Privacy Policy

1. Who We Are

This Privacy Policy applies to Breez, a software platform owned and operated by Bosco AI LTD, a company registered in Scotland with its registered address at Silver Moon, Clora Brae, Oxton, Scotland.

Bosco AI LTD is the data controller for information relating to our customers (such as dentists and practice staff) and may act as a data processor on behalf of those customers when processing patient data via our software.

If you have any questions about this Privacy Policy or how we handle personal data, you can contact us at:
📧 bosco@breez-dental.com
📍 Bosco AI LTD, Silver Moon, Clora Brae, Oxton, Scotland

2. What Data We Collect

We collect and process different types of data depending on how you interact with our services. This may include:

a) Data We Collect from Breez Users (e.g. Dentists):

• Full name
• Email address
• Business/practice name
• Phone number (used for support communication, e.g. WhatsApp)
• Billing information (e.g. address, VAT number)
• Payment method details (processed via third-party providers)
• Login credentials (username and hashed password)
• Usage logs and device identifiers (e.g. machine ID)

b) Data Collected from Patients (via Breez Software):

• Audio recordings of dental consultations
• Automatically transcribed text of consultations
• Patient names or identifiers (if mentioned)
• Clinical notes generated through the software
• Appointment metadata (e.g. time, duration, user ID)

Note: Transcribed data is automatically anonymised where possible (e.g. names are removed from transcripts during processing).

c) Website and Analytics Data:

• IP addresses
• Browser type and version
• Device identifiers
• Pages visited and time spent on site
• Referral information (e.g. links clicked to reach us)

We do not collect unnecessary personal data or any data not relevant to the purpose of providing our services.

3. How We Collect Data

We collect personal data through the following methods:

a) Information You Provide Directly

• When you sign up for Breez and create an account
• When you enter your payment and billing details
• When you contact us via email, WhatsApp, or support channels
• When you provide feedback or respond to surveys

b) Information Collected Automatically

• When you use the Breez desktop application (e.g. machine ID, timestamps, logs)
• When the Software records consultations (with your knowledge and consent)
• When transcripts are generated automatically from audio recordings
• When anonymisation of transcripts occurs as part of processing
• When you visit our website (e.g. cookies, device/browser info, analytics data)

c) Information Collected via Third Parties

• Payment information processed securely by our payment provider
• Audio-to-text transcription via trusted third-party services
• AI-generated dental notes via external processors
• Error and crash reports from infrastructure providers

We only collect data necessary to deliver and improve the Breez service, and we never sell your personal data.

4. Legal Basis for Processing

We process personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. The legal bases for our processing activities include:

a) For Breez Users (Dentists and Practice Staff):
We process user data on the basis of:

• Contractual necessity – to provide access to the Breez software and support services as agreed upon during sign-up
• Legitimate interests – to operate, maintain, and improve our services, to communicate with you, and to prevent misuse
• Consent – where we send optional marketing communications or offer trial sign-ups

b) For Patient Data Processed via the Software:
We process patient data (e.g. audio recordings and transcriptions) on behalf of the dental practice, which is the Data Controller. The legal basis for processing is:

• Consent – obtained by the dental practice from the patient before any recording takes place, including consent to the use of third-party processors outside the UK
• Compliance with legal obligations – e.g. retention of clinical records in accordance with NHS guidance (10 years)

Note: We rely on our customers (dental practices) to obtain the appropriate patient consent as part of their information governance and clinical protocols.

5. How We Use Personal Data

We use the personal data we collect for the following purposes:

a) To Provide and Operate the Breez Service

• Registering and managing user accounts
• Verifying user identity and managing subscriptions
• Recording and transcribing dental consultations
• Generating anonymised dental notes from consultations
• Delivering hardware (e.g. microphones) and tracking warranty or returns

b) To Communicate with Users

• Providing support via WhatsApp, email, or phone (as appropriate)
• Sending account notifications, billing updates, and operational messages
• Following up on feedback, enquiries, or incident reports

c) To Improve Our Software and Services

• Analysing usage patterns and performance data
• Identifying bugs or areas for improvement
• Enhancing internal tools and models using anonymised or aggregated data
• Informing development of new features based on broader service trends

We do not use patient audio or other identifiable clinical data for external marketing, profiling, or model training. Any improvement processes rely solely on fully anonymised or aggregated information that cannot be linked to individuals.

d) To Comply with Legal and Regulatory Obligations

• Storing clinical audio records for the required retention period
• Maintaining records for accounting and tax purposes
• Ensuring security, fraud prevention, and compliance with applicable laws

6. Sharing and Disclosure of Data

We do not sell or share your personal data with third parties for advertising purposes. We may share data with trusted third-party service providers (such as payment processors, hosting providers, transcription or language processing tools) strictly for the purpose of delivering the Breez service.

