Privacy Policy
Last updated: June 2026
Review Your Doctor (“we”, “us”), operated by ShiftDeploy, provides a patient-feedback tool to dental clinics. This policy explains how patient personal data is handled. We operate as a data processor under the UK GDPR and the Data Protection Act 2018; the clinic is the data controllerand decides why patient feedback is collected. We process it only to provide the service on the clinic’s instructions.
What data we collect (data minimisation)
- 4-5 star ratings: an anonymous star rating only, with no personal data.
- 1-3 star ratings: the star rating, an optional reason, and any contact details (name, email, phone) only where the patient voluntarily provides them so the clinic can follow up. All contact fields are optional and never required.
- No medical data is ever collected.
Why we collect it (lawful basis)
Our lawful basis is legitimate interests: enabling the clinic to improve service quality and follow up privately with patients who report a poor experience. Data is never used for marketing. As a processor we do not decide independent purposes for patient data.
Who has access
Negative-feedback contact details are accessible only to the relevant clinic’s practice manager. We do not sell or share patient data with any third parties beyond the subprocessors listed below.
How long we keep it
Negative-feedback submissions are retained for a maximum of 12 months, after which they are automatically deleted. A clinic may request earlier deletion of its data at any time.
Cookies
We use three categories of cookies:
- Essential (always active): required for login, security, session handling, and core operation. Typically last for the session or a short period.
- Analytics (off unless you accept): help us understand usage and improve the product.
- Marketing (off unless you accept): used only if paid ads or retargeting pixels are ever added.
Non-essential cookies are blocked until you opt in. Your choice is remembered for up to 12 months. You can change or withdraw consent at any time via .
Subprocessors
We use the following infrastructure providers to deliver the service. Any new subprocessor will be added here before it processes patient data.
| Provider | Purpose | Location / transfer |
|---|---|---|
| Supabase | Database, authentication, file storage, email function | UK/EU data region |
| Vercel | Application hosting, CDN, DNS/edge delivery | Global edge (US company); SCCs / UK Addendum |
| Email/SMTP provider | Sends the manager alert email | Per your configured provider |
| Google (Places API) | Optional live rating; only a place identifier is sent, no patient data | US; safeguards apply |
| Payment provider (e.g. PayPal/Stripe) | Billing the clinic (no patient data) | Per provider |
| Analytics / error monitoring | Not currently used; listed here before any future activation (consent-gated) | TBC |
International transfers
Patient personal data is stored within the UK/EU (Supabase region). Some providers (such as Vercel and Google) are US-based or operate globally. Where UK/EU personal data is accessed or processed outside the UK/EU, we rely on appropriate safeguards such as the UK International Data Transfer Agreement (IDTA) / Addendum or Standard Contractual Clauses (SCCs).
Children and minors
Dental patients may include children. Feedback involving a child should be submitted by a parent or guardian, or handled by the clinic directly. We do not knowingly collect personal data from children without an appropriate adult acting on their behalf.
Your rights
Under UK GDPR (Articles 15-20) patients have the right to access, rectification, erasure, restriction, and portability of their personal data. You can contact either the clinic (the data controller) or us as the processor using the details below; where legally required, we will route the request to the relevant clinic.
Data processor & contact
Data processor: Review Your Doctor / ShiftDeploy.
Data queries: contact@shiftdeploy.com
ICO registration number: pending registration.
A Data Processing Agreement (DPA) under UK GDPR Article 28 is provided to every clinic before go-live, defining processing instructions, confidentiality, security, subprocessors, assistance with rights requests, deletion/return of data, and audit cooperation.
