Your patients' data.
Protected by design.
VocoClinic processes patient names and phone numbers on behalf of dental practices. We are ICO registered, UK data residency compliant, and provide a full Data Processing Agreement to every client.
- ICO Registered: Data Controller
- UK Data Residency: All data stays in UK
- Full DPA Provided: On every contract
- Encrypted at Rest: AES-256 standard
What data VocoClinic processes
We act as a data processor on behalf of your dental practice (the data controller). We process only the minimum data required to perform the service.
| Data type | Purpose | Lawful basis |
|---|---|---|
| Caller phone number | Call routing and SMS follow-up | Legitimate interests / contract |
| Caller name | Appointment booking and personalisation | Contract performance |
| Appointment details | Diary booking into practice PMS | Contract performance |
| Call transcript (partial) | AI processing — anonymised within 30 days | Legitimate interests |
| SMS message history | Audit trail for practice | Contract performance |
Data subject rights
Patients whose data is processed by VocoClinic have the following rights under UK GDPR:
Right to access
Patients can request a copy of all data held about them. Fulfilled within 30 days.
Right to erasure
Patients can request deletion of their data. We comply within 72 hours of written notice.
Right to rectification
Inaccurate data can be corrected at any time. Contact hello@vococlinic.com.
Right to object
Patients can object to any processing not required for contract performance.
Right to portability
Data can be exported in machine-readable format on request.
Right to restrict processing
Processing can be restricted pending a complaint or dispute.
Data Processing Agreement
Every VocoClinic client receives a signed Data Processing Agreement (DPA) as part of their contract. This DPA is structured in accordance with Article 28 of UK GDPR and covers:
- Subject matter and duration of processing
- Nature and purpose of the processing
- Type of personal data and categories of data subjects
- Obligations and rights of the data controller (your practice)
- Sub-processor list and approval process
- Data breach notification timeline (72 hours)
- Return and deletion of data on contract termination
- UK and international data transfer safeguards
To request a copy of our DPA template prior to signing: hello@vococlinic.com
Security measures
Encryption at rest
All patient data is encrypted using AES-256 before storage. Decryption keys are held separately from data stores.
Encryption in transit
All data transmitted between VocoClinic systems uses TLS 1.3. No patient data is transmitted unencrypted.
UK data residency
All data is stored on UK-based servers. No patient data is transferred outside the United Kingdom or the EEA without explicit agreement.
Access controls
Role-based access. Only authorised VocoClinic engineers can access production data, under a strict audit log.
Data minimisation
We collect only what is necessary. Call transcripts are anonymised after 30 days. Caller phone numbers are pseudonymised in our logs.
Incident response
Any breach affecting patient data is notified to the ICO within 72 hours and to affected clients within 24 hours.
Questions about data compliance?
We are happy to answer any compliance questions before or after signing.