GDPR & Data Processing Agreement

Last updated: 6 May 2026

Overview

This Data Processing Agreement (“DPA”) forms part of the agreement between you (the “Controller”) and Optivio Automation (the “Processor”) when we process personal data on your behalf to deliver the AI receptionist service. It is designed to comply with UK GDPR and the UK Data Protection Act 2018.

1. Roles

Your dental practice is the data controller for patient personal data. Optivio Automation is the data processor. Each party will comply with its obligations under UK GDPR.

2. Subject matter and duration

We process personal data for the duration of your subscription, plus a 30-day wind-down for export and deletion. The subject matter is the operation of an AI receptionist for inbound and outbound calls.

3. Categories of data

  • Caller name, telephone number, and contact details.
  • Appointment requests, reasons for the call, and booking metadata.
  • Call recordings and transcripts.
  • Limited special-category data (health information) where the patient discloses it during a call. We process such data only as necessary to deliver the booking request.

4. Our obligations

  • Process personal data only on your documented instructions.
  • Ensure personnel with access are subject to appropriate confidentiality obligations.
  • Implement technical and organisational measures appropriate to the risk (encryption in transit and at rest, access controls, audit logs).
  • Notify you without undue delay (and within 72 hours) of becoming aware of any personal data breach.
  • Assist you in responding to data subject requests and in fulfilling your DPIA and prior-consultation obligations.

5. Sub-processors

We engage sub-processors for telephony, cloud hosting, AI model inference, and payments. We maintain a current list of sub-processors and notify you of changes with the opportunity to object. All sub-processors are bound by terms equivalent to this DPA.

6. International transfers

We aim to keep all processing within the UK or EEA. Where transfers outside the UK/EEA occur, we rely on UK International Data Transfer Agreements or Standard Contractual Clauses with the UK Addendum.

7. Deletion and return

On termination you may export your data within the wind-down window. After that period we securely delete or anonymise personal data unless retention is required by law.

8. Audit

On reasonable notice and at your cost we will provide information necessary to demonstrate compliance with this DPA, including the latest third-party audit reports we hold.

9. Contact

Data protection enquiries: privacy@optivioautomation.com. You may also contact the Information Commissioner’s Office (ICO) at ico.org.uk.