Data Protection Policy
This policy outlines the way we handle data collected from you. Please read our policy and if you have any queries, please do not hesitate to let us know.
As a customer of ours, your data is entered into our electronic database. This is backed up every night via a cloud backup and is protected by the latest ESET anti-virus software, which is one of the leading anti-virus software brands on the market. The database is password protected and, as well as having limited access, staff are bound by confidentiality clauses in their contracts.
We hold the following information electronically:
Customer's Name / Wearer's Name
In the form of hard copies, we keep prescription forms which contain the following information:
In some cases patient address, date of birth, gender and age may be provided by a prescribing dentist and therefore also present on the prescription form.
We use the above data to manufacture custom-made appliances to your prescription and return them to you.
We are obliged to store prescription forms for up to 7 years under MHRA/GDC/DAMAS rules which we must adhere to. In the near future, the prescription forms will be scanned into a password protected computer and stored securely in the cloud.
Once a dental professional has left a practice or a practice has been closed, any account open in the practice or dentist name will be closed so that no further invoices can be added. The account will be inactive but we are unable to delete records as we are obliged to keep them under GDC/MHRA and DAMAS rules. You are welcome to view any data we hold about you by contacting us at firstname.lastname@example.org.
- We use a 3rd party platform to email our customers business information – newsletters, price change advice, and general information. The 3rd party is in compliance with the GDPR regulations and can help us to respond to requests from our customers pursuant to their rights. The 3rd party holds only the practice email address.
- We use a Worldpay POS to take card payments. Card data is provided by telephone from customers and keyed into the terminal, or the customer is asked to enter their PIN if they are present. We have self-certified our compliance with the requirements of PCI DSS version 3.2. Receipt slips are kept in a locked safe at all times and no further card data is stored. The cardholder’s receipt slip is shredded securely or posted to the cardholder if requested, with the card number obscured. The security number is never stored.
- We take card payments via our website shop – gumshields.com. This is run by the Shopify service. Customers may pay using the Shopify service or PayPal. PayPal transactions are secure and encrypted and, as a service provider, PayPal is required to comply with PCI-DSS. Shopify collects the following data from our customers:
- Customer name
- Phone number
- IP address
- Device data
This data is collected when a customer sets up an online account, uses or accesses our shop, or places an order. The data is used in providing us with services, allowing us to receive orders and payments, and for authentication. Shopify is certified as a PCI DSS Level 1 compliant service provider, which is the highest level of compliance available. Shopify supports data transfer through a variety of legal mechanisms, including the EU-U.S. Privacy Shield and European Commission Directive 2002/2/EC. This data is kept indefinitely.
We do not use any 3rd party postal companies to distribute any literature.
We operate a CCTV system to protect the company and help to prevent any break-in. Images recorded by the company are stored for 2 months and then overwritten. Images are saved on a hard drive which is only accessible via a PC and is protected by a login page. The CCTV hardware has no video/physical interface and data cannot be obtained unless connected to a PC. Images can only be viewed remotely via a password-protected app.