1. Introduction
This Privacy Policy details how Floss Health Limited uses and protects your personal data and dental practices. By using this website and services, you agree to the terms of this Privacy Policy. This policy also explains how we collect, use, and share data related to dental practices registered on our platform.
Controller - Floss Health Limited is the controller and is responsible for your personal data (collectively referred to as “we”, “us” or “our” in this privacy policy).
2. Information/data Floss collects
Personal data means any information about an individual from which that person can be identified.
We may collect, use, store and transfer different forms of personal data about you which we have detailed as follows:
· Booking and registration information Data: Details about the services you book through the website, including travel distance preferences, the nature of services, and the date and time of appointments.
· Identity Data: Personal information such as first name, last name, and date of birth.
· Contact Data: Billing address, email address, and phone number.
· Communications you send to us: Correspondence with us, including inquiries, questions, and support requests.
· Financial Data includes bank account and payment card details. Payments are processed by Stripe.
· Health Data includes certain medical details, relevant to the dental service, including any health conditions or disabilities.
· Profile Data: Information such as username, password, and service preferences.
· Marketing and Communications Data: Your preferences for receiving marketing communications from us and our third-party partners.
· Technical Data: Data about your devices and browsing activities, including IP address, browser type, device ID, cookies, and operating system.
· Usage Data includes information about your use of the website and its features.
We also collect, use and share aggregated data such as statistical or demographic data which is not personal data as it does not directly (or indirectly) reveal your identity. For example, we may aggregate individuals' Usage Data to calculate the percentage of users accessing a specific website feature in order to analyse general trends in how users are interacting with our website to help improve the website.
Practice Registration Information – Used to Onboard a Practice onto Floss Platform
· Name (individual from practice who is registering)
· Email (individual from practice who is registering)
· Job role (individual from practice who is registering)
· Current software (used by practice)
For Dental Practices:
In addition to patient data, we collect and process information about dental practices registered on our platform. This information is being collected for conducting business operations:
Effective Date: 17th Nov 2025
Compliance Framework: UK General Data Protection Regulation (UK GDPR) & Data Protection Act 2018
Practice Registration Information
(Used to onboard dental practices)
Individual Representative:
Name
Job role
Practice management software (PMS) used
Practice Details:
Practice name
Practice email
Website
Phone number
Address and postcode
Acceptance of NHS patients
Acceptance of finance
CQC regulation status and CQC number
General practice information
Site Details:
Site name
Number of dentists
Site address and postcode
Opening hours
Dentist Details:
Name
Role
Profile photo
Services offered (1–13 categories)
Practice Banking Information
Used to remit consultation or treatment fees back to the practice.
Bank account details (handled securely)
Stripe acts as the intermediary payment processor. The consultation fee is received by Stripe and automatically split between Floss and the practice, according to the pre-agreed revenue share.
Dentally API Integration (If Applicable)
If a practice uses Dentally, Floss will, with consent:
· Request a Dentally API key
· Securely import practice, site, dentist, and service information
3. How is your personal data collected?
We collect and process your data via different methods such as:
· Direct interactions with us. You may give us your Identity Data, Contact Data, Financial Data and other personal data by filling in forms or by corresponding with us by post, phone, email or otherwise. This includes personal data when you:
(i) Book an appointment through the website;
(ii) Integrate with approved third-party systems (e.g., Dentally)
(iii) Enter a competition, promotion or survey
(iv) Request marketing to be sent to you
(v) Provide data-driven feedback and improve the platform.
· Automated technologies or interactions. As you interact with our website, we will automatically collect Technical Data about your equipment, browsing actions and patterns. We collect this personal data by using cookies and other similar technologies.
· Information you give us. This is information (including Identity, Contact, Financial, and Marketing and Communications Data) you consent to giving us about you by filling in forms on the website or by corresponding with us.
· Facilitating Bookings. We collect and share relevant information with the Supplier to confirm and manage your bookings. This is for the performance of a contract with you, is necessary to comply with a legal obligation and is necessary for our legitimate interests (to keep our records updated and manage our relationship with you).
· Processing Payments: Your payment information is used to complete transactions related to your bookings. Payment details are typically handled by the Supplier or a third-party payment processor, such as Stripe. We use the third party payment processor Stripe to facilitate payment of the initial Supplier consultation appointment. The patient pays via Stripe, and the fee — less our costs — is securely transferred to the designated third party processor Stripe which processes all payments in compliance with the PCI DSS and maintains industry-leading encryption and fraud prevention tools. This is to ensure the performance of a contract with you, is necessary to comply with a legal obligation and is necessary for our legitimate interests (to keep our records updated and manage our relationship with you).
· Location Data: Some of our location based services require personal data for the feature to work (for example, matching users with suitable dental practices with reference to user location).
