Privacy Policy

Effective Date: February 2026

1. Introduction

This Privacy Policy explains how Lumina Dental Ltd ("Lumina", "we", "us", or "our") collects, uses, stores, and protects personal information in connection with our dental practice management platform (the "Service") and our website at luminadental.co.uk.

We are committed to protecting your privacy and handling your data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

This Privacy Policy covers personal data for which Lumina acts as a Data Controller. Where Lumina acts as a Data Processor on behalf of dental practices, the practice's own privacy notice applies. Please see Section 3 for more detail.

2. Who We Are

The Data Controller for the purposes described in this Privacy Policy is:

Lumina Dental Ltd

Company No. 16067035

Registered in England and Wales

Email: privacy@luminadental.co.uk

3. When Lumina Acts as Data Processor

When dental practices use the Lumina platform to manage patient records, clinical notes, treatment plans, and other practice data, the dental practice is the Data Controller for that data. Lumina processes this data solely on behalf of the practice, acting as a Data Processor under the UK GDPR.

This means:

  • The dental practice determines why and how patient data is processed
  • Lumina processes patient data only in accordance with the practice's instructions and our Data Processing Agreement
  • If you are a patient and wish to exercise your data rights (such as access, correction, or deletion of your records), you should contact your dental practice directly, as they are the Controller of your data
  • Lumina does not use patient data for its own purposes, does not sell it, and does not share it with third parties except as necessary to provide the Service to the practice

The relationship between Lumina and each dental practice is governed by our Data Processing Agreement, which sets out the obligations of both parties under UK GDPR.

4. When Lumina Acts as Data Controller

Lumina acts as an independent Data Controller for the following categories of data. This Privacy Policy governs how we handle this data.

4.1 Customer Account Data

When a dental practice or individual registers for the Service, we collect and process account information including:

  • Organisation name and practice details
  • Contact name, email address, and phone number of the account holder
  • Names and email addresses of Authorised Users added to the account
  • Role assignments and access permissions

4.2 Billing and Subscription Data

We collect information necessary to manage subscriptions and process payments, including:

  • Subscription tier and billing cycle
  • Invoice history and payment status
  • Billing contact details

Payment card details are processed directly by Stripe. Lumina does not store full payment card numbers. See our Sub-processors page for details.

4.3 Website Usage Data

When you visit luminadental.co.uk, we may collect:

  • Pages visited, time spent, and navigation paths
  • Browser type, device type, and operating system
  • IP address (which may be truncated or anonymised)
  • Referring website or source

This data is used to understand how visitors use our website and to improve the user experience. See our Cookie Policy for more information.

4.4 Marketing Communications

Where you have given your consent, we may send you marketing communications about our products, features, and updates. You can withdraw your consent at any time by using the unsubscribe link in any marketing email or by contacting us at privacy@luminadental.co.uk.

5. Categories of Personal Data Collected

The following table summarises the categories of personal data we collect as Data Controller:

Category | Examples | Source
Identity Data | Name, job title, role within the practice | Provided by you
Contact Data | Email address, phone number, practice address | Provided by you
Billing Data | Subscription details, invoice history, payment status | Provided by you / generated by the Service
Technical Data | IP address, browser type, device information, login timestamps | Collected automatically
Usage Data | Pages visited, features used, session duration | Collected automatically
Communications Data | Support requests, feedback, correspondence with us | Provided by you

6. Lawful Bases for Processing

Under Article 6 of the UK GDPR, we rely on the following lawful bases for processing your personal data as a Data Controller:

Purpose | Lawful Basis
Providing the Service, managing your account, and processing subscriptions | Performance of a contract (Article 6(1)(b))
Complying with legal, regulatory, and tax obligations | Legal obligation (Article 6(1)(c))
Improving the Service, analysing usage patterns, ensuring security, and preventing fraud | Legitimate interests (Article 6(1)(f))
Sending marketing communications about our products and updates | Consent (Article 6(1)(a))

Where we rely on legitimate interests, we have assessed that these interests are not overridden by your rights and freedoms. You may contact us for details of our legitimate interest assessments.

7. Special Category Data

Health data (such as clinical records, treatment plans, and medical histories) constitutes special category data under Article 9 of the UK GDPR.

Lumina processes health data only as a Data Processor on behalf of dental practices. The dental practice, as Data Controller, is responsible for ensuring it has a valid lawful basis and an Article 9 condition for processing health data (typically "provision of health care" under Article 9(2)(h) of the UK GDPR, read with Schedule 1 of the Data Protection Act 2018).

Lumina does not collect or process health data in its capacity as Data Controller. The personal data we collect as Controller (account data, billing data, website usage) does not include health or clinical information.

8. Sub-processors and Data Sharing

We use a limited number of trusted third-party service providers to help deliver the Service. These include:

  • Amazon Web Services (AWS) for secure application hosting and data storage, located in the United Kingdom (eu-west-2)
  • Stripe Payments Europe Ltd / Stripe, Inc. for subscription billing and payment processing

All sub-processors are bound by data protection obligations consistent with UK GDPR. A full list is maintained at luminadental.co.uk/subprocessors.

