to respond to your enquiry and to arrange an appointment at your request. The lawful basis for this processing is Article 6(1)(b) of the UK GDPR (processing necessary in order to take steps at the request of the data subject prior to entering into a contract).

6.3 Processing of health-related information. To the extent that your enquiry data reveals information concerning your health, we process such special category data on the basis of Article 9(2)(h) of the UK GDPR (processing necessary for the provision of health care or treatment), as supplemented by section 9 of, and paragraph 2 of Schedule 1 to, the DPA 2018. Such data is processed by, or under the responsibility of, a member of our clinical team who is subject to an obligation of professional confidentiality.

6.4 Marketing communications. Where you have opted in to receive marketing communications, we process your contact data for that purpose. The lawful basis for this processing is Article 6(1)(a) of the UK GDPR (consent). You may withdraw your consent at any time without affecting the lawfulness of processing carried out prior to withdrawal.

6.5 Website analytics and advertising measurement. We process technical and marketing data in order to operate our website, to understand how it is used, and to measure the performance of our advertising. Where such processing involves non-essential cookies, the lawful basis is Article 6(1)(a) of the UK GDPR (consent), obtained through our cookie banner in accordance with PECR.

6.6 Legal, regulatory and insurance purposes. We process personal data where necessary to comply with our legal and regulatory obligations and to establish, exercise or defend legal claims. The lawful bases for this processing are Article 6(1)(c) of the UK GDPR (compliance with a legal obligation) and Article 6(1)(f) (legitimate interests), our legitimate interest being the proper administration of the practice and the protection of our legal position.

7. Recipients of personal data and use of processors

7.1 We do not sell your personal data. We disclose personal data only to the recipients described in this clause, and we require each processor acting on our behalf to process personal data solely on our documented instructions and to implement appropriate technical and organisational measures. We enter into a written data processing agreement with each such processor in accordance with Article 28 of the UK GDPR.

7.2 The processors we engage, and the purposes for which we engage them, are as follows:

  • (a) Airtable — storage of enquiry and appointment data submitted through our website;
  • (b) Zapier — transmission of consultation enquiries into our internal systems;
  • (c) Slack — internal notification of our team upon receipt of an enquiry;
  • (d) Netlify — hosting of our website;
  • (e) Software of Excellence — practice management and online booking;
  • (f) Hotjar — website analytics and advertising measurement;
  • (g) CookieYes — cookie consent management, banner implementation, and consent logging.

7.3 We may also disclose personal data to the National Health Service, to regulatory bodies including the General Dental Council and the Care Quality Commission, to our professional advisers and insurers, and to any competent authority, court or law enforcement agency where we are required or permitted to do so by law.

8. International transfers of personal data

8.1 Certain of our processors, including Airtable, Zapier and Slack, store or otherwise process personal data on servers located in the United States. Accordingly, your personal data may be transferred to, and processed in, a country outside the United Kingdom.

8.2 Where we transfer personal data outside the United Kingdom, we ensure that an appropriate safeguard is in place to protect that data to a standard essentially equivalent to that required under the UK GDPR. In respect of the processors identified in clause 8.1, transfers are made pursuant to the International Data Transfer Addendum to the European Commission's Standard Contractual Clauses, as incorporated into the relevant processor's data processing agreement.

8.3 You may obtain further information regarding the safeguards applicable to international transfers of your personal data, including a copy of the relevant transfer mechanism, by contacting us using the details set out in clause 3.

9. Data retention

9.1 We retain personal data only for so long as is necessary to fulfil the purposes for which it was collected, including for the purposes of satisfying any legal, regulatory, accounting or reporting requirements.

9.2 Enquiry data submitted through the website is retained for so long as is necessary to deal with your enquiry. Where an enquiry does not result in an appointment, the associated personal data is deleted within 12 months of your last contact with us. Where an enquiry results in an appointment, the relevant personal data is incorporated into your patient record and retained in accordance with clause 9.3.

9.3 Patient records are retained in accordance with applicable healthcare record-keeping requirements and professional guidance. In the case of adult patients, records are retained for a minimum period of eleven years following the conclusion of treatment; in the case of patients who are children, records are retained until the patient's twenty-fifth birthday, or for eleven years, whichever is the longer.

