Legal & Policies
Privacy, terms, cookies, data protection, retention, and security policies for Ortho-Facial Planning Ltd.
Clinical Standards
Ortho-Facial Planning Ltd delivers digital surgical planning in accordance with established clinical and professional standards.
- Planning is performed by qualified clinicians with expertise in orthognathic surgery.
- Our workflows align with recognised orthognathic planning practices.
- Outputs are compatible with hospital imaging systems and clinical workflows.
- Clinicians involved in planning hold relevant professional registration (e.g. GDC) where applicable.
- We adhere to recognised surgical planning practices and quality standards.
Privacy Policy
Last updated: 1 May 2026
This Privacy Policy explains how Ortho-Facial Planning Ltd collects, uses, and protects your personal information when you visit our website or use the Ortho-Facial Planning Portal.
1. Who we are
Ortho-Facial Planning Ltd is the data controller for information collected through this website and the portal. We are registered in England and Wales (Company No. 15073037). Our registered address is Bon Marche Business Centre, Unit 116A, 241–251 Ferndale Road, London SW9 8BJ.
You can contact us regarding privacy matters at info@ortho-facialplanning.co.uk or by calling +44 7939 963290.
2. Information we collect
We collect different categories of information depending on how you interact with us:
- Account information: name, email address, job title, clinic name, and login credentials when you register for the portal.
- Usage data: pages visited, features used, browser type, device information, and IP address, collected automatically via server logs and analytics tools.
- Communications: the content of emails or messages you send us, including enquiries and support requests.
- Payment information: billing details processed securely through our payment provider (Stripe). We do not store card numbers on our own systems.
- Clinical case data: DICOM imaging files and patient case information uploaded to the portal by clinicians. We process this data strictly as a data processor on behalf of the uploading clinic (see Section 5).
3. How we use your information
We use your information for the following purposes and on the following legal bases:
- Providing our services — processing cases, managing your account, and delivering completed plans. Lawful basis: performance of a contract.
- Communications — responding to enquiries and sending service-related notifications. Lawful basis: legitimate interests / contract.
- Billing and financial administration — processing payments and maintaining financial records. Lawful basis: contract and legal obligation.
- Improving our platform — analysing usage patterns to enhance features and fix issues. Lawful basis: legitimate interests.
- Legal and regulatory compliance — complying with applicable law and professional obligations. Lawful basis: legal obligation.
4. Cookies and tracking
We use cookies and similar technologies on this website. Please see our Cookies Policy below for full details.
5. Clinical case data and data processor role
When a clinic uploads patient case data (including DICOM images and associated patient identifiers) to the portal, Ortho-Facial Planning Ltd acts as a data processor on behalf of that clinic, which remains the data controller for that patient's information. We process such data solely to deliver the requested planning service and do not use it for any other purpose. A Data Processing Agreement governs this relationship. If you are a clinician with questions about how your patients' data is handled, please refer to your clinic's own privacy notices.
6. Sharing your information
We do not sell or rent your personal data. We share it only in the following circumstances:
- Service providers: trusted sub-processors who help us operate the platform (cloud hosting, email delivery, payment processing, error monitoring). Each is bound by a data processing agreement.
- Legal requirements: where disclosure is required by law, court order, or regulatory authority.
- Business transfer: in the event of a merger, acquisition, or sale, your data may transfer to the successor entity, subject to equivalent protections.
7. International transfers
We store data on servers located within the United Kingdom. Where any of our sub-processors transfer data outside the UK, we ensure that adequate safeguards are in place (such as the UK International Data Transfer Agreement or equivalent adequacy decisions).
8. Your rights
Under UK GDPR, you have the right to:
- Access the personal data we hold about you (Subject Access Request).
- Rectify any inaccurate or incomplete data.
- Erase your data where there is no compelling reason to continue processing it.
- Restrict processing in certain circumstances.
- Receive a copy of your data in a machine-readable format (data portability).
- Object to processing based on legitimate interests.
- Withdraw consent at any time where processing is based on consent.
To exercise any of these rights, contact us at info@ortho-facialplanning.co.uk. We will respond within one calendar month. If you are unhappy with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk or by calling 0303 123 1113.