Lumina does not sell personal data. We do not share personal data with advertising networks, data brokers, or any third party for their own marketing purposes.

9. International Transfers

All primary application data is hosted within the United Kingdom (AWS eu-west-2, London region).

Some processing by sub-processors (e.g., Stripe) may involve processing outside the UK. Where international transfers occur, we rely on appropriate safeguards in accordance with UK GDPR and applicable law.

Full details are set out in the Data Processing Agreement and the Sub-processors page.

9.1 AI Features (Optional)

The Lumina platform includes optional AI-powered features. Where a practice chooses to enable AI features, the following safeguards apply:

  • AI features are optional and are not enabled by default
  • Prompts are sanitised on a best-effort basis to reduce identifiable patient information before processing
  • Prompts are stored encrypted and automatically deleted after 24 hours
  • Only metadata (which user submitted a prompt and when) is retained beyond 24 hours for audit and compliance purposes
  • No identifiable patient data is used for model training
  • AI processing occurs within UK infrastructure (AWS eu-west-2, London region)

10. Data Retention

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by law.

Patient and clinical data is processed by Lumina as a Data Processor on behalf of dental practices. Retention and deletion of such data is governed by the practice's instructions, our Terms of Service / Data Processing Agreement, and applicable law.

Data Type | Retention Period
Customer account data | Duration of the contract, plus a reasonable period for administrative and legal purposes
Billing and invoice data | As required by applicable tax and accounting legislation (typically 6 years)
Marketing consent records | Until consent is withdrawn, plus a record of the withdrawal
Website usage data | Anonymised or deleted within 12 months
Support correspondence | Duration of the contract, plus a reasonable period
System backups | 35-day rolling retention; expired backups are automatically and permanently deleted

For details on how patient data (processed as Data Processor) is retained and deleted after termination of a practice's subscription, see the Terms of Service (Section 15) and the Data Processing Agreement.

11. How We Protect Your Data

We implement appropriate technical and organisational measures to protect personal data against unauthorised access, loss, alteration, or destruction. These include:

  • Encryption at rest (AES-256) for all stored data
  • Encryption in transit (TLS 1.2 or higher) for all data transmission
  • Mandatory multi-factor authentication (MFA) for all user accounts
  • Role-based access control with granular permissions
  • Comprehensive audit logging of all data access and modifications
  • Complete data isolation between organisations, ensuring one practice cannot access another's data
  • Separate development and production environments; developers do not have access to production data

Multi-factor authentication (MFA) is mandatory and enforced for all user accounts accessing the platform. All AI processing is restricted to AWS eu-west-2 (UK).

For more detail on our security practices, see our Security page.

12. Your Rights

Under the UK GDPR, you have the following rights in relation to the personal data we hold about you as Data Controller:

  • Right of access (Article 15): You may request a copy of the personal data we hold about you
  • Right to rectification (Article 16): You may ask us to correct inaccurate or incomplete personal data
  • Right to erasure (Article 17): You may ask us to delete your personal data in certain circumstances
  • Right to restriction (Article 18): You may ask us to restrict the processing of your personal data in certain circumstances
  • Right to object (Article 21): You may object to processing based on legitimate interests or for direct marketing purposes
  • Right to data portability (Article 20): You may request a copy of your data in a structured, commonly-used, machine-readable format
  • Right to withdraw consent: Where we rely on consent (marketing communications), you may withdraw it at any time without affecting the lawfulness of processing before withdrawal

To exercise any of these rights, please contact us at privacy@luminadental.co.uk. We may need to verify your identity before responding to a rights request, in order to protect your data. We will respond to your request within one month.

12.1 Patient Data

If you are a patient whose data is processed through Lumina by your dental practice, please contact your dental practice directly to exercise your data rights. The dental practice is the Data Controller for your clinical and personal records, and they are responsible for responding to your requests. If your practice needs assistance from Lumina to fulfil your request, we will provide it in accordance with our Data Processing Agreement.

12.2 Complaints

If you are not satisfied with our response or believe we are processing your personal data unlawfully, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):

Information Commissioner's Office

Website: ico.org.uk

Helpline: 0303 123 1113

We encourage you to contact us first so we can try to resolve any concerns directly.

13. Cookies

Our website and platform use cookies and similar technologies to provide core functionality and understand how our services are used. For full details on the cookies we use, their purposes, and how to manage your preferences, please see our Cookie Policy.

14. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, the Service, or applicable law. Where changes are material, we will notify you by email and by posting the updated policy on this page with a revised effective date.

We encourage you to review this page periodically for the latest information on our privacy practices.

15. Contact Us

If you have any questions about this Privacy Policy, wish to exercise your data rights, or have a concern about how we handle your personal data, please contact us:

Lumina Dental Ltd

Company No. 16067035

Registered in England and Wales

General: operations@luminadental.co.uk

Data Protection: privacy@luminadental.co.uk

This Privacy Policy was last updated in February 2026. Previous versions are available upon request.