Data Processing Agreement

Last updated: 1 January 2026

This Data Processing Agreement (“DPA”) forms part of the Terms of Service between Dentree Ltd (“Processor”) and the clinic or business subscribing to Denbot (“Controller”). It governs the processing of personal data by Dentree Ltd on behalf of the Controller in connection with the Denbot service.

1. Definitions

Personal data, processing, data subject, controller, processor have the meanings given in the UK GDPR (UK General Data Protection Regulation, as retained in UK law by the European Union (Withdrawal) Act 2018).

Service data means personal data submitted to the Denbot service by or on behalf of the Controller, including visitor names, email addresses, phone numbers, and conversation transcripts.

2. Details of processing

Subject matter	Patient enquiry capture and lead delivery via the Denbot widget
Duration	For the term of the subscription agreement
Nature	Collection, storage, transmission, and deletion of visitor enquiry data
Purpose	To capture and deliver patient enquiries to the Controller’s nominated email or CRM
Data types	Names, email addresses, phone numbers, enquiry content, UTM parameters, session timestamps
Data subjects	Website visitors who interact with the Denbot widget on the Controller’s website

3. Processor obligations

Dentree Ltd agrees to:

• Process service data only on documented instructions from the Controller (as set out in these terms)
• Ensure that persons authorised to process service data are bound by confidentiality obligations
• Implement appropriate technical and organisational security measures (see clause 5)
• Not engage sub-processors without the Controller’s prior authorisation (clause 4 constitutes general authorisation)
• Assist the Controller in responding to data subject rights requests
• Assist the Controller in fulfilling its obligations under Articles 32–36 of UK GDPR
• Delete or return all service data upon termination of the agreement
• Provide all information necessary to demonstrate compliance with this DPA

4. Sub-processors

The Controller grants general authorisation for Dentree Ltd to engage the following sub-processors:

Sub-processor	Purpose	Location
Supabase Inc.	Database hosting and authentication	EU (West Europe)
Twilio SendGrid	Transactional email delivery	USA (SCCs apply)
Stripe Inc.	Payment processing	USA (SCCs apply)
Vercel Inc.	API and CDN hosting	USA/EU (SCCs apply)
Anthropic PBC	AI processing (free-text only, no personal data)	USA

Dentree Ltd will notify the Controller of any intended changes to sub-processors at least 14 days in advance, giving the Controller the opportunity to object.

5. Security measures

Dentree Ltd maintains the following technical and organisational measures:

• TLS encryption for all data in transit
• Encryption at rest via infrastructure provider
• Row-level security policies restricting data access by clinic
• Magic-link authentication (no password storage)
• Audit logging of all data access and modifications
• Regular security reviews
• Data minimisation — no personal data is sent to AI models

6. Data subject rights

Where a data subject makes a request to exercise their rights (access, erasure, portability, etc.) directly to Dentree Ltd, we will forward the request to the Controller within 5 working days. The Controller is responsible for responding to data subjects. We will assist the Controller in fulfilling the request to the extent technically feasible within the Denbot platform.

7. Data breaches

Dentree Ltd will notify the Controller without undue delay (and in any event within 72 hours) upon becoming aware of a personal data breach affecting service data. The notification will include all information required under Article 33(3) of UK GDPR that is available at that time.

8. International transfers

Where service data is transferred to sub-processors outside the UK or EEA, Dentree Ltd ensures that appropriate safeguards are in place, including UK International Data Transfer Agreements (IDTAs) or standard contractual clauses (SCCs), as applicable.

9. Termination and deletion

Upon termination of the subscription, Dentree Ltd will, at the Controller’s election, delete or return all service data within 30 days. Anonymised aggregated statistics may be retained.

10. Governing law

This DPA is governed by the laws of England and Wales.

11. Contact

Data protection queries: privacy@denbot.co.uk
Dentree Ltd, Company No. 11734826, England and Wales