9. Retention
We retain personal data only as long as necessary. For specific retention periods, please see our Data Retention Policy below.
10. Changes to this policy
We may update this Privacy Policy from time to time. Material changes will be communicated by email to registered users or by a prominent notice on this page. Continued use of our services after an update constitutes acceptance of the revised policy.
Terms of Service
Last updated: 1 May 2026
These Terms of Service govern your use of the Ortho-Facial Planning website and portal. Please read them carefully. By accessing or using our services, you agree to be bound by these terms.
1. Definitions
- “Company” means Ortho-Facial Planning Ltd, registered in England and Wales (No. 15073037), Bon Marche Business Centre, Unit 116A, 241–251 Ferndale Road, London SW9 8BJ.
- “Services” means the digital orthognathic surgical planning services and the online portal provided by the Company.
- “User” or “you” means any individual or organisation accessing or using the Services.
- “Client” means a dental or surgical practice or clinic that has entered into a service agreement with the Company.
2. Eligibility and professional use
The Services are intended solely for qualified dental and medical professionals and their authorised staff. By registering, you confirm that you are accessing the Services in a professional clinical capacity and that your use will comply with all applicable professional and legal obligations, including those set by the General Dental Council (GDC) or equivalent regulatory body.
The planning outputs produced by the Company are intended to support — not replace — clinical judgement. The treating clinician retains full responsibility for all clinical decisions made in relation to their patients.
3. Account registration
To use the portal, you must create an account and provide accurate, up-to-date information. You are responsible for maintaining the confidentiality of your login credentials and for all activity that occurs under your account. You must notify us immediately at info@ortho-facialplanning.co.uk if you suspect any unauthorised access.
4. Acceptable use
You agree not to:
- Use the Services for any unlawful purpose or in breach of any professional duty.
- Upload content that infringes third-party intellectual property rights or that you do not have authority to share.
- Attempt to reverse-engineer, decompile, or extract source code from any part of the platform.
- Share your account credentials with unauthorised individuals or allow concurrent access by multiple users.
- Use automated scripts, bots, or scrapers to interact with the Services without prior written consent.
- Introduce malware, viruses, or other malicious code into the platform or its connected systems.
5. Intellectual property
All content, software, workflows, and technology comprising the Services are owned by or licensed to the Company and are protected by intellectual property law. Nothing in these Terms transfers ownership of any intellectual property to you.
You retain ownership of the clinical data and images you upload. By uploading content, you grant the Company a limited licence to process that content solely for the purpose of delivering the Services.
6. Fees and payment
Fees for the Services are as set out in your service agreement or on the relevant pricing page. Fees are due in accordance with the agreed payment schedule. The Company reserves the right to suspend access to the portal in the event of non-payment. All fees are quoted in GBP and are subject to VAT where applicable.
7. Disclaimers
The Services are provided “as is” and “as available”. While we take all reasonable steps to ensure the accuracy and quality of our planning outputs, the Company makes no warranty — express or implied — that the outputs will be error-free or suitable for any particular clinical outcome. The treating clinician is solely responsible for verifying the clinical appropriateness of any plan before use.
8. Limitation of liability
To the fullest extent permitted by law, the Company's aggregate liability for any claim arising from or related to these Terms or the Services shall not exceed the fees paid by the Client in the three months preceding the event giving rise to the claim. The Company shall not be liable for indirect, consequential, special, or punitive damages.
Nothing in these Terms excludes or limits liability for death or personal injury caused by negligence, fraud, or any other liability that cannot be excluded by English law.
9. Termination
Either party may terminate a service agreement by giving notice in accordance with that agreement. The Company may suspend or terminate your access immediately if you breach these Terms, fail to make payment when due, or if required by law or regulatory authority. Upon termination, your access will be revoked and case data will be handled in accordance with our Data Retention Policy.
10. Governing law and disputes
These Terms are governed by the laws of England and Wales. Any disputes arising under or in connection with these Terms shall be subject to the exclusive jurisdiction of the courts of England and Wales. For consumer disputes, statutory rights remain unaffected.
