DentaCFO
External Privacy Notice
Last Updated: October 2025
- Who we are and what we do
Who we are
We are Greenarch Systems Ltd t/a DentaCFO (“DentaCFO”, “us”, “we”, “our”). We are a limited company registered in England and Wales under registration number 15979706, and we have our registered office at 1a City Gate, 185 Dyke Road, Hove, England, BN3 1TL. We are registered with the UK supervisory authority, Information Commissioner’s Office (“ICO”), in relation to our processing of Personal Data under registration number ZB957161.
What we do
We are in the business of providing dental practices with an AI financial intelligence platform. We are committed to protecting the privacy and security of the Personal Data we process about you.
Controller
Unless we notify you otherwise, we are the controller of the Personal Data we process about you. This means that we decide what Personal Data to collect and how to process it.
We are a processor of your Personal Data when we deliver our services to our clients through our DentaCFO Saas platform. The dental practice will remain a controller. The controllers decide how your personal data is processed, not us. Please contact them for further details in relation to this.
2. Purpose of this privacy notice
The purpose of this privacy notice is to explain what Personal Data we collect about you and how we process it. This privacy notice also explains your rights, so please read it carefully. If you have any questions, you can contact us using the information provided below under the ‘How to contact us’ section.
3. Who this privacy notice applies to
This privacy notice applies to you if:
1. You visit our website
2. You purchase goods or services from us
3. You enquire about our products and/or services
4. You sign up to receive newsletters and/or other promotional communications from us
5. You contact our customer services
For more information regarding our collection and processing of your personal data as part of our job application process, please see our Job Applicant Privacy Notice.
If you visit our website, we will collect information about your engagement with us online via our cookies and similar technologies such as your IP address and geographical location. See our Cookie Notice for more information on our use of cookies and similar technologies.
4. What Personal Data is
‘Personal Data’ means any information from which someone can be identified either directly or indirectly. For example, you can be identified by your name or an online identifier.
‘Special Category Personal Data’ is more sensitive Personal Data and includes information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for the purposes of uniquely identifying someone, data concerning physical or mental health or data concerning someone’s sex life or sexual orientation.
5. Personal Data we collect
The type of Personal Data we collect about you will depend on our relationship with you. For the type of Personal Data we collect see the table below in the section entitled ‘Purposes, lawful bases and retention periods’.
6. How we collect your Personal Data
We collect most of the Personal Data directly from you in by telephone, text or email and/or via our website. We also receive your Personal Data from the partners that we work with.
However, we may also collect your Personal Data from third parties such as:
• Others to whom you have provided consent
• publicly available sources such as social media platforms
7. Purposes and lawful bases
We will only use your Personal Data when the law allows. Most commonly, we will use your Personal Data in the following circumstances:
| Categories of individuals | Categories of Personal Data | Purpose of Processing | Lawful Basis |
| Website visitors | IP address, your login data, browser type and version, time zone setting and location, and other technology on the devices you use to access this website. | To monitor use of our website and prevent unauthorised access and modifications to systems | Necessary for our legitimate interests (for running our business, provision of administration and IT services, network security, to prevent fraud and in the context of a business reorganisation or group restructuring exercise) |
| Clients | Name, job title, phone numbers, email address, billing information, company address
|
To register you as a new customer
|
Performance of a contract with you
|
| Clients | Name, job title, phone numbers, email address, billing information and transaction data | To process and deliver your order including:
(a) Manage payments, fees and charges (b) Collect and recover money owed to us
|
(a) Performance of a contract with you
(b) Necessary for our legitimate interests (to recover debts owed to us)
|
| Business clients
|
Name, job title, email address | To send out business clients newsletters and other promotional material | Necessary for our legitimate interests (for growing and expanding our business, and to send you relevant information about our products and services) |
Where Personal Data is processed because it is necessary for the performance of a contract to which you are a party, we will be unable to provide our services without the required information.
8. Sharing your Personal Data
We may also disclose your information to third parties in connection with other purposes set out in this policy. These third parties may include:
• Our development and hosting partners (Zudu, AWS UK, Tresorit)
• Professional advisers (legal, financial and compliance consultants)
• analytics and search engine providers
• advertisers, social media platforms, and advertising networks
9. International Transfers
Your Personal Data may be processed outside of the UK. This is because the organisations we use to provide our service to you could be based outside the UK.
We have taken appropriate steps to ensure that the Personal Data processed outside the UK has an essentially equivalent level of protection to that guaranteed in the UK. We do this by ensuring that:
● Your Personal Data is only processed in a country which the Secretary of State has confirmed has an adequate level of protection (an adequacy regulation),
● We rely on the UK Extension to the EU-U.S. Data Privacy Framework, where the receiving organisation is certified under it, ensuring compliance with recognised data protection standards, or
● We enter into an International Data Transfer Agreement (“IDTA”) with the receiving organisation and adopt supplementary measures, where necessary. (A copy of the IDTA can be found here international-data-transfer-agreement.pdf (ico.org.uk)).
10. Your rights and how to complain
You have certain rights in relation to the processing of your Personal Data, including to:
• Right to be informed
You have the right to know what personal data we collect about you, how we use it, for what purpose and in accordance with which lawful basis, who we share it with and how long we keep it. We use our privacy notice to explain this.
• Right of access (commonly known as a “Subject Access Request”)
You have the right to receive a copy of the Personal Data we hold about you.
• Right to rectification
You have the right to have any incomplete or inaccurate information we hold about you corrected.
• Right to erasure (commonly known as the right to be forgotten)
You have the right to ask us to delete your Personal Data.
• Right to object to processing
You have the right to object to us processing your Personal Data. If you object to us using your Personal Data for marketing purposes, we will stop sending you marketing material.
• Right to restrict processing
You have the right to restrict our use of your Personal Data.
• Right to portability
You have the right to ask us to transfer your Personal Data to another party.
• Automated decision-making.
You have the right not to be subject to a decision based solely on automated processing which will significantly affect you. We do not use automated decision-making.
• Right to withdraw consent
If you have provided your consent for us to process your Personal Data for a specific purpose, you have the right to withdraw your consent at any time. If you do withdraw your consent, we will no longer process your information for the purpose(s) you originally agreed to, unless we are permitted by law to do so.
• Right to lodge a complaint
You have the right to lodge a complaint with the relevant supervisory authority, if you are concerned about the way in which we are handling your Personal Data. The supervisory authority in the UK is the Information Commissioner’s Office who can be contacted online at:
Contact us | ICO Or by telephone on 0303 123 1113
How to exercise your rights
You will not usually need to pay a fee to exercise any of the above rights. However, we may charge a reasonable fee if your request is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.
If you wish to exercise your rights, you may contact us using the details set out below within the section called ‘How to contact us and our Data Protection Officer’. We may need to request specific information from you to confirm your identity before we can process your request. Once in receipt of this, we will process your request without undue delay and within one month. In some cases, such as with complex requests, it may take us longer than this and, if so, we will keep you updated.
11. How to contact us and our Data Protection Officer
If you wish to contact us in relation to this privacy notice or if you wish to exercise any of your rights outlined above, please contact us by email privacy@dentacfo.com.
We have also appointed a Data Protection Officer (“DPO”). Our DPO, Evalian Limited and can be contacted as follows: West Lodge, Leylands Farm, 1 Nobs Crook, Colden Common, Winchester, Hampshire, SO21 1TH