Privacy Policy
Last updated: 26 December 2024
Introduction
AES-CRM Ltd ("AES-CRM", "we", "us", or "our") is committed to protecting your privacy and handling your data in an open and transparent manner. This Privacy Policy explains how we collect, use, and protect personal data when you use our platform.
AES-CRM is designed for UK dental and aesthetic clinics and operates in compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
Data Controller and Data Processor
For Clinic Data
Your clinic is the Data Controller. AES-CRM acts as a Data Processor on behalf of your clinic. This means your clinic determines how and why patient data is processed, and AES-CRM processes data only according to your clinic's instructions.
For AES-CRM Account Data
For data relating to your AES-CRM account (e.g., billing information, login credentials), AES-CRM Ltd is the Data Controller.
Data We Collect
AES-CRM collects and processes the following categories of data:
Patient Data (processed on behalf of clinics)
- Contact information (name, email, phone number)
- Enquiry and appointment details
- Communication history (chat, SMS, email)
- Marketing attribution data (ad source, campaign, referrer)
- Chatbot interaction logs
Marketing Attribution Data
- Advertising click identifiers (Google Click ID, Meta Click ID)
- Campaign and source tracking parameters
- Page URLs and referrer information
- Conversion events linked to bookings
Account Data
- Clinic and user account information
- Billing and payment information (processed via Stripe)
- Usage analytics and feature adoption
Lawful Basis for Processing
We process personal data under the following lawful bases:
- Contract: To provide the AES-CRM service to clinics and fulfil our contractual obligations.
- Legitimate Interest: To improve our services, prevent fraud, and ensure platform security.
- Consent: For marketing communications and certain data processing activities where explicit consent is required.
- Legal Obligation: To comply with applicable laws and regulations.
Third-Party Data Processors
We use the following third-party services to process data on our behalf:
| Provider | Purpose | Location |
|---|---|---|
| Supabase | Database hosting | EU/UK |
| Stripe | Payment processing | UK/EU with UK safeguards |
| Twilio | SMS and voice communications | UK/EU with UK safeguards |
| | Ads conversion tracking | Global with UK adequacy |
| Postmark | Email delivery | US with UK safeguards |
AI and Automated Processing
AES-CRM uses artificial intelligence for:
- Chatbot conversations and enquiry handling
- Automated appointment reminders and follow-ups
- Lead prioritisation and workflow automation
Important: AI does not provide medical advice.
All AI-powered conversations are logged for audit and safety purposes. AI outputs are assistive only and do not replace clinical judgment. See our AI Disclosure for more details.
Data Retention
We retain personal data for as long as necessary to provide our services and comply with legal obligations:
- Patient data: Retained while the clinic's account is active, plus 7 years after termination (or as required by healthcare record-keeping regulations)
- Account data: Retained for the duration of the account plus 7 years for financial records
- Marketing attribution: Retained for 2 years for analytics purposes
- Audit logs: Retained for 7 years for compliance and security
Your Rights
Under UK GDPR, you have the following rights:
- Access: Request a copy of your personal data
- Rectification: Correct inaccurate personal data
- Erasure: Request deletion of your personal data
- Restriction: Limit how we process your data
- Portability: Receive your data in a portable format
- Objection: Object to certain processing activities
For patient data: Please contact your clinic directly to exercise these rights, as your clinic is the Data Controller.
For AES-CRM account data: Contact us at privacy@aescrm.com.
International Data Transfers
AES-CRM primarily stores and processes data within the UK. Where data is transferred outside the UK, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) and adequacy decisions where applicable. Our sub-processors maintain appropriate data protection certifications.
Security
We implement appropriate technical and organisational measures to protect personal data, including:
- Encryption at rest and in transit (AES-256, TLS 1.3)
- Role-based access controls
- Regular security assessments
- Audit logging of all data access
For more details, see our Security page.
Contact Us
For privacy-related enquiries or to exercise your rights:
Email: privacy@aescrm.com
Address: AES-CRM Ltd, 123 Dental Street, London, UK, SW1A 1AA
You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.