11. Changes to these Terms
We may update these Terms from time to time. We will provide reasonable notice of material changes by email or via the portal. Continued use of the Services after the effective date of any change constitutes acceptance of the updated Terms.
Cookies Policy
Last updated: 1 May 2026
This page sets out how Ortho-Facial Planning Ltd uses cookies and similar technologies on this website and within the portal.
What are cookies?
Cookies are small text files placed on your device by a website. They are widely used to make websites work, to improve user experience, and to provide information to website operators.
Cookies we use
We use the following categories of cookies:
Strictly necessary cookies
These cookies are essential for the website and portal to function and cannot be switched off. They include:
- Session cookies — maintain your login state while you are using the portal.
- Security cookies — protect against cross-site request forgery (CSRF) and other threats.
- Preference cookies — store your theme or UI preference selections.
These cookies do not require your consent as they are technically necessary.
Analytics cookies
We may use analytics tools to understand how visitors interact with our website, such as which pages are most visited and how users navigate. This helps us improve the platform. Analytics data is collected in aggregate and is not used to identify individual users.
You can opt out of analytics cookies via the cookie preference centre or by using your browser settings.
Third-party cookies
Some pages may embed content from third-party services (for example, payment widgets provided by Stripe). These third parties may set their own cookies, subject to their own privacy and cookie policies. We do not control third-party cookies.
Managing cookies
Most browsers allow you to control cookies through their settings — you can block or delete cookies at any time. Please note that disabling strictly necessary cookies may affect the functionality of the portal. For more information on managing cookies, visit allaboutcookies.org.
Data Protection & GDPR
Last updated: 1 May 2026
How we process personal data in compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA 2018).
Data controller
Ortho-Facial Planning Ltd is registered as a data controller with the Information Commissioner's Office (ICO). Our nominated contact for data protection matters is reachable at info@ortho-facialplanning.co.uk.
Lawful bases for processing
We rely on the following lawful bases under UK GDPR Article 6:
- Article 6(1)(b) — Contract: processing necessary to perform our services or take steps prior to entering a contract.
- Article 6(1)(c) — Legal obligation: where processing is required to comply with a legal obligation (e.g. tax and accounting records).
- Article 6(1)(f) — Legitimate interests: where our legitimate business interests are pursued and are not overridden by your rights and freedoms (e.g. platform security, fraud prevention, service improvement).
Special category data
Clinical case data submitted to the portal may constitute special category health data under UK GDPR Article 9. Where Ortho-Facial Planning Ltd processes such data as a data processor on behalf of a clinic, processing is carried out under Article 9(2)(h) (health or social care purposes) and the applicable Schedule 1 condition under DPA 2018. The clinic, as data controller, is responsible for ensuring patients have been appropriately informed and for obtaining any necessary consents.
Data Processing Agreements
All client clinics processing patient data through the portal are required to enter into a Data Processing Agreement (DPA) with Ortho-Facial Planning Ltd before uploading any patient data. This agreement sets out the obligations of both parties in accordance with UK GDPR Article 28. Please contact us at info@ortho-facialplanning.co.uk to request a copy.
Sub-processors
We engage the following categories of sub-processors to help deliver our services, each bound by appropriate data processing agreements:
- Cloud infrastructure and database hosting (UK-based servers)
- Transactional email delivery
- Payment processing (Stripe, Inc. — operating under approved transfer mechanisms)
- Error monitoring and application performance tooling
A full and up-to-date list of sub-processors is available on request at info@ortho-facialplanning.co.uk.
Your rights
Under UK GDPR, you have rights of access, rectification, erasure, restriction, portability, and objection. To exercise any of these rights, submit a written request to info@ortho-facialplanning.co.uk. We will respond within one calendar month (extendable by a further two months for complex requests, with notice). We may ask you to verify your identity before proceeding.
Complaints to the ICO
If you believe we have mishandled your personal data, you have the right to lodge a complaint with the ICO, the UK supervisory authority for data protection:
- Website: ico.org.uk/make-a-complaint
- Telephone: 0303 123 1113
- Post: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
Data Retention Policy
Last updated: 1 May 2026
We retain personal data only for as long as is necessary for the purposes for which it was collected, or as required by law. This policy sets out our retention periods by data category.
