Privacy Policy

Dupital Clinic Privacy Notice (UK)

Last updated: 7 October 2025

This notice explains how Dupital LTD (“Dupital”, “we”, “us”) handles personal data when we act as Controller for clinic account, billing, website and support data. For patient images and related data processed on behalf of clinics, see the Patient Privacy Notice and the DPA (where Dupital acts as Processor).


1) Who we are and how to contact us

- Dupital LTD, 178 New Road Side, Horsforth, Leeds, LS18 4DP, England

- Email: hello@dupital.com


2) What we collect (Controller role)

- Account & billing: contact names, business emails, phone numbers, practice details, billing addresses, VAT numbers, subscription records, invoices, and payment status (payments handled by our processor; we do not store full card details).

- Service usage: admin user IDs, seat allocations, simulation usage counts/metadata (no access to patient images unless provided for support, and then strictly under the Processor role and instructions).

- Support communications: emails, chat transcripts, attachments you provide to us.

- Website & cookies: analytics and preferences (see Cookie Policy). Marketing preferences, opt-ins/opt-outs.


3) Purposes and legal bases (UK GDPR)

- Provide and administer your account and subscription (Contract).

- Billing, invoicing, and VAT compliance (Legal obligation; Contract).

- Security, fraud prevention, service reliability, and abuse prevention (Legitimate interests).

- Product improvement and analytics on Controller data (Legitimate interests).

- Marketing communications to business contacts with easy opt-out (Legitimate interests/PECR soft opt-in where applicable; consent where required).


4) Sharing and recipients

- Vendors/sub‑processors for hosting, CRM, billing, email, analytics, and support. Current list: https://dupital.com/subprocessors

- Professional advisers and authorities where required by law.

- We do not sell personal data.


5) International transfers

- Where data is transferred outside the UK/EEA, we use appropriate safeguards (UK IDTA/Addendum and/or EU SCCs), plus supplementary measures as needed.


6) Retention

- Account and billing records: for the life of the account and up to 6 years afterwards for tax/audit purposes.

- Support records: while needed to resolve issues and up to 24 months thereafter unless a longer period is required by law or to establish/defend legal claims.

- Marketing preferences: until you unsubscribe or we delete inactive records.


7) Your rights

- You have rights to access, rectification, erasure, restriction, portability, and to object to processing (especially direct marketing). You can exercise these by emailing hello@dupital.com.

- You may complain to the UK Information Commissioner’s Office (ICO).


8) Children

- Our Services and this notice are intended for business users. We do not knowingly collect children’s data in our Controller role.


9) Security

- We use reasonable technical and organisational measures (encryption in transit/at rest where applicable, access controls, monitoring). No system is 100% secure.


10) Relationship to patient data

- For clarity, patient images and related personal data uploaded for simulations are handled under the clinic’s Controller role and our Processor role, and are governed by the Patient Privacy Notice and the DPA.


11) Changes

- We may update this notice. Material changes will be communicated via email or within the admin portal.