UK Data Protection

UK GDPR & Data Protection Act 2018

This page explains how Cavitech AI (Pty) Ltd ("Cavitech," "we," "us," or "our") complies with United Kingdom data protection law when processing personal data of individuals located in the United Kingdom. This statement should be read alongside our Privacy Policy and our GDPR Statement, which together provide a complete picture of how we collect, use, store, and protect your personal data.

Section 1

Application of UK Data Protection Law

Following the United Kingdom's withdrawal from the European Union, the UK operates its own data protection framework comprising the UK General Data Protection Regulation (UK GDPR) — a retained version of the EU GDPR incorporated into UK law by the European Union (Withdrawal) Act 2018 — and the Data Protection Act 2018 (DPA 2018). Together, these instruments establish comprehensive requirements for the processing of personal data relating to individuals in the United Kingdom.

Cavitech AI processes personal data of UK-based dental professionals and, where applicable, their patients when those individuals use our platform. We act as a data controller in relation to account and usage data, and as a data processor when handling patient data uploaded by dental practices. We are committed to processing all personal data in accordance with the principles set out in Article 5 of the UK GDPR: lawfulness, fairness, and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality; and accountability.

Our lawful bases for processing include: performance of a contract (Article 6(1)(b)) for delivering the Service to registered users; legitimate interests (Article 6(1)(f)) for platform security, fraud prevention, and service improvement; consent (Article 6(1)(a)) where explicitly obtained, such as for marketing communications; and compliance with a legal obligation (Article 6(1)(c)) where required by UK law.

Where we process special category data — including health data contained in dental radiographs and clinical notes — we rely on the condition that processing is necessary for the provision of health care under Article 9(2)(h) of the UK GDPR, read in conjunction with Schedule 1, Part 1, Paragraph 2 of the Data Protection Act 2018, as the processing is carried out by or under the responsibility of a health professional.

Section 2

Data Subject Rights Under UK GDPR

Under the UK GDPR, individuals whose personal data we process have the following rights. These rights mirror those established under the EU GDPR and are subject to certain conditions and exemptions as set out in the Data Protection Act 2018.

Right of access (Article 15). You have the right to obtain confirmation as to whether we process your personal data and, where we do, to request a copy of that data together with supplementary information about how it is processed. We will respond to access requests within one calendar month, which may be extended by a further two months where requests are complex or numerous.

Right to rectification (Article 16). You have the right to request that we correct any inaccurate personal data we hold about you, and to have incomplete data completed. Where we have disclosed the data to third parties, we will inform them of the rectification where practicable.

Right to erasure (Article 17). You may request deletion of your personal data where it is no longer necessary for the purposes for which it was collected, where you withdraw consent, where you object to processing and there are no overriding legitimate grounds, or where the data has been unlawfully processed. This right does not apply where retention is necessary for compliance with a legal obligation, for the establishment, exercise, or defence of legal claims, or for reasons of public interest in the area of public health.

Right to restriction of processing (Article 18). You may request that we restrict the processing of your personal data where you contest its accuracy, where processing is unlawful but you oppose erasure, where we no longer need the data but you require it for legal claims, or where you have objected to processing pending verification of our legitimate grounds.

Right to data portability (Article 20). Where processing is based on consent or contract and is carried out by automated means, you have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to transmit that data to another controller without hindrance.

Right to object (Article 21). You have the right to object to processing based on legitimate interests or for direct marketing purposes. Where you object to processing for direct marketing, we will cease such processing immediately. For other objections, we will cease processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms.

Rights relating to automated decision-making (Article 22). You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. Cavitech AI's radiograph analysis features are clinical decision support tools designed to assist — not replace — the professional judgement of a qualified dental practitioner. No automated decisions with legal or similarly significant effects are made without human oversight.

To exercise any of these rights, please contact our data protection team at gdpr@cavitech-ai.com. We will verify your identity before processing your request and respond within one calendar month. If we are unable to comply with your request, we will provide a clear explanation of the reasons.

Section 3

International Transfers from the UK

Cavitech AI is headquartered in South Africa and uses infrastructure and service providers located in various jurisdictions. When personal data originating in the United Kingdom is transferred to countries outside the UK, we ensure that appropriate safeguards are in place as required by Chapter V of the UK GDPR.

South Africa does not currently hold a UK adequacy decision — that is, the UK Secretary of State has not determined that South Africa provides an adequate level of data protection under Section 17A of the Data Protection Act 2018. As a result, we implement additional safeguards for transfers of personal data from the UK to South Africa and other non-adequate jurisdictions.

For international transfers, we rely on one or both of the following mechanisms: (a) the International Data Transfer Agreement (UK IDTA), a standalone transfer mechanism approved by the Information Commissioner's Office (ICO) under Section 119A of the Data Protection Act 2018; or (b) the UK Addendum to the EU Standard Contractual Clauses (the "UK Addendum"), which supplements the European Commission's Standard Contractual Clauses as approved by the ICO. Both instruments were laid before Parliament on 2 February 2022 and came into force on 21 March 2022.

In addition to contractual safeguards, we conduct Transfer Risk Assessments (TRAs) for each international transfer to evaluate the legal framework and data protection practices in the destination country. These assessments consider the laws governing government access to data, the independence and effectiveness of supervisory authorities, and the availability of effective legal remedies for data subjects. Where a TRA identifies risks that are not adequately mitigated by the transfer mechanism alone, we implement supplementary measures, which may include encryption of data in transit and at rest using industry-standard protocols, pseudonymisation or anonymisation of personal data where technically feasible, contractual commitments to challenge disproportionate government access requests, and access controls limiting personnel who can view personal data to those with a demonstrated operational need.

We maintain an up-to-date record of all international transfers, including the categories of data transferred, the recipient jurisdictions, and the safeguards applied. This record is available to the ICO upon request.

Section 4

UK Supervisory Authority

The supervisory authority for data protection in the United Kingdom is the Information Commissioner's Office (ICO). If you are located in the United Kingdom and believe that our processing of your personal data infringes the UK GDPR or the Data Protection Act 2018, you have the right to lodge a complaint with the ICO. We encourage you to contact us first at gdpr@cavitech-ai.com so that we have the opportunity to address your concerns directly, but you are not required to do so before approaching the ICO.

Information Commissioner's Office
Wycliffe House, Water Lane
Wilmslow, Cheshire SK9 5AF
United Kingdom

Telephone: 0303 123 1113
Website: ico.org.uk

The ICO provides guidance on data protection matters, investigates complaints, and has the power to issue enforcement notices, penalty notices, and other regulatory actions under the Data Protection Act 2018. You may also seek a judicial remedy through the UK courts if you consider that your rights under the UK GDPR have been infringed as a result of our processing of your personal data in non-compliance with the legislation.

Data protection enquiries

For any questions about how we handle your personal data under UK data protection law, please contact us at gdpr@cavitech-ai.com.