Guiding principles
Our retention decisions are based on the following principles:
- Data is not kept for longer than is necessary for its original purpose.
- Retention periods account for legal, regulatory, and contractual obligations.
- Data is securely deleted or anonymised at the end of its retention period.
- Where we act as a data processor, we follow the data controller's documented instructions regarding retention and deletion.
Retention periods by category
Account and registration data
User account information (name, email, role, clinic) is retained for the duration of the active account relationship, plus 12 months following closure to allow for any outstanding queries or disputes. Accounts inactive for 24 consecutive months may be archived and then deleted.
Clinical case data
DICOM imaging files, planning outputs, and associated case data are subject to automatic deletion as follows:
- Draft cases — cases that remain in draft status and have not been submitted for planning are automatically purged after 90 days of inactivity. Both the case record and all uploaded files are deleted.
- Completed cases — once a case is marked as complete, a deletion date is set 60 days from the completion date. Files and case data are automatically purged on or after that date.
Clinics are responsible for downloading and retaining any planning outputs they require before the deletion date. We recommend downloading all deliverables promptly upon case completion. We are not able to recover data after the automatic purge has run.
Clinics should note that separate obligations may apply under NHS records management standards or applicable professional guidelines — including minimum retention periods for clinical records — which are the data controller's responsibility. Our retention window is designed for portal data only and does not substitute for your own records management obligations.
Financial and payment records
Invoices, payment records, and related financial correspondence are retained for 7 years from the end of the relevant financial year, in line with HMRC requirements.
Communication records
Emails and support communications are retained for 3 years from the date of the last communication, after which they are deleted unless required for an ongoing legal matter.
Security and access logs
System access logs, authentication events, and security audit logs are retained for 90 days for operational security purposes, and for up to 12 months where a security incident is under investigation.
Website analytics data
Aggregated analytics data (non-identifiable) may be retained indefinitely. Any IP-address-level or session-level analytics data is anonymised or deleted after 26 months.
Deletion and anonymisation
At the end of the applicable retention period, data is either securely deleted (overwritten in a manner that makes recovery infeasible) or irreversibly anonymised so that it can no longer be attributed to any individual. Deletion requests submitted by individuals or clinics are processed within 30 days.
Security & Compliance
Last updated: 1 May 2026
Protecting the confidentiality, integrity, and availability of clinical and personal data is central to how we operate. This page describes our approach to information security.
Encryption
All data in transit between your browser and our servers is encrypted using TLS 1.2 or higher. Data at rest — including clinical case files and personal data — is encrypted using AES-256 encryption.
Access controls
Access to clinical case data within the portal is strictly role-based. Each user is granted the minimum level of access required for their role:
- Clinic portal users can only access their own clinic's cases and data.
- Internal planning staff access only the cases assigned to them for planning work.
- Administrative access is restricted to named personnel and protected by multi-factor authentication.
UK data residency
Primary data storage and processing occurs on infrastructure located within the United Kingdom. We do not store clinical case data on servers outside the UK without explicit agreement and appropriate transfer safeguards in place.
Security monitoring and incident response
We operate continuous monitoring for suspicious activity, unauthorised access attempts, and anomalous behaviour. In the event of a personal data breach, we follow a documented incident response procedure. Where a breach is likely to result in risk to individuals, we will notify the ICO within 72 hours of becoming aware of it, as required by UK GDPR Article 33. Affected individuals will be notified without undue delay where the breach is likely to result in a high risk to their rights and freedoms.
Staff and contractor obligations
All staff and contractors with access to personal or clinical data are subject to confidentiality obligations. Staff receive data protection and information security training on onboarding and at least annually thereafter.
Vulnerability management
We conduct regular reviews of our technology stack and apply security patches promptly. Responsible disclosure of potential vulnerabilities is welcomed — please contact us at info@ortho-facialplanning.co.uk with details. We commit to acknowledging all security reports within 5 business days.
Regulatory compliance
We maintain compliance with the following:
- UK General Data Protection Regulation (UK GDPR)
- Data Protection Act 2018
- Privacy and Electronic Communications Regulations 2003 (PECR)
- NHS data security standards where applicable to our clinical clients