Anonymised or aggregated data may also be used or processed by these providers to support internal functions such as system reliability, technical support, or performance enhancement. This data is not used to identify you or your patients.

a) With Service Providers (Sub-Processors)
We share data with a limited number of carefully selected providers, including:

• Transcription providers
• Language model processors (for structuring consultation notes)
• Cloud infrastructure providers
• Payment processors
• Support platforms (e.g. for chat, emails)

All service providers are bound by strict data protection agreements and may only process data on our behalf and in accordance with this Privacy Policy.
Any analytics or improvement processes involving such providers are based solely on non-identifiable data. No personal or clinical information is disclosed in a way that would permit re-identification.

b) With Legal or Regulatory Authorities
We may disclose personal data:

• To comply with legal obligations or regulatory requests
• To enforce our terms and investigate fraud or misuse
• To protect Breez, our users, or the public

c) In the Event of a Business Transfer
If Breez is acquired or merged, personal data may be transferred. We will inform users of any such change.

Identifiable patient data is never shared for advertising, commercial reuse, or profiling purposes.

7. International Data Transfers

Some of our trusted service providers operate outside the United Kingdom. As a result, personal data may be transferred to, stored in, or accessed from jurisdictions with different data protection laws.

To protect these transfers:

• We use lawful mechanisms under UK GDPR (such as SCCs or approved frameworks);
• Providers are required to process data only for specific purposes and in line with contractual safeguards;
• Where feasible, data is anonymised or aggregated before transfer.

Data processed by third-party services for operational or analytic purposes is anonymised where possible to reduce risks. This data is not linked back to individuals or used in any external data models that may be retrained or re-used.

Patients are informed (by their dental practice) that some data processing may occur outside the UK as part of standard Breez functionality.

8. Data Retention

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, to comply with legal obligations, and to support legitimate business interests.

a) Audio Recordings
Audio recordings of dental consultations may be stored for up to ten (10) years to comply with UK clinical record-keeping guidance, such as NHS dental data retention standards.

b) Transcripts and Dental Notes
Text transcripts are automatically anonymised as part of our processing workflow. Anonymised data may be retained indefinitely for internal analytics, system improvement, and audit purposes, as it no longer qualifies as personal data under UK GDPR.

c) User Account and Billing Data
User-related data (e.g. names, emails, payment records) is retained for as long as the Customer holds an active subscription and for a reasonable period thereafter, typically up to six (6) years, to comply with financial and tax record-keeping laws.

d) After Cancellation
Once your subscription is cancelled:

• You will have 30 days to access and download any relevant data;
• After this period, all remaining data will be securely deleted or anonymised unless a longer retention period is required by law.

You may request early deletion of your data, subject to legal or regulatory constraints.

9. Your Rights Under UK GDPR

As a data subject under UK data protection law, you have the following rights in relation to your personal data:

a) Right to Access
You have the right to request a copy of the personal data we hold about you.

b) Right to Rectification
You can request that we correct any inaccurate or incomplete personal data.

c) Right to Erasure ("Right to be Forgotten")
In certain cases, you may ask us to delete your personal data, subject to our legal obligations (e.g. for clinical record-keeping).

d) Right to Restriction of Processing
You may request a restriction on how we process your personal data in specific circumstances.

e) Right to Data Portability
You have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to have it transferred to another provider where technically feasible.

f) Right to Object
You may object to our processing of your data in certain contexts, such as direct marketing or where processing is based on our legitimate interests.

g) Right to Withdraw Consent
If processing is based on your consent, you may withdraw that consent at any time without affecting the lawfulness of prior processing.

To exercise any of your rights, please contact us at bosco@breez-dental.com.

You also have the right to lodge a complaint with the UK Information Commissioner’s Office (ICO) if you believe your data has been mishandled.

10. How to Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or how we process your personal data, you can reach us using the details below:
Bosco AI LTD
Silver Moon, Clora Brae, Oxton, Scotland
bosco@breez-dental.com

We aim to respond to all privacy-related enquiries within one month of receipt, in accordance with UK GDPR.