4. Third party links
This website may include links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. Please note that these websites (and any services accessible through them) are controlled by those third parties and are not covered by this privacy notice. You should review their own privacy notices to understand how they use your personal data before you submit any personal data to these websites or use these services. We do not control these third-party websites and are not responsible for their privacy statements.
5. Legal Basis for Processing
The law requires us to have a legal basis for collecting and using your personal data. Our lawful basis for each purpose for which we use your personal data is specified below:
· Consent – We rely on consent only when we have obtained your active agreement to use your personal data for a specified purpose, for example at the point of user registration or practice onboarding;
· Performance of a contract with you – Where we need to perform the contract we are about to enter into with you regarding appointment bookings and service agreements;
· Legitimate Interests - Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests. We make sure we consider and balance any potential impact on you (both positive and negative) and your rights before we process your personal data for our legitimate interests. You can obtain further information about how we assess our legitimate interests against any potential impact on you in respect of specific activities by contacting us.
· Legal obligation - Where we need to use your personal data to comply with a legal or regulatory obligation. Where we rely on legal obligation and you do not provide the necessary information, we may be unable to fulfil a right you have or comply with our obligations to you, or we may need to take additional steps, such as informing law enforcement or a public authority or applying for a court order.
6. How We Protect Your Data
We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.
We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
7. How Long We Retain Data
We will only retain your personal data for as long as reasonably necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. We may retain your personal data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect to our relationship with you.
By law we have to keep basic information about our users (including Booking and registration information Data, Contact, Identity and Financial Data) for seven years after they cease being customers for tax purposes or such other time as legislation may so require.
In some circumstances you can ask us to delete your data: see paragraph 7 below for further information.
In some circumstances we will anonymise your personal data (so that it can no longer be associated with you) for research or statistical purposes, in which case we may use this information indefinitely without further notice to you.
8. Your Legal Rights
You have the following rights under data protection laws in relation to your personal data.
Access: Request access to and/or a copy of the personal data we process about you (commonly known as a data subject access request). This enables you to check that we are lawfully processing it.
Correction: Request correction of any incomplete or inaccurate data we hold about you. (We may need to verify the accuracy of the new data you provide to us.)
Deletion: Request us to delete or remove personal data where there is no good reason for us continuing to process it. You also can ask us to delete or remove your personal data where you have successfully exercised your right to object to processing (see below), where we have processed your information unlawfully or where we need to erase your personal data to comply with law. (In some cases, we may need to continue to retain some of your personal data where required by law. If these apply, we will notify you at the time of our response.)
Objection: Object to us processing your personal data where (a) we are relying on legitimate interests as the lawful basis and you feel the processing impacts on your fundamental rights and freedoms, or (b) the processing is for direct marketing purposes. In some cases, we may refuse your objection if we can demonstrate that we have compelling legitimate grounds to continue processing your information which override your rights and freedoms.
Restriction: Request that we restrict or suspend our processing of your personal data:
if you want us to establish the data's accuracy;
where our use of the data is unlawful, but you do not want us to erase it;
where we no longer require it, but you need us to hold onto it to establish, exercise or defend legal claims; or
you have objected to our use of your data, but we need to verify whether we have overriding legitimate grounds to use it.
Withdraw consent: Withdraw your consent at any time where we are relying on consent to process your personal data. Please know that this does not affect the lawfulness of any processing carried out before you withdraw your consent, and after withdrawal, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent.
Complain to the UK data protection regulator: If you are unhappy with how we process your personal data, we ask that you contact us first using the details below so that we have the chance to put it right. However, you also have the right to make a complaint to the ICO (www.ico.org.uk) at any time.
9. Transfers and Disclosure of your personal data
Where we transfer your personal data outside the UK (including to the EEA). Whenever we transfer your personal data out of the UK to service providers, we ensure a similar degree of protection is afforded to it by ensuring safeguards are in place in that we will only transfer your personal data to countries that have been deemed by the UK to provide an adequate level of protection for personal data. We may need to share your information with a range of other parties including legislative and regulatory bodies in compliance with relevant legislation. We will share your personal data with participating dental practices in relation to confirmed booking and third party Practice Management Systems (PMS) (for example Dentally). If the dental practice is a Dentally API user we may request the API key from the relevant dental practice and use that API key to automatically obtain the aforementioned practice information from Dentally. Dentally also assign identifiers to the client, dentist and practice e.g. Dentally_Practice_ID. These are protected by Dentally encryption software.
10. Contact Us
Our contact details are as follows:
Email: info@floss-dental.co.uk
DPO: Mark McCormack
Registered Office: 3rd Floor, 86-90 Paul Street, London, England, United Kingdom, EC2A 4NE