Privacy Policy

AKPro Referrals

Last updated: 15 April 2026

AKPro Referrals ("we", "us", "our") operates the AKPro Referrals Referral Portal. We are committed to protecting personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

1. Who We Are

The data controller for data processed in connection with operating this Portal is AKPro Referrals. We are registered with the Information Commissioner's Office (ICO) under registration number ZC119927.

For patient and referral data submitted through the Portal, you (the referring dentist or practice) remain the data controller. We act as your data processor, as described in our Data Processing Agreement.

2. What Data We Collect

Account data: name, GDC number, email address, phone number, practice details, and login credentials of registered dental professionals.

Referral and clinical data: patient name, date of birth, contact details, clinical history, referral notes, and imaging files submitted by referring clinicians.

Usage data: IP addresses, browser type, pages visited, and actions taken within the Portal, collected via server logs.

Payment data: transaction references and billing information. Card details are processed solely by Stripe and are never stored by us.

Communications: emails and messages sent to or from our support team.

3. How We Use Your Data

PurposeLegal Basis
Managing your account and delivering referral servicesContract
Processing paymentsContract
Compliance with IR(ME)R, UK GDPR, and other legal obligationsLegal obligation
Portal security, fraud prevention, and audit loggingLegitimate interests
Sending service notifications (email, SMS)Contract / Legitimate interests
Improving and developing the PortalLegitimate interests
AI-assisted structuring of referral notes and optional patient record extraction (via OpenAI API)Contract / Legitimate interests

Patient referral data constitutes special category health data under UK GDPR. We process it under Article 9(2)(h) (healthcare purposes) and Schedule 1 Part 1(2) of the DPA 2018.

4. Data Retention

  • Imaging files and reports: retained according to the applicable storage plan (currently 14 days on Free plans and up to 365 days on paid storage plans), then deleted. You are responsible for downloading files within your retention window.
  • Account and referral records: retained for 7 years from the date of the referral, in accordance with NHS/BDA clinical record-keeping guidance.
  • Financial records: retained for 6 years in accordance with HMRC requirements.
  • Audit logs: retained for 7 years for regulatory and security assurance.

5. Who We Share Data With

We share data only where necessary:

  • Stripe — payment processing (UK/EU data centres)
  • Cloudflare R2 — encrypted file storage
  • Resend — transactional email delivery
  • Bird (MessageBird) — SMS notification delivery
  • Neon — hosted PostgreSQL database (EU region)
  • Sentry — anonymised error monitoring
  • OpenAI (API) — AI-assisted referral documentation. We use OpenAI's API in two ways: (1) Smart referral wizard: clinical notes typed by the referring dentist are processed to structure them into a referral form; patient-identifiable information (name, date of birth, contact details, postcodes, phone numbers) is automatically stripped from notes before they are sent to OpenAI. (2) Optional patient record scan: if a dentist chooses to photograph a patient registration form to auto-fill demographics, that image (which may contain patient name, DOB, address, and NHS number) is sent directly to OpenAI for text extraction. This feature is only available to authenticated, verified dental professionals. OpenAI does not use API-submitted data to train its models and processes data under a Data Processing Agreement. Data is transferred to the United States under appropriate safeguards (Standard Contractual Clauses).
  • Regulators or law enforcement — where we are legally required to do so

We do not sell personal data. We do not use data for advertising.

6. International Transfers

Some of our service providers process data outside the UK or EEA. Where this occurs, we ensure appropriate safeguards are in place, such as the UK International Data Transfer Agreement (IDTA) or adequacy decisions.

7. Your Rights

Under UK GDPR you have the right to:

  • Access — request a copy of personal data we hold about you
  • Rectification — request correction of inaccurate data
  • Erasure — request deletion where there is no overriding legal basis to retain it
  • Restriction — request we restrict processing in certain circumstances
  • Portability — receive your data in a machine-readable format
  • Objection — object to processing based on legitimate interests
  • Withdraw consent — where processing is based on consent

To exercise any of these rights, contact us at the address below. We will respond within one month. You also have the right to lodge a complaint with the ICO at ico.org.uk or by calling 0303 123 1113.

8. Cookies and Tracking

The Portal uses strictly necessary session cookies to keep you logged in. We do not use advertising or analytics tracking cookies. No cookie consent banner is required for strictly necessary cookies under the UK PECR.

9. Security

We apply industry-standard security measures including TLS encryption in transit, encrypted storage at rest, access controls, and regular monitoring. In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will notify you and the ICO as required by law.

10. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated by email or via the Portal. The current version is always available at this URL.

11. Contact Us

For privacy-related queries, data subject rights requests, or complaints:

AKPro Referrals

View our Data Processing Agreement →