9.4 Records evidencing marketing consent are retained for so long as you remain subscribed and for a reasonable period thereafter for the purpose of demonstrating compliance. Technical and analytics data is retained in accordance with the retention settings of our analytics provider, as described in our Cookie Policy.

10. Security of personal data

10.1 We have implemented appropriate technical and organisational measures designed to protect personal data against unauthorised or unlawful processing and against accidental loss, destruction or damage, having regard to the state of the art, the costs of implementation and the nature, scope, context and purposes of processing.

10.2 Such measures include the allocation of individual user credentials to members of staff and the prohibition of shared accounts; the restriction of access to personal data to those members of staff who require it for the performance of their duties; the secure server-side storage of access credentials used by our website such that they are not exposed in client-side code; and the encryption of personal data in transit between your browser and our systems.

10.3 We additionally maintain the following measures: periodic access reviews, staff data protection training, and breach response procedures.

10.4 In the event of a personal data breach, we will assess the breach and, where required, notify the ICO and affected data subjects in accordance with Articles 33 and 34 of the UK GDPR.

11. Automated decision-making and profiling

11.1 We do not make decisions producing legal effects concerning you, or similarly significantly affecting you, based solely on automated processing of your personal data within the meaning of Article 22 of the UK GDPR.

12. Personal data relating to children

12.1 Our website is directed at adults. Where we provide treatment to a patient who is a child, personal data relating to that child is ordinarily provided and managed by a parent or person with parental responsibility, and is processed in accordance with this policy and with the enhanced care appropriate to the data of children.

13. Cookies

13.1 Our website uses cookies and similar technologies. Cookies that are strictly necessary for the operation of the website are set automatically and do not require your consent. Non-essential cookies, including analytics, performance, and advertising cookies, are set only with your explicit consent.

13.2 You can manage, modify, or withdraw your cookie preferences at any time by clicking the cookie consent widget (the small icon) located in the bottom corner of our website, or via our cookie banner.

13.3 Detailed information regarding the specific cookies we use, their purposes, and their lifespans is set out in our dedicated Cookie Policy, available at denmarkhillsmiles.co.uk/cookie-policy.

14. Your rights as a data subject

14.1 Subject to the conditions and exemptions provided for under applicable law, you have the following rights in respect of your personal data:

  • (a) the right of access, being the right to obtain confirmation as to whether we process your personal data and, where we do, a copy of that data;
  • (b) the right to rectification, being the right to have inaccurate personal data corrected and incomplete personal data completed;
  • (c) the right to erasure, being the right to have your personal data deleted in the circumstances provided for by law;
  • (d) the right to restriction of processing, being the right to require us to restrict the processing of your personal data in certain circumstances;
  • (e) the right to data portability, being the right to receive certain personal data in a structured, commonly used and machine-readable format and to have it transmitted to another controller;
  • (f) the right to object, being the right to object to processing carried out on the basis of legitimate interests and to object at any time to processing for direct marketing purposes; and
  • (g) the right to withdraw consent, being the right, where processing is based on consent, to withdraw that consent at any time.

15. Exercising your rights and making a complaint

15.1 You may exercise any of the rights set out in clause 14 by contacting us using the details set out in clause 3. No fee is ordinarily payable; however, we may charge a reasonable fee, or refuse to act, where a request is manifestly unfounded or excessive.

15.2 We may request specific information from you in order to verify your identity before responding to a request, so as to ensure that personal data is not disclosed to any person who has no right to receive it.

15.3 We will respond to your request without undue delay and in any event within one month of receipt. That period may be extended by up to two further months where necessary, taking into account the complexity and number of requests, in which case we will inform you of any such extension within one month of receipt of the request, together with the reasons for the delay.

15.4 If you are dissatisfied with the manner in which we have handled your personal data, we encourage you to contact us in the first instance. You also have the right to lodge a complaint with the Information Commissioner's Office, the supervisory authority for data protection matters in the United Kingdom, at ico.org.uk/make-a-complaint, or by telephone on 0303 123 1113.

16. Changes to this policy

16.1 We may amend this policy from time to time. Where we make material changes, we will update the effective date and version number recorded at the head of this document and, where appropriate, notify you by other means. Your continued use of our website or services following any such amendment constitutes acknowledgement of the amended policy.