Compliance

How DentyBot protects your patients' information · GDPR-compliant · HIPAA-aware

DentyBot is built to meet the data-protection obligations of dental practices across the UK, Ireland, the European Union, Australia, and North America. We operate as your data processor (or Business Associate, in the US) under legally binding agreements.

GDPR (UK, Ireland, EU)

For practices in the UK, Ireland, and the wider EU, DentyBot acts as a data processor under Article 28 of the GDPR. We process patient data strictly on your instructions, for the sole purpose of delivering the Denty chat service. A Data Processing Agreement (DPA) is automatically incorporated into every subscription — you can view it here.

HIPAA (United States)

For US-based dental practices, DentyBot operates as a Business Associate under HIPAA. We sign a Business Associate Agreement (BAA) with any subscribing US practice on request. Email us at hello@dentybot.com with subject line "BAA Request" to receive a signed BAA within 3 business days.

Australian Privacy Principles

For Australian dental practices, DentyBot complies with the Australian Privacy Principles (APPs) under the Privacy Act 1988. We handle patient data with the same technical and organisational measures applied to our GDPR-covered clients.

How DentyBot handles patient data

Patient information that may pass through Denty includes names, contact details, appointment times, and health-related chat messages. We handle this data with the following protections:

Encryption

All data is encrypted in transit using TLS 1.3 and at rest using AES-256. Patient conversations are never stored in plaintext.

Access controls

Patient data is accessible only to authorised DentyBot personnel for support and maintenance purposes, under strict need-to-know policies.

Audit logging

All access to patient data is logged and auditable. You can request an access log at any time.

Breach notification

In the event of a data breach, we will notify you within 72 hours as required by GDPR Article 33 and HIPAA's Breach Notification Rule.

Data minimisation

Denty only collects the minimum information necessary to fulfil the patient's request. We do not store sensitive clinical data beyond what is required for appointment booking.

Request the right agreement for your region

UK, Irish, and EU practices — our DPA is automatically in force. Download a copy here. US practices — request your BAA below.

Request a BAA or DPA

Email us with your practice name and region. We will send the appropriate signed agreement within 3 business days.

Email compliance →

Questions

For any compliance question or concern: hello@dentybot.com