Privacy notice
Effective 27 June 2026 · ZinqLeads
Who we are
ZinqLeadsis the missed-call patient recovery agent for UK dental practices: when a call to a practice rings out, we text the patient back and follow up by SMS on the practice's behalf. This notice covers three situations: when you give us your details directly (for example through the booking form on this site), when a dental practice uses ZinqLeads, and when a practice asks us to contact you because you called or enquired with it.
Questions, or want to exercise any right described here? Email hello@zinqleads.com. We reply within one working day.
Data you give us directly
When you book a walk-through we collect your name, practice name, mobile number, and anything you add in the notes field. We use it only to arrange and follow up that call — no marketing list, no resale. Our lawful basis is taking steps at your request before entering a contract. We keep booking enquiries for as long as the conversation is live, then delete them.
Data we process for a practice
When a dental practice uses ZinqLeads, we process the details of patients who call or enquire with that practice: name (where known), phone number, the treatment or reason asked about, and the SMS conversation itself. For that data the practice is the controller and ZinqLeads is its processor, acting only on its instructions — we sign a data processing agreement with every practice before go-live.
We only message patients who have contacted the practice first: a call to its number, an inbound text, a website enquiry, or a practice-attested import of recent enquiries. Every outbound message carries opt-out wording. Reply STOP at any time and messages cease immediately; the number is suppressed so it cannot be re-contacted.
Special category (health) data
A patient replying to the agent may describe a symptom — for example a toothache, swelling, or pain. When that happens the system stores the patient's own words: the full SMS thread, and a short clinical summary of the complaint (for example “severe toothache, painkillers not working, awake all night”) used to flag urgency to the practice. This is health data, a special category of personal data under Article 9 of the UK GDPR, and we treat it as such.
Because it is health data, the practice (as controller) must have a condition under Article 9 to process it. For a dental practice providing care that is typically Article 9(2)(h) — processing necessary for the provision of health care by, or under the responsibility of, a health professional — and some practices rely instead on the patient's explicit consent under Article 9(2)(a). The practice is responsible for identifying and recording its own condition; ZinqLeadsprocesses this data only as the practice's processor, on its instructions, and never uses it for any purpose of its own.
The agent recognises urgency but never diagnoses, and red-flag symptoms are met with fixed, pre-approved NHS-aligned signposting (for example to NHS 111 or 999). To draft and triage replies, the text of patient messages — including any health detail — is sent to a US-based AI provider (identifiable on request) under the UK International Data Transfer Addendum.
Automated processing
Two parts of the service work automatically. The agent assesses the urgency of an inbound message — for example flagging severe pain or red-flag symptoms — so the practice is alerted quickly, and a small set of fixed, pre-approved emergency safety replies (such as NHS 111 or 999 signposting) can be sent without waiting for a person. Every other reply is drafted for a member of the practice to review before it is sent. These steps do not make any decision that produces a legal or similarly significant effect on a patient: an urgency flag is a prompt for human care, never a substitute for it, and a clinician always makes the clinical decisions. If you have a question about how this works, contact the practice or ZinqLeads.
Sub-processors
We use a small number of vetted providers to run the product, described below by category. Patient message content, including any health detail, is processed by the SMS, AI, and database providers; the billing provider handles only the practice's billing. The current named list is in the data processing agreement and is available on request.
- SMS provider — Sends and receives the SMS, and forwards the practice phone number. (USA, with UK/EU data residency used where available; UK International Data Transfer Addendum)
- AI provider — Drafts replies and assesses urgency. Patient message content, including any health detail the patient types, is sent here to be processed. (USA; UK International Data Transfer Addendum)
- Database host — Hosts the database that stores leads, messages, and activity. (UK/EU region; Processing kept in-region)
- Email provider — Sends transactional email — practice alerts, the daily report, password resets. (USA/EU; UK International Data Transfer Addendum)
- Billing provider — Processes the practice’s subscription billing. Handles practice billing data, not patient data. (USA/EU; UK International Data Transfer Addendum)
Practices receive this named list in the data processing agreement, and we give notice before adding or changing a sub-processor. Anyone can request the current named list by email. Where data leaves the UK we rely on the UK International Data Transfer Addendum (to the EU SCCs) with each provider.
Cookies
This site sets no analytics, advertising, or tracking cookies. The only cookies we use are strictly necessary ones that keep you signed in to the practice dashboard and protect our forms from abuse. These are exempt from consent under PECR, so the site shows no cookie banner. If we ever add analytics or marketing cookies, we will ask for your consent first and update this notice.
How long we keep data
Patient records are retained for up to 24 months from last activity and then purged automatically, unless the practice agrees a different retention period with us in its data processing agreement. Erasure requests are honoured promptly — ask the practice you contacted, or email us directly and we will route the request.
Your rights
Under UK GDPR you can ask for access to your data, correction, erasure, restriction, portability, and you can object to processing. Where ZinqLeadsis a practice's processor we will pass your request to that practice (the controller) or act on its instruction. Email hello@zinqleads.com and we will respond within one month. You can also complain to the Information Commissioner's Office at ico.org.uk.
Changes
If this notice changes materially we will update the effective date above and, for practices, give notice before the change applies. See also our terms of service.